Matt Willems
Threat Intelligence Engineer

How Can You Detect Traffic Between Your Network and Tor?

With the publicity surrounding the FBI take-down of the deep Web site Silk Road, Tor has become an even greater hot-button issue for IT security departments. LogRhythm makes it possible to detect traffic between your network and Tor.

There are a number of sites that publish lists of Tor exit nodes (connections between the Tor network and the internet) and general hosts associated with the Tor network. We used a PowerShell script to scrape one of these public lists on a weekly basis, and the Auto Import feature of LogRhythm Lists to pull it into a LogRhythm accessible object.

LogRhythm blog

LogRhythm blog

Then we created an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list.

LogRhythm blog

Many organizations may only need a rule like this for auditing purposes, but we have also detected some events that wouldn’t otherwise raise many alarms, such as single attempted VPN authentications.

The odd origin location is a giveaway that the traffic is suspicious, but a single failed authentication wouldn’t typically be a red flag.

LogRhythm blog

This functionality will be released as a Third Party Threat List integration and the associated AI Engine rules will be released in an upcoming LogRhythm Knowledge Base.