
List:       emerging-sigs
Subject:    [Emerging-Sigs] TOR rules without IPs.
From:       Attack Detection <attackdetectionteam () gmail ! com>
Date:       2017-08-25 18:04:55
Message-ID: CALJOUfY-2s0OWwC=Qe=0pUzGgSV4NtDKRP2m=6qp-DDMtMgtEg () mail ! gmail ! com

These are rules for detecting connections with a TOR entry node based on the
length of SSL app_data fragments. Now you can detect TOR connections using
IP reputation lists or these rules.
Some facts about the rules:
- 10 rules split into 5 groups, with a description at the beginning of each one;
- the rules use flowbits under the hood: flowbits set by the previous
group are used by the next one;
- the rules check 3 things: small content matches, app_data length using byte_test, and
the number of bytes registered in a stream;
- the rules contain ports, so you can specify which traffic you want to inspect
or reduce the load on the sensor;
- only the last rule generates an alert. All others are suppressed (flowbits:
noalert).

We analyzed ~4k connections, and we are not immune to FPs.
Glad to receive any feedback.
We are not attaching any pcaps because you have a lot of TOR traffic
yourself ;)
Happy hunting!

# initial check for server certificate
alert tcp $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] cert serv"; flow: established, to_client; content: "|3082|"; depth: 300; content: "|308201|"; distance:2; within:3; content: "|a00302010202|"; distance:1; within:6; content: "|7777|"; distance:38; within:2; fast_pattern; flowbits: set, FB0_01; flowbits: noalert; threshold: type limit, track by_src, count 1, seconds 30; classtype: trojan-activity; metadata: autosign, id_0, created_at 2017_8_24; sid: 10001844; rev: 1;)

# first packet from client with SSL app_data of length 33, 48 or 64 bytes (0x21, 0x30, 0x40)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content:"|00 21|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001460; rev: 3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content:"|00 30|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001842; rev: 1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] (msg: "ET TOR [PTsecurity] pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: set, FB0_0; flowbits: isset, FB0_01; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001843; rev: 1;)

# next two fragments are a client-server exchange (server 1420..2096 bytes, then client 538..1052 bytes)
alert tcp $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #1"; flow: established, to_client; content: "|1703|"; depth:2; byte_test: 2, >=,1420, 1, relative; byte_test: 2, <=,2096, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_0; flowbits: unset, FB0_0; flowbits: set, FB0_1; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001461; rev: 6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] (msg: "ET TOR [PTsecurity] pkt checker #2"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,538, 1, relative; byte_test: 2, <=,1052, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_1; flowbits: unset, FB0_1; flowbits: set, FB0_2; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001462; rev: 3;)

# now we are waiting to receive from the server any fragment of 538, 576 or 560 bytes (0x021a, 0x0240, 0x0230)
alert tcp $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content:"|02 1a|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: noalert; flowbits: unset, FB0_2; flowbits: set, FB0_3; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001463; rev: 3;)
alert tcp $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content:"|02 40|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: unset, FB0_2; flowbits: set, FB0_3; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001845; rev: 3;)
alert tcp $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] -> $HOME_NET any (msg: "ET TOR [PTsecurity] pkt checker #3"; flow: established, to_client; content: "|1703|"; depth:2; content:"|02 30|"; distance:1; within:2; fast_pattern; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_2; flowbits: unset, FB0_2; flowbits: set, FB0_3; flowbits: noalert; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001846; rev: 3;)

# generate alert (client app_data of 538..4072 bytes after the whole chain matched)
alert tcp $HOME_NET any -> $EXTERNAL_NET [4480, 9090, 3971, 5001, 9101, 21, 4375, 9001, 9002, 9003, 9004, 9009, 9010, 9011, 443, 444, 10183, 8008, 80, 61014, 110, 60784, 26103, 59001] (msg: "ET TOR [PTsecurity] TOR SSL connection (Not Exit)"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,538, 1, relative; byte_test: 2, <=,4072, 1, relative; stream_size: server, <,40000; stream_size: client, <,40000; stream_size: server, >,0; stream_size: client, >,0; flowbits: isset, FB0_3; flowbits: unset, FB0_3; classtype: misc-activity; metadata: autosign, id_0, created_at 2017_7_6; sid: 10001464; rev: 3;)
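The flowbits chain in the rules above, re-implemented as an offline Python model so the stage logic can be replayed against hand-built TLS records. This is an added example, not the authors' rules or PTsecurity code: the byte values and length ranges are taken from the rules as posted, while the sample record sizes, the constructed certificate prefix (with nominal DER length fields), and the reading of the |7777| match as the "ww" of a www.<random> CN are assumptions of this example.

```python
"""Offline model of the PTsecurity flowbits chain posted above.

Added example, not the authors' code: it re-implements the rule logic
(TLS app_data record lengths gated by flowbits and stream_size) in plain
Python so the chain can be exercised against hand-built TLS records.
All record sizes and certificate bytes below are constructed.
"""
import struct

HANDSHAKE, APP_DATA = 0x16, 0x17
STREAM_LIMIT = 40000          # stream_size: server/client, <, 40000

# One entry per rule group after "cert serv":
# (direction, predicate on app_data length, flowbit required, flowbit set).
STAGES = [
    ("to_server", lambda n: n in (33, 48, 64),    "FB0_01", "FB0_0"),  # pkt checker #0
    ("to_client", lambda n: 1420 <= n <= 2096,    "FB0_0",  "FB0_1"),  # pkt checker #1
    ("to_server", lambda n: 538 <= n <= 1052,     "FB0_1",  "FB0_2"),  # pkt checker #2
    ("to_client", lambda n: n in (538, 560, 576), "FB0_2",  "FB0_3"),  # pkt checker #3
    ("to_server", lambda n: 538 <= n <= 4072,     "FB0_3",  "ALERT"),  # TOR SSL connection
]


def parse_record(payload):
    """(content_type, length) of the TLS record at the start of a segment.
    Mirrors content:"|1703|"; depth:2 plus byte_test:2,...,1,relative, i.e.
    the rules only see a record that begins the (reassembled) segment."""
    if len(payload) < 5 or payload[1] != 0x03:
        return None
    return payload[0], struct.unpack(">H", payload[3:5])[0]


def tls_record(ctype, body):
    return bytes([ctype, 0x03, 0x03]) + struct.pack(">H", len(body)) + body


def app_data(n):
    """application_data record carrying n bytes of dummy ciphertext."""
    return tls_record(APP_DATA, b"\x00" * n)


def looks_like_tor_cert(payload):
    """Mirror of the 'cert serv' content chain: SEQUENCE (3082) within the
    first 300 bytes, tbsCertificate (308201) at +4, v3 tag + serial tag
    (a00302010202) at +8 and 'ww' at +52 (assumed: start of the www.<random>
    CN in the server certificate)."""
    limit = min(len(payload), 300)
    for p in range(limit - 1):
        if (payload[p:p + 2] == b"\x30\x82"
                and payload[p + 4:p + 7] == b"\x30\x82\x01"
                and payload[p + 8:p + 14] == b"\xa0\x03\x02\x01\x02\x02"
                and payload[p + 52:p + 54] == b"\x77\x77"):
            return True
    return False


def tor_cert_record():
    """Constructed Certificate handshake record whose DER prefix matches the
    rule: 9-byte serial + sha256WithRSA AlgorithmIdentifier + Name header
    = 38 bytes between the serial tag and the CN string. Lengths are nominal."""
    serial = b"\x00" + bytes(range(1, 9))
    sigalg = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"
    name = b"\x30\x1a\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0c\x0f"   # ...CN, UTF8String(15)
    der = (b"\x30\x82\x01\x40" + b"\x30\x82\x01\x2c"                 # Certificate, tbsCertificate
           + b"\xa0\x03\x02\x01\x02" + b"\x02\x09" + serial          # version v3, serial INTEGER
           + sigalg + name + b"www.example.com")
    body = b"\x0b" + b"\x00\x01\x50" + b"\x00\x01\x4d" + b"\x00\x01\x4a" + der
    return tls_record(HANDSHAKE, body)


def run_chain(flow):
    """Replay a list of (direction, segment payload) through the chain.
    Returns True when the final rule would alert."""
    bits = set()
    sent = {"to_server": 0, "to_client": 0}
    for direction, payload in flow:
        if direction == "to_client" and looks_like_tor_cert(payload):
            bits.add("FB0_01")                       # cert serv: no stream_size gate
        rec = parse_record(payload)
        # every later rule requires 0 < stream_size < 40000 in both directions
        if rec and rec[0] == APP_DATA and all(0 < v < STREAM_LIMIT for v in sent.values()):
            for d, pred, need, nxt in STAGES:
                if d == direction and need in bits and pred(rec[1]):
                    if need != "FB0_01":             # pkt checker #0 only tests isset
                        bits.discard(need)           # later stages unset their input bit
                    if nxt == "ALERT":
                        return True
                    bits.add(nxt)
                    break
        sent[direction] += len(payload)
    return False


def tor_like_flow():
    """Constructed exchange that walks every stage of the chain."""
    return [
        ("to_server", tls_record(HANDSHAKE, b"\x01" + b"\x00" * 200)),  # ClientHello (size only)
        ("to_client", tor_cert_record()),                              # cert serv   -> FB0_01
        ("to_server", app_data(64)),                                   # checker #0  -> FB0_0
        ("to_client", app_data(1500)),                                 # checker #1  -> FB0_1
        ("to_server", app_data(600)),                                  # checker #2  -> FB0_2
        ("to_client", app_data(576)),                                  # checker #3  -> FB0_3
        ("to_server", app_data(1100)),                                 # final rule  -> alert
    ]


def plain_https_flow():
    """Constructed ordinary exchange: same record sizes, but the server
    certificate does not match, so the chain never starts."""
    flow = tor_like_flow()
    flow[1] = ("to_client", tls_record(HANDSHAKE, b"\x0b" + b"\x00" * 1200))
    return flow


if __name__ == "__main__":
    print("tor-like flow alerts:", run_chain(tor_like_flow()))
    print("plain flow alerts:   ", run_chain(plain_https_flow()))
```

The model makes two of the rules' implicit assumptions explicit: each stage only examines a TLS record that sits at the very start of a segment (depth:2), so a record split across segments or a segment that starts mid-record is invisible to the chain, and the whole sequence has to complete while both directions have carried fewer than 40000 bytes. Both are worth remembering when tuning the port list or chasing the FPs the authors mention.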

["tor.rules" (application/octet-stream)]

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs