[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Roger Dingledine arma at mit.edu
Tue Oct 4 20:18:54 UTC 2016


On Tue, Oct 04, 2016 at 10:08:25PM +0200, Markus Koch wrote:
> Thank you very much, interesting. So I could block URLs but not on
> deep packet inspection?

That's where it starts to get murky: where do headers end and contents
begin? It depends what protocol layer you're looking at. Law-makers
spend a lot of time debating exactly that question.

In Tor's world, since Tor transports TCP streams, we think the headers
are what the TCP layer thinks of as headers, e.g. destination IP and
destination port. And the URL is way down in the payload. (After all,
what business is it of Tor's whether that stream you send over port 80
is http or is something else?)

--Roger
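
The header/payload boundary described in this message, as an added example that is not part of the original post: it splits a constructed IPv4/TCP packet at the TCP header boundary and shows that destination IP and port come from the headers, while a URL can only be recovered by parsing the payload. The function names and sample packets are assumptions made for illustration.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (checksums left zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def split_headers(packet):
    """Return (dst_ip, dst_port, payload), splitting at the TCP header boundary."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("not TCP")
    dst_ip = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4        # TCP header length, options included
    return dst_ip, dst_port, tcp[data_offset:]

def url_from_payload(dst_ip, payload):
    """Reading the URL means parsing application data, i.e. inspecting the payload."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                          # port 80 does not guarantee HTTP
    host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                 if ln.lower().startswith("host:")), dst_ip)
    return "http://" + host + parts[1]

# Constructed sample traffic (documentation addresses, not real captures).
HTTP_PKT = build_packet("192.0.2.10", "198.51.100.7", 40000, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
OTHER_PKT = build_packet("192.0.2.10", "198.51.100.7", 40001, 80,
                         b"\x16\x03\x01\x00\x05hello")
```

Both sample packets yield the same header-level view (198.51.100.7, port 80); only the payload distinguishes the HTTP request from the non-HTTP stream.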


