05-26-2017 06:42 AM - edited 03-10-2019 06:50 AM
I've been trying to use the preexisting security intelligence for tor_exit_nodes and I need to provide a list of all Sourcefire identified TOR exit traffic on a network going to a specific server.
The problem I am encountering is that I cannot figure out how to access/view the list of IPs within the tor_exit_nodes in the automatically updated SI list.
FireSIGHT 5.4
05-26-2017 09:23 AM
The listing of addresses that are considered TOR exit nodes (in the Cisco Security Feed) can be seen on the FMC CLI by going to /var/sf/iprep_download on the FMC and looking at the appropriate file there.
If you want to see all connections identified as coming from a TOR exit node, you can filter your Connection Events views for that. If it's something you do often, you can make it a bookmark and get to it with a single click.
05-26-2017 09:28 AM
Thanks a ton for providing directory info; exactly what I needed.