4

I'm looking for a possible way to identify Tor Browser activity using QRadar. We have Firewall integrated & IPS (Without Application Control. Hence not a possible option). I went through the link https://www.dan.me.uk/tornodes but not able to synchronize the link all the time with QRadar.

Do you have any recommendation to detect the Tor Browser activity in an environment using Firewall logs integrated in QRadar? I don't have access to the firewall. So can't make any changes in firewall. I can only make changes in QRadar.

As Tor uses port 443, 9001 & 9030, is there a way to synchronize the content of the URL https://www.dan.me.uk/tornodes or any other way to detect Tor Browser activity in the network.

I don't want to block. I only want to detect using QRadar.

Shiva
  • 41
  • 3
  • 1
    Legitimate HTTPS traffic also uses 443. Don't set any alerts based on the port number alone. – Ivan Jun 21 '17 at 16:59

4 Answers4

3

I have done this very thing before, the best method I found was to create a job to periodically pull the IP’s from the tor exit node list, this list can be used to test your rule set against.

The list can be found here.

These scripts can help with converting them into a CSV file to be pulled by your SIEM.

TheJulyPlot
  • 7,669
  • 6
  • 30
  • 44
1

If you are feeding the traffic logs to your SIEM you can use that and compare with a list of tor nodes. (something like BRO IDS)

But since any list of tor nodes is going to be changing/incomplete, you would probably want to look at detecting through other ways. This could be behavioral based, tor ssl certs identified on your network, or other host based tools.

Detecting tor traffic can be hard which is by design. I don't think there is one specific cut and dry way to detect the traffic. Combining other methods of detection would be ideal.

I know this doesn't really answer your specific question, but if you are determined to spot tor traffic you may need to look into other options.

bigC5012
  • 143
  • 7
1

Create a reference set for IP addresses with a time to live that is a little more than an hour and call it like "Tor Exit Nodes". Using cron and wget download the list of tor exit nodes hourly. Possibly you need to tidy up the IP addresses so that you have 1 IP address per line. Load the file hourly into your reference set like so: /opt/qradar/bin/ReferenceSetUtil.sh load "Tor Exit Nodes" /path/to/file/with/tor/nodes. Then you build a new rule with a test that checks if the destination IP occurs in the reference set and create whatever response to that you like.

Z-Blocker
  • 21
  • 2
0

The easiest way to do this would be to slipstream some sort of data transformer into the pipeline between your network devices and QRadar. It seems QRadar itself supports this to some extent, or you could use Logstash or something of its ilk as an intermediary.

The problem with batch processing or trying to resolve them after the fact is that it introduces latency, which may or may not work if your org is demanding a real-time response to these events.

For each log line, you parse out the IP address, cross-reference it with the current list of known Tor nodes and append a Boolean flag to the data (is_tor: true|false).

I would recommend you also take it a step further-- if you're concerned about Tor, you should also be concerned about anonymous proxies, and those lists are harder to find for free. I highly suggest subscribing to a commercial service (Maxmind, et al) that provides these up-to-date lists and enrich your data based off of theirs.

Ivan
  • 6,288
  • 3
  • 18
  • 22