
Custom signature for TOR Application

alkabeer80
Level 1

Hi,

I want to create a custom signature to produce an alert whenever any machine launches the TOR application. I have searched and found that there are already two signatures created, 5816/0 and 5816/1. I have enabled them and tested; it did not fire.

I have the IPS in promiscuous mode monitoring all VLANs, working normally. I don't have SSL interception at any device, so once TOR is established I don't have visibility over the traffic.

I need help in creating such a signature. I have taken a Wireshark capture of the traffic, and all I can see on the application layer is proxy connect and proxy port (see attached).

Thanks for your help.

2 Replies

Naveen Kumar
Level 4

Please try to match TCP ports 9001 and 9090 in the signature.

Hi nkumarsr,

I have created a TCP string signature for ports 9001, 9090,

and I have also added it in the built-in signatures 5816/0 and 5816/1.

I have launched TOR and it did not fire. I took a capture on the client PC and searched for tcp.port == 9001 and 9090; it is not showing.

Do you have any other ideas?
