Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Custom signature for TOR Application

Hi,

I want to create custom signature to produce alert whenever any machine lunches TOR application, i have searched and found that there already two signatures cretaed 5816/0 5816/1, i have enabled them and tested it did not fire.

I have ips in promoscous mode monitoring all vlans, working normally. I dont have ssl interception @ any device, so once TOR is establish then i dont have visibilty over the traffic.

i need help in creating usch signature, i have took wireshark capture of traffic and all i can see on application layer is proxy connect and proxy port (see attached)

thanks for your help.                

  • Intrusion Prevention Systems/IDS
2 REPLIES

Custom signature for TOR Application

please try to match TCP port 9001 and 9090 in the signature.

New Member

Custom signature for TOR Application

Hi nkumarsr,

I have cretaed tcp string signature for ports 9001, 9090

and also i have added it in builtin signature 5816/0 and 5816/1

i have luanch TOR and it is not fired, i took capture on client PC and seached for tcp.port == 9001 and 9090, it is not showing.

do u have any other ideas ?

378
Views
3
Helpful
2
Replies