Tor rules


packetsmacker

Nov 3, 2017, 4:44:12 PM11/3/17
to security-onion
I think both of these are saying that a known Tor Relay/Router or exit node IP is hitting our website. Is that correct? Our IPs are always the destination in these alerts. Also what does the group number mean because each group number has a different ID which makes disabling them a pain. Is there a better way to disable them? I am currently adding the ID to the disablesid.conf file. I wondered about using the pcre but all the examples I found just use one word like pcre:Tor. I wondered if pcre:Tor Relay would work.

ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 59
ET TOR Known Tor Exit Node TCP Traffic group 58


Current security policies don't cover Tor traffic. I really just want to make sure we are not hosting an exit node. I don't know that much about Tor. Based on these two alerts I don't think we are. These are the only two I have seen so far.

Wes Lambert

Nov 4, 2017, 8:32:24 PM11/4/17
to securit...@googlegroups.com

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

packetsmacker

Nov 6, 2017, 9:54:06 AM11/6/17
to security-onion
On Saturday, November 4, 2017 at 8:32:24 PM UTC-4, Wes wrote:
> Could this be related to NTP?
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/NTP#ids-alerts
>
> Thanks,
> Wes
>
> On Nov 3, 2017 4:44 PM, "packetsmacker" <ott....@gmail.com> wrote:
> I think both of these are saying that a known Tor Relay/Router or exit node IP is hitting our website. Is that correct? Our IPs are always the destination in these alerts. Also what does the group number mean because each group number has a different ID which makes disabling them a pain. Is there a better way to disable them? I am currently adding the ID to the disablesid.conf file. I wondered about using the pcre but all the examples I found just use one word like pcre:Tor. I wondered if pcre:Tor Relay would work.
>
> ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 59
> ET TOR Known Tor Exit Node TCP Traffic group 58
>
> Current security policies don't cover Tor traffic. I really just want to make sure we are not hosting an exit node. I don't know that much about Tor. Based on these two alerts I don't think we are. These are the only two I have seen so far.

I don't think so. Looking at CapMe, the source IP is just browsing our website on 80. Port 123 isn't used.

Wes Lambert

Nov 6, 2017, 1:11:53 PM11/6/17
to securit...@googlegroups.com
You could certainly put something like the following in disablesid.conf:


Wes Lambert

Nov 6, 2017, 1:15:07 PM11/6/17
to securit...@googlegroups.com
Accidentally hit enter before I was finished :)

I meant to say, 

You could certainly put something like the following in disablesid.conf:

pcre: Tor Relay

That would indeed squelch alerts for all of those rules.

These rules are mainly looking for traffic from one of these nodes to you.

Ex. alert udp [82.47.32.72,82.49.189.131,82.5.42.105,82.59.161.232,82.6.112.160,82.64.7.146,82.64.9.116,82.67.110.229,8.26.94.18,82.69.76.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 522"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523043; rev:3135;

Thanks,
Wes
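To make the two points in this reply concrete (a `pcre:` entry in disablesid.conf silences every rule whose text matches, and the ET TOR rules fire on traffic from a listed node to `$HOME_NET`), here is an added example; it is not code from the thread, from Security Onion or from PulledPork. It parses rule headers the way the quoted rule is laid out, reads PulledPork-style `gid:sid` and `pcre:` entries, and reports which rules a given disablesid.conf would switch off and in which direction each rule looks. The sample rules are constructed: the IP lists are shortened to documentation addresses and the 9000xxx sids are placeholders (only sid 2523043 comes from the thread). It also assumes that PulledPork matches a `pcre:` entry against the whole rule line rather than only the msg.

```python
import re

# Constructed sample rules modelled on the ET TOR rules quoted in the thread.
# IP lists are shortened to documentation addresses; sids 9000xxx are
# placeholders, only sid 2523043 is the one quoted in the thread.
SAMPLE_RULES = """\
alert tcp [203.0.113.10,203.0.113.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:9000059; rev:1;)
alert tcp [198.51.100.5,198.51.100.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:9000058; rev:1;)
alert udp [82.47.32.72,82.49.189.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 522"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523043; rev:3135;)
alert udp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"CONSTRUCTED outbound NTP example"; sid:9000001; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split a Snort/Suricata rule into header fields plus msg, gid and sid."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    rule = m.groupdict()
    opts = rule.pop("opts")
    msg = re.search(r'msg:"([^"]*)"', opts)
    sid = re.search(r'\bsid:(\d+)', opts)
    gid = re.search(r'\bgid:(\d+)', opts)
    rule["msg"] = msg.group(1) if msg else ""
    rule["sid"] = int(sid.group(1)) if sid else None
    rule["gid"] = int(gid.group(1)) if gid else 1  # gid defaults to 1
    rule["raw"] = line.strip()
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def parse_disablesid(text):
    """Read 'gid:sid' and 'pcre:<regex>' entries from disablesid.conf text.
    Other PulledPork syntax (ranges, categories) is ignored here."""
    sids, patterns = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
            continue
        m = re.fullmatch(r'(\d+):(\d+)', line)
        if m:
            sids.add((int(m.group(1)), int(m.group(2))))
    return sids, patterns


def disabled_sids(rules_text, conf_text):
    """Return the (gid, sid) pairs the conf would disable.
    ASSUMPTION: a pcre entry is matched against the whole rule line."""
    sids, patterns = parse_disablesid(conf_text)
    out = set()
    for r in load_rules(rules_text):
        key = (r["gid"], r["sid"])
        if key in sids or any(p.search(r["raw"]) for p in patterns):
            out.add(key)
    return out


def direction(rule):
    """'inbound' when a listed address set is the source and $HOME_NET the
    destination (a known node contacting our hosts); 'outbound' for the reverse."""
    if rule["dst"] == "$HOME_NET" and rule["src"].startswith("["):
        return "inbound"
    if rule["src"] == "$HOME_NET":
        return "outbound"
    return "other"


if __name__ == "__main__":
    hit = disabled_sids(SAMPLE_RULES, "pcre:Tor Relay\n")
    for r in load_rules(SAMPLE_RULES):
        state = "disabled" if (r["gid"], r["sid"]) in hit else "enabled"
        print(state, r["sid"], direction(r), r["msg"])
```

Running it shows the caveat worth knowing before relying on `pcre:Tor Relay`: it matches both relay rules (groups 59 and 522) but leaves the exit-node rule for group 58 enabled, because that msg never contains the words "Tor Relay"; an entry such as `pcre:ET TOR` would cover both families. The direction column also shows why these alerts say nothing about hosting a node: every ET TOR rule here has the node list as source and `$HOME_NET` as destination.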