[tor-talk] Tor honeypot
Flipchan
flipchan at riseup.net
Tue Oct 11 18:03:18 UTC 2016
I was thinking about creating a Tor clone and seeing the traffic going to it, something that simulates a Tor relay with a virtual file system.
Cannon <cannon at cannon-ciota.info> wrote: (11 October 2016 19:48:19 CEST)
>On 10/11/2016 04:17 PM, Flipchan wrote:
>> is ofc not connected to the Tor Network.
>
>What is "ofc"?
>What would be the advantages of having it disconnected from the Tor network?
>Having the honeypot not listed in the Tor directory servers would only
>detect scanners or adversaries that identify targets based on port
>number. If I were an adversary I would just refer to the directory
>server for listings of Tor routers instead of doing internet-wide scans,
>which could take up to a day.
>If concerned about "normal Tor traffic" acting as a cover for malicious
>traffic, then perhaps sort log data through a filter omitting traffic
>based on following criteria:
>
>1. OMIT traffic to/from known Tor Nodes and their listed ports, WHICH
>ALSO INCLUDES traffic pattern matching normal Tor traffic.
>
>So what this filter would do is omit traffic between your honeypot node
>and other Tor nodes, while bringing to attention traffic that is
>connecting to/from non Tor routers or non Tor related ports or traffic
>that may be connecting to other Tor routers/ports but with non standard
>Tor traffic.
>
>So even if an adversary is mass hacking Tor from a Tor router as cover,
>this would likely pick up traffic that is not matching that of standard
>Tor traffic.
>--
>
>Cannon
>PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
>Email: cannon at cannon-ciota.info
>Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU
>Ricochet-IM: ricochet:hfddt2csxnsb2mdq
>
>NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD
>BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
>If this matters to you, use PGP or bitmessage.
--
Sincerely, Flipchan
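The filter Cannon sketches above (omit relay-to-relay traffic that looks like Tor, bring everything else to attention) is easy to prototype. The following is an added example, not code from either poster: it assumes a honeypot at 192.0.2.1 with ORPort 9001, a hand-built stand-in for the directory consensus (three relays in RFC 5737 documentation ranges), and a constructed per-connection log whose `tls=` field records whether the peer's first bytes were a TLS handshake, which every Tor link-protocol connection begins with. The relay list and log lines are constructed for the example; a real deployment would load relays from the consensus (for instance with stem) and the flows from the honeypot's own capture.

```python
"""Triage a honeypot relay's connection log along the lines proposed in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed honeypot address and ORPort (192.0.2.0/24 is a documentation range).
HONEYPOT_IP = "192.0.2.1"
HONEYPOT_ORPORT = 9001

# Constructed stand-in for the consensus: (relay IP, listed ORPort) pairs.
KNOWN_RELAYS = {
    ("198.51.100.10", 9001),
    ("198.51.100.11", 443),
    ("203.0.113.5", 9001),
}
KNOWN_RELAY_IPS = {ip for ip, _ in KNOWN_RELAYS}

# Constructed connection log, one TCP connection per line.
SAMPLE_LOG = """\
2016-10-11T18:03:18Z 198.51.100.10:41022 -> 192.0.2.1:9001 tls=yes bytes=10280
2016-10-11T18:03:20Z 203.0.113.77:51234 -> 192.0.2.1:9001 tls=no bytes=62
2016-10-11T18:03:25Z 192.0.2.1:40001 -> 198.51.100.11:443 tls=yes bytes=2056
2016-10-11T18:03:30Z 192.0.2.1:40002 -> 203.0.113.99:22 tls=no bytes=3400
2016-10-11T18:03:40Z 203.0.113.5:39000 -> 192.0.2.1:9001 tls=no bytes=912
2016-10-11T18:04:00Z 198.51.100.99:5555 -> 192.0.2.1:9001 tls=yes bytes=1540
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+) "
    r"tls=(?P<tls>yes|no) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tls: bool
    nbytes: int


def parse_line(line: str) -> Flow:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Flow(m["ts"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                m["tls"] == "yes", int(m["bytes"]))


def peer_is_tor(flow: Flow) -> bool:
    """Rule 1 from the thread: is the other endpoint a listed relay on a listed port?"""
    if flow.src_ip == HONEYPOT_IP:          # outbound: the relay's listed ORPort must match
        return (flow.dst_ip, flow.dst_port) in KNOWN_RELAYS
    if flow.dst_ip == HONEYPOT_IP:          # inbound: remote source port is ephemeral,
        # so the listed port that matters is our own ORPort.
        return flow.src_ip in KNOWN_RELAY_IPS and flow.dst_port == HONEYPOT_ORPORT
    return False


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason): 'omit' for ordinary relay-to-relay traffic,
    'review' for everything the thread says should be brought to attention."""
    tor_peer = peer_is_tor(flow)
    if tor_peer and flow.tls:
        return "omit", "known relay, listed port, TLS link handshake"
    if tor_peer:
        # The "Tor router as cover" case: endpoints look right, pattern does not.
        return "review", "known relay but non-Tor traffic pattern (no TLS)"
    if flow.dst_ip == HONEYPOT_IP and flow.dst_port != HONEYPOT_ORPORT:
        return "review", "inbound to a non-Tor port on the honeypot"
    if flow.dst_ip == HONEYPOT_IP:
        # Would also catch ordinary clients if the honeypot were actually listed.
        return "review", "inbound to ORPort from an unlisted address"
    return "review", "outbound to a non-relay endpoint (possible compromise or beacon)"


def triage(log_text: str) -> list[tuple[Flow, str, str]]:
    results = []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_line(line)
            results.append((flow, *classify(flow)))
    return results


def flagged(log_text: str) -> list[Flow]:
    return [f for f, verdict, _ in triage(log_text) if verdict == "review"]


if __name__ == "__main__":
    for flow, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:6} {flow.src_ip}:{flow.src_port} -> "
              f"{flow.dst_ip}:{flow.dst_port}  {reason}")
```

On the sample log this omits the two relay-to-relay TLS connections and flags the other four: a plaintext probe of the ORPort, an outbound SSH connection the honeypot should never make, a listed relay speaking non-TLS to the ORPort, and a TLS connection from an address not in the relay list. The TLS check is a deliberately coarse stand-in for "traffic pattern matching normal Tor traffic"; a fuller version would also look at the handshake (Tor's link protocol negotiates VERSIONS cells after TLS) before trusting the peer.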