[Snort-sigs] Please fix or disable emerging-tor.rules

wkitty42 at windstream.net wkitty42 at windstream.net
Tue Jul 31 11:18:30 EDT 2018

On 07/31/2018 03:41 AM, Bernhard M. Wiedemann wrote:
> Hi,
> I encountered severe false positives with the
> https://rules.emergingthreats.net/blockrules/emerging-tor.rules
> as described in
> https://lists.emergingthreats.net/pipermail/emerging-sigs/2018-July/028863.html

you'll likely have better luck if you post this to EmergingThreats on their 
mailing list(s)... i've cross-posted this reply there and i see that your 
referenced post, above, was also posted there... yes, i believe that ET 
splitting the TOR rules into two files, one for exit nodes and one for routers, 
is the best way to go...

FWIW: i ran into your problem back in 2014... at that time i worked out a small 
set of scripts to disable "TOR router not exit" entries... when i was working on 
that script, i asked then for ET to please split the two into separate files to 
make it easier to include one without the other... we're still patiently waiting 
for that to be done... the script running on our production boxen is dated 2014 
Sep 1...

the output of the script is an include file for oinkmaster that is all 
"disablesid" entries for the "TOR router not exit" entries listed in the 
sid-msg.map which is regenerated every time the rules are updated...

the two scripts are below... you might need to add some chown and chmod for the 
tor_routers.conf output file so your snort and oinkmaster can read it...

yes, oinkmaster.conf needs to already have an include for the tor_routers.conf 
yes, it takes a double run of oinkmaster to do this...

   1. pull the rules and extract them to /tmp
   2. run oinkmaster pointing to rules in /tmp
   3. run make-sidmap.pl script to update sidmsg.map
   4. run findtorrouters script with updated sidmsg.map
   5. run oinkmaster again with updated tor_routers.conf
   6. restart snort

----->8 snip findtorrouters 8<-----
egrep -hi "tor .* \(not exit\)" *redacted*/snort/rules/sid-msg.map | \
   cut -d " " -f 1 | *redacted*/usr/bin/addtorrouter > \
----->8 snip 8<-----

----->8 snip addtorrouters 8<-----

showusage () {
   echo "USAGE: $(basename $0) sidnumber" > /dev/stderr
   echo "  sidnumber is the SID number of the snort rule to be" > /dev/stderr
   echo "  prefixed with disablesid." > /dev/stderr
   echo "" > /dev/stderr
   echo "  eg: addtorrouter 12345678" > /dev/stderr
   echo "" > /dev/stderr
   echo "  output:" > /dev/stderr
   echo "    disablesid 12345678 # 20180731 allow tor routers" > /dev/stderr

getDateTime () {
   NOWD=$(date "+%F")
   NOWT=$(date "+%T")
   NOWC=$(date "+%Y%m%d")

terminate () {
   exit $CMDRESULT

#if [ $# -lt 1 ]
#  showusage
#  terminate
   while read ;
   do echo "disablesid $REPLY # $NOWC allow tor routers" ;
----->8 snip 8<-----

  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*

More information about the Snort-sigs mailing list