With the publicity surrounding the FBI take-down of the deep Web site Silk Road, Tor has become an even greater hot-button issue for IT security departments. LogRhythm makes it possible to detect traffic between your network and Tor.
There are a number of sites that publish lists of Tor exit nodes (the relays that pass traffic from the Tor network out to the public internet) and, more broadly, of all hosts associated with the Tor network. We used a PowerShell script to fetch one of these public lists on a weekly basis, and the Auto Import feature of LogRhythm Lists to pull it into a LogRhythm-accessible list object. The two kinds of list cover different directions: a connection arriving at your network from Tor has an exit node as its origin, while an internal host connecting out to Tor typically has a guard (entry) relay as its destination, which is not necessarily an exit node, so an exit-only list mostly catches the inbound case. Relays also come and go, and bridges are not published at all, so a weekly refresh will carry some stale entries and will never be complete.
Then we created an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list.
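To make the two steps above concrete, here is an added example (not LogRhythm's script or AI Engine rule, and not from the original post) that parses a Tor exit list into a set of addresses and then runs the equivalent of the Log Observed check over a few log lines, flagging any line whose origin or destination IP is on the list. The list text, the log lines and the `src=`/`dst=` key-value format are all constructed for the example; the parser accepts both the one-IP-per-line bulk format and `ExitAddress <ip> <timestamp>` lines so that a malformed or mixed upstream file cannot push junk entries into the list. The first sample log line is the single failed VPN authentication from an exit node that the post describes.

```python
"""Added example: parse a Tor exit-node list and match it against log lines
by origin (src) or destination (dst) IP. Not LogRhythm's code; the list
format, log format and all sample data below are constructed assumptions.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample: 'ExitAddress' lines (Tor Project exit-addresses style)
# mixed with plain one-IP-per-line entries, a comment and a junk line.
SAMPLE_EXIT_LIST = """\
# Tor exit node list (constructed sample for this example)
ExitNode ABCDEF0123456789ABCDEF0123456789ABCDEF01
Published 2013-10-07 12:00:00
LastStatus 2013-10-07 13:00:00
ExitAddress 198.51.100.23 2013-10-07 13:05:12
198.51.100.77
203.0.113.9
not-an-ip
"""

# Constructed sample log lines with key=value origin and destination fields.
SAMPLE_LOGS = [
    "2013-10-07T14:01:02Z vpn01 auth-fail user=jsmith src=198.51.100.23 dst=192.0.2.10",
    "2013-10-07T14:02:10Z fw01 allow src=192.0.2.55 dst=203.0.113.9 dport=9001",
    "2013-10-07T14:03:33Z fw01 allow src=192.0.2.56 dst=93.184.216.34 dport=443",
    "2013-10-07T14:04:00Z vpn01 auth-ok user=alee src=192.0.2.80 dst=192.0.2.10",
]

_KV = re.compile(r"\b(src|dst)=(\S+)")


def parse_exit_list(text: str) -> set[str]:
    """Return the set of valid IP addresses found in a Tor exit list.

    Comment lines, metadata lines (ExitNode/Published/LastStatus) and
    anything that does not parse as an IP are skipped rather than imported.
    """
    addrs: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # 'ExitAddress <ip> <timestamp>' carries the IP in the second field.
        candidate = fields[1] if fields[0] == "ExitAddress" and len(fields) > 1 else fields[0]
        try:
            addrs.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # metadata line or junk; do not poison the list
    return addrs


def extract_ips(log_line: str) -> dict[str, str]:
    """Pull the src= and dst= values out of a key=value log line."""
    return {side: ip for side, ip in _KV.findall(log_line)}


def match_tor(log_lines: Iterable[str], tor_ips: set[str]) -> list[dict]:
    """Flag each log line whose origin or destination IP is on the Tor list.

    This mirrors a Log Observed rule keyed on origin-or-destination IP:
    a hit on either side is reported, along with which side matched.
    """
    hits = []
    for line in log_lines:
        matched = {side: ip for side, ip in extract_ips(line).items() if ip in tor_ips}
        if matched:
            hits.append({"line": line, "matched": matched})
    return hits


def run_example() -> list[dict]:
    """Build the list from the sample text and run it over the sample logs."""
    return match_tor(SAMPLE_LOGS, parse_exit_list(SAMPLE_EXIT_LIST))


if __name__ == "__main__":
    for hit in run_example():
        print(hit["matched"], "<-", hit["line"])
```

Run as-is it reports two hits: the failed VPN login whose origin is an exit node, and the outbound connection whose destination is on the list; the other two lines are ignored. In a real deployment the list text would come from the weekly fetch and the matching would be done by the AI Engine rule against the imported list, but the edge cases are the same: validate every entry before importing it, match on both directions, and expect some stale addresses between refreshes.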
Many organizations may only need a rule like this for auditing purposes, but it has also surfaced events that would not otherwise raise many alarms, such as a single failed VPN authentication attempt.
A single failed authentication is not normally a red flag on its own; an origin IP that is a Tor exit node is what marks that traffic as suspicious.
This functionality will be released as a Third Party Threat List integration and the associated AI Engine rules will be released in an upcoming LogRhythm Knowledge Base.