I spend a lot of time looking at a malware sandbox. Today I saw that most, if not all, of the Tor connections associated with active malware use a self-signed cert that begins 'www.'
This is what I saw:
We already have a feed of known tor nodes provided in Live. But by creating an alert rule you can identify possible Undocumented Tor nodes to be investigated. That rule looks like this:
Rule Name: Undocumented Tor Node
Condition: ssl.ca begins 'www.' && threat.source != 'tor-node-ip'
You can test this rule in your own environment by running a custom query. I'm interested to see what other people find in a live enterprise environment.
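As an added example (not from the original post or its author), here is the rule above expressed in Python and run over a handful of constructed session records, so the logic can be checked offline before it is turned into a production alert. The field names `ssl.ca` and `threat.source` come from the post; the record layout, the `ip.dst` field, the known-node IP list and the helper names are assumptions made for illustration.

```python
"""Added example: the alert condition
    ssl.ca begins 'www.' && threat.source != 'tor-node-ip'
applied to constructed session records.
Assumed: sessions are dicts; 'threat.source' is a set of tags;
the known Tor node feed is a set of IP strings."""

# Constructed stand-in for the "known Tor nodes" feed (assumed values,
# RFC 5737 documentation addresses).
KNOWN_TOR_NODE_IPS = {"203.0.113.10", "198.51.100.7"}


def enrich(session, known_nodes=KNOWN_TOR_NODE_IPS):
    """Mimic the feed enrichment: sessions whose destination is a known
    Tor node get the 'tor-node-ip' tag in threat.source."""
    tags = set(session.get("threat.source", ()))
    if session.get("ip.dst") in known_nodes:
        tags.add("tor-node-ip")
    return {**session, "threat.source": tags}


def undocumented_tor_node(session):
    """The post's condition: CA field starts with 'www.' and the session
    was NOT already tagged as a known Tor node."""
    ca = session.get("ssl.ca") or ""
    tags = session.get("threat.source", ())
    return ca.startswith("www.") and "tor-node-ip" not in tags


def find_undocumented(sessions, known_nodes=KNOWN_TOR_NODE_IPS):
    """Enrich every session, then return those that match the rule."""
    return [s for s in (enrich(x, known_nodes) for x in sessions)
            if undocumented_tor_node(s)]


# Constructed sample sessions (assumed values, for illustration only).
SAMPLE_SESSIONS = [
    # Known node: feed tags it, so the rule must NOT fire.
    {"ip.dst": "203.0.113.10", "ssl.ca": "www.k3f9xq2.com"},
    # 'www.' CA to an address absent from the feed: rule fires.
    {"ip.dst": "192.0.2.44", "ssl.ca": "www.ju3kqz8p.net"},
    # Ordinary public CA: rule must not fire.
    {"ip.dst": "192.0.2.45", "ssl.ca": "Example Public CA G2"},
    # Non-TLS session with no ssl.ca at all: rule must not fire.
    {"ip.dst": "192.0.2.46"},
]

if __name__ == "__main__":
    for hit in find_undocumented(SAMPLE_SESSIONS):
        print("Undocumented Tor Node candidate:", hit["ip.dst"], hit["ssl.ca"])
```

Hits are candidates to investigate, not confirmed Tor relays: a 'www.'-prefixed self-signed CA on its own is a weak signal, so pair the alert with a lookup of the destination against a fresh copy of the node feed before acting on it.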