Snort mailing list archives
Re: TOR Browser detection policy rule
From: R S <rene.shuster () bcsemail org>
Date: Tue, 12 Dec 2017 13:18:17 -0500
Tor is on several 9000-range ports, 9001, 9040 etc., but it's not using all 300 ports. There will be lots of traffic attributed to Tor although it isn't. Very misleading and will cause trouble down the road with wrong accusations. Will shed bad light on network admins. Also suggest changing the date to the international ISO format YYYY-MM-DD.

Thanks. Best Regards.

On Tue, Dec 12, 2017 at 12:55 PM, Alberto Colosi via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

I understand TOR is a big problem, as I, inside IBM as an IBM Network and Security Admin and Architect, know that you can block TOR activities if through a proxy or directly with IP filtering. TOR lists tor nodes for IN and OUT and MAIL and so on. You can firewall all TOR IN IP addresses, as I have done. It is so quick and easy. Isn't it better to block instead of detecting, and even to complain to whoever used it?

------------------------------
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of William Siradas <bill () lantrax com>
Sent: Tuesday, December 12, 2017 6:46 PM
To: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] TOR Browser detection policy rule

unsubscribe

From: Snort-sigs [mailto:snort-sigs-bounces () lists snort org] On Behalf Of Tyler Montier
Sent: Monday, December 11, 2017 10:00 AM
To: R S <rene.shuster () bcsemail org>
Cc: snort-sigs <snort-sigs () lists snort org>; Lenny Hansson <lenny () netcowboy dk>
Subject: Re: [Snort-sigs] TOR Browser detection policy rule

Lenny,

Thanks for your submission. We will review the rule for addition into the community ruleset, and get back to you when it's finished. You said you tested the rule already; do you have any pcaps that you could send our way while we test the rule?

Thanks,
Tyler Montier
Cisco Talos

On Mon, Dec 11, 2017 at 9:34 AM, R S <rene.shuster () bcsemail org> wrote:

9000, 9001, 9040 etc., but not 300 ports. There will be lots of traffic attributed to Tor although it isn't. Suggest changing the date to the international ISO format YYYY-MM-DD.

On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny () netcowboy dk> wrote:

To all SNORT users:

TOR Browser detection rule. Feel free to use. I have tested the rule on a 100GB data set, no false positives so far. If you find any false positives please let me know.
alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS name"; flow:from_server,established; pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"; reference:url,networkforensic.dk; metadata:10122017; classtype:policy-violation; sid:5021501; rev:3;)

It detects every time the TOR Browser is started.

Best Regards
Lenny Hansson

***********************************
E-mail: security () netcowboy dk
Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
***********************************
--
Tech III * AppControl * Endpoint Protection * Server Maintenance
Buncombe County Schools Technology Department Network Group
ComicSans Awareness Campaign <http://comicsanscriminal.com>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
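The rule quoted in this thread amounts to three tests: a header test (server port anywhere in [9000:9300], client port 1024 or above), a flow test (from_server, established), and an unanchored case-insensitive PCRE over the payload. The following Python script is added here as an illustration; it is not code from Lenny Hansson, Cisco Talos or the Snort project. It re-implements exactly those conditions and runs them over a few constructed flow records so that the false-positive surface R S raises can be seen concretely: a legitimate long hostname on any port in the range fires the rule, and because the PCRE is unanchored the `.com` alternative also matches a `.company` name. The Flow record, the sample payloads, and the narrower port set {9001, 9040} (just the two ports R S names, used only to show the effect of shrinking the range) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Conditions of the rule posted in the thread (sid:5021501 rev:3), transcribed
# by hand for this illustration:
#   alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024:
#   flow:from_server,established; pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"
RULE_SRC_PORTS = range(9000, 9301)   # Snort's [9000:9300] is inclusive
RULE_DST_PORT_MIN = 1024             # "1024:" means 1024 and above
RULE_PCRE = re.compile(rb"www\.[a-z0-9]{12,21}\.(com|net)", re.IGNORECASE)


@dataclass
class Flow:
    """Simplified flow record (constructed for this example, not a real pcap)."""
    src_port: int        # port on the $EXTERNAL_NET (server) side
    dst_port: int        # port on the $HOME_NET (client) side
    from_server: bool    # True when the packet travels server -> client
    established: bool    # True once the TCP handshake has completed
    payload: bytes       # application data the PCRE is run against


def matches_rule(flow: Flow, src_ports=RULE_SRC_PORTS) -> bool:
    """Apply the rule's header and options in the order Snort evaluates them.

    src_ports can be swapped for a narrower set to see how the port range
    alone changes what fires.
    """
    if flow.src_port not in src_ports:
        return False
    if flow.dst_port < RULE_DST_PORT_MIN:
        return False
    if not (flow.from_server and flow.established):
        return False
    return RULE_PCRE.search(flow.payload) is not None


# Constructed sample flows; the hostnames are made up for this example.
SAMPLES = {
    # The kind of random-looking www.<label>.com name the rule is after
    "tor_like": Flow(9001, 40123, True, True,
                     b"... www.k3j9x2m7q8w1r5t6.com ..."),
    # Ordinary service on a 9000-range port whose certificate carries a long
    # but perfectly legitimate name: also fires, which is R S's objection
    "long_legit_name": Flow(9200, 40124, True, True,
                            b"CN=www.mycompanyproduct.net"),
    # Same name, but the server port is outside [9000:9300]: no alert
    "outside_port_range": Flow(8443, 40125, True, True,
                               b"CN=www.mycompanyproduct.net"),
    # Client port below 1024 fails the "1024:" destination port test
    "low_client_port": Flow(9001, 443, True, True,
                            b"www.k3j9x2m7q8w1r5t6.com"),
    # Label shorter than 12 characters never satisfies {12,21}
    "short_label": Flow(9001, 40126, True, True, b"www.example.com"),
    # Unanchored PCRE: ".company" matches as ".com" followed by other text
    "tld_prefix": Flow(9250, 40127, True, True,
                       b"www.longsubdomain12.company"),
}


def run_samples(src_ports=RULE_SRC_PORTS) -> dict:
    """Return {sample name: whether the rule fires} for every sample flow."""
    return {name: matches_rule(flow, src_ports) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    print("Rule as posted ([9000:9300]):")
    for name, fired in run_samples().items():
        print(f"  {name:20s} alert={fired}")
    # Narrower variant using only the two ports named in the thread; this is a
    # constructed comparison, not a recommendation from the rule's author.
    print("Only ports {9001, 9040}:")
    for name, fired in run_samples({9001, 9040}).items():
        print(f"  {name:20s} alert={fired}")
```

The script only approximates Snort: real `flow:established` depends on stream tracking, and the PCRE runs over reassembled TCP data rather than a single payload field. The point it makes is the one R S raises: with the 301-port range every alert attributes traffic to Tor on the strength of the hostname pattern alone, so a pcap-based test against non-Tor services on those ports (as Talos asked for) is what would settle the false-positive rate.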
Current thread:
- TOR Browser detection policy rule Lenny Hansson (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule William Siradas (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Alberto Colosi via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule R S (Dec 12)
- Re: TOR Browser detection policy rule Rob Lopez via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)