[Bro] Detect tor
Daniel Guerra
daniel.guerra69 at gmail.com
Thu Feb 23 01:52:04 PST 2017
Tor can be detected by looking at the ssl certificates. Because the certificates
are generated by tor, the subject, issuer or ssl_hostname can be used to detect
it.
This example matches only if subject and issuer match. I have seen tor connections
module DetectTor;

# Tag the connection as Tor when the self-generated certificate has a
# CN=www.<random>.(net|com) subject and issuer, or when the SNI hostname
# (server_name carries a bare hostname, not a "CN=" string) has that form.
event ssl_established(c: connection) &priority=6
	{
	if ( ( c$ssl?$subject && /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$subject &&
	       c$ssl?$issuer && /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$issuer ) ||
	     ( c$ssl?$server_name && /^www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$server_name ) )
		{
		add c$service["tor"];
		}
	}
Regards,
Daniel
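The same subject/issuer heuristic, run offline over ssl.log-style records, combined with Richard's point below that relay IP *and* ORPort from the descriptors is the stronger signal. This is an added example, not code from the thread or from Bro; the log records, the relay list and the field layout are constructed.

```python
import re
from typing import Dict, List, Tuple

# Cert heuristic from the Bro script above: subject AND issuer look like
# CN=www.<random>.(net|com). A Tor-style SNI alone is kept as a weaker signal.
CERT_CN = re.compile(r"^CN=www\.[0-9a-zA-Z]+\.(net|com)$")
SNI_HOST = re.compile(r"^www\.[0-9a-zA-Z]+\.(net|com)$")

# Constructed relay-descriptor data: (IP, ORPort) pairs, not bare IPs.
RELAY_ORPORTS = {("198.51.100.10", 9001)}
RELAY_IPS = {ip for ip, _ in RELAY_ORPORTS}

# Subset of ssl.log columns assumed for the constructed records below.
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "server_name", "subject", "issuer"]

# Constructed ssl.log-style records (tab-separated, '-' = unset field).
SAMPLE_SSL_LOG = "\n".join([
    "1487840000.1\t10.0.0.5\t51000\t198.51.100.10\t9001\twww.qj4xq7z.com\tCN=www.qj4xq7z.com\tCN=www.zn2kp.net",
    "1487840001.2\t10.0.0.5\t51001\t203.0.113.7\t443\t-\tCN=www.b7hq2.net\tCN=www.x9m3f.com",
    "1487840002.3\t10.0.0.6\t51002\t93.184.216.34\t443\twww.example.com\tCN=www.example.com\tCN=Example CA",
    "1487840003.4\t10.0.0.7\t51003\t198.51.100.10\t8080\t-\t-\t-",
])

def parse_ssl_log(text: str) -> List[Dict[str, str]]:
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line]

def classify(rec: Dict[str, str]) -> str:
    """Strongest applicable verdict for one ssl.log record."""
    dst = (rec["id.resp_h"], int(rec["id.resp_p"]))
    if dst in RELAY_ORPORTS:
        return "relay"      # IP:ORPort published in a relay descriptor
    if CERT_CN.match(rec["subject"]) and CERT_CN.match(rec["issuer"]):
        return "cert"       # both CNs follow the pattern the script checks
    if SNI_HOST.match(rec["server_name"]):
        return "sni-only"   # weak: also matches ordinary www.<word>.com sites
    if dst[0] in RELAY_IPS:
        return "ip-only"    # relay IP on a non-Tor port; IP-only feeds flag this
    return "clean"

def detect_tor(text: str) -> List[Tuple[str, str, str]]:
    """(resp_h, resp_p, verdict) for every record that is not clean."""
    out = []
    for rec in parse_ssl_log(text):
        verdict = classify(rec)
        if verdict != "clean":
            out.append((rec["id.resp_h"], rec["id.resp_p"], verdict))
    return out
```

The third record shows why the SNI-only clause is weak: a legitimate www.example.com connection satisfies it, so it is reported separately rather than as a firm Tor hit.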
> On 23 Feb 2017, at 05:20, Richard Johnson <rdump at river.com> wrote:
>
> If you want valid, low false positive, detection of the public Tor (not TOR)
> network use, you can look at the descriptors of the public relays. Get them
> from any Tor node you run, or download from the Tor Project site. That will
> give you IP addresses and ports over time. A connection to those is very
> probably Tor user->network traffic.
>
> A connection to a Tor node's IP on a port that isn't listed as a Tor port at
> the time of interest is much less likely to be Tor traffic. That's one of the
> failings of intel feeds listing only IPs, as almost all do when it comes to Tor.
>
> Bridges complicate the picture, as they're handed only to a limited subset of
> users. There, you may want to consider active measures--connect to the same
> port yourself, see if you can evoke a Tor handshake. China's delay on active
> probing of the ports was on the order of hours to days when this was most
> popular; they may have gotten faster since.
>
> Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
> vendors can often keep up, but it's unlikely they'll share the competitive
> advantage.
>
> Further along the arms race, bridges using pluggable transports like obfs4, or
> connections using domain fronting are not going to be easily detected, even by
> active probing.
>
>
> Richard
>
> On 2017-02-22 08:26, ps sunu wrote:
>> ok thanks for your info
>>
>> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>>
>>> Another thing you could try is, if you use intel framework, then you can
>>> feed the intel FW with
>>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>>> intel.log, whenever there's
>>> a hit on TOR IPs in your network traffic.
>>>
>>> Thanks,
>>> Fatema.
>>>
>>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>>
>>>>
>>>> Hi,
>>>> Which is the best TOR detection script in bro ? below one
>>>> is good , or any other script there ?
>>>>
>>>> https://raw.githubusercontent.com/sethhall/bro-junk-drawer/master/detect-tor.bro
>>>>
>>>>
>>>> Regards,
>>>> Sunu
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro