02-11-2014 05:42 AM - edited 03-10-2019 06:08 AM
Hi,
I want to create a custom signature to produce an alert whenever any machine launches the TOR application. I have searched and found that there are already two signatures created, 5816/0 and 5816/1. I have enabled them and tested; they did not fire.
I have the IPS in promiscuous mode monitoring all VLANs, working normally. I don't have SSL interception at any device, so once TOR is established I don't have visibility over the traffic.
I need help in creating such a signature. I took a Wireshark capture of the traffic, and all I can see at the application layer is proxy connect and proxy port (see attached).
Thanks for your help.
02-12-2014 09:36 PM
Please try to match TCP port 9001 and 9090 in the signature.
02-15-2014 09:04 AM
Hi nkumarsr,
I have created a TCP string signature for ports 9001 and 9090,
and I have also added them to the built-in signatures 5816/0 and 5816/1.
I launched TOR and it did not fire. I took a capture on the client PC and searched for tcp.port == 9001 and 9090; it is not showing.
Do you have any other ideas?