IDS signatures [was Re: Interestingly enough...]
Nick Mathewson
nickm at freehaven.net
Mon Nov 13 21:26:45 UTC 2006
On Tue, Nov 07, 2006 at 09:44:07AM +0100, Jan Reister wrote:
> On 31/10/2006 03:53, Fergie wrote:
> > I found it interesting that Cisco added this their most recent IDS
> > signatures:
>
> Bleedingsnort has the following signatures:
You can see the rules at
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Tor?view=markup
> 2001728 || BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic ||
> url,tor.eff.org
This one checks for the string "client <identity>".
> 2002950 || BLEEDING-EDGE POLICY TOR 1.0 Server Key Retrival ||
> url,tor.eff.org
> 2002951 || BLEEDING-EDGE POLICY TOR 1.0 Status Update || url,tor.eff.org
These two check for "GET /tor/server/" and "GET /tor/status/"
respectively. I'm surprised they don't have a rule for "Hey, somebody
just _uploaded_ a descriptor; there's a Tor server running on your
network."
> 2002952 || BLEEDING-EDGE POLICY TOR 1.0 Inbound Circuit Traffic ||
> url,tor.eff.org
> 2002953 || BLEEDING-EDGE POLICY TOR 1.0 Outbound Circuit Traffic ||
> url,tor.eff.org
These two check for the string "TOR" near the string "<identity>".
So it looks like they're detecting unencrypted directory connections,
as well as some fixed strings in our X.509 certificates. Good; that's
about what we had thought made us most fingerprintable now. We'll
probably take care of these some time as a part of our next protocol
revision.
(Note: we're not trying to resist IDS users here, or help people
violate network policy. We're trying to do it as a part of a broader
effort to keep censorious governments from blocking Tor easily.)
yrs,
--
Nick Mathewson
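The rules Nick describes above are plain fixed-string content matches, so it is easy to see what they would and would not catch. The following Python is an added example (not the Bleeding rule set, nor Tor project code) that applies those same strings to a handful of constructed packet payloads: "GET /tor/server/", "GET /tor/status/", "client <identity>", and "TOR" near "<identity>" for the inbound/outbound circuit rules. The proximity window for "near", the flow-direction handling, and the extra descriptor-upload rule (the one Nick says is missing, here keyed on an assumed "POST /tor/" request line with a placeholder SID) are all assumptions of the example.

```python
"""Toy Snort-style content matcher for the Tor POLICY rules quoted in the mail.

Added example: the match strings come from the mail; the `within` window,
the direction model and the descriptor-upload rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder SID for the "somebody uploaded a descriptor" rule Nick notes is
# missing from the Bleeding set; not a real rule number.
DESCRIPTOR_UPLOAD_SID = 9000001


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    direction: Optional[str]       # "in", "out", or None for either direction
    content: bytes                 # fixed string the rule searches for
    near: Optional[bytes] = None   # optional second string that must be close by
    within: int = 0                # assumed proximity window in bytes, either side


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = toward the monitored network, "out" = leaving it
    payload: bytes


RULES = [
    Rule(2001728, "POLICY TOR 1.0 Client Circuit Traffic", None, b"client <identity>"),
    Rule(2002950, "POLICY TOR 1.0 Server Key Retrival", None, b"GET /tor/server/"),
    Rule(2002951, "POLICY TOR 1.0 Status Update", None, b"GET /tor/status/"),
    Rule(2002952, "POLICY TOR 1.0 Inbound Circuit Traffic", "in",
         b"TOR", near=b"<identity>", within=64),
    Rule(2002953, "POLICY TOR 1.0 Outbound Circuit Traffic", "out",
         b"TOR", near=b"<identity>", within=64),
    # Assumed: descriptor uploads are an HTTP POST to /tor/ leaving the network.
    Rule(DESCRIPTOR_UPLOAD_SID, "Descriptor upload (hypothetical)", "out", b"POST /tor/"),
]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's content (and, if set, its nearby string) occurs in the flow."""
    if rule.direction is not None and rule.direction != flow.direction:
        return False
    data = flow.payload
    pos = data.find(rule.content)          # case-sensitive, like a Snort `content`
    while pos >= 0:
        if rule.near is None:
            return True
        lo = max(0, pos - rule.within)
        hi = pos + len(rule.content) + rule.within
        if rule.near in data[lo:hi]:       # second string within the assumed window
            return True
        pos = data.find(rule.content, pos + 1)
    return False


def scan(flows: List[Flow]) -> List[Tuple[int, int]]:
    """Return (rule sid, flow index) for every rule that fires, in rule order per flow."""
    hits = []
    for i, flow in enumerate(flows):
        for rule in RULES:
            if rule_matches(rule, flow):
                hits.append((rule.sid, i))
    return hits


# Constructed sample payloads; none of these are captured traffic.
SAMPLE_FLOWS = [
    Flow("out", b"GET /tor/server/all HTTP/1.0\r\nHost: dir.example.invalid\r\n\r\n"),
    Flow("out", b"GET /tor/status/authority HTTP/1.0\r\n\r\n"),
    Flow("out", b"GET /index.html HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"),
    Flow("in", b"\x16\x03\x01\x00\x2a\x0cTOR\x31\x0b\x06<identity>\x00"),  # cert-like bytes
    Flow("out", b"\x00\x10client <identity>\x00"),
    Flow("out", b"POST /tor/ HTTP/1.0\r\nContent-Length: 1234\r\n\r\nrouter ..."),
]

if __name__ == "__main__":
    for sid, idx in scan(SAMPLE_FLOWS):
        print(f"sid {sid} fired on flow {idx} ({SAMPLE_FLOWS[idx].direction})")
```

Two things the run makes visible: the benign HTTP request (flow 2) never fires, and every match depends on a literal string either in a cleartext directory request or in the certificate, which is exactly why Nick expects changing those strings in a protocol revision to defeat this class of signature.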