Snort filtering Tor exit node traffic, configuration help/advise

m.algoe

Hi,

I'm running a Tor relay and I allow traffic to exit from my relay. (https://www.torproject.org/). Tor is good for many things, but it also creates some problems like bad traffic suddently originating from my IP. I put my Tor server behind a pfSense firewall and enabled snort, but without blocking anything just yet and my suspicions where confirmed. Here's a short part of todays log. 192.168.100.2 is my Tor server (NATed).

1	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 13)	 A Network Trojan was Detected	192.168.100.2	45248	->	174.129.242.247	80	1:2404024:2657	04/08-16:04:19
2	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	60887	->	80.84.52.18	80	1:21444:1	04/08-16:01:22
3	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	60810	->	80.84.52.18	80	1:21444:1	04/08-16:01:19
4	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	60804	->	80.84.52.18	80	1:21444:1	04/08-16:01:19
5	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	60792	->	80.84.52.18	80	1:21444:1	04/08-16:01:18
6	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 86)	 A Network Trojan was Detected	192.168.100.2	33287	->	82.208.40.4	80	1:2404170:2657	04/08-15:49:58
7	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 41)	 A Network Trojan was Detected	192.168.100.2	52986	->	208.87.35.105	80	1:2404080:2657	04/08-15:42:32
8	3	TCP	(http_inspect) WEBROOT DIRECTORY TRAVERSAL	 Unknown Traffic	192.168.100.2	48587	->	74.53.101.130	80	119:18:1	04/08-15:23:02
9	3	TCP	(http_inspect) WEBROOT DIRECTORY TRAVERSAL	 Unknown Traffic	192.168.100.2	51651	->	174.123.99.67	80	119:18:1	04/08-15:20:36
10	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 33)	 A Network Trojan was Detected	192.168.100.2	45965	->	199.59.241.231	80	1:2404064:2657	04/08-15:14:54
11	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 4)	 A Network Trojan was Detected	192.168.100.2	54116	->	118.97.191.228	6667	1:2404006:2657	04/08-15:08:57
12	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 99)	 A Network Trojan was Detected	192.168.100.2	53731	->	93.170.52.30	80	1:2404196:2657	04/08-15:04:23
13	1	TCP	ET DROP Known Bot C&C Server Traffic TCP (group 74)	 A Network Trojan was Detected	192.168.100.2	58082	->	72.20.14.204	6667	1:2404146:2657	04/08-15:01:07
14	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	49719	->	80.84.52.18	80	1:21444:1	04/08-14:56:02
15	1	TCP	BOTNET-CNC TDSS outbound connection	 A Network Trojan was Detected	192.168.100.2	49709	->	80.84.52.18	80	1:21444:1	04/08-14:56:02

The log above is a good example of what I'd like to get rid of, but I'm not at all used to working with Snort (or any other IDS/IPS system). What I'd like to do is to either just kill the suspicious sessions and not block any hosts, or to block the destination since I don't want to block my Tor relay.
I tried changing the interface settings to block destination and not source, but it stilll blocks the 192.168.100.2 address only. If I choose to whitelist the Tor server nothing at all gets blocked??

Could someone enlighten me: Is it possibble to do what I want and if then how?

I'm running pfSense 2 with Snort 2.9.1 pkg v. 2.1.1

kevross33

You can use the supress tab to filter the alerts and I would disable the ET-DROP, ET-TOR rules etc. You could use pfblocker and lists like emerging-blocklist and compromised etc .txt files in emergingthreats (firewall and block rules). You could set these to block outbound, inbound or both. Install pfblocker and enable these in the lists as .txt:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is dsield, russian business network, botnet CnCs)
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
http://www.ciarmy.com/list/ci-badguys.txt