Re: TOR Browser detection policy rule

[Tyler Montier <tmontier () sourcefire com>]

Lenny,

Thanks for your submission. We will review the rule for addition into the
community ruleset, and get back to you when its finished.

You said you tested the rule already, do you have any pcaps that you could
send our way while we test the rule?

Thanks,

Tyler Montier
Cisco Talos

On Mon, Dec 11, 2017 at 9:34 AM, R S <rene.shuster () bcsemail org> wrote:

> 9000,9001,9040 etc. but not 300 ports. There will be lots of traffic
> attributed to Tor although it isn't.
> Suggest to change to date to international ISO format YYYY-MM-DD
>
> On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny () netcowboy dk> wrote:
>
> > To all SNORT users:
> >
> > TOR Browser detection rule. Feel free to use.
> >
> > I have tested the rule on 100GB data set no false positives so far. If
> > you find any false positives please let me know.
> >
> > alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY
> > - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS
> > name"; flow:from_server,established;
> > pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i";
> > reference:url,networkforensic.dk; metadata:10122017;
> > classtype:policy-violation; sid:5021501; rev:3;)
> >
> > It detects every time the TOR Browser is started.
> >
> > Best Regards
> > Lenny Hansson
> > ***********************************
> > E-mail: security () netcowboy dk
> > Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
> > ***********************************
> >
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-sigs
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> > Please follow these rules: https://snort.org/faq/what-is-
> > the-mailing-list-etiquette
> >
> > Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> > to stay up to date to catch the most <a href="
> > https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
>
>
> --
> Tech III * AppControl * Endpoint Protection * Server Maintenance
> Buncombe County Schools Technology Department Network Group
> ComicSans Awareness Campaign <http://comicsanscriminal.com>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!