[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] What is being detected to alert upon?

To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] What is being detected to alert upon?
From: tor@xxxxxxx
Date: Thu, 30 Apr 2015 14:57:01 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 30 Apr 2015 14:57:14 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default; t=1430420223; bh=VW8TrMDvCFFUXM8piIVEMUgcj1xGPnlk0lkpXJRPwKg=; h=From:To:Subject:Date; b=uqQWzPzCXNSJgPRcC/uvkeay9PdEdaSAx5hRaZkrW8MbhgIV4yZnIn7dPICwiufpo InIPnf7Q+7oy4KFvrz0WECGUXsD6TLx++jMFEd3nef13AOBiG/rXemGG4Rq2XProw8 JX3dcFsCfgYS8kKjHL2haa2+MIxjYSZ4x3tk3S+U=
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 04/30/2015 09:15 PM, Frederick Zierold wrote:
>
>
> Hi,
>
> I am very curious how a vendor is detecting Tor Project traffic.
>
> My questions is what are they seeing to alert upon?  I have asked
them,
> but I was told "that is in the special sauce."
>
> Is the connection from the users computer to the bridge encrypted?
>
> Thank you for your insight.
>
>
>

Special Sauce, I'll buy that for a dollar ..

At a minimum, there are different kinds of detection for Tor withinthe Snort "Emerging Threats" Free-version signatures. So, this isn'teven 'hard' necessarily.

One rules file is dedicated to it (emerging-tor.rules), that file hasall the Tor IP addresses hardcoded into it. Additionally, there areother, non-IP-address related detections for Tor within other rulesfiles (do an egrep in the directory for "Tor " to see those).

If you run Snort with the emerging threats ruleset, but disable theemerging-tor.rules (removing its awareness of the IP addresses of tornodes), it still gives 3 alerts when Tor starts up. "ET POLICY TLSpossible TOR SSL traffic". That's with a regular Tor connection, Idon't know if bridges would change anything.




--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] What is being detected to alert upon?
  - From: Philipp Winter

Prev by Author: Re: [tor-talk] Clarification of Tor's involvement with DARPA's Memex
Next by Author: [tor-talk] What happened to Tor's Bridges?
Previous by thread: Re: [tor-talk] What is being detected to alert upon?
Next by thread: Re: [tor-talk] What is being detected to alert upon?
Index(es):
- Author
- Thread