This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network. However, the entry will demonstrate how to create a set of Tor server IP addresses to parse network flow using SiLK (System for Internet-Level Knowledge) in order to determine if the network flow is a match. It is assumed you have downloaded, compiled and installed SiLK, YaF, and libfixbuf. Please see prior posts on this topic or the respective documentation for installation help if needed.
We need to obtain the current list of Tor servers and place them in a
file. We will then parse the destination IP addresses which will be
placed into a SiLK set using the SiLK rwsetbuild
command. Creating an
IP set will allow us to use rwfilter to specify what IP addresses
should match outgoing network traffic. A Perl script from here makes
quick work of downloading the current Tor server list.
#!/usr/bin/perl
#
# Fetch the list of known Tor servers (from an existing Tor server) and
# display some of the basic info for each router.
use LWP::Simple;
# Hostname of an existing Tor router. We use one of the directory authorities
# since that's pretty much what they're for.
$INITIAL_TOR_SERVER = "193.23.244.244"; # http://dannenberg.ccc.de/tor/status/all
$DIR_PORT = 80;
# Fetch the list of servers
$content = get("http://$INITIAL_TOR_SERVER:$DIR_PORT/tor/status/all");
@lines = split /\n/,$content;
foreach $router (@lines) {
if($router =~ m/^r\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+(\d+)$/) {
($name, $address, $or_port, $directory_port, $update_time) =
($1, $5, $6, $7, $4);
print "$name | $address | $or_port | $directory_port | $update_time\n";
}
}
Now that we have the current Tor server list, we can parse the Tor IP addresses. While you can modify the Perl script to only display the Tor server IP addresses, I still like to sort and parse for unique addresses as there are could be duplicates. You could also specify what type of Tor IP addresses you would like, i.e. exit, active, etc. Further, it is not bad to have a reference to determine what ports are associated with which addresses. Useful for more advanced queries.
$ awk -F "|" '{ print $2 }' exit-addresses | awk '{sub(/^[ \t]+/, "")};1' |sort|uniq > tor.txt
We convert the file containing the Tor server IP addresses to a set using the following command:
$ rwsetbuild tor.txt tor-servers.set
Typically, network flow would have already been captured for retrospective analysis, but for example sake, we will use a packet capture which already contains Tor traffic. We first convert our captured traffic to a YaF formatted file. This example PCAP may be downloaded from CloudShark.
$ /usr/local/bin/yaf --in tor.pcap --out ~/tor.yaf --filter="port 443" --applabel --applabel-rules=/usr/local/etc/yafApplabelRules.conf --max-payload=4000 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --plugin-opts="443" --lock &
Next, we convert the YaF format file to an IPFIX formatted file.
$ rwipfix2silk --silk-output=tor.rw tor.yaf
This rwfilter query parses for the data we are looking for and places in a binary file. We can write to standard out but I usually end up running additional queries using tools such as rwcut and rwstats so it is much faster to work from the smaller binary file, verse running the original query again.
$ rwfilter --start-date=2013/12/30 --end-date=2013/12/30 --dipset=tor-servers.set --proto=0- --type=all --pass=tor2.bin tor.rw
We parse the SiLK records we are interested in seeing to standard out via the rwcut command. Note the use of the cut command to minimize the white-space prefixing the output.
$ rwcut tor2.bin|cut -c26-
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime|sen|
10.0.0.126| 198.27.97.223|38946| 443| 6| 30| 8497|FS PA |2013/12/30T20:20:21.336| 76.182|2013/12/30T20:21:37.518| S0|
198.27.97.223| 10.0.0.126| 443|38946| 6| 32| 28802|FS PA |2013/12/30T20:20:21.381| 76.137|2013/12/30T20:21:37.518| S0|
10.0.0.126| 96.127.153.58|42529| 443| 6| 27| 8341|FS PA |2013/12/30T20:20:22.190| 75.341|2013/12/30T20:21:37.531| S0|
96.127.153.58| 10.0.0.126| 443|42529| 6| 30| 26678|FS PA |2013/12/30T20:20:22.232| 75.299|2013/12/30T20:21:37.531| S0|
10.0.0.126| 192.151.147.5|44384| 443| 6| 14| 3502|FS PA |2013/12/30T20:20:26.486| 71.052|2013/12/30T20:21:37.538| S0|
192.151.147.5| 10.0.0.126| 443|44384| 6| 14| 4819|FS PA |2013/12/30T20:20:26.535| 71.003|2013/12/30T20:21:37.538| S0|
10.0.0.126| 66.18.12.197|49341| 443| 6| 28| 8475|FS PA |2013/12/30T20:20:21.426| 76.125|2013/12/30T20:21:37.551| S0|
66.18.12.197| 10.0.0.126| 443|49341| 6| 29| 26805|FS PA |2013/12/30T20:20:21.471| 76.080|2013/12/30T20:21:37.551| S0|
10.0.0.126| 64.62.249.222|40742| 443| 6| 30| 8159|FS PA |2013/12/30T20:20:21.375| 76.208|2013/12/30T20:21:37.583| S0|
64.62.249.222| 10.0.0.126| 443|40742| 6| 32| 28493|FS PA |2013/12/30T20:20:21.461| 76.122|2013/12/30T20:21:37.583| S0|
10.0.0.126| 212.83.158.173|40825| 443| 6| 28| 8394|FS PA |2013/12/30T20:20:22.079| 75.506|2013/12/30T20:21:37.585| S0|
212.83.158.173| 10.0.0.126| 443|40825| 6| 31| 28867|FS PA |2013/12/30T20:20:22.180| 75.405|2013/12/30T20:21:37.585| S0|
10.0.0.126| 212.83.155.250|55603| 443| 6| 29| 8454|FS PA |2013/12/30T20:20:22.196| 75.389|2013/12/30T20:21:37.585| S0|
212.83.155.250| 10.0.0.126| 443|55603| 6| 31| 27840|FS PA |2013/12/30T20:20:22.290| 75.295|2013/12/30T20:21:37.585| S0|
10.0.0.126| 212.83.140.45|46797| 443| 6| 29| 8455|FS PA |2013/12/30T20:20:21.342| 76.245|2013/12/30T20:21:37.587| S0|
212.83.140.45| 10.0.0.126| 443|46797| 6| 30| 26648|FS PA |2013/12/30T20:20:21.439| 76.148|2013/12/30T20:21:37.587| S0|
10.0.0.126| 212.83.158.50|50935| 443| 6| 31| 8567|FS PA |2013/12/30T20:20:21.396| 76.191|2013/12/30T20:21:37.587| S0|
212.83.158.50| 10.0.0.126| 443|50935| 6| 30| 26145|FS PA |2013/12/30T20:20:21.492| 76.095|2013/12/30T20:21:37.587| S0|
10.0.0.126| 212.83.158.40|33170| 443| 6| 29| 8459|FS PA |2013/12/30T20:20:22.088| 75.506|2013/12/30T20:21:37.594| S0|
212.83.158.40| 10.0.0.126| 443|33170| 6| 33| 28930|FS PA |2013/12/30T20:20:23.199| 74.395|2013/12/30T20:21:37.594| S0|
10.0.0.126| 212.83.158.5|37960| 443| 6| 27| 8342|FS PA |2013/12/30T20:20:21.415| 76.187|2013/12/30T20:21:37.602| S0|
212.83.158.5| 10.0.0.126| 443|37960| 6| 32| 26758|FS PA |2013/12/30T20:20:21.517| 76.085|2013/12/30T20:21:37.602| S0|
10.0.0.126| 31.7.186.228|44997| 443| 6| 26| 8294|FS PA |2013/12/30T20:20:21.377| 76.227|2013/12/30T20:21:37.604| S0|
31.7.186.228| 10.0.0.126| 443|44997| 6| 34| 29440|FS PA |2013/12/30T20:20:21.486| 76.118|2013/12/30T20:21:37.604| S0|
10.0.0.126| 216.66.85.146|50817| 443| 6| 15| 3379|FS PA |2013/12/30T20:21:34.492| 3.114|2013/12/30T20:21:37.606| S0|
216.66.85.146| 10.0.0.126| 443|50817| 6| 15| 6866|FS PA |2013/12/30T20:21:34.590| 3.016|2013/12/30T20:21:37.606| S0|
10.0.0.126| 178.254.35.132|50724| 443| 6| 20| 5347|FS PA |2013/12/30T20:20:33.494| 64.117|2013/12/30T20:21:37.611| S0|
178.254.35.132| 10.0.0.126| 443|50724| 6| 23| 16358|FS PA |2013/12/30T20:20:33.595| 64.016|2013/12/30T20:21:37.611| S0|
10.0.0.126| 188.40.98.96|54796| 443| 6| 30| 8565|FS PA |2013/12/30T20:20:21.380| 76.231|2013/12/30T20:21:37.611| S0|
188.40.98.96| 10.0.0.126| 443|54796| 6| 32| 27966|FS PA |2013/12/30T20:20:21.494| 76.117|2013/12/30T20:21:37.611| S0|
10.0.0.126| 80.100.45.156|60680| 443| 6| 30| 8578|FS PA |2013/12/30T20:20:21.386| 76.228|2013/12/30T20:21:37.614| S0|
80.100.45.156| 10.0.0.126| 443|60680| 6| 31| 28447|FS PA |2013/12/30T20:20:21.496| 76.118|2013/12/30T20:21:37.614| S0|
10.0.0.126| 91.143.91.174|39275| 443| 6| 23| 8209|FS PA |2013/12/30T20:20:22.185| 75.435|2013/12/30T20:21:37.620| S0|
91.143.91.174| 10.0.0.126| 443|39275| 6| 33| 28626|FS PA |2013/12/30T20:20:22.312| 75.308|2013/12/30T20:21:37.620| S0|
10.0.0.126| 85.17.122.80|43989| 443| 6| 29| 8457|FS PA |2013/12/30T20:20:21.418| 76.202|2013/12/30T20:21:37.620| S0|
85.17.122.80| 10.0.0.126| 443|43989| 6| 32| 28409|FS PA |2013/12/30T20:20:21.539| 76.081|2013/12/30T20:21:37.620| S0|
10.0.0.126| 88.159.20.120|49609| 443| 6| 31| 8633|FS PA |2013/12/30T20:20:21.412| 76.208|2013/12/30T20:21:37.620| S0|
88.159.20.120| 10.0.0.126| 443|49609| 6| 34| 29194|FS PA |2013/12/30T20:20:21.513| 76.107|2013/12/30T20:21:37.620| S0|
10.0.0.126| 37.59.150.178|47658| 443| 6| 30| 8516|FS PA |2013/12/30T20:20:21.399| 76.223|2013/12/30T20:21:37.622| S0|
37.59.150.178| 10.0.0.126| 443|47658| 6| 33| 29412|FS PA |2013/12/30T20:20:21.513| 76.109|2013/12/30T20:21:37.622| S0|
10.0.0.126| 91.219.237.229|35498| 443| 6| 15| 3616|FS PA |2013/12/30T20:21:34.489| 3.134|2013/12/30T20:21:37.623| S0|
91.219.237.229| 10.0.0.126| 443|35498| 6| 14| 7664|FS PA |2013/12/30T20:21:34.614| 3.009|2013/12/30T20:21:37.623| S0|
10.0.0.126| 95.211.225.167|57656| 443| 6| 27| 8359|FS PA |2013/12/30T20:20:21.345| 76.280|2013/12/30T20:21:37.625| S0|
95.211.225.167| 10.0.0.126| 443|57656| 6| 33| 27948|FS PA |2013/12/30T20:20:21.475| 76.150|2013/12/30T20:21:37.625| S0|
10.0.0.126| 82.96.35.7|58655| 443| 6| 15| 3563|FS PA |2013/12/30T20:21:34.486| 3.147|2013/12/30T20:21:37.633| S0|
82.96.35.7| 10.0.0.126| 443|58655| 6| 13| 7445|FS PA |2013/12/30T20:21:34.629| 3.004|2013/12/30T20:21:37.633| S0|
10.0.0.126| 83.140.59.2|45720| 443| 6| 22| 8160|FS PA |2013/12/30T20:20:21.745| 75.888|2013/12/30T20:21:37.633| S0|
83.140.59.2| 10.0.0.126| 443|45720| 6| 30| 27422|FS PA |2013/12/30T20:20:21.887| 75.746|2013/12/30T20:21:37.633| S0|
10.0.0.126| 82.96.35.8|42995| 443| 6| 28| 8414|FS PA |2013/12/30T20:20:21.339| 76.302|2013/12/30T20:21:37.641| S0|
82.96.35.8| 10.0.0.126| 443|42995| 6| 33| 28927|FS PA |2013/12/30T20:20:21.479| 76.162|2013/12/30T20:21:37.641| S0|
10.0.0.126| 93.180.156.45|47282| 443| 6| 33| 8671|FS PA |2013/12/30T20:20:21.421| 76.223|2013/12/30T20:21:37.644| S0|
93.180.156.45| 10.0.0.126| 443|47282| 6| 39| 31370|FS PA |2013/12/30T20:20:21.562| 76.082|2013/12/30T20:21:37.644| S0|
10.0.0.126| 81.218.109.195|60000| 443| 6| 29| 8460|FS PA |2013/12/30T20:20:21.383| 76.277|2013/12/30T20:21:37.660| S0|
81.218.109.195| 10.0.0.126| 443|60000| 6| 32| 27852|FS PA |2013/12/30T20:20:21.535| 76.125|2013/12/30T20:21:37.660| S0|
10.0.0.126| 31.172.30.4|35914| 443| 6| 36| 8922|FS PA |2013/12/30T20:20:22.146| 75.538|2013/12/30T20:21:37.684| S0|
31.172.30.4| 10.0.0.126| 443|35914| 6| 34| 32082|FS PA |2013/12/30T20:20:22.271| 75.413|2013/12/30T20:21:37.684| S0|
10.0.0.126| 50.7.194.122|38522| 443| 6| 20| 5384|FS PA |2013/12/30T20:20:33.487| 64.202|2013/12/30T20:21:37.689| S0|
50.7.194.122| 10.0.0.126| 443|38522| 6| 17| 9223|FS PA |2013/12/30T20:20:33.671| 64.018|2013/12/30T20:21:37.689| S0|
With the next query, we adjust the type of traffic we want to look at to only outgoing traffic to the Tor servers instead of the previously displayed bi-directional traffic.
$ rwfilter --dipset=tor-servers.set --proto=0- --type=out --pass=tor.bin tor.rw
Again, we parse the SiLK records. Again, note the use of the cut command to minimize the white-space prefix the first column of data. The reason for this is there are additional columns of data not displayed by default. Checkout the rwcut man page for other columns data that may be of interest.
$ rwcut tor.bin |cut -c30-
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime|sen|
10.0.0.126| 198.27.97.223|38946| 443| 6| 30| 8497|FS PA |2013/12/30T20:20:21.336| 76.182|2013/12/30T20:21:37.518| S0|
10.0.0.126| 96.127.153.58|42529| 443| 6| 27| 8341|FS PA |2013/12/30T20:20:22.190| 75.341|2013/12/30T20:21:37.531| S0|
10.0.0.126| 192.151.147.5|44384| 443| 6| 14| 3502|FS PA |2013/12/30T20:20:26.486| 71.052|2013/12/30T20:21:37.538| S0|
10.0.0.126| 66.18.12.197|49341| 443| 6| 28| 8475|FS PA |2013/12/30T20:20:21.426| 76.125|2013/12/30T20:21:37.551| S0|
10.0.0.126| 64.62.249.222|40742| 443| 6| 30| 8159|FS PA |2013/12/30T20:20:21.375| 76.208|2013/12/30T20:21:37.583| S0|
10.0.0.126| 212.83.158.173|40825| 443| 6| 28| 8394|FS PA |2013/12/30T20:20:22.079| 75.506|2013/12/30T20:21:37.585| S0|
10.0.0.126| 212.83.155.250|55603| 443| 6| 29| 8454|FS PA |2013/12/30T20:20:22.196| 75.389|2013/12/30T20:21:37.585| S0|
10.0.0.126| 212.83.140.45|46797| 443| 6| 29| 8455|FS PA |2013/12/30T20:20:21.342| 76.245|2013/12/30T20:21:37.587| S0|
10.0.0.126| 212.83.158.50|50935| 443| 6| 31| 8567|FS PA |2013/12/30T20:20:21.396| 76.191|2013/12/30T20:21:37.587| S0|
10.0.0.126| 212.83.158.40|33170| 443| 6| 29| 8459|FS PA |2013/12/30T20:20:22.088| 75.506|2013/12/30T20:21:37.594| S0|
10.0.0.126| 212.83.158.5|37960| 443| 6| 27| 8342|FS PA |2013/12/30T20:20:21.415| 76.187|2013/12/30T20:21:37.602| S0|
10.0.0.126| 31.7.186.228|44997| 443| 6| 26| 8294|FS PA |2013/12/30T20:20:21.377| 76.227|2013/12/30T20:21:37.604| S0|
10.0.0.126| 216.66.85.146|50817| 443| 6| 15| 3379|FS PA |2013/12/30T20:21:34.492| 3.114|2013/12/30T20:21:37.606| S0|
10.0.0.126| 178.254.35.132|50724| 443| 6| 20| 5347|FS PA |2013/12/30T20:20:33.494| 64.117|2013/12/30T20:21:37.611| S0|
10.0.0.126| 188.40.98.96|54796| 443| 6| 30| 8565|FS PA |2013/12/30T20:20:21.380| 76.231|2013/12/30T20:21:37.611| S0|
10.0.0.126| 80.100.45.156|60680| 443| 6| 30| 8578|FS PA |2013/12/30T20:20:21.386| 76.228|2013/12/30T20:21:37.614| S0|
10.0.0.126| 91.143.91.174|39275| 443| 6| 23| 8209|FS PA |2013/12/30T20:20:22.185| 75.435|2013/12/30T20:21:37.620| S0|
10.0.0.126| 85.17.122.80|43989| 443| 6| 29| 8457|FS PA |2013/12/30T20:20:21.418| 76.202|2013/12/30T20:21:37.620| S0|
10.0.0.126| 88.159.20.120|49609| 443| 6| 31| 8633|FS PA |2013/12/30T20:20:21.412| 76.208|2013/12/30T20:21:37.620| S0|
10.0.0.126| 37.59.150.178|47658| 443| 6| 30| 8516|FS PA |2013/12/30T20:20:21.399| 76.223|2013/12/30T20:21:37.622| S0|
10.0.0.126| 91.219.237.229|35498| 443| 6| 15| 3616|FS PA |2013/12/30T20:21:34.489| 3.134|2013/12/30T20:21:37.623| S0|
10.0.0.126| 95.211.225.167|57656| 443| 6| 27| 8359|FS PA |2013/12/30T20:20:21.345| 76.280|2013/12/30T20:21:37.625| S0|
10.0.0.126| 82.96.35.7|58655| 443| 6| 15| 3563|FS PA |2013/12/30T20:21:34.486| 3.147|2013/12/30T20:21:37.633| S0|
10.0.0.126| 83.140.59.2|45720| 443| 6| 22| 8160|FS PA |2013/12/30T20:20:21.745| 75.888|2013/12/30T20:21:37.633| S0|
10.0.0.126| 82.96.35.8|42995| 443| 6| 28| 8414|FS PA |2013/12/30T20:20:21.339| 76.302|2013/12/30T20:21:37.641| S0|
10.0.0.126| 93.180.156.45|47282| 443| 6| 33| 8671|FS PA |2013/12/30T20:20:21.421| 76.223|2013/12/30T20:21:37.644| S0|
10.0.0.126| 81.218.109.195|60000| 443| 6| 29| 8460|FS PA |2013/12/30T20:20:21.383| 76.277|2013/12/30T20:21:37.660| S0|
10.0.0.126| 31.172.30.4|35914| 443| 6| 36| 8922|FS PA |2013/12/30T20:20:22.146| 75.538|2013/12/30T20:21:37.684| S0|
10.0.0.126| 50.7.194.122|38522| 443| 6| 20| 5384|FS PA |2013/12/30T20:20:33.487| 64.202|2013/12/30T20:21:37.689| S0|
Lastly, we take a look at the reverse entries. As you can see, it is apparent that some of the hosts have Tor tertiary domain names which suggests that some of the flows may be destined for Tor servers.
$ rwcut tor.bin |rwresolve |cut -c30-
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime|sen|
10.0.0.126|198.27.97.223.vpsrealm.com|38946| 443| 6| 30| 8497|FS PA |2013/12/30T20:20:21.336| 76.182|2013/12/30T20:21:37.518| S0|
10.0.0.126|xxviii.example.tld|42529| 443| 6| 27| 8341|FS PA |2013/12/30T20:20:22.190| 75.341|2013/12/30T20:21:37.531| S0|
10.0.0.126|tor.koehn.com|44384| 443| 6| 14| 3502|FS PA |2013/12/30T20:20:26.486| 71.052|2013/12/30T20:21:37.538| S0|
10.0.0.126| 66.18.12.197|49341| 443| 6| 28| 8475|FS PA |2013/12/30T20:20:21.426| 76.125|2013/12/30T20:21:37.551| S0|
10.0.0.126|hecustomer.10gigabitethernet8-1.core1.pao1.he.net|40742| 443| 6| 30| 8159|FS PA |2013/12/30T20:20:21.375| 76.208|2013/12/30T20:21:37.583| S0|
10.0.0.126|n5.servbr.net|40825| 443| 6| 28| 8394|FS PA |2013/12/30T20:20:22.079| 75.506|2013/12/30T20:21:37.585| S0|
10.0.0.126|n15.servbr.net|55603| 443| 6| 29| 8454|FS PA |2013/12/30T20:20:22.196| 75.389|2013/12/30T20:21:37.585| S0|
10.0.0.126|212-83-140-45.rev.poneytelecom.eu|46797| 443| 6| 29| 8455|FS PA |2013/12/30T20:20:21.342| 76.245|2013/12/30T20:21:37.587| S0|
10.0.0.126|n13.servbr.net|50935| 443| 6| 31| 8567|FS PA |2013/12/30T20:20:21.396| 76.191|2013/12/30T20:21:37.587| S0|
10.0.0.126|n12.servbr.net|33170| 443| 6| 29| 8459|FS PA |2013/12/30T20:20:22.088| 75.506|2013/12/30T20:21:37.594| S0|
10.0.0.126|n10.servbr.net|37960| 443| 6| 27| 8342|FS PA |2013/12/30T20:20:21.415| 76.187|2013/12/30T20:21:37.602| S0|
10.0.0.126| 31.7.186.228|44997| 443| 6| 26| 8294|FS PA |2013/12/30T20:20:21.377| 76.227|2013/12/30T20:21:37.604| S0|
10.0.0.126|hecustomer.10gigabitethernet1-2.core1.ams1.he.net|50817| 443| 6| 15| 3379|FS PA |2013/12/30T20:21:34.492| 3.114|2013/12/30T20:21:37.606| S0|
10.0.0.126|v37433.1blu.de|50724| 443| 6| 20| 5347|FS PA |2013/12/30T20:20:33.494| 64.117|2013/12/30T20:21:37.611| S0|
10.0.0.126|static.188-40-98-96.clients.your-server.de|54796| 443| 6| 30| 8565|FS PA |2013/12/30T20:20:21.380| 76.231|2013/12/30T20:21:37.611| S0|
10.0.0.126|a80-100-45-156.adsl.xs4all.nl|60680| 443| 6| 30| 8578|FS PA |2013/12/30T20:20:21.386| 76.228|2013/12/30T20:21:37.614| S0|
10.0.0.126|91.143.91.174|39275| 443| 6| 23| 8209|FS PA |2013/12/30T20:20:22.185| 75.435|2013/12/30T20:21:37.620| S0|
10.0.0.126| 85.17.122.80|43989| 443| 6| 29| 8457|FS PA |2013/12/30T20:20:21.418| 76.202|2013/12/30T20:21:37.620| S0|
10.0.0.126|120-20-159-88.business.edutel.nl|49609| 443| 6| 31| 8633|FS PA |2013/12/30T20:20:21.412| 76.208|2013/12/30T20:21:37.620| S0|
10.0.0.126|37-59-150-178.static-ip.hostplanet.me|47658| 443| 6| 30| 8516|FS PA |2013/12/30T20:20:21.399| 76.223|2013/12/30T20:21:37.622| S0|
10.0.0.126|sa0111.azar-a.net|35498| 443| 6| 15| 3616|FS PA |2013/12/30T20:21:34.489| 3.134|2013/12/30T20:21:37.623| S0|
10.0.0.126|greendale.badexample.net|57656| 443| 6| 27| 8359|FS PA |2013/12/30T20:20:21.345| 76.280|2013/12/30T20:21:37.625| S0|
10.0.0.126|luftgitarr.mooo.se|58655| 443| 6| 15| 3563|FS PA |2013/12/30T20:21:34.486| 3.147|2013/12/30T20:21:37.633| S0|
10.0.0.126|kimya.mooo.se|45720| 443| 6| 22| 8160|FS PA |2013/12/30T20:20:21.745| 75.888|2013/12/30T20:21:37.633| S0|
10.0.0.126|junis.mooo.se|42995| 443| 6| 28| 8414|FS PA |2013/12/30T20:20:21.339| 76.302|2013/12/30T20:21:37.641| S0|
10.0.0.126|tor.b0red.de|47282| 443| 6| 33| 8671|FS PA |2013/12/30T20:20:21.421| 76.223|2013/12/30T20:21:37.644| S0|
10.0.0.126|195.ab4.interhost.co.il|60000| 443| 6| 29| 8460|FS PA |2013/12/30T20:20:21.383| 76.277|2013/12/30T20:21:37.660| S0|
10.0.0.126|tor21.anonymizer.ccc.de|35914| 443| 6| 36| 8922|FS PA |2013/12/30T20:20:22.146| 75.538|2013/12/30T20:21:37.684| S0|
10.0.0.126|torsrvl.snydernet.net|38522| 443| 6| 20| 5384|FS PA |2013/12/30T20:20:33.487| 64.202|2013/12/30T20:21:37.689| S0|
Or we can use the rwuniq command to list the unique destinations, again piping through rwresolve:
$ rwuniq --fields=2 --no-columns tor.bin |rwresolve
dIP|Records|
luftgitarr.mooo.se|1|
tor.b0red.de|1|
junis.mooo.se|1|
31.7.186.228|1|
tor21.anonymizer.ccc.de|1|
xxviii.example.tld|1|
tor.koehn.com|1|
n15.servbr.net|1|
a80-100-45-156.adsl.xs4all.nl|1|
n13.servbr.net|1|
120-20-159-88.business.edutel.nl|1|
91.143.91.174|1|
195.ab4.interhost.co.il|1|
37-59-150-178.static-ip.hostplanet.me|1|
sa0111.azar-a.net|1|
static.188-40-98-96.clients.your-server.de|1|
n5.servbr.net|1|
torsrvl.snydernet.net|1|
198.27.97.223.vpsrealm.com|1|
66.18.12.197|1|
v37433.1blu.de|1|
hecustomer.10gigabitethernet1-2.core1.ams1.he.net|1|
212-83-140-45.rev.poneytelecom.eu|1|
kimya.mooo.se|1|
85.17.122.80|1|
n12.servbr.net|1|
greendale.badexample.net|1|
n10.servbr.net|1|
hecustomer.10gigabitethernet8-1.core1.pao1.he.net|1|
In conclusion, using SiLK we can provide retrospective analysis to determine if traffic may be destined for Tor servers. While not a definitive method of detection as there could be false-positives due to hosting of legitimate services on Tor servers, it is a quick method to get some insight. As usual, please leave a comment below if you have any questions or comments.
Comments
comments powered by Disqus