List: emerging-sigs
Subject: [Emerging-Sigs] TOR rules without IPs.
From: Attack Detection <attackdetectionteam () gmail ! com>
Date: 2017-08-25 18:04:55
Message-ID: CALJOUfY-2s0OWwC=Qe=0pUzGgSV4NtDKRP2m=6qp-DDMtMgtEg () mail ! gmail ! com
These are rules for detecting connections with a TOR entry node based on the
length of SSL app_data fragments. Now you can detect TOR connections using
IP reputation lists or these rules.
Some facts about the rules:
- 10 rules split into 5 groups, with a description at the beginning of each one;
- the rules use flowbits under the hood: flowbits which were set by the previous
group are used by the next one;
- the rules check 3 things: small content, app_data length using byte_test, and
the registered amount of bytes in a stream;
- the rules contain ports so you can specify which traffic you want to inspect
or reduce the load on the sensor;
- only the last rule generates an alert. All others are suppressed (flowbits:
noalert).
We analyzed ~4k connections, and we are not immune to FPs.
Glad to receive any feedback.
We are not attaching any pcaps because you have a lot of TOR traffic
yourselves ;)
Happy hunting!
# Flowbit chain: cert serv sets FB0_01 -> pkt checker #0 sets FB0_0 -> #1 swaps it
# for FB0_1 -> #2 for FB0_2 -> #3 for FB0_3 -> the last rule consumes FB0_3 and alerts.
# Every rule after the certificate check also requires 0 < stream_size < 40000 in
# both directions. One rule per line, as Suricata/Snort expect.

# initial check for server certificate: DER prefix 30 82 .. .. 30 82 01 .. a0 03 02 01 02 02
# (Certificate, tbsCertificate, [0] version v3, serial tag), then "ww" 38 bytes later (CN www.*)
alert tcp $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] cert serv"; flow: established, to_client; content: "|3082|"; depth: 300; content: "|308201|"; distance:2; within:3; content: "|a00302010202|"; distance:1; within:6; content: "|7777|"; distance:38; within:2; fast_pattern; flowbits: set, FB0_01; flowbits: noalert; threshold: type limit, track by_src, count 1, seconds 30; classtype: trojan-activity; metadata: autosign, id_0, created_at 2017_8_24; sid: 10001844; rev: 1;)

# first packet from client with SSL app_data of length 33, 48 or 64 bytes
# (|17 03| = application_data record header, |00 21| = 33, |00 30| = 48, |00 40| = 64)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content: "|00 21|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001460; rev: 3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content: "|00 30|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001842; rev: 1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content: "|00 40|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001843; rev: 1;)

# next two fragments are a client-server exchange
# (byte_test skips the version minor byte after |1703| and reads the 2-byte record length:
#  server fragment 1420..2096 bytes, then client fragment 538..1052 bytes)
alert tcp $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #1"; flow: established, to_client; content: "|1703|"; depth:2; byte_test: 2, >=,1420, 1, relative; byte_test: 2, <=,2096, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_0; flowbits: unset, FB0_0; flowbits: set, FB0_1; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001461; rev: 6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] (msg: "ET TOR [PTsecurity] pkt checker #2"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,538, 1, relative; byte_test: 2, <=,1052, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_1; flowbits: unset, FB0_1; flowbits: set, FB0_2; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001462; rev: 3;)

# now we are waiting to receive from the server any fragment of 538, 576 or 560 bytes
# (|02 1a| = 538, |02 40| = 576, |02 30| = 560)
alert tcp $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content: "|02 1a|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: unset, FB0_2; flowbits: set, FB0_3; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001463; rev: 3;)
alert tcp $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content: "|02 40|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: unset, FB0_2; flowbits: set, FB0_3; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001845; rev: 3;)
alert tcp $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content: "|02 30|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: unset, FB0_2; flowbits: set, FB0_3; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001846; rev: 3;)

# generate alert: client fragment of 538..4072 bytes while FB0_3 is set (the only rule without noalert)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480,9090,3971,5001,9101,21,4375,9001,9002,9003,9004,9009,9010,9011,443,444,10183,8008,80,61014,110,60784,26103,59001] (msg: "ET TOR [PTsecurity] TOR SSL connection (Not Exit)"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,538, 1, relative; byte_test: 2, <=,4072, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_3; flowbits: unset, FB0_3; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001464; rev: 3;)
["tor.rules" (application/octet-stream)]
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
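The flowbit chain in the rules above, re-implemented as a small Python state machine so it can be stepped through on constructed traffic. This is an added example, not code from the original post or from PTsecurity: packets are modelled as (direction, payload) pairs, the port filter is not modelled, the names run_chain, looks_like_tor_cert, app_data_len and FAKE_CERT are this example's own, and every byte string (including the stand-in certificate) is constructed, not captured.

```python
# Added example (not part of the original post): the PTsecurity flowbits chain
# as a Python state machine. Packets are (direction, payload) pairs with
# direction "client" or "server"; the rules' port lists are not modelled.
# All byte strings below are constructed stand-ins, not captures.

APP_DATA = 0x17  # TLS ContentType application_data

FINAL_MSG = "ET TOR [PTsecurity] TOR SSL connection (Not Exit)"


def app_data_len(payload):
    """Record length if the packet starts with |17 03|, else None.

    Mirrors content:"|1703|"; depth:2; byte_test:2,...,1,relative: the version
    minor byte is skipped and the two-byte record length is read.
    """
    if len(payload) >= 5 and payload[0] == APP_DATA and payload[1] == 0x03:
        return int.from_bytes(payload[3:5], "big")
    return None


def looks_like_tor_cert(payload):
    """Mirror of the 'cert serv' rule's content/distance/within chain.

    Each 'within' equals its pattern length, so every later pattern must sit
    at one exact offset from the previous match. |3082| is searched within
    depth:300 and, like the engine, later |3082| hits are retried on failure.
    """
    head = payload[:300]
    i = head.find(b"\x30\x82")
    while i != -1:
        p = i + 2 + 2                           # distance:2 after |3082|
        if payload[p:p + 3] == b"\x30\x82\x01":
            q = p + 3 + 1                       # distance:1 after |308201|
            if payload[q:q + 6] == b"\xa0\x03\x02\x01\x02\x02":
                r = q + 6 + 38                  # distance:38 after the serial tag
                if payload[r:r + 2] == b"ww":
                    return True
        i = head.find(b"\x30\x82", i + 1)
    return False


def run_chain(packets):
    """Step the five rule groups over the packets in order; return alert msgs.

    The groups alternate direction, so one packet advances at most one step.
    """
    bits = set()
    size = {"client": 0, "server": 0}
    alerts = []
    for direction, payload in packets:
        size[direction] += len(payload)
        # Group 1: server certificate. The rule has no stream_size constraint.
        if direction == "server" and looks_like_tor_cert(payload):
            bits.add("FB0_01")
        n = app_data_len(payload)
        # Every later rule: stream_size > 0 and < 40000 in both directions.
        if n is None or not all(0 < s < 40000 for s in size.values()):
            continue
        if direction == "client" and n in (33, 48, 64) and "FB0_01" in bits:
            bits.add("FB0_0")                              # pkt checker #0
        elif direction == "server" and 1420 <= n <= 2096 and "FB0_0" in bits:
            bits.discard("FB0_0"); bits.add("FB0_1")       # pkt checker #1
        elif direction == "client" and 538 <= n <= 1052 and "FB0_1" in bits:
            bits.discard("FB0_1"); bits.add("FB0_2")       # pkt checker #2
        elif direction == "server" and n in (538, 560, 576) and "FB0_2" in bits:
            bits.discard("FB0_2"); bits.add("FB0_3")       # pkt checker #3
        elif direction == "client" and 538 <= n <= 4072 and "FB0_3" in bits:
            bits.discard("FB0_3")
            alerts.append(FINAL_MSG)                       # the only alerting rule
    return alerts


def app_data(n):
    """Constructed TLS 1.2 application_data record carrying n payload bytes."""
    return b"\x17\x03\x03" + n.to_bytes(2, "big") + bytes(n)


# Constructed stand-in for the server Certificate record: just the DER prefix
# the rule keys on, 38 bytes of serial/signatureAlgorithm/issuer header, and a
# CN beginning with "www". Not a real Tor certificate.
FAKE_CERT = (
    b"\x16\x03\x03\x01\x00"                          # handshake record header
    + b"\x30\x82\x03\x10"                            # Certificate SEQUENCE
    + b"\x30\x82\x01\xf8"                            # tbsCertificate SEQUENCE
    + b"\xa0\x03\x02\x01\x02\x02"                    # [0] version v3, serial tag
    + b"\x09" + bytes(9)                             # serial length + 9 bytes
    + b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"  # sigalg
    + b"\x30\x1c\x31\x1a\x30\x18\x06\x03\x55\x04\x03\x0c\x11"          # issuer CN
    + b"www.example.com"
)

# Constructed flow that walks the whole chain: cert, 48, 1500, 600, 560, 1000.
TOR_LIKE = [("server", FAKE_CERT), ("client", app_data(48)),
            ("server", app_data(1500)), ("client", app_data(600)),
            ("server", app_data(560)), ("client", app_data(1000))]
# Same flow without the certificate: FB0_01 is never set, nothing alerts.
NO_CERT = TOR_LIKE[1:]
# Same flow with one oversized server record: stream_size >= 40000 stops it.
BIG_STREAM = TOR_LIKE[:1] + [("server", app_data(40000))] + TOR_LIKE[1:]

if __name__ == "__main__":
    for name, flow in (("tor-like", TOR_LIKE), ("no cert", NO_CERT),
                       ("big stream", BIG_STREAM)):
        print(name, run_chain(flow))
```

The two negative flows show the two ways the chain silently resets: a missing certificate match leaves FB0_01 unset so pkt checker #0 never fires, and a single large record pushes stream_size past 40000 so every later rule is skipped for the rest of the connection. To replay a real capture through the same logic, feed it the per-packet TCP payloads of one flow in order, tagged with their direction.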