6 Replies Latest reply on Sep 26, 2016 11:31 AM by paul.k

    Detecting TOR (.onion) domains using correlation rules. Need Regex help




      I would like to detect when ever my users try to resolve .onion domains to detect attempts at access to TOR network. I am aware there are TOR lists out there, but they change faster than they can be updated.


      The .onion requests are blocked at DNS level, but I wish to know whenever an attempt is made.


      I am collecting Infoblox DNS logs and I get two fields with searchable data: domain, and DNS - query.


      domain field does not support contains, or regex at correlation rule, DNS-query does.


      When I try to use contains  or regex .onion or .ONION i get two and half problems.


      1. it catches domains that are have .onion in them not just and in .onion. I tried using *.onion but it did not help.
      2. Events in different cases get missed
        1. I wrote regex but it seems to get inconsistent results. (\./(onion)/i)
        2. If the FQDN hos more a child domain EG: www.something.onion vs. something.onion it does not get caught by the regex



      Thank You