2 of 2 people found this helpful
The signature "P2P: Tor-Privoxy Tunnel Detected" can be set to blocking mode to attempt blocking Tor communications. However Tor encryption may change and depending on what application is generating the TOR traffic, it will just look like SSL so connections may not be blocked with this signature.
This is a problem, specially if you are looking to block outbound connections - I believe a better approach to block Tor is to work at the endpoint level, by limiting permissions to users so they cannot install TOR apps, or having some sort of application control/EDR system that can prevent/kill known TOR apps and connections when detected at the endpoint.
If you are looking to block inbound TOR comms, then you can use the many sites available online that will provide you the proxy IP Addresses TOR uses - and you can create FW rules or specific UDS/SNORT sigs to block incoming connections from those IPs