[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Green Dream greendream848 at gmail.com
Thu Oct 6 04:43:49 UTC 2016


>> >   for i in subdir/*; do ssh host mkdir -p "$i"; done
>> >
>> > with an ssh-agent would look pretty exactly the same to the exit node.
>>
>> OK, so I left out the "Permission denied, please try again." bits :)
>
> The exit node doesn't see that - that's the point of ssh. It can
> at best look at the session length and timing and infer flakily
> from that.


Exactly. There isn't a 100% effective way to accurately filter out
"bad ssh" on the wire. It's a good example of where intrusion
prevention systems fail.

I worked at a public university where Bro (https://www.bro.org/) was
in use. One of the enabled rules was for ssh brute-force /
failed-login. It was mostly false positives. Bro was flagging
legitimate ssh traffic. Turns out Bro is notorious for this (ref:
http://mailman.icsi.berkeley.edu/pipermail/bro/2013-September/006026.html
and many other similar posts).

I've also worked with Snort and Cisco and Palo Alto IPS/IDS systems,
and I've come to hate all of them for a couple of reasons:

1) The rulesets are finicky, always in flux, highly variant between
vendors, and wildly inaccurate.

2) At the end of the day they are just tools for censorship.

The way these systems work: the admin is presented with an assortment
of rulesets, usually broadly categorized, and you just go through and
start checking off boxes with labels like "adult content", "violence",
"hacking", "tor", or if you're using an open source variant it may be
a bit more refined like "ssh brute force", "syn flood", "tcp scan",
etc.

At the end of the day though someone is just checking off boxes. The
underlying regex applied to packets may or may not have even been
looked at.

Multiply that chaos by the number of Tor exit operators who might
implement such a thing. Think about the different experience levels of
operators too; how many would know that the Bro rule for ssh was
mostly going to block legitimate ssh traffic?

We have technical and highly qualified Exit operators who could
install an IPS, sure. But we have others fairly new to being
sysadmins.

One other huge problem -- where there's IPS there are IPS logs. Every
IPS tool I know of has an option to log, and they're all going to log
by default. That's bad. I'd vote BadExit flag (if I had a vote, ha).
There's too much metadata that this would leave behind, and it may
open up the operator to legal liabilities.
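The failure mode described in this thread, as an added example (not code from the post, and not Bro's, Snort's or Suricata's actual rule logic): a toy metadata-only heuristic that flags a client as an ssh brute-forcer when it opens many short sessions in a short time, which is all an exit node could base such a rule on. Run over constructed session records, the key-authenticated `for i in subdir/*; do ssh host ...; done` loop quoted above and a password-guessing pattern look identical to the rule, so both are flagged; the threshold, window and addresses are assumptions chosen for the illustration.

```python
"""Toy on-the-wire ssh brute-force heuristic and its false positive.

Added illustration, not code from the tor-relays post nor from Bro, Snort
or Suricata.  The exit node only sees per-session metadata (addresses,
start time, duration), so the rule below is built from exactly that.
All session data is constructed here, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SshSession:
    src: str          # client address as seen by the exit
    dst: str          # ssh server address
    start: float      # session start, seconds
    duration: float   # seconds until the TCP connection closed


def flag_bruteforce(sessions, threshold=5, window=60.0, max_duration=3.0):
    """Hypothetical metadata-only rule (an assumption, not Bro's real
    logic): flag a (src, dst) pair when at least `threshold` short
    sessions (<= max_duration s) start inside any `window`-second span.
    Short, repeated sessions are what password guessing looks like on
    the wire, because each failed attempt ends in a quick disconnect."""
    starts_by_pair = defaultdict(list)
    for s in sessions:
        if s.duration <= max_duration:
            starts_by_pair[(s.src, s.dst)].append(s.start)

    flagged = set()
    for pair, starts in starts_by_pair.items():
        starts.sort()
        lo = 0
        for hi in range(len(starts)):
            # slide the window so starts[lo..hi] all lie within `window`
            while starts[hi] - starts[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(pair)
                break
    return flagged


def scripted_loop_sessions():
    """Constructed metadata for the shell loop quoted in the thread,
    `for i in subdir/*; do ssh host mkdir -p "$i"; done`, run with an
    ssh-agent: eight successful key-authenticated sessions, each about
    0.4 s long and started roughly half a second apart."""
    return [SshSession("198.51.100.7", "203.0.113.10", 10.0 + 0.5 * i, 0.4)
            for i in range(8)]


def password_guessing_sessions():
    """Constructed metadata for what a failing password loop leaves on
    the wire: twenty sessions of about 1.5 s (banner, auth failure,
    disconnect), two seconds apart."""
    return [SshSession("192.0.2.99", "203.0.113.10", 100.0 + 2.0 * i, 1.5)
            for i in range(20)]


def interactive_session():
    """Constructed metadata for one long interactive login."""
    return [SshSession("198.51.100.8", "203.0.113.10", 500.0, 1800.0)]


def demo():
    """Run the rule over all three traffic shapes and return the flagged
    (src, dst) pairs.  The scripted loop and the password guessing both
    trip it; only the interactive login is left alone."""
    sessions = (scripted_loop_sessions()
                + password_guessing_sessions()
                + interactive_session())
    return flag_bruteforce(sessions)


if __name__ == "__main__":
    for src, dst in sorted(demo()):
        print(f"flagged {src} -> {dst}")
```

Raising `threshold` or shrinking `window` until the scripted loop passes also lets slower guessing through, which is the trade-off an operator checking a box labelled "ssh brute force" never sees.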
