[Bro] Detect tor
daniel.guerra69 at gmail.com
Thu Feb 23 01:52:04 PST 2017
Tor can be detected by looking at the ssl certificates. Because the certificates
are generated by tor, the subject issuer or ssl_hostname can be used to detect
This example matches only if subject and issuer match. I have seen tor connections
event ssl_established(c: connection) &priority=6
	{
	# Tor generates its certificates with a random www.<alnum>.(net|com) name as both subject and issuer.
	local tor_cn = /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/;
	if ( (c$ssl?$subject && tor_cn == c$ssl$subject && c$ssl?$issuer && tor_cn == c$ssl$issuer) ||
	     (c$ssl?$server_name && /^www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$server_name) )  # SNI carries no "CN=" prefix
		print fmt("possible Tor TLS: %s -> %s:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p);
	}
> On 23 Feb 2017, at 05:20, Richard Johnson <rdump at river.com> wrote:
> If you want valid, low false positive, detection of the public Tor (not TOR)
> network use, you can look at the descriptors of the public relays. Get them
> from any Tor node you run, or download from the Tor Project site. That will
> give you IP addresses and ports over time. A connection to those is very
> probably Tor user->network traffic.
> A connection to a Tor node's IP on a port that isn't listed as a Tor port at
> the time of interest is much less likely to be Tor traffic. That's one of the
> failings of intel feeds listing only IPs, as almost all do when it comes to Tor.
> Bridges complicate the picture, as they're handed only to a limited subset of
> users. There, you may want to consider active measures--connect to the same
> port yourself, see if you can evoke a Tor handshake. China's delay on active
> probing of the ports was on the order of hours to days when this was most
> popular; they may have gotten faster since.
> Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
> vendors can often keep up, but it's unlikely they'll share the competitive
> Further along the arms race, bridges using pluggable transports like obfs4, or
> connections using domain fronting are not going to be easily detected, even by
> active probing.
> On 2017-02-22 08:26, ps sunu wrote:
>> ok thanks for your info
>> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>>> Another thing you could try is, if you use intel framework, then you can
>>> feed the intel FW with
>>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>>> intel.log, whenever there's
>>> a hit on TOR IPs in your network traffic.
>>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>>> Which is the best TOR detection script in bro? Is the one below
>>>> good, or is there any other script?
>> Bro mailing list
>> bro at bro-ids.org
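As an added worked example (not code from the thread or from Bro), the two approaches discussed above combined in Python: Daniel's certificate-name heuristic and Richard's descriptor-based IP:port matching, which rates an IP-only hit lower than an IP+ORPort hit. The consensus lines and addresses are constructed sample data, and the three confidence labels are an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Tor-generated certificates carry a random www.<alnum>.(net|com) name as
# both subject CN and issuer CN; the same shape appears as the SNI.
TOR_CN = re.compile(r"^CN=www\.[0-9a-zA-Z]+\.(net|com)$")
TOR_SNI = re.compile(r"^www\.[0-9a-zA-Z]+\.(net|com)$")

def cert_looks_like_tor(subject: str, issuer: str, server_name: str = "") -> bool:
    """Daniel's heuristic: self-issued cert with a Tor-style CN, or a Tor-style SNI."""
    return bool(TOR_CN.match(subject) and TOR_CN.match(issuer)) or bool(TOR_SNI.match(server_name))

def parse_consensus(text: str) -> Dict[str, Set[int]]:
    """Map relay IP -> ORPorts from the 'r' lines of a Tor consensus document.
    Line shape: r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>."""
    relays: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0] == "r":
            relays.setdefault(parts[6], set()).add(int(parts[7]))
    return relays

def classify_conn(resp_h: str, resp_p: int, relays: Dict[str, Set[int]]) -> str:
    """Richard's point: IP+ORPort listed => likely Tor; IP only => weak, IP-feed-style match."""
    ports = relays.get(resp_h)
    if ports is None:
        return "none"
    return "likely-tor" if resp_p in ports else "ip-only"

# Constructed sample consensus (documentation-range addresses, not real relays).
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-02-22 10:00:00 192.0.2.10 9001 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-02-22 10:00:00 198.51.100.7 443 0
"""

def demo() -> List[Tuple[str, str]]:
    """Classify a few constructed responder endpoints against the sample consensus."""
    relays = parse_consensus(SAMPLE_CONSENSUS)
    results = []
    for resp_h, resp_p in [("192.0.2.10", 9001), ("192.0.2.10", 22), ("203.0.113.5", 443)]:
        results.append((f"{resp_h}:{resp_p}", classify_conn(resp_h, resp_p, relays)))
    return results

if __name__ == "__main__":
    for endpoint, verdict in demo():
        print(endpoint, verdict)
    print(cert_looks_like_tor("CN=www.abc123.com", "CN=www.xyz789.net"))
```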