Any tips, guides, or searches on how to detect TOR traffic?
I found only:
1) ES Content Update
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
2) Splunk Security Essentials for Ransomware
index=* ((tag=network tag=communicate) OR (sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa OR sourcetype=stream* )) app=tor src_ip=* | table _time src_ip src_port dest_ip dest_port bytes app
But I don't understand why they do not work. I'm a very green noob in Splunk and only studying, and after my manipulating with these rules I did not get results.
Maybe there are some other rules that I do not know about.
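Both searches above only return rows when the firewall has already populated the `app` field with `tor` (Palo Alto App-ID does this; many sources never set that field, which is one common reason the searches come back empty). The following Python script, an added example that is not from the original post or from the Splunk content packs, shows the same detection logic over a few constructed key=value firewall log lines: the `app=tor` signal first, then the two fallbacks a lookup-based search would use, a relay-IP list and Tor's default ORPort/DirPort values. The relay IPs in it are constructed placeholder addresses, not real relays, and the aggregation at the end mirrors what the `tstats` search computes per source/destination pair.

```python
"""Tor-traffic detection over firewall logs (added example, plain Python).

Signals, strongest to weakest:
  1. app=tor          - firewall application identification already labelled it
  2. dest_ip in list  - destination is a known relay (list below is a placeholder)
  3. dest_port        - Tor default ORPort 9001 / DirPort 9030; weak on its own,
                        many relays and bridges use 443 or other ports
"""
import re
from collections import Counter
from dataclasses import dataclass

TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed placeholder list (TEST-NET addresses), standing in for a real relay feed.
TOR_RELAY_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed sample events in the key=value style the posted searches expect.
SAMPLE_LOGS = [
    "_time=2024-01-01T10:00:00 src_ip=10.0.0.5 src_port=51000 dest_ip=203.0.113.10 dest_port=443 app=tor action=allowed bytes=12000",
    "_time=2024-01-01T10:00:05 src_ip=10.0.0.7 src_port=51001 dest_ip=198.51.100.77 dest_port=9001 app=ssl action=allowed bytes=800",
    "_time=2024-01-01T10:00:09 src_ip=10.0.0.9 src_port=51002 dest_ip=192.0.2.20 dest_port=443 app=ssl action=allowed bytes=500",
    "_time=2024-01-01T10:00:12 src_ip=10.0.0.5 src_port=51003 dest_ip=203.0.113.10 dest_port=443 app=tor action=blocked bytes=0",
    "_time=2024-01-01T10:00:15 src_ip=10.0.0.4 src_port=51004 dest_ip=192.0.2.40 dest_port=9030 app=web-browsing action=allowed bytes=300",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    src_ip: str
    dest_ip: str
    dest_port: int
    reasons: tuple


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (like Splunk's automatic field extraction)."""
    return dict(KV_RE.findall(line))


def classify(event: dict, relay_ips=TOR_RELAY_IPS) -> list:
    """Return the list of Tor indicators that match this event (empty if none)."""
    reasons = []
    if event.get("app") == "tor":
        reasons.append("app=tor")
    if event.get("dest_ip") in relay_ips:
        reasons.append("dest_ip in relay list")
    port = int(event.get("dest_port", 0))
    if port in TOR_DEFAULT_PORTS:
        reasons.append(f"dest_port {port} is a Tor default")
    return reasons


def detect_tor(lines, relay_ips=TOR_RELAY_IPS, allowed_only=True) -> list:
    """Scan log lines and return Finding objects; by default only allowed traffic,
    matching the action=allowed filter in the ES search."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if allowed_only and ev.get("action") != "allowed":
            continue
        reasons = classify(ev, relay_ips)
        if reasons:
            findings.append(Finding(ev["src_ip"], ev["dest_ip"], int(ev["dest_port"]), tuple(reasons)))
    return findings


def summarize(findings) -> dict:
    """Count hits per (src_ip, dest_ip, dest_port), like the tstats ... by clause."""
    return dict(Counter((f.src_ip, f.dest_ip, f.dest_port) for f in findings))


if __name__ == "__main__":
    for f in detect_tor(SAMPLE_LOGS):
        print(f"{f.src_ip} -> {f.dest_ip}:{f.dest_port}  {', '.join(f.reasons)}")
    print(summarize(detect_tor(SAMPLE_LOGS)))
```

Run as-is it flags three of the five sample events and skips the blocked one; the last hit rests only on the destination port, which is the kind of row you would want a second indicator on before alerting. In Splunk the equivalent of the relay-list check is a CSV lookup against `dest_ip`, which works even when the firewall never sets `app=tor`.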