Delivery-Date: Thu, 30 Apr 2015 14:57:14 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 2BE711E1048
	for <archiver@seul.org>; Thu, 30 Apr 2015 14:57:12 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5FA4734928;
	Thu, 30 Apr 2015 18:57:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id C0C2C34925
 for <tor-talk@lists.torproject.org>; Thu, 30 Apr 2015 18:57:03 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id rUz7wK0561XA for <tor-talk@lists.torproject.org>;
 Thu, 30 Apr 2015 18:57:03 +0000 (UTC)
Received: from corp.netservicesgroup.com (corp.netservicesgroup.com
 [64.113.34.13])
 by eugeni.torproject.org (Postfix) with ESMTP id A73A534922
 for <tor-talk@lists.torproject.org>; Thu, 30 Apr 2015 18:57:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default;
 t=1430420223; bh=VW8TrMDvCFFUXM8piIVEMUgcj1xGPnlk0lkpXJRPwKg=;
 h=From:To:Subject:Date;
 b=uqQWzPzCXNSJgPRcC/uvkeay9PdEdaSAx5hRaZkrW8MbhgIV4yZnIn7dPICwiufpo
 InIPnf7Q+7oy4KFvrz0WECGUXsD6TLx++jMFEd3nef13AOBiG/rXemGG4Rq2XProw8
 JX3dcFsCfgYS8kKjHL2haa2+MIxjYSZ4x3tk3S+U=
X-Rcpt-Trace: tor-talk at lists.torproject.org
X-Default-Received-SPF: pass (skip=forwardok (res=PASS))
 x-ip-name=64.113.32.22; 
From: tor@t-3.net
To: <tor-talk@lists.torproject.org>
Date: Thu, 30 Apr 2015 14:57:01 -0400
Message-ID: <55427afd.9d8.e2df0700.2c63169a@t-3.net>
MIME-Version: 1.0
X-Originating-IP: 64.113.32.22
X-Mailer: SurgeWeb - Ajax Webmail Client
X-Authenticated-User: tor@t-3.net 
X-SpamDetect: : 0.000000 
X-Vpipe: Scanner said ok (av_avast)
X-Info: aspam skipped due to (g_smite_skip_auth)
X-VirusScan: Message is clean (g_virus_cmd clamdscan scanned message)
X-MyRbl: Color=Unknown ip=64.113.32.22
X-IP-stats: Incoming Last 6, First 7, in=2, out=0, spam=0 ip=64.113.32.22
Subject: Re: [tor-talk] What is being detected to alert upon?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 04/30/2015 09:15 PM, Frederick Zierold wrote:
 >
 >
 > Hi,
 >
 > I am very curious how a vendor is detecting Tor Project traffic.
 >
 > My question is what are they seeing to alert upon?  I have asked them,
 > but I was told "that is in the special sauce."
 >
 > Is the connection from the user's computer to the bridge encrypted?
 >
 > Thank you for your insight.
 >
 >
 >

Special Sauce, I'll buy that for a dollar ..

At a minimum, there are different kinds of detection for Tor within 
the Snort "Emerging Threats" Free-version signatures. So, this isn't 
even 'hard' necessarily.

One rules file is dedicated to it (emerging-tor.rules); that file has 
all the Tor IP addresses hardcoded into it. Additionally, there are 
other, non-IP-address-related detections for Tor within other rules 
files (do an egrep in the directory for "Tor " to see those).

If you run Snort with the Emerging Threats ruleset but disable 
emerging-tor.rules (removing its awareness of the IP addresses of Tor 
nodes), it still gives 3 alerts when Tor starts up: "ET POLICY TLS 
possible TOR SSL traffic". That's with a regular Tor connection; I 
don't know if bridges would change anything.



-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
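An added illustration of the two detection styles the reply describes, written for this archive page and not taken from the post, from Snort, or from the Emerging Threats ruleset. Everything in it is constructed: the Snort-style rules use RFC 5737 documentation addresses and placeholder sids rather than real relay IPs, and the TLS server-name pattern is an assumption modelled on Tor's historical use of random www.*.com/.net certificate names, not the content of the real "ET POLICY TLS possible TOR SSL traffic" signature. The script parses the IP list out of an emerging-tor.rules-style file, runs constructed flow records through both the IP table and the name heuristic, and then repeats the run with the IP rule file disabled, which is the experiment the reply reports.

```python
"""Toy model of the two detection styles described in the post: an IP-list
rule file (like emerging-tor.rules) and a non-IP TLS heuristic (like the
"ET POLICY TLS possible TOR SSL traffic" signature).  Example code written
for this archive page; not part of Snort or the Emerging Threats ruleset."""
import re
from dataclasses import dataclass

# Constructed sample rules in Snort syntax.  The destination addresses come
# from the RFC 5737 documentation ranges and are NOT real Tor relays; the
# sids 9000001+ are placeholders, not ET sids.
TOR_IP_RULES = """\
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.7] any (msg:"EXAMPLE TOR Known Tor Relay Node Traffic"; flags:S; classtype:misc-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> [203.0.113.5] any (msg:"EXAMPLE TOR Known Tor Exit Node Traffic"; flags:S; classtype:misc-attack; sid:9000002; rev:1;)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^alert\s+\w+\s+\S+\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)\s*$")
# One option: key:"quoted value"; or key:value;
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?;')

# ASSUMPTION: a constructed stand-in for the non-IP heuristic.  Tor's link
# handshake historically presented certificates for random names shaped like
# www.<random>.com / .net; this pattern is our own, not the ET rule's content.
TOR_TLS_NAME_RE = re.compile(r"^www\.[a-z0-9]{8,20}\.(com|net)$")
TLS_HEURISTIC_SID = 9000003
TLS_HEURISTIC_MSG = "EXAMPLE POLICY TLS possible TOR SSL traffic"


def parse_ip_rules(text: str) -> dict[str, tuple[int, str]]:
    """Map each literal destination IP in the rules to the (sid, msg) covering it."""
    table: dict[str, tuple[int, str]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, or rule shapes this toy parser skips
        dst, options = m.groups()
        opts = dict(OPT_RE.findall(options))
        for ip in dst.strip("[]").split(","):
            table[ip.strip()] = (int(opts["sid"]), opts["msg"])
    return table


@dataclass(frozen=True)
class Flow:
    """One outbound connection as a sensor would summarise it."""
    src: str
    dst: str
    dport: int
    server_name: str = ""  # TLS SNI / certificate CN seen in the handshake, if any


# Constructed flows: two to "listed relays", one to an unlisted host whose
# handshake still looks Tor-like, one ordinary HTTPS session, one SSH session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 9001, "www.xk3q7z2v9a.net"),
    Flow("10.0.0.5", "203.0.113.5", 443, "www.p8rt2mqz4k.com"),
    Flow("10.0.0.5", "198.51.100.200", 443, "www.b4n9wq2ls7e.com"),
    Flow("10.0.0.5", "198.51.100.80", 443, "www.example.com"),
    Flow("10.0.0.5", "192.0.2.99", 22),
]


def detect(flows, ip_table, tls_heuristic=True):
    """Return (sid, msg, dst) alerts; every rule that matches fires, as in Snort."""
    alerts = []
    for f in flows:
        if f.dst in ip_table:
            sid, msg = ip_table[f.dst]
            alerts.append((sid, msg, f.dst))
        if tls_heuristic and TOR_TLS_NAME_RE.match(f.server_name):
            alerts.append((TLS_HEURISTIC_SID, TLS_HEURISTIC_MSG, f.dst))
    return alerts


def run_scenario(ip_rules_enabled: bool):
    """Mirror the post's experiment: run with, then without, the IP rule file."""
    table = parse_ip_rules(TOR_IP_RULES) if ip_rules_enabled else {}
    return detect(SAMPLE_FLOWS, table)


if __name__ == "__main__":
    for enabled in (True, False):
        state = "enabled" if enabled else "disabled"
        print(f"\nemerging-tor.rules {state}:")
        for sid, msg, dst in run_scenario(enabled):
            print(f"  [{sid}] {msg} -> {dst}")
```

With the IP rule file loaded, the listed destinations fire their IP rule and the name heuristic fires alongside it; with the file disabled, only the heuristic alerts remain, including the one for the host that no IP list knows about. That last case is the point of keeping a behavioural signature beside an address list: the list goes stale as relays come and go, while the handshake shape does not.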

