Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Alecks Gates
I am receiving more and more trouble from running an exit node here. Perhaps we should refuse to support US legislation? On 10/04/2016 06:35 PM, Green Dream wrote: > @keb: > >> It is not our problem if someone uses >> the telecom network to read/write data to a vulnerable server - it is >> the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Green Dream
@keb: > It is not our problem if someone uses > the telecom network to read/write data to a vulnerable server - it is > the vulnerable server's problem to fix. Sounds great, but this is not how it works in the real world. > The ISP (and Tor network) are > only responsible for delivering the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Alecks Gates
Is the distinction between knowledge after the fact and knowledge at the time of occurrence of "bad traffic" not important? I'm all for reducing bad traffic, but where does the line get drawn? I've also been dealing with multiple abuse reports on Digital Ocean. Quite a few common abuse ports are

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
What should a tor exit op do? Ban the user? Exits get the traffic from middle nodes and we can't tell (by design) who anyone is. We can block IPs but that is not really helping with bots who try to find vulnerabilities and scan large blocks. markus Sent from my iPad > On 4 Oct 2016, at

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
If I understand that well ... if tor operator is aware, that his tor node is used for illegal activity (when their ISP told them about that) and he's not going to do anything about that, he won't be guilty by complicity? "On 04.10.16 22:37, oco...@email.cz wrote: > Tor and IPS has both its own

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Ralph Seichter
On 04.10.16 22:37, oco...@email.cz wrote: > Tor and IPS has both its own nature and you shouldn't be punished, if > your intention was just to filter the bad traffic. And who is to decide what constitutes "bad traffic"? I am not a lawyer, but in Germany one of the cornerstones of not being held

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
Everything is easy when you hit the base of the problem and you're able to change it. I don't know what kind of community gathers here. Let's see where the discussion leads. Petr "Just for shits and giggles: Do you have a good, easy, workable solution to this complex problem? Markus

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
This is really interesting. I just don't understand, how you can be responsible for the traffic, when you use the IPS. Tor and IPS has both its own nature and you shouldn't be punished, if your intention was just to filter the bad traffic. Can you be more specific about some real case, when

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Just for shits and giggles: Do you have a good, easy, workable solution to this complex problem? Markus 2016-10-04 22:19 GMT+02:00 : > And I'm not against you (tor admins/operators) ;) > > I'm really glad that this discussion started, let's see, if we can find some >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Okay, I am getting confused. (OSI model here) ATM we are traffic shaping/blocking at layer 3 DNS is layer 7. destination IP and port should be layer 1-4, right? Markus 2016-10-04 22:18 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 10:08:25PM +0200, Markus Koch wrote:

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
And I'm not against you (tor admins/operators) ;) I'm really glad that this discussion started, let's see, if we can find some solution. "Just 2 make 1 thing clear: It's not we against you (ISPs). Working myself years ago at an ISP I know the trouble and I understand the issues. Markus

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 10:08:25PM +0200, Markus Koch wrote: > Thank you very much, interesting. So I could block URLs but not on > deep packet inspection? That's where it starts to get murky: where do headers end and contents begin? It depends what protocol layer you're looking at. Law-makers

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Thank you very much, interesting. So I could block URLs but not on deep packet inspection? Markus 2016-10-04 22:04 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 09:55:01PM +0200, Markus Koch wrote: >> Everyone is running a reduced exit policy ... I only allow HTTP + >>

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 09:55:01PM +0200, Markus Koch wrote: > Everyone is running a reduced exit policy ... I only allow HTTP + > HTTPS and I know nobody who allows port 25 at the end of the day > we all shape our exit traffic. Choosing what to do with your traffic based on headers is

Re: [tor-relays] Tor Services on Amazon

2016-10-04 Thread Markus Koch
The BEST relay I can see is https://torstatus.blutmagie.de/router_detail.php?FP=3181f36ce226b30bd2845872655d55e7d0b4a846 with whopping 776 KByte/sec 95% of the amazon relays are dead. zero traffic. Markus 2016-10-04 21:53 GMT+02:00 nusenu : >> Awhile ago Tor blocked

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Everyone is running a reduced exit policy ... I only allow HTTP + HTTPS and I know nobody who allows port 25 at the end of the day we all shape our exit traffic. Markus 2016-10-04 21:42 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote:

Re: [tor-relays] Tor Services on Amazon

2016-10-04 Thread nusenu
> Awhile ago Tor blocked relays from running on Amazon AWS (after there was > an attack that originated from Amazon-hosted nodes). Google GCE was also > blocked. See this thread about it from last year when I tried to run a node > on google's cloud: >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote: > The technical problem is that implementing IPS in Tor would be massively > non-trivial.[...] > > The political problem is, what gets blocked by TIPS and what doesn't? Who > gets to decide? What if some of those brute-force SSH or DOS

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Just 2 make 1 thing clear: It's not we against you (ISPs). Working myself years ago at an ISP I know the trouble and I understand the issues. Markus 2016-10-04 19:49 GMT+02:00 : > Hello, > > I'm the ISP technician who is negotiating with Paul who started this thread. > I just

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
Hello, I'm the ISP technician who is negotiating with Paul who started this thread. I just read this whole discussion and I think that there are a few things which need to be mentioned. The threat of blocked subnet is real. It happened once to us and we don't want to experience that

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
2016-10-04 19:21 GMT+02:00 Tristan : > I hate Webiron. They never marked any of my IP abuses as resolved, even > though I responded and revised my exit policy within 24 hours of the > complaint. > > Ticket or e-mail? Markus ___

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
I hate Webiron. They never marked any of my IP abuses as resolved, even though I responded and revised my exit policy within 24 hours of the complaint. On Oct 4, 2016 12:10 PM, "Markus Koch" wrote: > 100% agreed. > > Just let us kick out the bots ... > >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
On 04.10.2016 at 18:24, krishna e bera wrote: > What if someone who doesn't like Tor project is deliberately accessing > honeypots in order to get exit nodes shut down? That seems kind of easy, because there are some certain spots where you can assume those pots to be and depending on the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Moritz Bartl
On 10/04/2016 06:23 PM, Tristan wrote: > Wouldn't it be interesting if we could set up some kind of central "Tor > Abuse Center" where all the complaints go, and all the relay operators > can help respond to them. I suppose it would be pretty chaotic though... We actually discussed this briefly

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread krishna e bera
What if someone who doesn't like Tor project is deliberately accessing honeypots in order to get exit nodes shut down? We need to establish some sort of legal or political solidarity to tell ISPs to be net neutral with us. It is not our problem if someone uses the telecom network to read/write

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
Wouldn't it be interesting if we could set up some kind of central "Tor Abuse Center" where all the complaints go, and all the relay operators can help respond to them. I suppose it would be pretty chaotic though... On Oct 4, 2016 11:18 AM, "pa011" wrote: > Yes its ISP - plus 10

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
Yes it's ISP - plus 10 times more fire-power both, Markus and me which is 10 times more work, sadly :-( On 04.10.2016 at 18:12, Markus Koch wrote: > Short answer: ISP > > I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and > I get weekly mass reports from DigitalOcean. > And

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Short answer: ISP I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and I get weekly mass reports from DigitalOcean. And the thing that pisses me off is: It's all bots or Tax spam or other stuff I got weeks/months ago. Different day, same shitty abuse mail. Markus 2016-10-04

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
I don't know what I'm doing different, because I only got 2 complaints in the last 2 months, and that was for SSH and SQL stuff. On Oct 4, 2016 11:01 AM, "pa011" wrote: > Me too Markus -could fill a folder with that tax issue :-(( > Costing a lot of time to answer and restrict the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
Me too Markus -could fill a folder with that tax issue :-(( Costing a lot of time to answer and restrict the IPs Plus my ISP moaning with good reason: "It's not just about you, but you're giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs which are potentially endangered

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
same shit here: Dear User, We are contacting you because of unusual activity coming from your IP address towards the IT infrastructure of the European Commission. In specific, since 03/10/2016, IP addresses 95.85.45.159 & 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
On 04.10.2016 at 16:48, krishna e bera wrote: > On 04/10/16 08:48 AM, pa011 wrote: >> One of my main ISP is going mad with the number of abuses he gets from my >> Exits (currently most on port 80). >> He asks me to install "Intrusion Prevention System Software" or shutting >> down the servers.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread BlinkTor
> On Oct 4, 2016, at 7:48 AM, pa011 wrote: > > One of my main ISP is going mad with the number of abuses he gets from my > Exits (currently most on port 80). > He asks me to install "Intrusion Prevention System Software" or shutting down > the servers. > He personally

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread krishna e bera
On 04/10/16 08:48 AM, pa011 wrote: > One of my main ISP is going mad with the number of abuses he gets from my > Exits (currently most on port 80). > He asks me to install "Intrusion Prevention System Software" or shutting down > the servers. You can first ask him for a copy of the complaints

Re: [tor-relays] Tor Services on Amazon

2016-10-04 Thread Greg
Awhile ago Tor blocked relays from running on Amazon AWS (after there was an attack that originated from Amazon-hosted nodes). Google GCE was also blocked. See this thread about it from last year when I tried to run a node on google's cloud:

[tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
One of my main ISP is going mad with the number of abuses he gets from my Exits (currently most on port 80). He asks me to install "Intrusion Prevention System Software" or shutting down the servers. He personally recommends Snort or Suricata. As far as I understand implementing such a

Re: [tor-relays] The Onion Box v3.0: Web Interface for your Tor relay

2016-10-04 Thread Ralph Seichter
On 03.10.16 18:13, Ralph Wetzel wrote: > I've just created a small modification so that The Box supports now > APScheduler v3.x as well as v2.x. Be aware that this is not heavily > tested - yet works flawlessly in my development environment. Thanks. The new version works for me with APScheduler 2