paul.k
Level 10
Message 1 of 7

Detecting TOR (.onion) domains using correlation rules. Need Regex help

Hello,

I would like to detect whenever my users try to resolve .onion domains, to detect attempts to access the TOR network. I am aware there are TOR lists out there, but they change faster than they can be updated.

The .onion requests are blocked at DNS level, but I wish to know whenever an attempt is made.

I am collecting Infoblox DNS logs and I get two fields with searchable data: domain, and DNS - query.

The domain field does not support contains or regex in a correlation rule; DNS - query does.

When I try to use contains or regex with .onion or .ONION I get two and a half problems.

  1. It catches domains that have .onion in them, not just ones ending in .onion. I tried using *.onion but it did not help.
  2. Events in different cases get missed.
    1. I wrote a regex but it seems to get inconsistent results. (\./(onion)/i)
    2. If the FQDN has a child domain, e.g. www.something.onion vs. something.onion, it does not get caught by the regex.

Thank You

6 Replies
andy777
McAfee Employee
Message 2 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy Walden wrote:

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

I second that...much cleaner route.

Also, as mentioned, use $ in your regex to match at the end of your string.

paul.k
Level 10
Message 4 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy,

Thanks,

It's a thought. I'll try the parser route if that does not work out.

Would still prefer to do it at the correlation engine.

Thank You,

rth67
Level 12
Message 5 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Sounds like something the ADM/APM should be able to detect, but I just reviewed the ADM policies and did not find anything relating to TOR traffic.

Sounds like another new Idea / PER to be created.

Of course if you don't have an ADM/APM it wouldn't be of any use anyway.


Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Maybe something like this:

\.(?i)(onion)(?-i)$

The $ forces the .oNiOn to be the last instance in the string. Not sure if the (?i) operator will work but it might give you some clues.
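The following is an added example, not code from any post in this thread, showing the anchored, case-insensitive match the question asks for and the reply above suggests, run over constructed sample DNS query names (not real Infoblox log data). It applies the case-insensitive flag to the whole expression rather than using the inline `(?i)...(?-i)` switches, because support for those switches varies between regex engines and the SIEM's engine is not documented here; it also allows an optional trailing dot, since DNS logs frequently record absolute names as "something.onion.". The sample names and the helper function names are assumptions for this example.

```python
import re

# Matches a query name whose last label is "onion", in any case, with any
# number of subdomains in front and an optional trailing dot (absolute FQDN).
# Requiring the leading "\." and anchoring with "$" means a name that merely
# contains "onion" (onionrings.example.com) or has it mid-name (x.onion.com)
# does not match.
ONION_RE = re.compile(r"\.onion\.?$", re.IGNORECASE)


def is_onion_query(qname: str) -> bool:
    """Return True if the queried name is a Tor hidden-service (.onion) name."""
    return ONION_RE.search(qname.strip()) is not None


# The pattern from the question, "\./(onion)/i", puts Perl-style /.../i
# delimiters inside the expression itself; a regex engine treats the slashes
# and the trailing "i" as literal characters, so it matches no real name.
LITERAL_SLASH_RE = re.compile(r"\./(onion)/i")


def literal_slash_matches(qname: str) -> bool:
    return LITERAL_SLASH_RE.search(qname) is not None


# Constructed sample query names, as the DNS - query field might carry them
# (not taken from real logs).
SAMPLE_QUERIES = [
    "something.onion",
    "www.something.ONION",
    "deep.sub.Example.OnIoN.",
    "onionrings.example.com",
    "example.onion.com",
    "onion",
    "www.example.com",
]


def flag_onion_queries(queries):
    """Return the subset of names a correlation rule should alert on."""
    return [q for q in queries if is_onion_query(q)]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:28s} onion={is_onion_query(q)}")
```

Of the seven constructed names only the first three are flagged: the mixed-case and multi-label names are caught, while the two names that contain "onion" in the middle and the bare label "onion" are not.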

paul.k
Level 10
Message 7 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Acommons,

I'll give this a shot thanks.
