[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Ralph Seichter tor-relays-ml at horus-it.de
Wed Oct 5 13:40:49 UTC 2016


On 05.10.2016 14:06, oconor at email.cz wrote:

> Unfortunately for us (as an ISP) it's not just about passing these
> messages. If we don't want to be accused of not stopping something
> illegal we knew about, we need some feedback - what has been done to
> prevent this from happening in the future.

If you pass on the complaint to me, I'll give you the feedback that I
will deal with it (using "you" and "I" as examples, obviously). While I
do have the responsibility to verify that my server has not been
compromised, I am not obliged to provide detailed information on how I
deal with complaints. Also, just because some complaining party does not
like the traffic passing through my server, it does not mean that I
automatically have a legally binding obligation to prevent that traffic.

Don't get me wrong, I do take complaints seriously, and I always strive
to work with my ISPs to resolve issues in an amicable manner. However,
I do that because I choose to be a good netizen. Sometimes I don't do
anything at all, because it either does not make any sense or would
violate the "just passing through" concept (e.g. I never use any form
of traffic content inspection).

> It's really time consuming and that's why I would like to combine tor
> with some IPS for automation of the "policy set process".

I can see what motivates you. Personally, I can't think of a scenario
where I would use automation to set outbound traffic policies (inbound
traffic is a different matter, fail2ban comes to mind). I am interested
in other people's opinion regarding the prospect of an automated tool to
generate exit policies.

-Ralph

