MARS - TOR Client Monitoring

jnlawrence76
Level 1

I am looking for any recommendations on how to monitor for users using TOR on my network.

Thanks in Advance.

Accepted Solution

Scott Fringer
Cisco Employee

CS-MARS relies on external reporting devices to generate incidents, malicious activity and traffic anomaly detection.

Cisco's IPS sensors have two signatures (both enabled by default) that can detect potential TOR traffic:

5816/0 - TOR Client Activity

5816/1 - TOR Client Activity

It may also be possible to write additional custom signatures if additional TOR traffic fingerprinting is available.

With the IPS reporting to CS-MARS, it should be possible to be notified when potential TOR activity is detected on the network.

Scott


4 Replies


I have that set up, but I am not getting any reporting on it when I run my TOR client, so I am afraid something isn't working properly.

I have IPSs all over my network, but never seem to see any TOR alerts.

Scott,

Seeing as I have this report set up and it runs every 24 hours but is not generating any events even though I run TOR from a test box, what could be the problem? Is it something that needs to be set up differently on the IPS sensors, as I am sure it's probably not a MARS issue? Thanks in advance.

Jeremy,

As I answered in your post to the IPS community, you will need to verify that the TOR traffic your client is generating matches what the two signatures are expecting. Once the IPS is successfully detecting the traffic, your CS-MARS report should begin providing output.

Scott
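As an added example (not part of the original thread, and not Cisco IPS or CS-MARS code): a small Python triage helper that separates the cases the replies above distinguish, i.e. the sensor never firing on the test box's traffic, the sensor firing but the event never reaching CS-MARS, and the event reaching MARS but falling outside the 24-hour report window. The only facts taken from the thread are signature 5816 with subsignatures 0 and 1 and the 24-hour report. The `key=value` event layout, the sensor names, hosts, addresses and timestamps are all constructed for illustration and are not the real IPS or MARS event format; on a live deployment you would feed it the sensor's own event store on one side and what MARS actually ingested on the other.

```python
"""Triage helper: why does the CS-MARS TOR report stay empty?

Assumed (not real) event layout: one event per line, "key=value" tokens.
SENSOR_EVENTS stands for what the IPS sensor itself logged; MARS_EVENTS
stands for what CS-MARS received from the sensors.  Both are constructed
samples.  Signature 5816 subsig 0/1 = TOR Client Activity (from the thread).
"""
from collections import defaultdict
from datetime import datetime, timedelta

TOR_SIG_ID = 5816
TOR_SUBSIGS = (0, 1)
REPORT_END = datetime(2010, 3, 3, 0, 0, 0)   # constructed: when the daily report ran

# Constructed sample data.  sig=1234 is a placeholder for "some other signature".
SENSOR_EVENTS = """\
ts=2010-03-02T09:14:02 sensor=ips-core-1 sig=5816 subsig=0 src=10.1.20.44 dst=203.0.113.9 dport=9001
ts=2010-03-02T09:14:05 sensor=ips-core-1 sig=5816 subsig=1 src=10.1.20.44 dst=198.51.100.7 dport=443
ts=2010-03-02T09:30:40 sensor=ips-core-1 sig=1234 subsig=0 src=10.1.30.9 dst=192.0.2.5 dport=80
ts=2010-03-02T11:00:12 sensor=ips-dmz-1 sig=5816 subsig=0 src=10.1.40.2 dst=203.0.113.21 dport=9001
ts=2010-02-27T08:05:33 sensor=ips-dmz-1 sig=5816 subsig=1 src=10.1.50.3 dst=198.51.100.30 dport=443
"""

# Constructed: ips-dmz-1's events reach MARS, ips-core-1's TOR events do not.
MARS_EVENTS = """\
ts=2010-03-02T09:30:40 sensor=ips-core-1 sig=1234 subsig=0 src=10.1.30.9 dst=192.0.2.5 dport=80
ts=2010-03-02T11:00:12 sensor=ips-dmz-1 sig=5816 subsig=0 src=10.1.40.2 dst=203.0.113.21 dport=9001
ts=2010-02-27T08:05:33 sensor=ips-dmz-1 sig=5816 subsig=1 src=10.1.50.3 dst=198.51.100.30 dport=443
"""


def parse_events(text):
    """Parse the assumed key=value layout into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        rec["sig"] = int(rec["sig"])
        rec["subsig"] = int(rec["subsig"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(rec)
    return events


def tor_hits(events, host=None):
    """Events that are TOR Client Activity (5816/0 or 5816/1), optionally for one source host."""
    return [e for e in events
            if e["sig"] == TOR_SIG_ID and e["subsig"] in TOR_SUBSIGS
            and (host is None or e["src"] == host)]


def summarize_by_host(events):
    """{src_host: {subsig: count}} over TOR hits only; quick view of who is seen using TOR."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in tor_hits(events):
        counts[e["src"]][e["subsig"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def triage(host, sensor_events, mars_events, report_end=REPORT_END, report_hours=24):
    """Classify why a test host does (not) show up in the MARS TOR report.

    sensor-not-firing       : no 5816/0 or 5816/1 event for the host on the sensor
                              itself; the client's traffic does not match what the
                              signatures expect (the check suggested in the thread).
    sensor-fired-mars-missing: the sensor logged the hit but MARS never received it;
                              the IPS-to-MARS reporting path is the problem.
    outside-report-window   : MARS has the event, but not within the report's window.
    reported                : the event should appear in the report.
    """
    if not tor_hits(sensor_events, host):
        return "sensor-not-firing"
    at_mars = tor_hits(mars_events, host)
    if not at_mars:
        return "sensor-fired-mars-missing"
    window_start = report_end - timedelta(hours=report_hours)
    if not any(window_start <= e["ts"] <= report_end for e in at_mars):
        return "outside-report-window"
    return "reported"


if __name__ == "__main__":
    sensor = parse_events(SENSOR_EVENTS)
    mars = parse_events(MARS_EVENTS)
    print("TOR hits seen by sensors:", summarize_by_host(sensor))
    for test_box in ("10.1.20.44", "10.1.30.9", "10.1.40.2", "10.1.50.3"):
        print(test_box, "->", triage(test_box, sensor, mars))
```

Running the script shows the split the thread turns on: host 10.1.20.44 is the case from the replies above (the sensor fired on both subsignatures but MARS has nothing for it), while 10.1.30.9 never triggered 5816 on the sensor at all, which is the case where the client's traffic has to be compared against what the two signatures expect before looking at MARS.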