Solved: TOR Client Activity

jnlawrence76 · ‎01-03-2011

I am trying to monitor TOR Client Activity via SIG IDs 5816/1 and 5816/0, however the IPS doesn't seem to pick them up. I watch the logs while running TOR from a test machine and I see nothing. Is there something I am missing or doing wrong? Both are enabled in the the Policy that I am using on the IPS Sensors.

Thanks in Advance!

Jeremy

Scott Fringer · ‎01-06-2011

Jeremy;

You will most likely need to perform a packet capture of the initial TOR connection traffic and analyze that it meets the signature specifics:

signature 5816/0 is checking for a URI that contains \tor\status\fp (case insensitive) on TCP ports 80,9001 and 9030
signature 5816/1 is looking for a TOR TLS handshake on TCP ports 443,9001 and 9030

If the above criteria are not present in the traffic your TOR client is using, the IPS will not detect the activity.

Scott

View solution in original post

Scott Fringer · ‎01-06-2011

Jeremy;

You will most likely need to perform a packet capture of the initial TOR connection traffic and analyze that it meets the signature specifics:

signature 5816/0 is checking for a URI that contains \tor\status\fp (case insensitive) on TCP ports 80,9001 and 9030
signature 5816/1 is looking for a TOR TLS handshake on TCP ports 443,9001 and 9030

If the above criteria are not present in the traffic your TOR client is using, the IPS will not detect the activity.

Scott