scramirez
Level 7

How to block TOR using HIPs?

How do I block TOR traffic using HIPs 8?

0 Kudos
6 Replies
greatscott
Level 12

Re: How to block TOR using HIPs?

Custom Signature

0 Kudos
scramirez
Level 7

Re: How to block TOR using HIPs?

Can you elaborate?

0 Kudos
greatscott
Level 12

Re: How to block TOR using HIPs?

Go into the HIPS 8.0 IPS Rules Policy within your Policy Catalog in ePolicy Orchestrator. Once in the policy you have the option to select "New", which will bring up the signature wizard. From here, you can name the signature whatever you want. I would consider setting the signature to a non-blocking severity level, just to test it initially. On the "Subrules" tab, I would create a "New Standard Subrule"; this is where you put all your processes. Select your operators, then add an include rule, which would be your processes related to TOR services. Save the sig, save your policy, and monitor if the signature starts firing. As long as you are not generating false positive events, it should be ok to move to a blocking severity level.

0 Kudos
scramirez
Level 7

Re: How to block TOR using HIPs?

Are you familiar with the .onion domain and onion routing? Does it use standard DNS when doing the proxy lookup? If we were to block *.onion domain lookups using HIPS, would that block TOR (or other similar tools) from communicating?

0 Kudos
greatscott
Level 12

Re: How to block TOR using HIPs?

scramirez, the IPS custom signature would only stop TOR processes from running on the system. This should theoretically block the process before any traffic is generated. If you want to stop communication to/from .onion domains, you could accomplish this via the firewall, but not IPS.

0 Kudos
mlmarshall3
Level 7

Re: How to block TOR using HIPs?

You could do this a few ways:

IPS Custom signature, like GreatScott mentions, that blocks read, write and execute access to TOR applications.  This would stop anyone, even system, from accessing the applications and would be the best for systems that already have the suite installed.

DNS Blackhole, which I'm less familiar with and can be gotten around by inputting the IP address of the server.

Firewall denial for the applications associated with the suite or the IP range.  Though the latter may block other hosted websites.

Best of luck.

0 Kudos