[Bro] Detect tor
rdump at river.com
Wed Feb 22 20:20:01 PST 2017
If you want valid, low false positive, detection of the public Tor (not TOR)
network use, you can look at the descriptors of the public relays. Get them
from any Tor node you run, or download from the Tor Project site. That will
give you IP addresses and ports over time. A connection to those is very
probably Tor user->network traffic.
A connection to a Tor node's IP on a port that isn't listed as a Tor port at
the time of interest is much less likely to be Tor traffic. That's one of the
failings of intel feeds listing only IPs, as almost all do when it comes to Tor.
Bridges complicate the picture, as they're handed only to a limited subset of
users. There, you may want to consider active measures--connect to the same
port yourself, see if you can evoke a Tor handshake. China's delay on active
probing of the ports was on the order of hours to days when this was most
popular; they may have gotten faster since.
Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
vendors can often keep up, but it's unlikely they'll share the competitive
Further along the arms race, bridges using pluggable transports like obfs4, or
connections using domain fronting are not going to be easily detected, even by
On 2017-02-22 08:26, ps sunu wrote:
> ok thanks for your info
> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>> Another thing you could try is, if you use intel framework, then you can
>> feed the intel FW with
>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>> intel.log, whenever there's
>> a hit on TOR IPs in your network traffic.
>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>> Which is the best TOR detection script in bro? Is the one below
>>> good, or is there any other script?
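The point made at the top of the thread (match on relay IP *and* port at the time of the connection, not on IP alone) as an added example, not code from the post or from the Bro project. The consensus snippets are constructed in the shape of a Tor network-status consensus (valid-after/fresh-until headers and "r" lines carrying IP, ORPort and DirPort); the IPs are documentation ranges, and the status labels are assumptions:

```python
"""Time-aware matching of connections against Tor relay (IP, ORPort) pairs."""
from datetime import datetime

# Constructed snapshots: relayB is listed in the 09:00 consensus but gone by 10:00.
CONSENSUS_SNAPSHOTS = [
    "valid-after 2017-02-22 09:00:00\n"
    "fresh-until 2017-02-22 10:00:00\n"
    "r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-02-22 08:00:00 192.0.2.10 9001 9030\n"
    "r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-02-22 08:00:00 198.51.100.7 443 0\n",
    "valid-after 2017-02-22 10:00:00\n"
    "fresh-until 2017-02-22 11:00:00\n"
    "r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-02-22 08:00:00 192.0.2.10 9001 9030\n",
]

def _ts(date, time):
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")

def parse_consensus(text):
    """Return (valid_after, fresh_until, {(ip, orport)}) for one consensus document."""
    valid_after = fresh_until = None
    relays = set()
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "valid-after":
            valid_after = _ts(f[1], f[2])
        elif f[0] == "fresh-until":
            fresh_until = _ts(f[1], f[2])
        elif f[0] == "r" and len(f) == 9:      # r nick identity digest date time IP ORPort DirPort
            relays.add((f[6], int(f[7])))      # keep IP and ORPort only; DirPort is ignored here
    return valid_after, fresh_until, relays

SNAPSHOTS = [parse_consensus(t) for t in CONSENSUS_SNAPSHOTS]

def classify(dst_ip, dst_port, when):
    """Classify a connection (when = 'YYYY-MM-DD HH:MM:SS') using the consensus current at that time."""
    t = _ts(*when.split())
    for valid_after, fresh_until, relays in SNAPSHOTS:
        if valid_after <= t < fresh_until:
            break
    else:
        return "no-consensus"          # no descriptor data covers that moment
    if (dst_ip, dst_port) in relays:
        return "tor-orport"            # IP and port both listed: very probably Tor
    if any(ip == dst_ip for ip, _ in relays):
        return "ip-only"               # what an IP-only intel feed would flag; much weaker
    return "no-match"

if __name__ == "__main__":
    print(classify("198.51.100.7", 443, "2017-02-22 09:30:00"))   # tor-orport
    print(classify("198.51.100.7", 443, "2017-02-22 10:30:00"))   # no-match
    print(classify("192.0.2.10", 22, "2017-02-22 09:30:00"))      # ip-only
```

Feeding the same (IP, port) pairs into a Bro script, rather than loading bare IPs into the Intel framework, is what removes the false positives the post describes.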