Tor will be blocked as soon as SSL Scanning is turned on. In case you have a short tcpdump of sample traffic, feel free to attach it and I'll be happy to check if we can craft a policy around that w/o the need of SSL scanner.
For me this looks like binary data. I am not sure whether you have captured the Client<->MWG communication and a beginning of a session. I believe that the TOR Client would drop a CONNECT request before it can speak SSL; this is not shown in the dump.
Maybe you can try to shut down TOR, start the tcpdump on all interfaces, start the TOR Client, wait until it connected, stop the tcpdump and send it over.
As far as I remember TOR simply sends CONNECT requests to various IP addresses. The IPs used in the example trace are all uncategorized. Maybe we could create a rule that enables SSL Scanner or blocks requests that
- connect directly to an IP address, rather than a hostname
- connect to IP addresses which are NOT in trusted categories or are uncategorized
- do not have a User-Agent (I believe TOR does not send a user-agent)
In this case you will most likely still pass "legit" traffic, as normally requests do not go to IP addresses but to hostnames. When they go to an IP address (which may be true in some cases) we still check the category. Probably there is a slight risk of having false positives, but it should block TOR.
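To make the three heuristics in the post concrete, here is an added example (not code from the thread, from MWG, or from McAfee, and not written in MWG rule syntax) that applies them to constructed proxy access log lines. The log format, the "trusted" category list and the sample lines are all assumptions; a real deployment would feed its own logs and category names in. A request is flagged only when it is a CONNECT to an IP literal, to a category outside the trusted set (or uncategorized), and carries no User-Agent, which mirrors the reasoning above that normal traffic goes to hostnames and is therefore unaffected.

```python
"""Heuristic check for Tor-like CONNECT requests in proxy access logs (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log lines (not the thread's tcpdump). Assumed format:
#   client_ip method target category "user_agent"
SAMPLE_LOG = """\
10.0.0.5 CONNECT 203.0.113.10:443 Uncategorized ""
10.0.0.5 CONNECT 198.51.100.7:9001 Uncategorized ""
10.0.0.6 CONNECT www.example.com:443 Business "Mozilla/5.0"
10.0.0.7 GET http://203.0.113.20/index.html Business "curl/8.0"
10.0.0.8 CONNECT 192.0.2.9:443 Malicious "Mozilla/5.0"
"""

# Assumed set of "trusted" URL categories; a real deployment would use its own list.
TRUSTED_CATEGORIES = {"Business", "Education", "Government"}

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s*$')


@dataclass
class Request:
    client_ip: str
    method: str
    target: str
    category: str
    user_agent: str


def parse_line(line: str) -> Request:
    """Parse one log line in the assumed format into a Request."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Request(*m.groups())


def host_of(target: str) -> str:
    """Extract the host part from 'host:port' or 'scheme://host[:port]/path'."""
    host = target.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                 # host:port
        host = host.rsplit(":", 1)[0]
    return host


def is_ip_literal(host: str) -> bool:
    """True when the request targets an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tor_like_reasons(req: Request) -> List[str]:
    """Return which of the three heuristics from the post a CONNECT request satisfies."""
    if req.method != "CONNECT":
        return []
    reasons = []
    if is_ip_literal(host_of(req.target)):
        reasons.append("ip-literal")
    if req.category not in TRUSTED_CATEGORIES:
        reasons.append("untrusted-or-uncategorized")
    if not req.user_agent:
        reasons.append("no-user-agent")
    return reasons


def evaluate(log_text: str, min_hits: int = 3) -> List[Tuple[str, List[str]]]:
    """Lines meeting at least min_hits heuristics (3 = all three, as the post's rule)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = tor_like_reasons(parse_line(line))
        if len(reasons) >= min_hits:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in evaluate(SAMPLE_LOG):
        print("BLOCK-CANDIDATE", line, "->", ", ".join(reasons))
```

Lowering `min_hits` to 2 widens the net (the constructed line with a User-Agent but an IP-literal CONNECT to a "Malicious" category would then also match) at the cost of more false positives, which is the trade-off the post describes; running the check over a day of real logs before turning it into a blocking rule is the practical way to size that risk.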
I looked into the dump and compared it with some traces I did on my network. It seems that the client tries to connect to various IP addresses and also tries different ports. I think first of all you should double check that the TOR traffic is really passing MWG. If I remember correctly I think you are running MWG in one of the transparent modes, which means that non-HTTP ports are not filtered through MWG.
Until I set up very tight firewall rules on my gateway I was able to connect to TOR even when blocking ALL traffic that goes through.
Do you have a client PC to test with? Do you think you can create a rule that looks like
Client.IP equals <ip of test client> then Block
? By doing so it should no longer be possible to access the internet from this client. Once this is achieved, try to launch TOR again and check. If it no longer connects - good. If it still connects, TOR bypasses MWG and we won't have any chance to block it.
You're right. I haven't been able to block it, even with a rule to block all my client IP traffic.
Over the MWG we've got MEF, maybe we could try something on them.