Snort filtering Tor exit node traffic, configuration help/advice
-
Hi,
I'm running a Tor relay and I allow traffic to exit from my relay (https://www.torproject.org/). Tor is good for many things, but it also creates some problems, like bad traffic suddenly originating from my IP. I put my Tor server behind a pfSense firewall and enabled Snort, but without blocking anything just yet, and my suspicions were confirmed. Here's a short part of today's log. 192.168.100.2 is my Tor server (NATed).
1 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 13) A Network Trojan was Detected 192.168.100.2 45248 -> 174.129.242.247 80 1:2404024:2657 04/08-16:04:19
2 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 60887 -> 80.84.52.18 80 1:21444:1 04/08-16:01:22
3 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 60810 -> 80.84.52.18 80 1:21444:1 04/08-16:01:19
4 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 60804 -> 80.84.52.18 80 1:21444:1 04/08-16:01:19
5 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 60792 -> 80.84.52.18 80 1:21444:1 04/08-16:01:18
6 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 86) A Network Trojan was Detected 192.168.100.2 33287 -> 82.208.40.4 80 1:2404170:2657 04/08-15:49:58
7 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 41) A Network Trojan was Detected 192.168.100.2 52986 -> 208.87.35.105 80 1:2404080:2657 04/08-15:42:32
8 3 TCP (http_inspect) WEBROOT DIRECTORY TRAVERSAL Unknown Traffic 192.168.100.2 48587 -> 74.53.101.130 80 119:18:1 04/08-15:23:02
9 3 TCP (http_inspect) WEBROOT DIRECTORY TRAVERSAL Unknown Traffic 192.168.100.2 51651 -> 174.123.99.67 80 119:18:1 04/08-15:20:36
10 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 33) A Network Trojan was Detected 192.168.100.2 45965 -> 199.59.241.231 80 1:2404064:2657 04/08-15:14:54
11 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 4) A Network Trojan was Detected 192.168.100.2 54116 -> 118.97.191.228 6667 1:2404006:2657 04/08-15:08:57
12 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 99) A Network Trojan was Detected 192.168.100.2 53731 -> 93.170.52.30 80 1:2404196:2657 04/08-15:04:23
13 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 74) A Network Trojan was Detected 192.168.100.2 58082 -> 72.20.14.204 6667 1:2404146:2657 04/08-15:01:07
14 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 49719 -> 80.84.52.18 80 1:21444:1 04/08-14:56:02
15 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 49709 -> 80.84.52.18 80 1:21444:1 04/08-14:56:02
The log above is a good example of what I'd like to get rid of, but I'm not at all used to working with Snort (or any other IDS/IPS system). What I'd like to do is to either just kill the suspicious sessions and not block any hosts, or to block the destination since I don't want to block my Tor relay.
I tried changing the interface settings to block destination and not source, but it still blocks the 192.168.100.2 address only. If I choose to whitelist the Tor server, nothing at all gets blocked?? Could someone enlighten me: is it possible to do what I want, and if so, how?
I'm running pfSense 2 with Snort 2.9.1 pkg v. 2.1.1
-
You can use the suppress tab to filter the alerts, and I would disable the ET-DROP, ET-TOR rules etc. You could use pfBlocker and lists like emerging-blocklist and compromised etc. (.txt files in emergingthreats, firewall and block rules). You could set these to block outbound, inbound or both. Install pfBlocker and enable these in the lists as .txt:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is DShield, Russian Business Network, botnet CnCs)
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
http://www.ciarmy.com/list/ci-badguys.txt
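An added example (not from either poster) that works through the two ideas in this thread on the alert format quoted above: parse the pfSense Snort alert listing, count hits per remote peer so the relay 192.168.100.2 is never the blocked side whichever direction the alert fires, and emit Snort threshold.conf suppress entries for the low-priority signatures the reply suggests silencing. The sample reuses three lines from the question plus one constructed inbound alert from the documentation address 203.0.113.5.

```python
import re
from collections import Counter

# Constructed sample: three lines copied from the question's listing plus one
# constructed inbound alert (203.0.113.5 is a documentation address) so the
# relay appears as destination too. Format per line:
# "<n> <prio> <proto> <message> <src> <sport> -> <dst> <dport> <gid:sid:rev> <MM/DD-HH:MM:SS>"
SAMPLE = """\
1 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 13) A Network Trojan was Detected 192.168.100.2 45248 -> 174.129.242.247 80 1:2404024:2657 04/08-16:04:19
2 1 TCP BOTNET-CNC TDSS outbound connection A Network Trojan was Detected 192.168.100.2 60887 -> 80.84.52.18 80 1:21444:1 04/08-16:01:22
8 3 TCP (http_inspect) WEBROOT DIRECTORY TRAVERSAL Unknown Traffic 192.168.100.2 48587 -> 74.53.101.130 80 119:18:1 04/08-15:23:02
16 1 TCP ET DROP Known Bot C&C Server Traffic TCP (group 13) A Network Trojan was Detected 203.0.113.5 4444 -> 192.168.100.2 9001 1:2404024:2657 04/08-16:10:00
"""

ALERT_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<prio>\d+)\s+(?P<proto>\S+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+(?P<ts>\S+)$"
)

def parse_alerts(text):
    """Parse the pfSense Snort alert listing; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            for k in ("idx", "prio", "sport", "dport", "gid", "sid", "rev"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts

def block_candidates(alerts, relay_ip, max_prio=1):
    """Hits per remote peer (the non-relay end) for alerts at priority max_prio or
    better (lower number). The relay itself is never a candidate, on either side."""
    hits = Counter()
    for a in alerts:
        if a["prio"] > max_prio or relay_ip not in (a["src"], a["dst"]):
            continue
        hits[a["dst"] if a["src"] == relay_ip else a["src"]] += 1
    return hits

def suppress_lines(alerts, relay_ip, max_prio=1):
    """threshold.conf 'suppress' entries for the lower-priority signatures when the
    relay is the source, so the C&C alerts stay visible and the noise does not."""
    sigs = sorted({(a["gid"], a["sid"]) for a in alerts if a["prio"] > max_prio})
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {relay_ip}" for g, s in sigs]

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    for peer, n in block_candidates(parsed, "192.168.100.2").most_common():
        print(f"{peer:16} {n}")
    print("\n".join(suppress_lines(parsed, "192.168.100.2")))
```

The peer list is what you would feed a pfBlocker-style destination list; the suppress lines paste into the Snort suppress tab as-is.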