Go into the HIPS 8.0 IPS Rules Policy within your Policy Catalog in ePolicy Orchestrator. Once in the policy you have the option to select "New" which will bring up the signature wizard from here. You can name the signature whatever you want. I would consider setting the signature to a non blocking severity level, just to test it initially. On the "Subrules" tab, I would create a "New Standard Subrule", this is where you put all your processes. Select your operators, then add an include rule, which would be your processes related to TOR services. Save the sig, save your policy, and monitor if the signature starts firing. As long as you are not generating false positive events, it should be ok to move to a blocking severity level.
Are you familiar with .onion domain and onion routing? Does it use standard DNS when doing the proxylookup? If we were to block *.onion domain lookups using HIPS, would that block TOR (or other similar tool) from communicating?
scramirez, the IPS custom signature would only stop TOR processes from running on the system. this should theoretically block the process before any traffic is generated. if you want to stop communication to/from .onion domains, you could accomplish this via the firewall, but not IPS.
You could do this a few ways:
IPS Custom signature, like GreatScott mentions, that blocks read, write and execute access to TOR applications. This would stop anyone, even system, from accessing the applications and would be the best for systems that already have the suite installed.
DNS Blackhole which I'm less familiar with and can be gotten around by inputing the IP address of the server.
Firewall denial for the applications associated with the suite or the IP range. Though the latter may block other hosted websites.
Best of luck.