Snort mailing list archives
Re: TOR Browser detection policy rule
From: R S <rene.shuster () bcsemail org>
Date: Mon, 11 Dec 2017 09:34:42 -0500
9000,9001,9040 etc. but not 300 ports. There will be lots of traffic attributed to Tor although it isn't. Suggest to change to date to international ISO format YYYY-MM-DD On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny () netcowboy dk> wrote:
To all SNORT users: TOR Browser detection rule. Feel free to use. I have tested the rule on 100GB data set no false positives so far. If you find any false positives please let me know. alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS name"; flow:from_server,established; pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"; reference:url,networkforensic.dk; metadata:10122017; classtype:policy-violation; sid:5021501; rev:3;) It detects every time the TOR Browser is started. Best Regards Lenny Hansson *********************************** E-mail: security () netcowboy dk Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877 *********************************** _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is- the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
-- Tech III * AppControl * Endpoint Protection * Server Maintenance Buncombe County Schools Technology Department Network Group ComicSans Awareness Campaign <http://comicsanscriminal.com>
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- TOR Browser detection policy rule Lenny Hansson (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule William Siradas (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Alberto Colosi via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule R S (Dec 12)
- Re: TOR Browser detection policy rule Rob Lopez via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)