[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] What is being detected to alert upon?
On 04/30/2015 09:15 PM, Frederick Zierold wrote:
> I am very curious how a vendor is detecting Tor Project traffic.
> My questions is what are they seeing to alert upon? I have asked
> but I was told "that is in the special sauce."
> Is the connection from the users computer to the bridge encrypted?
> Thank you for your insight.
Special Sauce, I'll buy that for a dollar ..
At a minimum, there are different kinds of detection for Tor within
the Snort "Emerging Threats" Free-version signatures. So, this isn't
even 'hard' necessarily.
One rules file is dedicated to it (emerging-tor.rules), that file has
all the Tor IP addresses hardcoded into it. Additionally, there are
other, non-IP-address related detections for Tor within other rules
files (do an egrep in the directory for "Tor " to see those).
If you run Snort with the emerging threats ruleset, but disable the
emerging-tor.rules (removing its awareness of the IP addresses of tor
nodes), it still gives 3 alerts when Tor starts up. "ET POLICY TLS
possible TOR SSL traffic". That's with a regular Tor connection, I
don't know if bridges would change anything.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to