paul.k
Level 10
Message 1 of 7

Detecting TOR (.onion) domains using correlation rules. Need Regex help

Hello,

I would like to detect whenever my users try to resolve .onion domains, to detect attempts at access to the TOR network. I am aware there are TOR lists out there, but they change faster than they can be updated.

The .onion requests are blocked at DNS level, but I wish to know whenever an attempt is made.

I am collecting Infoblox DNS logs and I get two fields with searchable data: domain, and DNS-query.

The domain field does not support contains or regex at the correlation rule; DNS-query does.

When I try to use contains or regex with .onion or .ONION, I get two and a half problems.

  1. It catches domains that have .onion in them, not just those ending in .onion. I tried using *.onion but it did not help.
  2. Events in different cases get missed.
    1. I wrote a regex but it seems to give inconsistent results: (\./(onion)/i)
    2. If the FQDN has a child domain, e.g. www.something.onion vs. something.onion, it does not get caught by the regex.

Thank You

6 Replies
Former Member
Not applicable
Message 2 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

Former Member
Not applicable
Message 3 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy Walden wrote:

I think I would just use the regex in the parser and parse these out as their own events. Feel free to post a sample of a log with a .onion address if you would like help with the parser. Thanks.

I second that...much cleaner route.

Also, as mentioned, use $ in your regex to search at the end of your string.

paul.k
Level 10
Message 4 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Andy,

Thanks,

It's a thought. I'll try the parser route if that does not work out.

Would still prefer to do it at the correlation engine.

Thank You,

Former Member
Not applicable
Message 5 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Sounds like something the ADM/APM should be able to detect, but I just reviewed the ADM policies and did not find anything relating to TOR traffic.

Sounds like another new Idea / PER to be created.

Of course if you don't have an ADM/APM it wouldn't be of any use anyway.

acommons
Level 11
Message 6 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Maybe something like this:

\.(?i)(onion)(?-i)$

The $ forces the .oNiOn to be the last instance in the string. Not sure if the (?i) operator will work but it might give you some clues.
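To see why anchoring and case-insensitivity both matter, here is an added example (not from the thread or from any McAfee product) that runs the naive "contains onion" check and an anchored, case-insensitive pattern over a constructed list of DNS query names. acommons' inline (?i)...(?-i) form is engine-dependent (Python only accepts global inline flags at the start of a pattern), so the example uses the equivalent re.IGNORECASE flag; the optional trailing dot is an assumption to tolerate resolvers that log absolute names, not something the thread states.

```python
import re

# Anchored, case-insensitive match: a label boundary (".") immediately before
# "onion", and "onion" as the final label of the query. The optional trailing
# "." is an assumption for logs that record absolute names ("host.onion.").
ONION_RE = re.compile(r"\.onion\.?$", re.IGNORECASE)

# The naive approach from the thread: "onion" as a substring anywhere.
NAIVE_RE = re.compile(r"onion")


def is_onion_query(qname: str) -> bool:
    """True when the queried name's last label is 'onion' in any case."""
    return ONION_RE.search(qname.strip()) is not None


def match_queries(qnames, pattern):
    """Return the query names that the given compiled pattern matches."""
    return [q for q in qnames if pattern.search(q.strip())]


# Constructed sample query names (not taken from a real Infoblox log).
SAMPLE_QUERIES = [
    "something.onion",
    "www.something.ONION",        # child label plus upper-case TLD
    "deep.sub.domain.oNiOn.",     # mixed case, absolute name with trailing dot
    "onionsoup.example.com",      # 'onion' as a substring, not the TLD
    "theonion.com",
    "onion.example.net",          # leading label, not the TLD
    "example.com",
    "something.onionx",           # TLD starts with 'onion' but is not 'onion'
]

if __name__ == "__main__":
    print("naive   :", match_queries(SAMPLE_QUERIES, NAIVE_RE))
    print("anchored:", match_queries(SAMPLE_QUERIES, ONION_RE))
```

The naive pattern both fires on the three non-TOR names containing "onion" and misses the upper-case and mixed-case .onion queries; the anchored pattern returns exactly the three .onion names.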

paul.k
Level 10
Message 7 of 7

Re: Detecting TOR (.onion) domains using correlation rules. Need Regex help

Acommons,

I'll give this a shot, thanks.
