Ntp.org and ip (TOR)

  • Hi All,

    So i have everything up and running, pfsense with snort. Everything works great!
    (in the process of going from 'conventional' iptables to pfsense.

    I was testing everything on a private network isolated from our office and installed snort.

    After putting the rules to work i got incoming traffic from and got an alert description of
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 every 30 seconds or so.

    Is ntp.org using a tor relay router ? Or am i being paranoid ? After i turned of NTP the alerts disappeared. Of course it can be an innocent
    NTP update, but it got me scared a bit.

    Anyone else gets this or like i say am i paranoid ? I matched up the MD5 checksum on installing.


  • Could be a false positive.  I have not seen that alert, but then I target only a few specific external NTP servers as sync partners.  Have you tried a Google search on that alert text?  There may be some info out there from other Emerging Threats users.


  • LAYER 8 Global Moderator

    Do you have your ntp in a pool?  You could have a client routing his traffic through tor and asking your pool member for an update.  Once you turned off ntp, pool would notice your down and your score would drop and you would no longer be listed in the pool.

    Clients would then stop asking you for ntp.

    Just tested and that IP is running ntp

    server, port 123
    stratum 2, precision -23, leap 00, trust 000
    refid [], delay 0.13458, dispersion 0.00037
    transmitted 4, in filter 4
    reference time:    da08918c.6f3d004a  Tue, Dec  1 2015 15:37:16.434
    originate timestamp: da089268.cd066679  Tue, Dec  1 2015 15:40:56.800
    transmit timestamp:  da089268.bf1e265c  Tue, Dec  1 2015 15:40:56.746
    filter delay:  0.13460  0.13757  0.13658  0.13458

    So it might be listed in the ntp pool as well and you were asking it for updates.

    Yup just checked and that IP is in the pool by trying to add it and got back that is already a member
    " is already listed in the pool. Email us your username to have it moved to this account"

  • If you're pointing to *.pool.ntp.org, that's just a pool of servers from anyone who wants to be included. It's likely some of those are also Tor relays, as they tend to be servers that provide public services. is one of those. Nothing to be concerned about.

  • LAYER 8 Global Moderator

    yup very common stuff..  You have to keep in mind when you turn on something like snort..  There is going to be lots and lots of noise ;)  you really have to tweak the rule sets to look for the stuff that is actual concern..  And then once you do that you might not see anything…

    Other than as a learning tool, I don't see much use for a ids in a home setup..  Unless you do manage to let one of your machines get infected pretty much all your going to see is noise..