I have found a thread on a forum on how to block/alert on Tor connections (the rules below are reproduced as posted, with the forum's emoji substitutions undone):
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic"; flow:established,to_server; content:"|54 4f 52|"; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:10; within:20; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; sid:2001728; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Server Key Retrival"; flow:established,to_server; content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; reference:url,tor.eff.org; sid:2002950; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Status Update"; flow:established,to_server; content:"|47 45 54 20 2f 74 6f 72 2f 73 74 61 74 75 73 2f|"; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; reference:url,tor.eff.org; sid:2002951; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"|54 4f 52|"; content:"|3C 69 64 65 6E 74 69 74 79 3E|"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; sid:2002952; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"|54 4f 52|"; content:"|3C 69 64 65 6E 74 69 74 79 3E|"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; sid:2002953; rev:2;)
Is there another way to do this? Note that these signatures match the plaintext Tor 1.0 handshake strings (the `TOR` / `<identity>` content bytes and the `/tor/server/` and `/tor/status/` directory paths), so they only catch the old unencrypted protocol; they will not see current Tor traffic, which is wrapped in TLS.