Re: [security-onion] Snort Alerts - TOR Known Tor Relay/Router


Doug Burks

Dec 9, 2015, 6:15:18 PM
to securit...@googlegroups.com
Hi Michael,

Since the port is 123, this is most likely NTP traffic and I would
further assume that your VOIP phones are configured to update their
time using NTP from pool.ntp.org, which quite often fires these TOR
alerts. You may want to configure your VOIP phones to pull from an
internal NTP server or tune this alert.

On Wed, Dec 9, 2015 at 2:31 PM, Michael Woiten <mike....@gmail.com> wrote:
> All,
>
> With the recent setup of Security Onion my group started seeing the following alerts generated within Snort. They are all coming from the same external address and the destination IP is to one of our many VOIP phones. Upon seeing these alerts we upgraded the firmware on the phones but the alerts are still generating at random times. Can anyone provide some more insight on the issue? Could this be a false positive?
>
>
> ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 626
> Src Port - 123
> Sig ID - 2523251
>
> Alert Rule - alert udp [95.90.132.208,95.90.16.114,95.91.10.203,95.91.121.36,95.91.168.143,95.91.43.231,96.126.102.136,96.126.105.219,96.126.105.86,96.126.122.166] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 626"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523251; rev:2361;)
>

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
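A worked version of the triage and tuning Doug describes, added here as an example; it is not code from the thread, from Emerging Threats or from Security Onion. It parses the quoted rule header (trimmed to three of the listed IPs), checks whether a UDP datagram from one of those relays is actually an NTP server reply (source port 123, 48-byte header, mode 4) rather than Tor traffic, and emits two tuning options: a narrow Snort `suppress` for the one source IP seen, and a header edit that drops source port 123 for the whole SID. The `HOME_NET` range, the alert records and both payloads are constructed; the `modifysid.conf` line follows pulledpork's `sid "search" "replace"` syntax.

```python
"""
Triage 'ET TOR Known Tor Relay/Router ... UDP Traffic' hits that are really
NTP replies (src port 123) and emit tuning for them.

Added example, not Security Onion or Emerging Threats code. RULE is trimmed
from the thread; HOME_NET, the datagrams and the payloads are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RULE = ('alert udp [95.90.132.208,95.90.16.114,95.91.10.203] any -> $HOME_NET any '
        '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 626"; '
        'reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; '
        'threshold: type limit, track by_src, seconds 60, count 1; '
        'classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523251; rev:2361;)')

HOME_NET = [ip_network('10.10.0.0/16')]  # constructed stand-in for Snort's $HOME_NET

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src_ips: list
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    raw: str


def parse_rule(text):
    """Split a Snort rule into its header fields and pull sid/msg from the options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule header')
    ips = m['src'].strip('[]').split(',')
    sid = int(re.search(r'\bsid:\s*(\d+)', m['opts']).group(1))
    msg = re.search(r'msg:"([^"]*)"', m['opts']).group(1)
    return Rule(m['action'], m['proto'], ips, m['sport'], m['dst'], m['dport'],
                sid, msg, text.strip())


def looks_like_ntp_reply(sport, payload):
    """NTPv1-4 server reply: src port 123, >= 48-byte header, mode 4 (5 = broadcast)."""
    if sport != 123 or len(payload) < 48:
        return False
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    return 1 <= version <= 4 and mode in (4, 5)


def in_home_net(ip):
    return any(ip_address(ip) in net for net in HOME_NET)


def triage(rule, src_ip, sport, dst_ip, payload):
    """Return (rule_matches, verdict) for one inbound UDP datagram."""
    matches = rule.proto == 'udp' and src_ip in rule.src_ips and in_home_net(dst_ip)
    if not matches:
        return False, 'no-match'
    if looks_like_ntp_reply(sport, payload):
        # The relay host also answers NTP (e.g. as a pool.ntp.org member): benign.
        return True, 'ntp-reply-from-tor-relay'
    return True, 'investigate'


def tuning(rule, src_ip):
    """Narrow suppress for the seen IP, plus a header edit excluding src port 123
    for the whole SID (pulledpork modifysid.conf syntax and the rewritten rule)."""
    suppress = f'suppress gen_id 1, sig_id {rule.sid}, track by_src, ip {src_ip}'
    modifysid = f'{rule.sid} "{rule.sport} ->" "!123 ->"'
    rewritten = rule.raw.replace(f' {rule.sport} -> ', ' !123 -> ', 1)
    return suppress, modifysid, rewritten


# Constructed datagrams: an NTP reply (LI=0, VN=4, mode=4 -> 0x24; stratum 2)
NTP_REPLY = bytes([0x24, 0x02, 0x06, 0xEC]) + bytes(44)
# and a non-NTP UDP payload from the same relay on a high port
OTHER = b'\x00\x01\x02\x03' + bytes(40)

if __name__ == '__main__':
    rule = parse_rule(RULE)
    for src, sport, dst, payload in [('95.90.132.208', 123, '10.10.5.21', NTP_REPLY),
                                     ('95.90.132.208', 9001, '10.10.5.21', OTHER),
                                     ('8.8.8.8', 123, '10.10.5.21', NTP_REPLY)]:
        print(src, sport, '->', dst, triage(rule, src, sport, dst, payload))
    for line in tuning(rule, '95.90.132.208'):
        print(line)
```

The per-IP suppress only helps for the relay already seen; since pool.ntp.org hands the phones a different server on each lookup, the source-port exclusion (or, as Doug says, pointing the phones at an internal NTP server) is the durable fix.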