RSA Admin

Detecting Tor Nodes?

Discussion created by RSA Admin Employee on Oct 25, 2013

I spend a lot of time looking at a malware sandbox.  Today I saw that most, if not all, of the Tor connections associated with active malware use a self-signed cert that begins 'www.'


This is what I saw:



We already have a feed of known Tor nodes provided in Live.  But by creating an alert rule you can identify possible undocumented Tor nodes to be investigated.  That rule looks like this:


Rule Name: Undocumented Tor Node

Condition: begins 'www.' && threat.source != 'tor-node-ip'


You can test this rule in your own environment by running a custom query.  I'm interested to see what other people find in a live enterprise environment.
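The rule's logic applied offline to exported session records, as an added example that is not part of the original post or of any RSA product: it keeps sessions whose certificate name begins 'www.', whose destination is not in the known Tor node feed, and whose certificate did not chain to a trusted CA. The record fields (`dst_ip`, `cert_cn`, `ca_trusted`), the feed contents and the sample sessions are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class TlsSession(NamedTuple):
    # Hypothetical export format, not NetWitness meta keys.
    dst_ip: str
    cert_cn: str       # certificate name observed in the session
    ca_trusted: bool   # True if the chain validated to a trusted CA


def undocumented_tor_candidates(sessions, known_tor_ips):
    """Return {dst_ip: [cert names]} for sessions matching the rule."""
    candidates = defaultdict(set)
    for s in sessions:
        if not s.cert_cn.lower().startswith("www."):
            continue   # rule condition: name begins 'www.'
        if s.ca_trusted:
            continue   # CA-issued 'www.' certs are ordinary web traffic
        if s.dst_ip in known_tor_ips:
            continue   # already covered by the known Tor node feed
        candidates[s.dst_ip].add(s.cert_cn)
    return {ip: sorted(cns) for ip, cns in sorted(candidates.items())}


# Constructed sample data (documentation IP ranges, made-up names).
KNOWN_TOR_IPS = {"192.0.2.10"}
SAMPLE_SESSIONS = [
    TlsSession("192.0.2.10", "www.q3xk7ahd.net", False),    # in the feed
    TlsSession("198.51.100.7", "www.m2vplw5e.com", False),  # candidate
    TlsSession("198.51.100.7", "www.m2vplw5e.com", False),  # repeat session
    TlsSession("203.0.113.5", "www.example.com", True),     # CA-issued
    TlsSession("203.0.113.9", "mail.example.org", False),   # no 'www.'
    TlsSession("203.0.113.20", "WWW.zz81kd0q.net", False),  # case variant
]

if __name__ == "__main__":
    hits = undocumented_tor_candidates(SAMPLE_SESSIONS, KNOWN_TOR_IPS)
    for ip, names in hits.items():
        print(f"{ip}\t{', '.join(names)}")
```

Grouping by destination keeps repeat sessions to one line per host, which is the unit an analyst would investigate.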