You can't access suricata directly?
-- Original message --
From: Tristan
To: tor-relays@lists.torproject.org
Date: 6. 10. 2016 17:02:19
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
Suricata or no IPS at all
"
I may have just found a bigger pro
Our implementation of Suricata is a little different. We've got one as IPS
(just a few rules) and a second as IDS (all rules (block of rules) are switched
on). In the log of IDS we determine which chains should be filtered and then
we filter them one by one on IPS. The main thing is to not to cut of
The subject of this thread is: Intrusion Prevention System Software - Snort
or Suricata
I'll be more than glad, if we can have some productive discussion about
these two contemporary IPS and their implementation along with tor. If the
only thing you wanted to say was, that you're against that
It's apparent, that you're definitely not going to solve that ... you're
more into searching reasons why not to do that, than possibility how to do
that :) (btw you haven't mentioned your IPS experiences)
I just say facts
- the amount of malicious traffic is rising (during last 5 years it's
What have you been working with? :) When the IPS is working wrong, it's
because of the admin ... :)
You probably will invest your time, but the ISP won't. The amount of the
problems is multiplying. Tor should evolve, or it will go extinct like
dinosaurs.
I think that this IPS should be done
You still probably don't see that it consumes a lot of time to deal even
with automatically generated messages. During last years all network attacks
graduates, if you're not going to solve that, every wise ISP is going to
refuse to host you.
-- Original message --
From: Green Dream
Let me ask you a short question. Have you ever worked with IPS?
-- Original message --
From: Green Dream
To: tor-relays@lists.torproject.org
Date: 5. 10. 2016 20:58:36
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
Suricata
"@Mirimir:
>> IPS
There is a possibility of parsing the log of the IPS and doing actions with the policies.
"On 05.10.2016 16:03, Andreas Krey wrote:
> Everything to the OR port needs to pass in, esp. when you act as a
> guard, and fail2banning the ssh port, hmm. Everything else is closed
> anyway.
What I meant is that I can
I wish I had spare time for doing that magic ... I think, that easier
solution for me as an ISP is to shut the node down.
-- Original message --
From: Markus Koch
To: tor-relays
Date: 5. 10. 2016 15:07:37
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort
Nope I'm speaking generally about frauds we have to solve. Just few cases
were connected directly to offenders who run tor on fake ID and use it
purposely as a cover for illegal activity. Other cases usually use tor as a
medium to anonymize their activity (unfortunately no IPS would help here).
Unfortunately for us (as an ISP) it's not just about passing these messages.
If we don't want to be accused of not stopping something illegal we knew
about, we need some feedback - what have been done to prevent this to happen
in the future. If there is no feedback, we usually disconnect the serv
usually bitcoins ... but there were also many cases of strawperson accounts
via stolen ID card or other techniques. We solve that almost on daily basis
with police.
"> - During my praxis, I've met only like 10% of customers (tor exit node) with
> real data - unfortunately ISP is not the one who
Let's take it from the end.
- nowadays we use IPS to filter over 130k webhosting accounts. It's up to
the admin who set what exactly should be filtered. It's definitely not about
the used sw.
- I don't know how this BadExit evaluation thing works - if it values nodes
automatically by acces
We're back to IPS, which can drop the specific malicious traffic. I've been
speaking with the lawyer few minutes ago. He told me that there is a
pressure to put all the responsibility for the traffic to the ISPs. Well ...
what are the ISPs most probably going to do ... ? They can ban all tor exit
If I understand that well ... if tor operator is aware, that his tor node is
used for illegal activity (when their ISP told them about that) and he's not
going to do anything about that, he won't be guilty by complicity?
"On 04.10.16 22:37, oco...@email.cz wrote:
> Tor and IPS has both it's own na
Everything is easy when you hit the base of the problem and you're able to
change it. I don't know what kind of community gathers here. Let's see where
the discussion leads.
Petr
"Just for shits and giggles:
Do you have a good, easy, workable solution to this complex problem?
Markus
2016-1
This is really interesting. I just don't understand, how you can be
responsible for the traffic, when you use the IPS. Tor and IPS have both their
own nature and you shouldn't be punished, if your intention was just to
filter the bad traffic. Can you be more specific about some real case, when
thi
And I'm not against you (tor admins/operators) ;)
I'm really glad that this discussion started, let's see, if we can find some
solution.
"Just 2 make 1 thing clear: It's not we against you (ISPs).
Working myself years ago at an ISP I know the trouble and I understand
the issues.
Markus
201
Hello,
I'm the ISP technician who is negotiating with Paul who started this thread.
I just read this whole discussion and I think that there are few things
which need to be mentioned.
The threat of blocked subnet is real. It happened once to us and we don't
want to experience that anymor