NF – POLICY – TOR browser V8.X starting up – TOR SSL NAT Check Detected – Typical TOR DNS name

This alert is triggered when an external host sends traffic from TCP port 8080 to a device on the internal network (destination port 1024 or higher), in the server-to-client direction of an established session, and the payload contains a host name of the form www.<12 to 21 letters or digits>.com or .net. Random-looking names of this shape are typical of the TLS exchange seen when the TOR browser starts up and performs its NAT check, which is why the rule treats them as a TOR indicator.

Categories:

ID Number

5021504

Signature

alert tcp $EXTERNAL_NET 8080 -> $HOME_NET 1024: (msg:"NF - POLICY - TOR browser V8.X starting up - TOR SSL NAT Check Detected - Typical TOR DNS name"; flow:from_server,established; pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"; reference:url,networkforensic.dk; metadata:22092018; classtype:policy-violation; sid:5021504; rev:1;)
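The following Python is an added example, not part of the original signature page or of networkforensic.dk's tooling: it re-implements the header conditions, the flow keywords and the pcre of sid 5021504 and runs them over constructed packet records, so that the match and non-match cases (and the bound of the {12,21} quantifier) can be seen without a sensor. The $HOME_NET range, the packet field names and all sample payloads are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed $HOME_NET for this example; $EXTERNAL_NET is treated as !$HOME_NET
# (the Snort/Suricata default). Replace with your own ranges.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# The pcre from sid 5021504. It uses no PCRE-only syntax, so Python's re
# evaluates it identically; /i becomes re.IGNORECASE. Note that it is
# unanchored: any occurrence anywhere in the payload is enough.
TOR_DNS_NAME_RE = re.compile(rb"www\.[a-z0-9]{12,21}\.(com|net)", re.IGNORECASE)


@dataclass
class Packet:
    """Constructed stand-in for the fields the rule inspects (not a Suricata/Snort type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    established: bool   # TCP session is past the handshake
    from_server: bool   # packet travels from the responder (flow:from_server)
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def sid_5021504_matches(pkt: Packet) -> bool:
    """Return True when the packet satisfies every condition of sid 5021504."""
    # Header: alert tcp $EXTERNAL_NET 8080 -> $HOME_NET 1024:
    if in_home_net(pkt.src_ip) or not in_home_net(pkt.dst_ip):
        return False
    if pkt.src_port != 8080 or pkt.dst_port < 1024:
        return False
    # flow:from_server,established
    if not (pkt.established and pkt.from_server):
        return False
    # pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i"
    return TOR_DNS_NAME_RE.search(pkt.payload) is not None


def sample(payload: bytes, src_port: int = 8080, dst_port: int = 49152,
           from_server: bool = True) -> Packet:
    """Build a constructed server-to-client packet on the rule's default ports."""
    return Packet("203.0.113.10", src_port, "10.1.2.3", dst_port,
                  established=True, from_server=from_server, payload=payload)


# Constructed payloads. A real hit would be the DER-encoded certificate inside a
# TLS record; only the host-name bytes matter to the regex, so filler is used.
SAMPLES = {
    # random-looking 15-character label, the shape the rule is written for
    "tor_like_name": sample(b"\x30\x82\x01\x0a" + b"www.4k2j9x3hvq7pz1m.com" + b"\x00"),
    # 7-character label: below the {12,21} lower bound
    "short_hostname": sample(b"www.example.com"),
    # 22-character label: above the upper bound, and no shorter "www." prefix to fall back on
    "too_long_label": sample(b"www.abcdefghijklmnopqrstuv.com"),
    # ordinary 17-character label on the same ports: the regex cannot tell it apart
    "benign_long_hostname": sample(b"www.googleusercontent.com"),
    # right name, wrong server port
    "wrong_src_port": sample(b"www.4k2j9x3hvq7pz1m.com", src_port=443),
    # right name, client port below 1024
    "low_dst_port": sample(b"www.4k2j9x3hvq7pz1m.com", dst_port=1000),
    # right name, but sent by the client (flow:from_server fails)
    "client_direction": sample(b"www.4k2j9x3hvq7pz1m.com", from_server=False),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return {name: matched}."""
    return {name: sid_5021504_matches(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:22s} {'ALERT' if hit else '-'}")
```

The benign_long_hostname case is the practical caveat: the pcre only constrains label length and character set, so any ordinary host name with a 12 to 21 character label served from port 8080 fires the rule too. Confirm the server certificate or resolved host name before treating a hit as TOR usage.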

Severity

High

Recommendations/Investigative actions

Determine which internal device received the matching traffic and check it for TOR browser installations or other proxy tools. Before acting, confirm the hit: the pcre matches any host name with a 12 to 21 character label served from port 8080, so an ordinary site on that port can trigger it as well; the server certificate or the resolved host name will show whether the name is genuinely random. Block or restrict further TOR connections if TOR usage is against network policy or unnecessary.