[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] What is being detected to alert upon?



On 04/30/2015 09:15 PM, Frederick Zierold wrote:
>
>
> Hi,
>
> I am very curious how a vendor is detecting Tor Project traffic.
>
> My questions is what are they seeing to alert upon?  I have asked
them,
> but I was told "that is in the special sauce."
>
> Is the connection from the users computer to the bridge encrypted?
>
> Thank you for your insight.
>
>
>

Special Sauce, I'll buy that for a dollar ..

At a minimum, there are different kinds of detection for Tor within the Snort "Emerging Threats" Free-version signatures. So, this isn't even 'hard' necessarily.

One rules file is dedicated to it (emerging-tor.rules), that file has all the Tor IP addresses hardcoded into it. Additionally, there are other, non-IP-address related detections for Tor within other rules files (do an egrep in the directory for "Tor " to see those).

If you run Snort with the emerging threats ruleset, but disable the emerging-tor.rules (removing its awareness of the IP addresses of tor nodes), it still gives 3 alerts when Tor starts up. "ET POLICY TLS possible TOR SSL traffic". That's with a regular Tor connection, I don't know if bridges would change anything.



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk