[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

IDS signatures [was Re: Interestingly enough...]



On Tue, Nov 07, 2006 at 09:44:07AM +0100, Jan Reister wrote:
> On 31/10/2006 03:53, Fergie wrote:
> > I found it interesting that Cisco added this their most recent IDS
> > signatures:
> 
> Bleedingsnort has the following signatures:

You can see the rules at 
   http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Tor?view=markup

> 2001728 || BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic ||
> url,tor.eff.org

This one checks for the string "client <identity>".

> 2002950 || BLEEDING-EDGE POLICY TOR 1.0 Server Key Retrival ||
> url,tor.eff.org
> 2002951 || BLEEDING-EDGE POLICY TOR 1.0 Status Update || url,tor.eff.org

These two check for "GET /tor/server/" and "GET /tor/status/"
respectively.  I'm surprised they don't have a rule for "Hey, somebody
just _uploaded_ a descriptor; there's a Tor server running on your
network."

> 2002952 || BLEEDING-EDGE POLICY TOR 1.0 Inbound Circuit Traffic ||
> url,tor.eff.org
> 2002953 || BLEEDING-EDGE POLICY TOR 1.0 Outbound Circuit Traffic ||
> url,tor.eff.org

These two check for the string "TOR" near the string "<identity>".

So it looks like they're detecting unencrypted directory connections,
as well as some fixed strings in our X.509 certificates.  Good; that's
about what we had thought made us most fingerprintable now.  We'll
probably take care of these some time as a part of our next protocol
revision.

(Note: we're not trying to resist IDS users here, or help people
violate network policy.  We're trying to do it as a part of a broader
effort to keep censorious governments from blocking Tor easily.)

yrs,
-- 
Nick Mathewson

Attachment: pgpgk42hulTpZ.pgp
Description: PGP signature