TOR Client Activity

jnlawrence76
Level 1

I am trying to monitor TOR Client Activity via SIG IDs 5816/1 and 5816/0, however the IPS doesn't seem to pick them up.  I watch the logs while running TOR from a test machine and I see nothing.  Is there something I am missing or doing wrong?  Both are enabled in the Policy that I am using on the IPS Sensors.

Thanks in Advance!

Jeremy

1 Accepted Solution


Scott Fringer
Cisco Employee

Jeremy;

  You will most likely need to perform a packet capture of the initial TOR connection traffic and analyze whether it meets the signature specifics:

  •   signature 5816/0 is checking for a URI that contains \tor\status\fp (case insensitive) on TCP ports 80, 9001 and 9030
  •   signature 5816/1 is looking for a TOR TLS handshake on TCP ports 443, 9001 and 9030

  If the above criteria are not present in the traffic your TOR client is using, the IPS will not detect the activity.

Scott

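A small pre-check for the capture Scott recommends, added here as an example and not code from the thread or from Cisco: it parses a constructed one-line-per-flow capture summary (a format assumed for this example) and reports, per flow, which of the two signatures' stated preconditions are met (port plus URI for 5816/0, port plus a TLS ClientHello for 5816/1), so you can see at once when the test client's traffic can never match. Treating / and \ as equivalent separators in the URI fragment is an assumption; the Tor-specific details of the 5816/1 handshake check are not in the thread and are not modelled.

```python
import re
from dataclasses import dataclass

SIG_5816_0_PORTS = {80, 9001, 9030}   # 5816/0: URI check on these ports (per the thread)
SIG_5816_1_PORTS = {443, 9001, 9030}  # 5816/1: TLS handshake check on these ports (per the thread)
# Thread writes \tor\status\fp; taking / or \ as separator is an assumption, case-insensitive as stated.
URI_RE = re.compile(r"tor[\\/]status[\\/]fp", re.IGNORECASE)
# Constructed summary line format: "<src> -> <dst>:<port> http <URI>" or "<src> -> <dst>:<port> tls <msg>"
LINE_RE = re.compile(r"^\S+ -> \S+:(\d+) (http|tls) (\S+)$")

@dataclass
class Flow:
    dst_port: int
    http_uri: str = ""               # plaintext HTTP request URI, if one was seen
    tls_client_hello: bool = False   # True if a TLS ClientHello was seen

def parse_summary(lines):
    flows = []
    for m in filter(None, map(LINE_RE.match, lines)):  # silently skip non-flow lines
        port, proto, detail = int(m.group(1)), m.group(2), m.group(3)
        if proto == "http":
            flows.append(Flow(port, http_uri=detail))
        else:  # tls
            flows.append(Flow(port, tls_client_hello=(detail == "client_hello")))
    return flows

def check_5816_0(flow):
    if flow.dst_port not in SIG_5816_0_PORTS:
        return False, f"port {flow.dst_port} not in {sorted(SIG_5816_0_PORTS)}"
    if not URI_RE.search(flow.http_uri):
        return False, "no plaintext HTTP request with tor/status/fp in the URI"
    return True, "port and URI criteria met"

def check_5816_1(flow):
    if flow.dst_port not in SIG_5816_1_PORTS:
        return False, f"port {flow.dst_port} not in {sorted(SIG_5816_1_PORTS)}"
    if not flow.tls_client_hello:
        return False, "no TLS ClientHello on the flow"
    return True, "port criterion met; the sensor still applies its Tor-specific handshake checks"

def triage(lines):
    """For each flow, list the signatures whose stated preconditions it satisfies."""
    checks = (("5816/0", check_5816_0), ("5816/1", check_5816_1))
    return [(f.dst_port, [sid for sid, chk in checks if chk(f)[0]]) for f in parse_summary(lines)]

SAMPLE = [  # constructed flows from a test client
    "10.0.0.5:51234 -> 203.0.113.7:9001 tls client_hello",
    "10.0.0.5:51235 -> 203.0.113.8:80 http /tor/status/fp/ABCDEF",
    "10.0.0.5:51236 -> 203.0.113.9:8443 tls client_hello",
]
```

The third sample flow, a TLS handshake to a port outside both lists, returns no signature at all, which is exactly the situation Scott describes: if the client's real traffic looks like that, the sensor has nothing to match.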
