Tuesday, January 25, 2005

Detecting TOR on your network

I've written about the TOR anonymizing TCP proxy before, and in general I think it's quite a useful tool. There are a lot of situations where you might legitimately want to obfuscate your true online identity and/or prevent your ISP from keeping track of what you access over the Internet. TOR is really good for these sorts of things, and is a cool project, to boot.

There are some situations, though, in which using TOR (or any other similar service) is not appropriate. One such situation is when your Acceptable Use Policy forbids it, as is probably the case for many people using their employer's LAN. If you're a network administrator and you need to monitor TOR usage, you can try the following Snort rule I cooked up:

alert tcp any any -> $HOME_NET any (msg: "TOR 1.0 Proxy Connection Attempt"; content: "TOR"; content: "<identity>"; within:30; classtype:policy-violation; resp:rst_all; sid:5000030; rev:1;)

This should alert you any time the TOR proxy attempts to create a connection to the rest of the TOR network. As written, this rule also makes use of Snort's "flexible response" feature to try to shut down the connections as they are established. This isn't entirely effective, but it seems to work about 80% of the time for me, which at least makes TOR really annoying to use. If you prefer not to take action, delete the part that says "resp:rst_all;".


falter said...

(I found your blog post after googling for "detecting tor")

After battling with the problem of how to detect TOR, I realized that it should be fairly simple. TOR uses SSL. SSL uses signed certificates. TOR signs the certificates that are distributed with their official client releases (as far as I can tell).

Poking around in Ethereal, I found that this filter works rather well with detecting TOR's SSL negotiation :
x509sat.DirectoryString == "TOR"

From this, I was able to put together a quick little snort signature. Pardon the fact that it is horribly generic. We use ISS Realsecure, which has only a very basic implementation of Snort called "Trons" (which is "Snort" spelled backwards). It's incredibly ancient and horrible, but it works.

alert tcp $HOME_NET any -> any any (msg:"TOR_detected"; content:"|06 03 55 04 0a 13 03 54 4f 52|"; sid:9996; priority:3;)

I'd imagine that with a response, it could be rather effective.

~mike ryan (falter@gmail.com)

carp said...

Actually, if your AUP forbids it (I imagine most don't actually), thats kinda stupid, I would recommend that you tell the people in charge of it that it should be updated.

Its useful for anyone who doesn't want to be giving away accidental information. Do you want every website that you go to to know that someobody at your company is checking them out? Do you want anyone sitting just outside your uplink sniffing your traffic and seeing what sites people at your company use a lot so he can target man in the middle attacks?

Frankly, I am of the "every computer on the intenet should just start running tor, and all services should transition to location hidden" mindset.

If I were in charge, it would be a violation of the AUP to NOT use it, it is for your own protection!