Solved: FireSIGHT - Tor_exit_nodes List - Can I view all IP's within?

carson · ‎05-26-2017

I've been trying to use the preexisting security intelligence for tor_exit_nodes and I need to provide a list of all Sourcefire identified TOR exit traffic on a network going to a specific server.

The problem I am encountering is that I cannot figure out how to access/view the list of IP's within the tor_exit_nodes in the automatically updated SI list.

FireSIGHT 5.4

Marvin Rhoads · ‎05-26-2017

The listing of addresses that are considered TOR exit nodes (in the Cisco Security Feed) can be seen on the FMC cli by going to /var/sf/iprep_download on the FMC and looking at the appropriate file there.

If you want to see all connections identified as coming from a TOR exit node, you can filter your Connection Events views for that. If it's something you do often, you can make it a bookmark and get to it with a single click.

View solution in original post

Marvin Rhoads · ‎05-26-2017

The listing of addresses that are considered TOR exit nodes (in the Cisco Security Feed) can be seen on the FMC cli by going to /var/sf/iprep_download on the FMC and looking at the appropriate file there.

If you want to see all connections identified as coming from a TOR exit node, you can filter your Connection Events views for that. If it's something you do often, you can make it a bookmark and get to it with a single click.

carson · ‎05-26-2017

Thanks a ton for providing directory info; exactly what I needed.