[tor-talk] What is being detected to alert upon?

tor at t-3.net
Thu Apr 30 18:57:01 UTC 2015


On 04/30/2015 09:15 PM, Frederick Zierold wrote:
>
> Hi,
>
> I am very curious how a vendor is detecting Tor Project traffic.
>
> My question is what are they seeing to alert upon? I have asked them,
> but I was told "that is in the special sauce."
>
> Is the connection from the user's computer to the bridge encrypted?
>
> Thank you for your insight.

Special Sauce, I'll buy that for a dollar...

At a minimum, there are different kinds of detection for Tor within 
the Snort "Emerging Threats" Free-version signatures. So, this isn't 
even 'hard' necessarily.

One rules file is dedicated to it (emerging-tor.rules); that file has 
all the Tor IP addresses hardcoded into it. Additionally, there are 
other, non-IP-address-related detections for Tor within other rules 
files (do an egrep in the directory for "Tor " to see those).

If you run Snort with the Emerging Threats ruleset, but disable the 
emerging-tor.rules (removing its awareness of the IP addresses of Tor 
nodes), it still gives 3 alerts when Tor starts up: "ET POLICY TLS 
possible TOR SSL traffic". That's with a regular Tor connection; I 
don't know if bridges would change anything.
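The reply above describes two different kinds of Tor detection in the Emerging Threats ruleset: rules whose destination field is a hardcoded list of relay addresses (emerging-tor.rules), and rules that match on the TLS handshake itself and therefore keep firing when the address rules are disabled. The following script, added here as an illustration and not part of the original post or of the Emerging Threats project, splits a rules file into those two classes and then runs the address-based class over a few flow log lines. The rule lines, the addresses (RFC 5737 documentation ranges), the sids and the flow log format are all constructed for this example; only the rule option syntax and the two message strings quoted in the post are taken from Snort and the reply.

```python
import re
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample rules in the style of the Emerging Threats Tor signatures.
# NOT the real emerging-tor.rules: addresses are RFC 5737 documentation
# ranges and the sids are placeholders.
SAMPLE_RULES = r'''
# emerging-tor.rules style: relay addresses hardcoded in the destination field
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.5] any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> 203.0.113.7 any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; classtype:policy-violation; sid:1000002; rev:1;)
# policy-rule style: matches on the TLS handshake, not on an address, so it
# survives disabling the address file (the 3 alerts the reply mentions)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,to_server; content:"|16 03|"; depth:2; classtype:policy-violation; sid:1000003; rev:1;)
'''

# Constructed flow log lines: timestamp, src:port -> dst:port, protocol.
SAMPLE_FLOWS = '''
2015-04-30T18:57:01Z 10.0.0.5:51234 -> 192.0.2.11:9001 TCP
2015-04-30T18:57:02Z 10.0.0.6:51235 -> 198.51.100.99:443 TCP
2015-04-30T18:57:03Z 10.0.0.7:51236 -> 203.0.113.7:443 TCP
'''

# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^alert\s+tcp\s+\S+\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)\s*$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
FLOW_RE = re.compile(r'^\S+\s+(\S+):\d+\s+->\s+(\S+):\d+\s+\S+$')


def _dest_ips(field: str) -> List[str]:
    """Return the literal host addresses in a destination field, or [] when the
    field is a variable ($EXTERNAL_NET), a CIDR block or otherwise not a plain
    host list."""
    ips = []
    for part in field.strip('[]').split(','):
        part = part.strip()
        try:
            ipaddress.ip_address(part)
        except ValueError:
            return []
        ips.append(part)
    return ips


def split_rules(rules_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a rules file into an address->msg index (address-based rules) and
    the msgs of rules that match on packet content instead."""
    ip_index: Dict[str, str] = {}
    content_msgs: List[str] = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        dest, options = m.groups()
        msg_m = MSG_RE.search(options)
        msg = msg_m.group(1) if msg_m else '(no msg)'
        ips = _dest_ips(dest)
        if ips:
            for ip in ips:
                ip_index[ip] = msg
        else:
            content_msgs.append(msg)
    return ip_index, content_msgs


def match_flows(flows_text: str, ip_index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag flows whose destination is one of the hardcoded Tor addresses.
    Bridges are not in the public relay list, so this class of rule cannot
    see them; only the content-based rules would."""
    hits = []
    for line in flows_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, dst = m.groups()
        if dst in ip_index:
            hits.append((src, dst, ip_index[dst]))
    return hits


if __name__ == '__main__':
    index, content_rules = split_rules(SAMPLE_RULES)
    print(f"{len(index)} hardcoded Tor addresses, {len(content_rules)} content-based rule(s)")
    for src, dst, msg in match_flows(SAMPLE_FLOWS, index):
        print(f"{src} -> {dst}: {msg}")
    print("Still active with emerging-tor.rules disabled:", content_rules)
```

Running it on the constructed input flags the two flows to hardcoded addresses and leaves one content-based rule, which is the class that explains why alerts persist after the address file is turned off; point `split_rules` at a real rules directory to see how much of a ruleset's Tor coverage depends on the address list.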
