Re: IRC problems with Tor

2008-10-28 Thread David J. Bianco
The idea is that you then configure your IRC client to use 10.40.40.40
(or whatever IP you chose) as the server's IP address.  From your description,
I couldn't tell if you had also done that or not.  If not, that's probably
the reason it's not working.

David

Grozdan wrote:
> I then went to the freenode site and looked up information on how to make
> freenode work with Tor. In the documentation, it said to add the below line
> to my torrc file - http://freenode.net/irc_servers.shtml#tor
>
> mapaddress  10.40.40.40  mejokbp2brhw4omd.onion
>
> and then to restart Tor, which I did. But I keep getting the same response
> from freenode and it doesn't allow me to connect at all.


Re: More GSoC Ideas

2008-03-24 Thread David J. Bianco
Jonathan Addington wrote:

> 2. On *nix systems, make it easy for snort to filter out tor traffic
> on a protocol level. I realize there are plenty of legal uses for
> BitTorrent, Gnutella, etc., but most of them do not require anonymity
> in a strong sense. That is, they can get the same content through http
> (most of the time) anyway, and downloading a Linux distribution (or
> whatever) won't be flagged by most governments/agencies/whatever. It's
> my bandwidth, I have the right to let *others* use it as I see fit.

You probably don't need a whole project for this.  There are already
some Snort rules to detect Tor usage, and if you can detect it, you're
98% of the way to asking Snort to ignore it.

For example, Emerging Threats has a set of snort rules in their policy
section that detect Tor.  Here's one:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; \
flow:established,to_server; \
content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
threshold:type limit, track by_src, count 1, seconds 60; \
classtype:policy-violation; reference:url,tor.eff.org; \
sid:2002950; rev:4;)

Now, you can easily cause this rule to set a flowbit when it fires.  Flow
bits are pretty much just what they sound like: a user-definable status
bit that you can turn on or off for specific network flows (sessions).
In this case, we can add a flowbit called is_tor:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; \
flow:established,to_server; \
content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
threshold:type limit, track by_src, count 1, seconds 60; \
flowbits:set,is_tor; flowbits:noalert; \
classtype:policy-violation; reference:url,tor.eff.org; \
sid:2002950; rev:4;)

Notice the extra flowbits:set,is_tor; flowbits:noalert; line there.
That takes care of both setting the bit and of making sure that this rule
itself doesn't cause an alert to be generated.

For the second part, we can set up a pass rule that will tell snort to
avoid processing that traffic through the rules engine, but only if the
flowbit is_tor is set:

pass tcp any any -> any any (msg:"PASS Tor traffic"; \
flowbits:isset,is_tor; sid:100; rev:1;)

Granted, that first rule may not be the only way to detect Tor traffic, or
even the best way anymore (I'm not sure of the current status of the Tor
protocol).  Also, as written, the ET rule is specifically looking for
clients on your network talking to Tor servers on the Internet, but the
general technique should still hold.  If Snort can detect the Tor traffic,
it can also easily be made to ignore the traffic without having to write
custom code.

David
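
Added example, not part of the original message and not Snort's own code: a toy Python model of the two rules above, showing that the is_tor flowbit is per flow, so the pass rule only skips packets on the session where the content matched, and only after the match. It assumes pass rules are evaluated before alert rules; `other_rules_match`, the EVIL marker and all sample packets are constructed for illustration.

```python
from collections import defaultdict

# Content bytes copied from the rule on the page: "GET /tor/server/"
TOR_CONTENT = bytes.fromhex("47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f")

def flow_key(pkt):
    """Direction-independent session key: both directions share flowbits."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def other_rules_match(pkt):
    """Hypothetical stand-in for the rest of the rule set."""
    return b"EVIL" in pkt["payload"]

def process(packets):
    """Return one verdict per packet: 'pass', 'alert' or 'quiet'."""
    flowbits = defaultdict(set)  # flow key -> names of the bits that are set
    verdicts = []
    for pkt in packets:
        bits = flowbits[flow_key(pkt)]
        # pass rule (flowbits:isset,is_tor), assumed to be evaluated first
        if "is_tor" in bits:
            verdicts.append("pass")
            continue
        # modified ET rule: flowbits:set,is_tor; flowbits:noalert
        if TOR_CONTENT in pkt["payload"]:
            bits.add("is_tor")
        # every other rule still sees this packet
        verdicts.append("alert" if other_rules_match(pkt) else "quiet")
    return verdicts

def mk(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

# Constructed sample traffic (documentation addresses, invented payloads)
SAMPLE = [
    mk("10.0.0.5", 40000, "192.0.2.10", 9030, b"EVIL before the match"),
    mk("10.0.0.5", 40000, "192.0.2.10", 9030, b"GET /tor/server/all HTTP/1.0\r\n"),
    mk("192.0.2.10", 9030, "10.0.0.5", 40000, b"EVIL in the reply"),
    mk("10.0.0.5", 40001, "198.51.100.7", 443, b"EVIL on another flow"),
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, process(SAMPLE)):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  {v}')
```

The fourth packet still alerts even though it comes from the same client, because the bit was set on a different flow.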



Re: List of NODES in IP form

2006-10-10 Thread David J. Bianco
I wrote a little script a while ago that may be useful to you:

http://infosecpotpourri.blogspot.com/2006/08/listing-active-tor-servers.html

Whenever you run it, the script queries one of the authoritative
directory servers and dumps that server's list of known nodes.  A
quick-and-dirty hack, to be sure, but maybe useful to you, even if just
as a starting point for your own code.

David

Mr. Blue wrote:
> Hello,
>
> this is my first post here.
>
> So, client(user) obtains a list of Tor nodes from a
> directory server.
> Now I'm developing web-apps in PHP 5 and I would like
> someone to tell me,
> how to get all IPs of those Tor nodes and put them in
> a .txt file.
> (each IP of a node on a new line in .txt file)
>
> When that .txt file is created my PHP script can start
> utilizing it.
>
> Thanks for a help in advance
>
> Oh, one more question...
> When I use tor and check my IP with some web service,
> it is actually showing IP of a last node.
> Is that correct? ...or not?
>
> Thx...!