paul.k
Level 10

Detecting TOR (.onion) domains using correlation rules. Need Regex help

Hello,

I would like to detect whenever my users try to resolve .onion domains to detect attempts at access to the TOR network. I am aware there are TOR lists out there, but they change faster than they can be updated.

The .onion requests are blocked at DNS level, but I wish to know whenever an attempt is made.

I am collecting Infoblox DNS logs and I get two fields with searchable data: domain, and DNS - query.

The domain field does not support contains or regex at the correlation rule; DNS-query does.

When I try to use contains or regex .onion or .ONION I get two and a half problems.

  1. It catches domains that have .onion in them, not just ones ending in .onion. I tried using *.onion but it did not help.
  2. Events in different cases get missed.
    1. I wrote a regex but it seems to get inconsistent results. (\./(onion)/i)
    2. If the FQDN has a child domain, e.g. www.something.onion vs. something.onion, it does not get caught by the regex.

Thank You

0 Kudos
6 Replies
McAfee Employee

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

0 Kudos
syed_rizvi
Level 10

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy Walden wrote:

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

I second that... much cleaner route.

Also, as mentioned, use $ in your regex to search at the end of your string.

0 Kudos
paul.k
Level 10

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy,

Thanks,

It's a thought. I'll try the parser route if that does not work out.

Would still prefer to do it at the correlation engine.

Thank You,

0 Kudos
rth67
Level 12

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Sounds like something the ADM/APM should be able to detect, but I just reviewed the ADM policies and did not find anything relating to TOR traffic.

Sounds like another new Idea / PER to be created.

Of course if you don't have an ADM/APM it wouldn't be of any use anyway.

0 Kudos
acommons
Level 10

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Maybe something like this:

\.(?i)(onion)(?-i)$

The $ forces the .oNiOn to be the last instance in the string. Not sure if the (?i) operator will work but it might give you some clues.

0 Kudos
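Putting the thread's advice together (anchor with $, match case-insensitively, allow child labels) as an added Python example; this is not code from any poster or from the ESM product, and the sample DNS lines are constructed in an assumed BIND-style shape rather than a verified Infoblox format.

```python
import re

# A query is a .onion lookup only when "onion" is the LAST label:
#   ^(?:[^.\s]+\.)+   one or more labels before it (so bare "onion" and
#                     "onion.example.com" do not match)
#   onion\.?$         "onion" at the end, tolerating a trailing FQDN dot
# re.IGNORECASE covers ".ONION", ".Onion", etc. without (?i) flavour concerns.
ONION_RE = re.compile(r'^(?:[^.\s]+\.)+onion\.?$', re.IGNORECASE)

def is_onion_query(qname: str) -> bool:
    """True for something.onion / www.something.onion, False for onionrings.com."""
    return bool(ONION_RE.match(qname.strip()))

# Constructed sample log lines (assumed BIND-style query format, not real data).
SAMPLE_LOGS = [
    "client 10.0.0.5#53214: query: www.example.onion IN A + (10.0.0.1)",
    "client 10.0.0.6#40011: query: onionrings.com IN A + (10.0.0.1)",
    "client 10.0.0.7#51022: query: Abcdefghijklmnop.ONION IN AAAA + (10.0.0.1)",
    "client 10.0.0.8#50003: query: onion.example.com IN A + (10.0.0.1)",
    "client 10.0.0.9#50104: query: example.onion.evil.com IN A + (10.0.0.1)",
]

# Pulls the queried name out of a line; shape assumed as above.
QUERY_RE = re.compile(r'query: (\S+) IN ')

def find_onion_queries(lines):
    """Return the queried names from log lines that are .onion lookups."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_onion_query(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for name in find_onion_queries(SAMPLE_LOGS):
        print("onion lookup:", name)
```

Only the anchored, case-insensitive pattern avoids both false positives on names merely containing "onion" and misses on mixed-case or multi-label names.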
paul.k
Level 10

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Acommons,

I'll give this a shot thanks.

0 Kudos