On Tue, Nov 07, 2006 at 09:44:07AM +0100, Jan Reister wrote:
> On 31/10/2006 03:53, Fergie wrote:
> > I found it interesting that Cisco added this to their most recent IDS
> > signatures:
>
> Bleedingsnort has the following signatures:

You can see the rules at
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Tor?view=markup

> 2001728 || BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic ||
> url,tor.eff.org

This one checks for the string "client <identity>".

> 2002950 || BLEEDING-EDGE POLICY TOR 1.0 Server Key Retrival ||
> url,tor.eff.org
> 2002951 || BLEEDING-EDGE POLICY TOR 1.0 Status Update || url,tor.eff.org

These two check for "GET /tor/server/" and "GET /tor/status/"
respectively.

I'm surprised they don't have a rule for "Hey, somebody just _uploaded_
a descriptor; there's a Tor server running on your network."

> 2002952 || BLEEDING-EDGE POLICY TOR 1.0 Inbound Circuit Traffic ||
> url,tor.eff.org
> 2002953 || BLEEDING-EDGE POLICY TOR 1.0 Outbound Circuit Traffic ||
> url,tor.eff.org

These two check for the string "TOR" near the string "<identity>".

So it looks like they're detecting unencrypted directory connections, as
well as some fixed strings in our X.509 certificates. Good; that's about
what we had thought made us most fingerprintable now. We'll probably take
care of these some time as a part of our next protocol revision.

(Note: we're not trying to resist IDS users here, or help people violate
network policy. We're trying to do it as a part of a broader effort to
keep censorious governments from blocking Tor easily.)

yrs,
--
Nick Mathewson
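The message above describes what each Bleeding Edge rule keys on: a fixed HTTP request prefix for the directory fetches, and the strings "client <identity>" or "TOR" near "<identity>" for the circuit-traffic rules. The following is an added example written for this page, not the bleedingthreats.net rule set and not Tor's own code: a small Snort-style content matcher that runs those four string checks over constructed sample payloads, so a network defender can see exactly which bytes trigger which SID and how brittle the "near" condition is. The SIDs and content strings come from the email; the 64-byte proximity window for the TOR/<identity> pair, the inbound/outbound distinction being collapsed into one rule, and the sample payloads are all assumptions made for the example.

```python
"""Toy Snort-style policy matcher for the Tor signatures quoted in the thread.

Added example for this page; not the Bleeding Edge rules themselves and not
Tor code. Content strings and SIDs are the ones named in the email; the
'within' window and the sample payloads are constructed assumptions.
"""

# Each signature: ordered content strings that must all appear in the payload.
# For two-content signatures the second string must begin within `within`
# bytes after the end of the first match (an approximation of Snort's
# content/distance/within semantics; the real rule bodies may differ).
SIGNATURES = [
    {"sid": 2001728, "msg": "TOR 1.0 Client Circuit Traffic",
     "content": [b"client <identity>"]},
    {"sid": 2002950, "msg": "TOR 1.0 Server Key Retrival",   # spelled as in the rule name
     "content": [b"GET /tor/server/"]},
    {"sid": 2002951, "msg": "TOR 1.0 Status Update",
     "content": [b"GET /tor/status/"]},
    # 2002952/2002953 differ only by flow direction in the original rule set;
    # direction is ignored here, so one entry stands in for both (assumption).
    {"sid": 2002952, "msg": "TOR 1.0 Circuit Traffic",
     "content": [b"TOR", b"<identity>"], "within": 64},
]


def match_signature(sig, payload):
    """Return True if every content string appears in order in `payload`,
    with each later string starting no more than sig['within'] bytes after
    the end of the previous match (unbounded when 'within' is absent)."""
    search_from = 0
    end_of_prev = None
    for i, needle in enumerate(sig["content"]):
        idx = payload.find(needle, search_from)   # byte-exact, case-sensitive
        if idx < 0:
            return False
        if i > 0 and idx - end_of_prev > sig.get("within", len(payload)):
            return False                          # found, but too far away
        end_of_prev = idx + len(needle)
        search_from = end_of_prev
    return True


def scan(payload, signatures=SIGNATURES):
    """Return the SIDs of all signatures that fire on one payload."""
    return [sig["sid"] for sig in signatures if match_signature(sig, payload)]


def report(flows, signatures=SIGNATURES):
    """Map each named flow to the list of SIDs that fire on it."""
    return {name: scan(payload, signatures) for name, payload in flows.items()}


# Constructed sample payloads (not captured traffic). The "cert_like" blob only
# imitates the shape of a DER certificate with the strings from the email
# embedded in it; the surrounding bytes are filler.
SAMPLE_FLOWS = {
    "dir_fetch":    b"GET /tor/server/all HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    "status_fetch": b"GET /tor/status/authority HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    "plain_web":    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "cert_like":    b"\x30\x82\x01\x0aO=TOR, CN=client <identity>\x30\x0d\x06\x09",
    # Same two strings, but 100 filler bytes apart: outside the assumed window.
    "far_apart":    b"TOR" + b"x" * 100 + b"<identity>",
}

if __name__ == "__main__":
    for name, sids in report(SAMPLE_FLOWS).items():
        print(f"{name:13s} -> {sids or 'no match'}")
```

Two things the run makes visible: the directory rules fire on nothing more than an HTTP request line, which is why an unencrypted directory fetch is such an easy fingerprint, and the proximity rule is only as good as its window (the "far_apart" payload contains both strings yet does not match). Lowering the window cuts false positives on unrelated "TOR" substrings; raising it catches more certificate layouts but widens the net.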