Detect tor

Which is the best TOR detection script in Bro? Is the one below good, or is there any other script?


Another thing you could try is, if you use the Intel framework, then you can feed the Intel framework with
the IOC data for TOR and load it in Intel, so that you will get logs in intel.log whenever there's
a hit on TOR IPs in your network traffic.


OK, thanks for your info.

If you want valid, low false positive, detection of the public Tor (not TOR)
network use, you can look at the descriptors of the public relays. Get them
from any Tor node you run, or download from the Tor Project site. That will
give you IP addresses and ports over time. A connection to those is very
probably Tor user->network traffic.

A connection to a Tor node's IP on a port that isn't listed as a Tor port at
the time of interest is much less likely to be Tor traffic. That's one of the
failings of intel feeds listing only IPs, as almost all do when it comes to Tor.

Bridges complicate the picture, as they're handed only to a limited subset of
users. There, you may want to consider active measures--connect to the same
port yourself, see if you can evoke a Tor handshake. China's delay on active
probing of the ports was on the order of hours to days when this was most
popular; they may have gotten faster since.

Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
vendors can often keep up, but it's unlikely they'll share the competitive

Further along the arms race, bridges using pluggable transports like obfs4, or
connections using domain fronting are not going to be easily detected, even by
active probing.
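The relay-descriptor matching described above, and the Intel-framework feed suggested earlier in the thread, as an added example that is not code from the thread or from the Bro project. It parses two constructed, abbreviated consensus snapshots (only the "valid-after"/"valid-until" lines and the "r" router lines are reproduced), classifies constructed connections by whether the destination IP and port were listed as a relay ORPort in a consensus valid at the connection's time, as opposed to the IP alone, which is all an IP-only feed can encode, and renders the relay IPs in the tab-separated feed format the Intel framework reads. All relay data, addresses, timestamps and connections are constructed; the three verdict labels are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed, abbreviated Tor network-status (consensus) snapshots. Real consensus
# documents carry many more lines; only the ones this example reads are shown:
# the validity window and "r" router lines of the form
#   r <nickname> <identity> <digest> <published date> <time> <IP> <ORPort> <DirPort>
SNAPSHOTS = [
    """\
valid-after 2016-03-01 12:00:00
valid-until 2016-03-01 15:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-03-01 10:00:00 198.51.100.10 9001 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-03-01 10:00:00 203.0.113.7 443 80
""",
    """\
valid-after 2016-03-01 15:00:00
valid-until 2016-03-01 18:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-03-01 10:00:00 198.51.100.10 9001 9030
""",
]

# nickname, identity, digest, date, time, then IP, ORPort, DirPort
R_LINE = re.compile(r"^r \S+ \S+ \S+ \S+ \S+ (\S+) (\d+) (\d+)$", re.M)


def parse_ts(s):
    """Consensus timestamps are UTC 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_consensus(text):
    """Return (valid_after, valid_until, {(ip, orport), ...}) for one consensus."""
    valid_after = parse_ts(re.search(r"^valid-after (.+)$", text, re.M).group(1))
    valid_until = parse_ts(re.search(r"^valid-until (.+)$", text, re.M).group(1))
    relays = {(ip, int(orport)) for ip, orport, _dirport in R_LINE.findall(text)}
    return valid_after, valid_until, relays


def classify(resp_ip, resp_port, when, snapshots):
    """
    Classify a connection to resp_ip:resp_port made at datetime `when`:
      "tor"      IP and port listed as a relay ORPort in a consensus valid at that
                 time (strong signal)
      "ip-only"  IP listed but not that port (what an IP-only feed would still flag)
      "none"     not a known relay, or no consensus covers that time
    Consensuses overlap in time, so every snapshot valid at `when` is consulted.
    """
    valid = [relays for va, vu, relays in snapshots if va <= when < vu]
    if any((resp_ip, resp_port) in relays for relays in valid):
        return "tor"
    if any(ip == resp_ip for relays in valid for ip, _port in relays):
        return "ip-only"
    return "none"


def intel_feed(snapshots, source="tor-consensus"):
    """Render relay IPs as an Intel-framework feed: tab-separated, #fields header,
    one Intel::ADDR indicator per IP. The port cannot be expressed in an ADDR
    indicator, which is the limitation discussed in the thread."""
    ips = sorted({ip for _va, _vu, relays in snapshots for ip, _port in relays})
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for ip in ips:
        lines.append(f"{ip}\tIntel::ADDR\t{source}\tTor relay IP (ORPort not encoded)")
    return "\n".join(lines) + "\n"


PARSED = [parse_consensus(t) for t in SNAPSHOTS]

# Constructed connections: (id.resp_h, id.resp_p, timestamp)
CONNECTIONS = [
    ("198.51.100.10", 9001, "2016-03-01 13:10:00"),  # listed ORPort       -> tor
    ("198.51.100.10", 22,   "2016-03-01 13:10:00"),  # ssh to relay host   -> ip-only
    ("203.0.113.7",   443,  "2016-03-01 16:30:00"),  # relay gone by then  -> none
    ("203.0.113.7",   443,  "2016-03-01 13:10:00"),  # listed at that time -> tor
]


def run():
    """Verdict per constructed connection, keyed by (ip, port, timestamp)."""
    return {(ip, port, ts): classify(ip, port, parse_ts(ts), PARSED)
            for ip, port, ts in CONNECTIONS}


if __name__ == "__main__":
    for key, verdict in run().items():
        print(key, verdict)
    print(intel_feed(PARSED))
```

The second connection is the case the thread warns about: an IP-only feed flags it as Tor, while the port-and-time check does not. The third shows why the time dimension matters when relays leave the network.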


Tor can be detected by looking at the SSL certificates. Because the certificates
are generated by Tor, the subject, issuer or ssl_hostname can be used to detect

This example matches only if subject and issuer match. I have seen Tor connections
module DetectTor;

# Tor-generated link certificates use a bare "CN=www.<random>.(com|net)" subject
# and issuer. Dots are escaped so that "." does not match any character.
const tor_cn = /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/;
# Same shape without the "CN=" prefix, for the server_name (SNI) alternative;
# note this also matches any ordinary www.<name>.com hostname.
const tor_sni = /^www\.[0-9a-zA-Z]+\.(net|com)$/;

event ssl_established(c: connection) &priority=6
	{
	# "==" between a pattern and a string is an exact (whole-string) match in Bro.
	if ( (c$ssl?$subject && tor_cn == c$ssl$subject &&
	      c$ssl?$issuer && tor_cn == c$ssl$issuer) ||
	     (c$ssl?$server_name && tor_sni == c$ssl$server_name) )
		add c$service["tor"];
	}
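The certificate heuristic from this post applied offline to an ssl.log, as an added example that is not code from the thread or from Bro. It parses a constructed ssl.log excerpt by its #fields header, requires both subject and issuer to be bare Tor-shaped common names with the dots escaped, and treats the SNI shape on its own as a weak signal, because that pattern also matches any ordinary www.<name>.com site. One tightening beyond the post's script is an assumption of this example: a Tor link certificate is signed by a separately named identity certificate, so a certificate whose subject and issuer are identical is treated as a plain self-signed certificate rather than Tor. The log rows, addresses and uids are constructed; the verdict labels are this example's own.

```python
import re

# Tor-generated link certificates carry a subject and an issuer that are bare
# "CN=www.<random>.(com|net)" names with no other RDNs. Dots are escaped; the
# Bro pattern in the thread leaves them unescaped, so "." matches any character.
TOR_CN = re.compile(r"^CN=www\.[0-9a-zA-Z]+\.(net|com)$")
# The same shape as an SNI hostname. On its own this also matches any ordinary
# www.<name>.com site, so it is only a weak signal below.
TOR_SNI = re.compile(r"^www\.[0-9a-zA-Z]+\.(net|com)$")

# Constructed ssl.log excerpt in Bro/Zeek tab-separated format, trimmed to the
# columns used here (real logs carry more). Rows are keyed by the #fields
# header, so column order and extra columns do not matter. "-" is Bro's unset.
SAMPLE_SSL_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer
1456833000.1\tCabc1\t10.0.0.5\t51000\t198.51.100.10\t9001\t-\tCN=www.ab3kd92jf.com\tCN=www.qp9x2lm7.net
1456833001.2\tCabc2\t10.0.0.6\t51001\t192.0.2.80\t443\twww.example.com\tCN=www.example.com,O=Example Inc,C=US\tCN=Example Issuing CA,O=Example Trust,C=US
1456833002.3\tCabc3\t10.0.0.7\t51002\t203.0.113.7\t443\twww.z8f1kq2w.com\t-\t-
1456833003.4\tCabc4\t10.0.0.8\t51003\t192.0.2.81\t8443\t-\tCN=www.internal.net\tCN=www.internal.net
"""


def parse_zeek_log(text):
    """Parse a Bro/Zeek TSV log into dicts keyed by the #fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue  # other header/footer lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def classify_ssl(rec):
    """
    "cert"      subject and issuer both have the Tor shape and differ from each
                other (strong signal)
    "sni-only"  only the SNI has the shape (weak: fires on ordinary web sites
                and on sessions where no certificate was seen)
    "no"        neither
    """
    subject, issuer, sni = (rec.get(k, "-") for k in ("subject", "issuer", "server_name"))
    # Assumption of this example: the link cert's issuer is a separately named
    # identity cert, so identical subject and issuer is an ordinary self-signed cert.
    if TOR_CN.match(subject) and TOR_CN.match(issuer) and subject != issuer:
        return "cert"
    if TOR_SNI.match(sni):
        return "sni-only"
    return "no"


def tor_verdicts(text):
    """Verdict per connection uid for an ssl.log given as text."""
    return {rec["uid"]: classify_ssl(rec) for rec in parse_zeek_log(text)}


if __name__ == "__main__":
    for uid, verdict in tor_verdicts(SAMPLE_SSL_LOG).items():
        print(uid, verdict)
```

Row Cabc2 is the point of the weak label: a normal site with a CA-issued certificate still has an SNI of the Tor shape, so an SNI-only rule would tag it. Row Cabc4 is a self-signed internal certificate whose bare CN would satisfy the subject-and-issuer patterns alone.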