RSA Admin

Detecting Tor Nodes?

Discussion created by RSA Admin Employee on Oct 25, 2013

I spend a lot of time looking at a malware sandbox. Today I saw that most, if not all, of the Tor connections associated with active malware use a self-signed cert that begins 'www.'

This is what I saw:

[screenshot omitted]

We already have a feed of known Tor nodes provided in Live, but by creating an alert rule you can identify possible undocumented Tor nodes to be investigated. That rule looks like this:

Rule Name: Undocumented Tor Node

Condition:  ssl.ca begins 'www.' && threat.source != 'tor-node-ip'

You can test this rule in your own environment by running a custom query. I'm interested to see what other people find in a live enterprise environment.
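As an added example (not code from the original post, and not NetWitness/RSA code), the following Python reimplements the two-clause rule above and runs it over constructed SSL session metadata, so the logic can be checked offline before it goes into a live alert rule. The feed contents, the session records and the `ip.dst`/`ssl.ca`/`threat.source` values are all made up; the only real inputs are the rule string exactly as posted and the assumption that a session the feed never tagged has no `threat.source` value at all, which is what makes `!= 'tor-node-ip'` true for it.

```python
"""Evaluate the 'Undocumented Tor Node' rule over constructed session metadata.

Illustrative code written for this thread, not the NetWitness rule engine.
It handles a small condition grammar: `key op 'value'` clauses joined by `&&`,
where op is one of begins / ends / contains / = / !=.
"""
import re

# Hypothetical excerpt of the Live tor-node feed (documentation-range IPs, constructed).
TOR_NODE_FEED = {"203.0.113.7", "198.51.100.42"}

# The rule condition exactly as posted in the thread.
RULE = "ssl.ca begins 'www.' && threat.source != 'tor-node-ip'"

_CLAUSE = re.compile(r"^\s*([\w.]+)\s+(begins|ends|contains|!=|=)\s+'([^']*)'\s*$")


def parse_rule(rule):
    """Split a `&&`-joined condition into (key, op, value) tuples."""
    clauses = []
    for part in rule.split("&&"):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append(m.groups())
    return clauses


def _values(meta, key):
    # Meta keys may carry several values per session; a missing key yields no values.
    v = meta.get(key, [])
    return [v] if isinstance(v, str) else list(v)


def clause_matches(meta, key, op, value):
    values = _values(meta, key)
    if op == "!=":
        # True when NO value equals the literal, including when the key is absent.
        return value not in values
    if op == "=":
        return value in values
    if op == "begins":
        return any(v.startswith(value) for v in values)
    if op == "ends":
        return any(v.endswith(value) for v in values)
    if op == "contains":
        return any(value in v for v in values)
    raise ValueError(op)


def rule_matches(meta, clauses):
    return all(clause_matches(meta, *c) for c in clauses)


def enrich(session):
    """Emulate the Live feed: tag threat.source when ip.dst is a known Tor node."""
    meta = dict(session)
    if session.get("ip.dst") in TOR_NODE_FEED:
        meta["threat.source"] = _values(session, "threat.source") + ["tor-node-ip"]
    return meta


# Constructed sessions covering the cases the rule has to get right.
SESSIONS = [
    {"ip.dst": "203.0.113.7", "ssl.ca": "www.abc123.net"},   # known Tor node: feed tags it, no alert
    {"ip.dst": "192.0.2.10", "ssl.ca": "www.xk2q7.com"},     # 'www.' CA, not in feed: alert
    {"ip.dst": "192.0.2.11", "ssl.ca": "Example Root CA"},   # ordinary CA name: no alert
    {"ip.dst": "192.0.2.12"},                                # no ssl.ca meta at all: no alert
    {"ip.dst": "192.0.2.13", "ssl.ca": "proxy www.x.net"},   # 'www.' not at the start: no alert
    {"ip.dst": "192.0.2.14", "ssl.ca": "www.zz9.com",
     "threat.source": ["some-other-feed"]},                  # other tag only: still alert
]


def undocumented_tor_candidates(sessions, rule=RULE):
    """Return ip.dst of every session the rule would flag for investigation."""
    clauses = parse_rule(rule)
    return [m["ip.dst"] for m in map(enrich, sessions) if rule_matches(m, clauses)]


if __name__ == "__main__":
    for ip in undocumented_tor_candidates(SESSIONS):
        print("possible undocumented Tor node:", ip)
```

The `!=` clause is the part worth testing carefully: it must match sessions that have no `threat.source` at all, and sessions tagged by some other feed, while excluding only those the tor-node feed actually tagged. Anything that turns the absent-key case into a non-match would silently suppress every alert the rule is meant to raise.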
