Re: More GSoC Ideas

Jonathan Addington wrote:

> 2. On *nix systems, make it easy for snort to filter out tor traffic
> on a protocol level. I realize there are plenty of legal uses for
> BitTorrent, Gnutella, etc., but most of them do not require anonymity
> in a strong sense. That is, they can get the same content through http
> (most of the time) anyway, and downloading a Linux distribution (or
> whatever) won't be flagged by most governments/agencies/whatever. It's
> my bandwidth, I have the right to let *others'* use it as I see fit.
> 

You probably don't need a whole project for this.  There are already
some Snort rules to detect Tor usage, and if you can detect it, you're
98% of the way to asking Snort to ignore it.

For example, Emerging Threats has a set of snort rules in their policy
section that detect Tor.  Here's one:

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
  (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; flow:established,to_server; \
  content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
  threshold:type limit, track by_src, count 1, seconds 60; \
  classtype:policy-violation; reference:url,tor.eff.org; \
  sid:2002950; rev:4;)

Now, you can easily cause this rule to set a flowbit when it fires.  Flow
bits are pretty much just what they sound like: a user-definable status
bit that you can turn on or off for specific network flows (sessions).
In this case, we can add a flowbit called "is_tor":

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
  (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; flow:established,to_server; \
  content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
  threshold:type limit, track by_src, count 1, seconds 60; \
  flowbits:set,is_tor; flowbits:noalert; \
  classtype:policy-violation; reference:url,tor.eff.org; \
  sid:2002950; rev:4;)

Notice the extra "flowbits:set,is_tor; flowbits:noalert;" line there.
That takes care of both setting the bit and of making sure that this rule
itself doesn't cause an alert to be generated.

For the second part, we can set up a "pass" rule that will tell snort to
avoid processing that traffic through the rules engine, but only if the
flowbit is_tor is set:

pass tcp any any -> any any (msg:"PASS Tor traffic"; \
  flowbits:isset,is_tor; sid:1000000; rev:1;)

Granted, that first rule may not be the only way to detect Tor traffic, or
even the best way anymore (I'm not sure of the current status of the Tor
protocol).  Also, as written, the ET rule is specifically looking for
clients on your network talking to Tor servers on the Internet, but the
general technique should still hold.  If Snort can detect the Tor traffic,
it can also easily be made to ignore the traffic without having to write
custom code.

David
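The mechanism David describes, modelled as an added example that is not part of his post or of Snort itself: a tiny Python stand-in for the rules engine keeps flowbits per TCP session, so the content match on the client's directory request sets "is_tor" without alerting, and every later packet in that same session (in either direction) hits the pass rule before any other rule can fire. The session key, the pass-before-alert evaluation order, and the "MALWARE_PLACEHOLDER" pattern standing in for the rest of the ruleset are all assumptions of this model; the only value taken from the post is the ET rule's byte pattern.

```python
from __future__ import annotations

from dataclasses import dataclass

# Byte pattern from the ET rule quoted in the post: "GET /tor/server/"
TOR_DIR_FETCH = bytes.fromhex("47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(pkt: Packet) -> tuple:
    """Bidirectional session key (assumption of this model): both directions
    of one TCP connection map to the same key, so a bit set on the request
    is visible when the reply comes back."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class FlowbitEngine:
    """Minimal stand-in for the rules engine: one pass rule, one flowbit-setting
    rule with noalert, and one ordinary alerting rule.  The pass rule is
    consulted first, which is what the post's design relies on."""

    def __init__(self) -> None:
        self.flowbits = {}   # flow key -> set of flowbit names
        self.alerts = []     # messages an alerting rule produced

    def process(self, pkt: Packet) -> str:
        bits = self.flowbits.setdefault(flow_key(pkt), set())
        # pass rule:  flowbits:isset,is_tor  -> skip the rest of the rules
        if "is_tor" in bits:
            return "pass"
        # detection rule:  content:"GET /tor/server/";
        #                  flowbits:set,is_tor; flowbits:noalert;
        if TOR_DIR_FETCH in pkt.payload:
            bits.add("is_tor")
            return "flowbit_set"   # bit is set, no alert (noalert)
        # any other rule that would normally fire; the pattern below is a
        # constructed placeholder for the remainder of the ruleset
        if b"MALWARE_PLACEHOLDER" in pkt.payload:
            self.alerts.append(f"alert from {pkt.src}:{pkt.sport}")
            return "alert"
        return "no_match"


def run_sample() -> list[str]:
    """Constructed packet sequence: a Tor directory fetch, two more packets in
    the same session, and an unrelated session carrying the placeholder
    pattern.  Returns the verdict for each packet in order."""
    engine = FlowbitEngine()
    packets = [
        # 1. client -> Tor server: matches the ET content, sets is_tor
        Packet("10.0.0.5", 40000, "192.0.2.10", 9030,
               TOR_DIR_FETCH + b"all HTTP/1.0\r\n"),
        # 2. server -> client, same session: carries the placeholder, but the
        #    pass rule wins because is_tor is already set on this flow
        Packet("192.0.2.10", 9030, "10.0.0.5", 40000,
               b"HTTP/1.0 200 OK MALWARE_PLACEHOLDER"),
        # 3. a further client -> server packet in the same session
        Packet("10.0.0.5", 40000, "192.0.2.10", 9030, b"more data"),
        # 4. a different session (different client port, different server)
        #    that never showed the Tor pattern: the ordinary rule still fires
        Packet("10.0.0.5", 40001, "198.51.100.7", 80,
               b"GET /x MALWARE_PLACEHOLDER"),
    ]
    return [engine.process(p) for p in packets]


if __name__ == "__main__":
    print(run_sample())   # ['flowbit_set', 'pass', 'pass', 'alert']
```

The point the model makes visible is that the pass rule is keyed on session state, not on packet content: the reply in packet 2 would have matched the ordinary rule, yet it is never examined because the session was already marked as Tor by the request, while the same payload in an unrelated session (packet 4) alerts as usual.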