[Snort-sigs] TOR Browser detection policy rule

Rob Lopez rob.a.lopez.jr at gmail.com
Tue Dec 12 13:24:11 EST 2017


unsubscribe

On Tue, Dec 12, 2017 at 12:55 PM, Alberto Colosi via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi, I understand TOR is a big problem, as do I inside IBM as IBM Network
> and Security Admin and Architect.
>
> Know that you can block TOR activities, whether through a proxy or directly
> with IP filtering.
>
> TOR lists Tor nodes for IN and OUT and MAIL and so on.
>
> You can firewall all TOR IN IP addresses, as I have done.
>
> It is so quick and easy.
>
> Is it not better to block instead of detecting, and even complain to whoever
> used it?
>
> ------------------------------
> *From:* Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of
> William Siradas <bill at lantrax.com>
> *Sent:* Tuesday, December 12, 2017 6:46 PM
> *To:* snort-sigs at lists.snort.org
> *Subject:* Re: [Snort-sigs] TOR Browser detection policy rule
>
>
> unsubscribe
>
>
>
> *From:* Snort-sigs [mailto:snort-sigs-bounces at lists.snort.org] *On Behalf
> Of *Tyler Montier
> *Sent:* Monday, December 11, 2017 10:00 AM
> *To:* R S <rene.shuster at bcsemail.org>
> *Cc:* snort-sigs <snort-sigs at lists.snort.org>; Lenny Hansson <
> lenny at netcowboy.dk>
> *Subject:* Re: [Snort-sigs] TOR Browser detection policy rule
>
>
>
> Lenny,
>
> Thanks for your submission. We will review the rule for addition into the
> community ruleset, and get back to you when it's finished.
>
> You said you tested the rule already; do you have any pcaps that you could
> send our way while we test the rule?
>
> Thanks,
>
> Tyler Montier
>
> Cisco Talos
>
> On Mon, Dec 11, 2017 at 9:34 AM, R S <rene.shuster at bcsemail.org> wrote:
>
> 9000,9001,9040 etc. but not 300 ports. There will be lots of traffic
> attributed to Tor although it isn't.
>
> Suggest changing the date to the international ISO format YYYY-MM-DD.
>
>
>
> On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny at netcowboy.dk> wrote:
>
> To all SNORT users:
>
> TOR Browser detection rule. Feel free to use.
>
> I have tested the rule on a 100GB data set with no false positives so far. If
> you find any false positives please let me know.
>
> alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY
> - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS
> name"; flow:from_server,established;
> pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i";
> reference:url,networkforensic.dk; metadata:10122017;
> classtype:policy-violation; sid:5021501; rev:3;)
>
> It detects every time the TOR Browser is started.
>
> Best Regards
> Lenny Hansson
> ***********************************
> E-mail: security at netcowboy.dk
> Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
> ***********************************
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit Snort.org to subscribe to the official Snort ruleset, and make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
>
>
>
>
> --
>
> Tech III * AppControl * Endpoint Protection * Server Maintenance
> Buncombe County Schools Technology Department Network Group
> ComicSans Awareness Campaign <http://comicsanscriminal.com>
>
>
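The posted rule's match conditions, together with the port-range false-positive concern raised in the reply, worked through as an added Python example (not code from the list, from Snort, or from the rule's author). The NARROW_PORTS set is an assumption built from the reply's "9000,9001,9040 etc.", and the sample flows are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Pattern taken from the rule posted above (pcre .../i), compiled case-insensitively.
TOR_NAME_RE = re.compile(r"www\.[a-z0-9]{12,21}\.(com|net)", re.IGNORECASE)

# Server-side port condition as written in the rule: $EXTERNAL_NET [9000:9300].
RULE_PORTS = frozenset(range(9000, 9301))
# Narrower alternative based on the reply's "9000,9001,9040 etc."; this exact
# list is an assumption made for this example, not a vetted list of Tor ports.
NARROW_PORTS = frozenset({9000, 9001, 9040})


@dataclass(frozen=True)
class Flow:
    """One established server->client segment, reduced to what the rule inspects."""
    src_port: int   # external (server) side
    dst_port: int   # home (client) side; the rule's "1024:" means 1024 or above
    payload: str    # reassembled application data, decoded as text


def rule_matches(flow, ports=RULE_PORTS):
    """Return the hostname the rule would flag, or None if a condition fails."""
    if flow.src_port not in ports:   # [9000:9300] on the external side
        return None
    if flow.dst_port < 1024:         # "1024:" on the home side
        return None
    m = TOR_NAME_RE.search(flow.payload)
    return m.group(0) if m else None


def scan(flows, ports=RULE_PORTS):
    """Run the rule over a list of flows; return (index, flagged name) pairs."""
    hits = []
    for i, flow in enumerate(flows):
        name = rule_matches(flow, ports)
        if name is not None:
            hits.append((i, name))
    return hits


# Constructed sample traffic, not captured data. Index 0 mimics the startup check
# the post describes; index 1 is an ordinary CDN-style name that happens to sit on
# a port inside 9000:9300; indices 2-4 each fail exactly one of the rule's conditions.
SAMPLE_FLOWS = [
    Flow(9001, 51234, "GET / HTTP/1.1\r\nHost: www.q7k2m9x4b1v8n3c5.com\r\n"),
    Flow(9200, 51235, "Host: www.staticcontentcdn.net\r\n"),
    Flow(443, 51236, "Host: www.q7k2m9x4b1v8n3c5.com\r\n"),
    Flow(9001, 80, "Host: www.q7k2m9x4b1v8n3c5.com\r\n"),
    Flow(9001, 51237, "Host: www.example.com\r\n"),
]
```

Running scan(SAMPLE_FLOWS) flags both index 0 and the CDN-style name at index 1, while scan(SAMPLE_FLOWS, NARROW_PORTS) flags only index 0; any 12-21 character hostname served from the wide port range will fire the rule as posted.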