
Re: [tor-talk] Tor honeypot



I was thinking about creating a Tor clone and seeing the traffic going to it, something that simulates a Tor relay with a virtual file system.

Cannon <cannon@xxxxxxxxxxxxxxxxx> wrote (11 October 2016 19:48:19 CEST):
>On 10/11/2016 04:17 PM, Flipchan wrote:
>>  is ofc not connected to the Tor Network.
>
>What is "ofc" ?
>What would be advantages of having it disconnected from Tor network?
>Having the honeypot not listed in the Tor directory servers would only
>detect scanners or adversaries that identify targets based on port
>number. If I was an adversary I would just refer to the directory
>server for listings of Tor routers instead of doing internet wide scans
>which could take up to a day. 
>If concerned about "normal Tor traffic" acting as a cover for malicious
>traffic, then perhaps sort log data through a filter omitting traffic
>based on following criteria:
>
>1. OMIT traffic to/from known Tor Nodes and their listed ports, WHICH
>ALSO INCLUDES traffic pattern matching normal Tor traffic.
>
>So what this filter would do is omit traffic between your honeypot node
>and other Tor nodes, while bringing to attention traffic that is
>connecting to/from non-Tor routers or non-Tor-related ports, or traffic
>that may be connecting to other Tor routers/ports but with non-standard
>Tor traffic.
>
>So even if an adversary is mass hacking Tor from a Tor router as cover,
>this would likely pick up traffic that is not matching that of standard
>Tor traffic.
>
>
>-- 
>
>Cannon
>PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832 
>Email: cannon@xxxxxxxxxxxxxxxxx
>Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU 
>Ricochet-IM: ricochet:hfddt2csxnsb2mdq 
>
>NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD
>BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
>If this matters to you, use PGP or bitmessage.

-- 
Sincerely, Flipchan
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
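Cannon's proposed filter, as an added example written for this archive page (not code from the thread or from the Tor Project): flows between the honeypot and a known relay on a listed port that also look like Tor traffic are omitted, everything else is surfaced with a reason. The relay list, the honeypot address and the `tor_pattern` flag are constructed or assumed; the pattern check itself is assumed to come from an upstream classifier (TLS link, Tor-like cell sizing).

```python
from dataclasses import dataclass

# Constructed stand-in for the directory consensus: relay IP -> advertised ORPorts.
# RFC 5737 documentation addresses only.
KNOWN_RELAYS = {
    "198.51.100.10": {9001, 443},
    "203.0.113.7": {9001},
}
HONEYPOT_IP = "192.0.2.1"      # assumed honeypot address
HONEYPOT_OR_PORTS = {9001}     # ports the honeypot advertises as Tor ORPorts


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tor_pattern: bool  # assumed result of an upstream "looks like Tor" check


def classify(flow: Flow) -> str:
    """Return 'omit' for ordinary relay-to-relay traffic, otherwise an alert reason."""
    if flow.dst_ip == HONEYPOT_IP:          # inbound: peer must hit one of our ORPorts
        peer_ip, listed = flow.src_ip, flow.dst_port in HONEYPOT_OR_PORTS
    elif flow.src_ip == HONEYPOT_IP:        # outbound: we must target the peer's listed port
        peer_ip = flow.dst_ip
        listed = flow.dst_port in KNOWN_RELAYS.get(peer_ip, set())
    else:
        return "alert: flow does not involve the honeypot"
    if peer_ip not in KNOWN_RELAYS:
        return "alert: peer is not a known Tor relay"
    if not listed:
        return "alert: non-Tor port on a Tor relay"
    if not flow.tor_pattern:
        return "alert: relay peer but non-standard traffic pattern"
    return "omit"


def triage(flows):
    """Keep only the flows the filter would bring to attention, with their reason."""
    return [(f, classify(f)) for f in flows if classify(f) != "omit"]


# Constructed sample flows (src_ip, src_port, dst_ip, dst_port, tor_pattern).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 45000, "192.0.2.1", 9001, True),   # relay -> our ORPort: omit
    Flow("192.0.2.1", 51000, "203.0.113.7", 9001, True),     # us -> relay ORPort: omit
    Flow("198.51.100.99", 40000, "192.0.2.1", 9001, True),   # unknown host: alert
    Flow("192.0.2.1", 52000, "198.51.100.10", 22, False),    # relay, but port 22: alert
    Flow("203.0.113.7", 41000, "192.0.2.1", 9001, False),    # relay, odd pattern: alert
]
```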