[Snort-sigs] TOR Browser detection policy rule

Alberto Colosi alcol at hotmail.com
Tue Dec 12 12:55:48 EST 2017


Hi, I understand TOR is a big problem, as I do inside IBM as IBM Network and Security Admin and Architect.

Know that you can block TOR activities, whether through a proxy or directly, with IP filtering.

TOR lists Tor nodes for IN and OUT and MAIL and so on.

You can firewall all TOR IN IP addresses, as I have done.

It is so quick and easy.

Isn't it better to block instead of detecting, and even to complain to whoever used it?





________________________________
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of William Siradas <bill at lantrax.com>
Sent: Tuesday, December 12, 2017 6:46 PM
To: snort-sigs at lists.snort.org
Subject: Re: [Snort-sigs] TOR Browser detection policy rule


unsubscribe



From: Snort-sigs [mailto:snort-sigs-bounces at lists.snort.org] On Behalf Of Tyler Montier
Sent: Monday, December 11, 2017 10:00 AM
To: R S <rene.shuster at bcsemail.org>
Cc: snort-sigs <snort-sigs at lists.snort.org>; Lenny Hansson <lenny at netcowboy.dk>
Subject: Re: [Snort-sigs] TOR Browser detection policy rule



Lenny,



Thanks for your submission. We will review the rule for addition into the community ruleset, and get back to you when it's finished.



You said you tested the rule already, do you have any pcaps that you could send our way while we test the rule?



Thanks,



Tyler Montier

Cisco Talos



On Mon, Dec 11, 2017 at 9:34 AM, R S <rene.shuster at bcsemail.org> wrote:

9000, 9001, 9040 etc., but not 300 ports. There will be lots of traffic attributed to Tor although it isn't.

Suggest changing the date to international ISO format YYYY-MM-DD.



On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny at netcowboy.dk> wrote:

To all SNORT users:

TOR Browser detection rule. Feel free to use.

I have tested the rule on a 100GB data set, no false positives so far. If
you find any false positives please let me know.

alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS name"; flow:from_server,established; pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"; reference:url,networkforensic.dk; metadata:10122017; classtype:policy-violation; sid:5021501; rev:3;)

It detects every time the TOR Browser is started.

Best Regards
Lenny Hansson
***********************************
E-mail: security at netcowboy.dk
Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
***********************************



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads





--

Tech III * AppControl * Endpoint Protection * Server Maintenance
Buncombe County Schools Technology Department Network Group
ComicSans Awareness Campaign<http://comicsanscriminal.com>

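To see concretely what R S is pointing at, here is an added Python harness (not part of the thread, not Lenny's or Talos's code) that re-implements the three conditions of the posted rule that decide a match (source port in 9000-9300, destination port 1024 or above, the hostname PCRE on the server-to-client payload) and runs them over a handful of constructed flows. The flows, hostnames and ports are made up for illustration; the rule logic is taken from the rule as posted. It shows both a false positive (any non-Tor service answering from a port in that 301-port range with a long www.*.com/.net name in its payload) and a false negative (the same Tor-like name from a relay on a port outside the range), which is the trade-off a reviewer weighs before accepting a policy rule.

```python
import re

# Match conditions taken from the rule posted in the thread:
#   alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: ... flow:from_server,established;
#   pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"
SRC_PORTS = range(9000, 9301)      # Snort "[9000:9300]" is an inclusive range
MIN_DST_PORT = 1024                # Snort "1024:" means 1024 and above
HOSTNAME_RE = re.compile(rb"www\.[a-z0-9]{12,21}\.(com|net)", re.IGNORECASE)


def rule_matches(src_port: int, dst_port: int, payload: bytes) -> bool:
    """True when a server->client segment satisfies every condition of the posted rule.

    flow:from_server,established is assumed already satisfied for each sample,
    since the samples below are all modelled as server-to-client data.
    """
    if src_port not in SRC_PORTS:
        return False
    if dst_port < MIN_DST_PORT:
        return False
    return HOSTNAME_RE.search(payload) is not None


# Constructed sample flows (not captured traffic): (label, src_port, dst_port, payload).
# Hostnames and ports are invented for illustration only.
SAMPLE_FLOWS = [
    # Tor-like: random-looking 14-character label from a relay on ORPort 9001.
    ("tor-like relay on 9001", 9001, 51234,
     b"\x16\x03\x01\x00\x5a...www.q7f3k2m9x1b4z6.com..."),
    # Non-Tor web service that happens to listen on 9000 and redirects to a
    # 15-character corporate hostname: every condition is met, so this is a
    # false positive of exactly the kind R S warns about.
    ("non-Tor service on 9000", 9000, 44321,
     b"HTTP/1.1 302 Found\r\nLocation: https://www.mycompanyportal.net/\r\n\r\n"),
    # Same Tor-like name, but the relay answers from 443: outside [9000:9300],
    # so the rule never fires (false negative).
    ("tor-like relay on 443", 443, 51235,
     b"...www.q7f3k2m9x1b4z6.com..."),
    # Ordinary short hostname on 9001: the {12,21} length bound rejects it.
    ("short hostname on 9001", 9001, 51236,
     b"...www.example.com..."),
    # Matching name and port, but the client socket is below 1024: "1024:" rejects it.
    ("tor-like name to low client port", 9001, 512,
     b"...www.q7f3k2m9x1b4z6.com..."),
]


def evaluate(flows):
    """Map each sample label to whether the rule's conditions would fire on it."""
    return {label: rule_matches(src, dst, payload) for label, src, dst, payload in flows}


if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_FLOWS).items():
        print(f"{'ALERT ' if fired else 'quiet '} {label}")
```

Running it alerts on the constructed corporate-portal redirect just as readily as on the Tor-like handshake, while staying quiet on the same Tor-like name served from port 443; that is the substance of the "300 ports" objection, and it is why a pcap from the 100GB test set would help the Talos review.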

