[tor-talk] Tor honeypot
Cannon
cannon at cannon-ciota.info
Tue Oct 11 17:48:19 UTC 2016
On 10/11/2016 04:17 PM, Flipchan wrote:
> is ofc not connected to the Tor Network.
What is "ofc" ?
What would be the advantages of having it disconnected from the Tor network? Having the honeypot not listed in the Tor directory servers would only detect scanners or adversaries that identify targets based on port number. If I were an adversary I would just refer to the directory server for listings of Tor routers instead of doing internet-wide scans, which could take up to a day.
If concerned about "normal Tor traffic" acting as a cover for malicious traffic, then perhaps sort log data through a filter omitting traffic based on the following criteria:
1. OMIT traffic to/from known Tor Nodes and their listed ports, WHICH ALSO INCLUDES traffic pattern matching normal Tor traffic.
So what this filter would do is omit traffic between your honeypot node and other Tor nodes, while bringing to attention traffic that is connecting to/from non-Tor routers or non-Tor-related ports, or traffic that may be connecting to other Tor routers/ports but with non-standard Tor traffic.
So even if an adversary is mass hacking Tor from a Tor router as cover, this would likely pick up traffic that is not matching that of standard Tor traffic.
--
Cannon
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
Email: cannon at cannon-ciota.info
Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU
Ricochet-IM: ricochet:hfddt2csxnsb2mdq
NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
If this matters to you, use PGP or bitmessage.
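The filter Cannon sketches above, as an added example that is not part of the thread: it takes a list of known relays and their listed ports (in practice built from the Tor directory consensus; here a constructed sample), reads constructed honeypot connection records in a simple key=value format, omits connections that go to a listed relay on its listed port with the expected protocol shape, and reports everything else with a reason. The `tls` field stands in for whatever protocol fingerprinting the honeypot actually does; the log format, relay list and field names are all assumptions.

```python
"""Sort honeypot connection records against a list of known Tor relays.

Added example, not code from the tor-talk thread. Assumes a key=value
connection log (constructed below) and a relay table that a real deployment
would refresh from the directory consensus, since relays churn constantly.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for "known Tor nodes and their listed ports".
# Keys are relay addresses; values give the ORPort and (optional) DirPort.
KNOWN_RELAYS = {
    "203.0.113.5": {"or": 9001, "dir": 9030},
    "203.0.113.77": {"or": 443, "dir": None},
}

# Constructed connection records. tls=1 means the stream opened with a TLS
# handshake, which is what a Tor OR connection looks like on the wire.
SAMPLE_LOG = """\
ts=2016-10-11T17:00:01Z peer=203.0.113.5 port=9001 dir=out tls=1
ts=2016-10-11T17:00:02Z peer=203.0.113.5 port=9030 dir=out tls=0
ts=2016-10-11T17:00:03Z peer=203.0.113.77 port=443 dir=in tls=1
ts=2016-10-11T17:00:04Z peer=203.0.113.77 port=22 dir=in tls=0
ts=2016-10-11T17:00:05Z peer=198.51.100.9 port=9001 dir=in tls=1
ts=2016-10-11T17:00:06Z peer=203.0.113.5 port=9001 dir=in tls=0
"""


@dataclass
class Conn:
    ts: str
    peer: str
    port: int
    direction: str
    tls: bool


def parse_line(line: str) -> Conn:
    """Parse one key=value record; malformed addresses raise ValueError."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    ipaddress.ip_address(fields["peer"])
    return Conn(
        ts=fields["ts"],
        peer=fields["peer"],
        port=int(fields["port"]),
        direction=fields["dir"],
        tls=fields["tls"] == "1",
    )


def classify(conn: Conn) -> Optional[str]:
    """Return None when the filter omits the record, else the reason to alert.

    Omitted: a listed relay, on its listed port, with the protocol shape that
    port normally carries (TLS on the ORPort, plain HTTP on the DirPort).
    """
    relay = KNOWN_RELAYS.get(conn.peer)
    if relay is None:
        return "peer is not a listed Tor relay"
    if conn.port == relay["or"]:
        return None if conn.tls else "non-TLS stream on a relay's ORPort"
    if relay["dir"] is not None and conn.port == relay["dir"]:
        return None if not conn.tls else "TLS on a DirPort (plain HTTP expected)"
    return "port is not one of the relay's listed ports"


def filter_log(text: str) -> List[Tuple[Conn, str]]:
    """Apply classify() to every record and keep only the ones to surface."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        reason = classify(conn)
        if reason is not None:
            alerts.append((conn, reason))
    return alerts


if __name__ == "__main__":
    for conn, reason in filter_log(SAMPLE_LOG):
        print(f"{conn.ts} {conn.peer}:{conn.port} {conn.direction} -> {reason}")
```

On the sample, the three Tor-shaped connections to listed relays are dropped and the other three are surfaced: an SSH connection from a relay address, a connection from an address that is not in the relay list, and a non-TLS stream aimed at a relay's ORPort. The last case is the one the post cares most about, an adversary using a relay as cover but not speaking Tor; a real fingerprint (certificate shape, cell framing) would replace the single `tls` bit, and the relay table must be regenerated from the current consensus or the filter will start alerting on every freshly listed relay.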