Snort mailing list archives
Re: TOR Browser detection policy rule
From: R S <rene.shuster () bcsemail org>
Date: Mon, 11 Dec 2017 09:34:42 -0500
9000,9001,9040 etc. but not 300 ports. There will be lots of traffic attributed to Tor although it isn't. Suggest to change to date to international ISO format YYYY-MM-DD On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny () netcowboy dk> wrote:
To all SNORT users:
TOR Browser detection rule. Feel free to use.
I have tested the rule on 100GB data set no false positives so far. If
you find any false positives please let me know.
alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY
- TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS
name"; flow:from_server,established;
pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i";
reference:url,networkforensic.dk; metadata:10122017;
classtype:policy-violation; sid:5021501; rev:3;)
It detects every time the TOR Browser is started.
Best Regards
Lenny Hansson
***********************************
E-mail: security () netcowboy dk
Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
***********************************
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
-- Tech III * AppControl * Endpoint Protection * Server Maintenance Buncombe County Schools Technology Department Network Group ComicSans Awareness Campaign <http://comicsanscriminal.com>
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- TOR Browser detection policy rule Lenny Hansson (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule William Siradas (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Alberto Colosi via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule R S (Dec 12)
- Re: TOR Browser detection policy rule Rob Lopez via Snort-sigs (Dec 12)
- Re: TOR Browser detection policy rule lists (Dec 12)
- Re: TOR Browser detection policy rule Tyler Montier (Dec 11)
- Re: TOR Browser detection policy rule R S (Dec 11)