[Bro] Detect tor

Daniel Guerra daniel.guerra69 at gmail.com
Thu Feb 23 01:52:04 PST 2017


Tor can be detected by looking at the ssl certificates. Because the certificates
are generated by tor, the subject issuer or ssl_hostname can be used to detect
it.

This example matches only if subject and issuer match. I have seen tor connections

module DetectTor;

# Tor-generated link certificates use throwaway names of the form www.<random>.com
# or www.<random>.net in both subject and issuer; the SNI carries the same name shape
# without the "CN=" prefix, so it needs its own pattern.
const tor_cert_name = /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/;
const tor_sni_name  = /^www\.[0-9a-zA-Z]+\.(net|com)$/;

event ssl_established(c: connection) &priority=6
        {
        # Tag the connection when subject AND issuer both have the Tor shape, or when
        # the SNI alone does (the ?$ test guards the optional fields before use).
        if ( ( c$ssl?$subject && tor_cert_name == c$ssl$subject &&
               c$ssl?$issuer && tor_cert_name == c$ssl$issuer ) ||
             ( c$ssl?$server_name && tor_sni_name == c$ssl$server_name ) )
                {
                add c$service["tor"];
                }
        }

Regards,

Daniel

> On 23 Feb 2017, at 05:20, Richard Johnson <rdump at river.com> wrote:
> 
> If you want valid, low false positive, detection of the public Tor (not TOR)
> network use, you can look at the descriptors of the public relays. Get them
> from any Tor node you run, or download from the Tor Project site. That will
> give you IP addresses and ports over time. A connection to those is very
> probably Tor user->network traffic.
> 
> A connection to a Tor node's IP on a port that isn't listed as a Tor port at
> the time of interest is much less likely to be Tor traffic. That's one of the
> failings of intel feeds listing only IPs, as almost all do when it comes to Tor.
> 
> Bridges complicate the picture, as they're handed only to a limited subset of
> users. There, you may want to consider active measures--connect to the same
> port yourself, see if you can evoke a Tor handshake. China's delay on active
> probing of the ports was on the order of hours to days when this was most
> popular; they may have gotten faster since.
> 
> Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
> vendors can often keep up, but it's unlikely they'll share the competitive
> advantage.
> 
> Further along the arms race, bridges using pluggable transports like obfs4, or
> connections using domain fronting are not going to be easily detected, even by
> active probing.
> 
> 
> Richard
> 
> On 2017-02-22 08:26, ps sunu wrote:
>> ok thanks for your info
>> 
>> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>> 
>>> Another thing you could try is, if you use intel framework, then you can
>>> feed the intel FW with
>>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>>> intel.log, whenever there's
>>> a hit on TOR IPs in your network traffic.
>>> 
>>> Thanks,
>>> Fatema.
>>> 
>>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>> 
>>>> 
>>>> -----
>>>> Hi,
>>>>                Which is the best TOR detection script in bro ? below one
>>>> is good , or any other script there ?
>>>> 
>>>> https://raw.githubusercontent.com/sethhall/bro-junk-drawer/m
>>>> aster/detect-tor.bro
>>>> 
>>>> 
>>>> Regards,
>>>> Sunu
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
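As an added example (not code from this thread or from the Bro project), the following Python applies the two certificate-shape checks from Daniel's Bro script above to a handful of constructed ssl.log records, and alongside them the relay-descriptor check Richard describes, keyed on destination IP and port rather than IP alone. The log lines, relay addresses and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Shape of the throwaway names in Tor-generated link certificates, as in the Bro
# script above: subject and issuer both look like CN=www.<random>.com|net, and the
# client's SNI (server_name) uses the same name without the CN= prefix.
TOR_CERT_NAME = re.compile(r"^CN=www\.[0-9a-zA-Z]+\.(net|com)$")
TOR_SNI_NAME = re.compile(r"^www\.[0-9a-zA-Z]+\.(net|com)$")

# Constructed relay data: (IP, ORPort) pairs as they would be taken from relay
# descriptors or the consensus at the time of interest. All values are made up.
RELAY_ORPORTS: Set[Tuple[str, int]] = {
    ("192.0.2.10", 9001),
    ("192.0.2.10", 443),
    ("198.51.100.7", 9001),
}

# Constructed ssl.log excerpt in Bro's tab-separated format (subset of fields).
SSL_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer
1487814000.1\tCAbc1\t10.0.0.5\t51234\t192.0.2.10\t9001\twww.k7dja2.com\tCN=www.3bfq9z.com\tCN=www.r2m4ts.net
1487814001.2\tCAbc2\t10.0.0.6\t51235\t203.0.113.9\t443\twww.example.com\tCN=www.example.com\tCN=DigiCert SHA2 Secure Server CA
1487814002.3\tCAbc3\t10.0.0.7\t51236\t203.0.113.20\t443\twww.qp8z1v.net\t-\t-
1487814003.4\tCAbc4\t10.0.0.8\t51237\t192.0.2.10\t8443\t-\tCN=mail.corp.example\tCN=Corp Internal CA
"""


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log: the #fields header names the columns, '-' means unset."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            rows.append({k: (v if v != "-" else "") for k, v in zip(fields, values)})
    return rows


def tor_indicators(rec: Dict[str, str], relays: Set[Tuple[str, int]]) -> List[str]:
    """Return the rules that fire for one ssl.log record, mirroring the Bro script:
    'cert'  = subject AND issuer both have the Tor name shape,
    'sni'   = server_name has the Tor name shape,
    'relay' = destination IP:port is a listed relay ORPort (IP alone is not enough)."""
    reasons: List[str] = []
    if TOR_CERT_NAME.match(rec.get("subject", "")) and TOR_CERT_NAME.match(rec.get("issuer", "")):
        reasons.append("cert")
    if TOR_SNI_NAME.match(rec.get("server_name", "")):
        reasons.append("sni")
    if (rec.get("id.resp_h", ""), int(rec.get("id.resp_p") or 0)) in relays:
        reasons.append("relay")
    return reasons


def scan_ssl_log(text: str, relays: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Map each uid in the log to the list of rules that fired (empty list = no hit)."""
    return {rec["uid"]: tor_indicators(rec, relays) for rec in parse_bro_log(text)}


if __name__ == "__main__":
    for uid, reasons in scan_ssl_log(SSL_LOG, RELAY_ORPORTS).items():
        print(uid, ",".join(reasons) or "no hit")
```

Reporting which rule fired, rather than a single yes/no, is deliberate: the record CAbc2 shows that the SNI pattern on its own also matches any ordinary www.<label>.com name, while the certificate rule needs both subject and issuer to have the throwaway shape; and CAbc4 shows a connection to a relay's IP on a port that is not a listed ORPort, which an IP-only feed would have flagged and the IP:port check does not.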
