Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-08 Thread Markus Koch
I am more of a fan of closing certain URL paths. So we could at least stop these very old Apache directory bug attacks. Or forbid accessing whatever.com/admin/ Markus 2016-10-09 2:03 GMT+02:00 teor : > >> On 9 Oct 2016, at 11:00, Markus Koch

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-08 Thread teor
> On 9 Oct 2016, at 11:00, Markus Koch wrote: > > Would not help. These are bots, you can slow them down but this will > not stop them at all. Ah, but the point isn't to stop the bots, it's to stop the abuse complaints by coming in under the abuse report automated

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-08 Thread Tristan
True, but slowing them down could still be useful. At any rate, Suricata is a no-go for low-end relays that only have 500MB of RAM. It just hammers the pagefile. On Sat, Oct 8, 2016 at 7:00 PM, Markus Koch wrote: > Would not help. These are bots, you can slow them

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-08 Thread Markus Koch
Would not help. These are bots, you can slow them down but this will not stop them at all. Markus 2016-10-09 1:57 GMT+02:00 teor : > >> On 7 Oct 2016, at 05:07, Green Dream wrote: >> >> If we're going to change anything I think it needs to happen

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-08 Thread teor
> On 7 Oct 2016, at 05:07, Green Dream wrote: > > If we're going to change anything I think it needs to happen within > Tor software. Operators could leverage the existing "Exitpolicy > reject" rules, or Tor could add functionality there if it's missing. > Whatever we

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Green Dream
@oconor: > Let me ask you a short question. Have you ever worked with IPS? Yes. Please see my later email in this thread. I have experience with Snort, Bro and proprietary IPS/IDS systems from Cisco and Palo Alto. I also worked at a university's network operations helpdesk, where we received

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread Tristan
...@gmail.com> > To: tor-relays@lists.torproject.org > Date: 6. 10. 2016 17:02:19 > Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or > Suricata or no IPS at all > > I may have just found a bigger problem: I can't access the Suricata > ru

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread oconor
You can't access suricata directly? -- Original message -- From: Tristan <supersluet...@gmail.com> To: tor-relays@lists.torproject.org Date: 6. 10. 2016 17:02:19 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all &qu

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread Tristan
Original message -- > From: Tristan <supersluet...@gmail.com> > To: tor-relays@lists.torproject.org > Date: 6. 10. 2016 16:50:33 > Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or > Suricata or no IPS at all > > Suricata allows direct access via

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread oconor
of any of the customers (in our case). -- Original message -- From: Tristan <supersluet...@gmail.com> To: tor-relays@lists.torproject.org Date: 6. 10. 2016 16:50:33 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread Tristan
Suricata allows direct access via the Tor network, Snort's website gave me multiple failed Captchas before I could access anything. I'm going to do some further research before I even think about implementing anything. How does one detect false positives when running an IPS? Do you just

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

2016-10-06 Thread Ralph Seichter
On 06.10.16 16:24, oco...@email.cz wrote: > The subject of this thread is: Intrusion Prevention System Software - > Snort or Suricata Fixed that for you. ;-) > If the only thing you wanted to say was, that you're against that, > we're probably done ;) Stating that I oppose the idea of IPS as

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread oconor
that, we're probably done ;) -- Original message -- From: Ralph Seichter <tor-relays...@horus-it.de> To: tor-relays@lists.torproject.org Date: 6. 10. 2016 15:39:55 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata "On 06.10.16

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Ralph Seichter
On 06.10.16 14:45, oco...@email.cz wrote: > It's apparent, that you're definitely not going to solve that ... > you're more into searching reasons why not to do that, than possibility > how to do that :) It is not my job to solve "that", whatever that is exactly. ;-) > (btw you haven't

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Jon Gardner
> On Oct 6, 2016, at 7:45 AM, wrote: > > - The traffic going out of tor exit nodes in our network is even worse than > the one which is coming out of the internet. Paul who started this thread > has constant flow over 50kpps. It consists mostly from various

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Ralph Seichter
On 06.10.16 14:29, Mirimir wrote: > What matters for "complaining parties" is that they're getting crap > from some exit relay. So they complain. Sure, and I don't have a problem with that. If I get complaints, I tell the CP about Tor, and point them to the relevant information. All good until

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread oconor
relays@lists.torproject.org Date: 6. 10. 2016 13:39:54 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata "On 06.10.16 12:57, oco...@email.cz wrote: > You probably will invest your time, but the ISP won't. The amount of > the problems is multiplying.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Mirimir
On 10/06/2016 05:39 AM, Ralph Seichter wrote: > On 06.10.16 12:57, oco...@email.cz wrote: > >> You probably will invest your time, but the ISP won't. The amount of >> the problems is multiplying. Tor should evolve, or it will go extinct >> like dinosaurs. > > I don't think that Tor has a problem.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Ralph Seichter
On 06.10.16 12:57, oco...@email.cz wrote: > You probably will invest your time, but the ISP won't. The amount of > the problems is multiplying. Tor should evolve, or it will go extinct > like dinosaurs. I don't think that Tor has a problem. It works as designed. One might say that service providers

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread oconor
ět: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata "On 06.10.16 12:12, oco...@email.cz wrote: > There is a possibility of parsing log of IPS a do actions with the > policies. I don't trust any IPS that I have seen so far to come up with smart enough ex

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Ralph Seichter
On 06.10.16 12:12, oco...@email.cz wrote: > There is a possibility of parsing log of IPS a do actions with the > policies. I don't trust any IPS that I have seen so far to come up with smart enough exit policies. If I were to use an IPS to dynamically limit inbound traffic (on a non-Tor server)

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread oconor
Dream <greendream...@gmail.com> To: tor-relays@lists.torproject.org Date: 5. 10. 2016 23:18:55 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata "@Tristan: > there must be something we can do about this as relay > operators. No, we

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Mirimir
On 10/05/2016 10:43 PM, Green Dream wrote: for i in subdir/*; do ssh host mkdir -p "$i"; done with an ssh-agent would look pretty exactly the same to the exit node. >>> >>> OK, so I left out the "Permission denied, please try again." bits :) >> >> The exit node doesn't see that -

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread oconor
There is a possibility of parsing log of IPS a do actions with the policies. "On 05.10.2016 16:03, Andreas Krey wrote: > Everything to the OR port needs to pass in, esp. when you act as a > guard, and fail2banning the ssh port, hmm. Everything else is closed > anyway. What I meant is that I can

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-06 Thread Markus Koch
Or you simply block port 22 and everyone lived happily ever after. I do not care about a script kiddie trying to hack something. Bots are what I am afraid of, you get the same abuse over and over and over. Markus 2016-10-06 6:43 GMT+02:00 Green Dream : >>> >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
>> > for i in subdir/*; do ssh host mkdir -p "$i"; done >> > >> > with an ssh-agent would look pretty exactly the same to the exit node. >> >> OK, so I left out the "Permission denied, please try again." bits :) > > The exit node doesn't see that - that's the point of ssh. It can > at best look

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Andreas Krey
On Wed, 05 Oct 2016 14:52:53 +, Mirimir wrote: ... > >> no? Why should "... ssh foo@w.x.y.z ... ssh bar@w.x.y.z ... ssh > >> baz@w.x.y.z ..." get through, if it destroys exits? Maybe someone could ... > > for i in subdir/*; do ssh host mkdir -p "$i"; done > > > > with an ssh-agent would

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread krishna e bera
On 05/10/16 06:20 PM, Green Dream wrote: Criminals using Tor is not a new problem. It's addressed as the first question in the Abuse FAQ, here: https://www.torproject.org/docs/faq-abuse.html.en#WhatAboutCriminals and it's discussed by the EFF here:

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Tristan
Well, this sentence from the EFF gives me some peace of mind: "You are not helping criminals by using Tor any more than you are helping criminals by using the Internet." I still wish there was a better way to handle things, but at this point I'm just begging the question. On Wed, Oct 5, 2016 at

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
> I'm beginning to think there is no real solution to the problem. As long as Tor > serves its purpose of providing uncensored access to the Internet, bad guys > will always abuse it, and the operators will almost always be at odds with > their ISP. Anything we try to do to block abuse will destroy

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Tristan
Then what _can_ we do? Because as it stands, Tor is the perfect tool for criminals, and your stand is "do nothing." An ISP can trace illegal activity to a user, we can't. Even if Tor is considered an ISP in that sense, the rules vary by country, maybe even by provider. I'm beginning to think there is

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
@Markus Okay, so you are offended by the phrase "it's that simple". Sorry, if I could remove that sentence I would. I didn't mean to imply that running an exit was trivial or easy. Otherwise, I stand by my argument -- automated filtering or blocking is not the right answer. The co-founder of Tor

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
No, you are not. It's not that simple as "just find an ISP". The Tor network is made up of volunteers, so you need a: 1. ISP with more than laughable traffic limits 2. Tor friendly 3. Cheap 4. and with traffic connections that the Tor network likes. That's not easy. OVH (the biggest in Tor) is

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Ralph Seichter
On 05.10.16 23:18, Green Dream wrote: > Yes we need to be responsive to abuse complaints, but no, we don't > have to implement IPS systems or proactively block traffic just to > appease an ISP who gets stressed out by automated abuse complaints. That. Blocking traffic should be a last resort,

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
> You are ignoring completely reality, aren't you? No, I'm describing the status quo, how Tor already operates. "Don't run IPS/Snort on exits" has been a long standing response from the Tor folks. It looks to me like that response is essentially unchanged.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
> > > No, we don't need to do anything. Tor has been running under these > principles of uncensored access for a long time. Find an ISP that > understands Tor, appreciates the nature of the service and its value, > and is willing to work with you in a reasonable manner on abuse > complaints. It's

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
@Tristan: > there must be something we can do about this as relay > operators. No, we don't need to do anything. Tor has been running under these principles of uncensored access for a long time. Find an ISP that understands Tor, appreciates the nature of the service and its value, and is

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Mirimir
On 10/05/2016 02:39 PM, Andreas Krey wrote: > On Wed, 05 Oct 2016 13:48:19 +, Mirimir wrote: > ... >> exits unpredictably unreliable. On the other hand, IPS that only blocked >> automated crap would be a win for real users, relay operators and ISPs, >> no? Why should "... ssh foo@w.x.y.z ...

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Andreas Krey
On Wed, 05 Oct 2016 13:48:19 +, Mirimir wrote: ... > exits unpredictably unreliable. On the other hand, IPS that only blocked > automated crap would be a win for real users, relay operators and ISPs, > no? Why should "... ssh foo@w.x.y.z ... ssh bar@w.x.y.z ... ssh > baz@w.x.y.z ..." get

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Mirimir
On 10/05/2016 12:58 PM, Green Dream wrote: > @Mirimir: > > >>> IPS aren't perfect - they let some unwanted traffic through, and >>> block other traffic that is totally ok. > > >> That is an issue. But there are many exits, so eventually users should >> find one that works well enough for their

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Tristan
Be that as it may, there must be *something* we can do about this as relay operators. If you get caught doing something illegal on your home Internet connection, there are warnings, and eventually consequences (like being disconnected). Just because you run a Tor relay doesn't mean the rules don't

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
These are getting rare. It is much easier to get a seedbox than a tor exit. I had even bulletproof ISPs who don't want to host exits. Believe me, I was chatting /mailing ISPs for days and it's a mess. Markus PS: Tor changed years ago the exit policy and since then Tor is not anymore one big

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Green Dream
@Mirimir: >> IPS aren't perfect - they let some unwanted traffic through, and >> block other traffic that is totally ok. > That is an issue. But there are many exits, so eventually users should > find one that works well enough for their purposes. Re-read what you said and think about this

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Ralph Seichter
On 05.10.2016 16:03, Andreas Krey wrote: > Everything to the OR port needs to pass in, esp. when you act as a > guard, and fail2banning the ssh port, hmm. Everything else is closed > anyway. What I meant is that I can see a use for automation when it comes to securing a server -- not necessarily

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Andreas Krey
On Wed, 05 Oct 2016 15:40:49 +, Ralph Seichter wrote: ... > I can see what motivates you. Personally, I can't think of a scenario > where I would use automation to set outbound traffic policies (inbound > traffic is a different matter, fail2ban comes to mind). How this? Everything to the OR

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Ralph Seichter
On 05.10.2016 14:06, oco...@email.cz wrote: > Unfortunately for us (as an ISP) it's not just about passing these > messages. If we don't want to be accused of not stopping something > illegal we knew about, we need some feedback - what has been done to > prevent this from happening in the future.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
:37 Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata "Okay, I'll volunteer as a guinea pig if you are okay with it, I'll get 2 VPSs and you do your Snort magic on them. Worst case is that we all know it isn't working and we have learned something :) Mark

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
Okay, I'll volunteer as a guinea pig if you are okay with it, I'll get 2 VPSs and you do your Snort magic on them. Worst case is that we all know it isn't working and we have learned something :) Markus 2016-10-05 14:06 GMT+02:00 : It's really time consuming and that's > why

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
Nope, I'm speaking generally about frauds we have to solve. Just a few cases were connected directly to offenders who run tor on fake ID and use it purposely as a cover for illegal activity. Other cases usually use tor as a medium to anonymize their activity (unfortunately no IPS would help here).

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
Unfortunately for us (as an ISP) it's not just about passing these messages. If we don't want to be accused of not stopping something illegal we knew about, we need some feedback - what has been done to prevent this from happening in the future. If there is no feedback, we usually disconnect the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
Different viewpoint: I pay $5 + Taxes (WTF?) for an droplet with DigitalOcean I pay $7,5 for a VPS with Hostwinds Someone has to get the abuse mail, check where to send them and then make this issue as solved. From an economic standpoint this is a shitty idea. I cost them more than I pay. Even

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Ralph Seichter
On 05.10.16 13:16, Markus Koch wrote: > reality is many sites will not block Tor traffic but will send > (automated) abuse mails over and over and over again. True, sadly. And like you said it is their right not to block Tor based traffic. But it is your right not to heed their ongoing

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
usually bitcoins ... but there were also many cases of strawperson accounts via stolen ID card or other techniques. We solve that almost on a daily basis with police. "> - During my praxis, I've met only like 10% of customers (tor exit node) with > real data - unfortunately ISP is not the one

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
Sounds great, but the reality is many sites will not block Tor traffic but will send (automated) abuse mails over and over and over again. Had this with a bank in South Korea who sent weekly abuse mails with "we will sue you in the USA, we will sue you in South Korea and we will never ending suing

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Ralph Seichter
On 04.10.2016 23:55, oco...@email.cz wrote: > If I understand that well ... if tor operator is aware, that his tor > node is used for illegal activity (when their ISP told them about that) > and he's not going to do anything about that, he won't be guilty by > complicity? Like I said, I am no

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Markus Koch
> - During my praxis, I've met only like 10% of customers (tor exit node) with > real data - unfortunately ISP is not the one who can judge that - we have to > trust our customer > TIL that I am an idiot for using my real data. How do they pay? With all of my webhosting companies I pay with

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
Let's take it from the end. - nowadays we use IPS to filter over 130k webhosting accounts. It's up to the admin who set what exactly should be filtered. It's definitely not about the used sw. - I don't know how this BadExit evaluation thing works - if it values nodes automatically by

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread Mirimir
On 10/05/2016 01:27 AM, teor wrote: > >> On 5 Oct 2016, at 18:10, >> wrote: >> >> We're back to IPS, which can drop the specific malicious traffic. >> I've been speaking with the lawyer a few minutes ago. He told me >> that there is a pressure to put all the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread teor
> On 5 Oct 2016, at 18:10, wrote: > > We're back to IPS, which can drop the specific malicious traffic. I've been > speaking with the lawyer a few minutes ago. He told me that there is a pressure > to put all the responsibility for the traffic to the ISPs.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-05 Thread oconor
We're back to IPS, which can drop the specific malicious traffic. I've been speaking with the lawyer a few minutes ago. He told me that there is a pressure to put all the responsibility for the traffic to the ISPs. Well ... what are the ISPs most probably going to do ... ? They can ban all tor

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Alecks Gates
I am receiving more and more trouble from running an exit node here. Perhaps we should refuse to support US legislation? On 10/04/2016 06:35 PM, Green Dream wrote: > @keb: > >> It is not our problem if someone uses >> the telecom network to read/write data to a vulnerable server - it is >> the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Green Dream
@keb: > It is not our problem if someone uses > the telecom network to read/write data to a vulnerable server - it is > the vulnerable server's problem to fix. Sounds great, but this is not how it works in the real world. > The ISP (and Tor network) are > only responsible for delivering the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Alecks Gates
Is the distinction between knowledge after the fact and knowledge at the time of occurrence of "bad traffic" not important? I'm all for reducing bad traffic, but where does the line get drawn? I've also been dealing with multiple abuse reports on Digital Ocean. Quite a few common abuse ports are

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
What should a tor exit op do? Ban the user? Exits get the traffic from middle nodes and we can't tell (by design) who anyone is. We can block IPs but that is not really helping with bots who try to find vulnerabilities and scan large blocks. markus Sent from my iPad > On 4 Oct 2016, at

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
If I understand that well ... if tor operator is aware, that his tor node is used for illegal activity (when their ISP told them about that) and he's not going to do anything about that, he won't be guilty by complicity? "On 04.10.16 22:37, oco...@email.cz wrote: > Tor and IPS both have their own

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Ralph Seichter
On 04.10.16 22:37, oco...@email.cz wrote: > Tor and IPS both have their own nature and you shouldn't be punished, if > your intention was just to filter the bad traffic. And who is to decide what constitutes "bad traffic"? I am not a lawyer, but in Germany one of the cornerstones of not being held

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
Everything is easy when you hit the base of the problem and you're able to change it. I don't know what kind of community gathers here. Let's see where the discussion leads. Petr "Just for shits and giggles: Do you have a good, easy, workable solution to this complex problem? Markus

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
This is really interesting. I just don't understand, how you can be responsible for the traffic, when you use the IPS. Tor and IPS both have their own nature and you shouldn't be punished, if your intention was just to filter the bad traffic. Can you be more specific about some real case, when

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Just for shits and giggles: Do you have a good, easy, workable solution to this complex problem? Markus 2016-10-04 22:19 GMT+02:00 : > And I'm not against you (tor admins/operators) ;) > > I'm really glad that this discussion started, let's see, if we can find some >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Okay, I am getting confused. (OSI model here) ATM we are traffic shaping/blocking at layer 3 DNS is layer 7. destination IP and port should be layer 1-4, right? Markus 2016-10-04 22:18 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 10:08:25PM +0200, Markus Koch wrote:

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
And I'm not against you (tor admins/operators) ;) I'm really glad that this discussion started, let's see, if we can find some solution. "Just 2 make 1 thing clear: It's not we against you (ISPs). Working myself years ago at an ISP I know the trouble and I understand the issues. Markus

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 10:08:25PM +0200, Markus Koch wrote: > Thank you very much, interesting. So I could block URLs but not on > deep packet inspection? That's where it starts to get murky: where do headers end and contents begin? It depends what protocol layer you're looking at. Law-makers

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Thank you very much, interesting. So I could block URLs but not on deep packet inspection? Markus 2016-10-04 22:04 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 09:55:01PM +0200, Markus Koch wrote: >> Everyone is running a reduced exit policy ... I only allow HTTP + >>

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 09:55:01PM +0200, Markus Koch wrote: > Everyone is running a reduced exit policy ... I only allow HTTP + > HTTPS and I know nobody who allows port 25 at the end of the day > we all shape our exit traffic. Choosing what to do with your traffic based on headers is

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Everyone is running a reduced exit policy ... I only allow HTTP + HTTPS and I know nobody who allows port 25 at the end of the day we all shape our exit traffic. Markus 2016-10-04 21:42 GMT+02:00 Roger Dingledine : > On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote:

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Roger Dingledine
On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote: > The technical problem is that implementing IPS in Tor would be massively > non-trivial.[...] > > The political problem is, what gets blocked by TIPS and what doesn't? Who > gets to decide? What if some of those brute-force SSH or DOS

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Just 2 make 1 thing clear: It's not we against you (ISPs). Working myself years ago at an ISP I know the trouble and I understand the issues. Markus 2016-10-04 19:49 GMT+02:00 : > Hello, > > I'm the ISP technician who is negotiating with Paul who started this thread. > I just

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread oconor
Hello, I'm the ISP technician who is negotiating with Paul who started this thread. I just read this whole discussion and I think that there are a few things which need to be mentioned. The threat of a blocked subnet is real. It happened once to us and we don't want to experience that

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
2016-10-04 19:21 GMT+02:00 Tristan : > I hate Webiron. They never marked any of my IP abuses as resolved, even > though I responded and revised my exit policy within 24 hours of the > complaint. > > Ticket or e-mail? Markus ___

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
I hate Webiron. They never marked any of my IP abuses as resolved, even though I responded and revised my exit policy within 24 hours of the complaint. On Oct 4, 2016 12:10 PM, "Markus Koch" wrote: > 100% agreed. > > Just let us kick out the bots ... > >

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
On 04.10.2016 at 18:24, krishna e bera wrote: > What if someone who doesn't like Tor project is deliberately accessing > honeypots in order to get exit nodes shut down? That seems kind of easy, because there are some certain spots where you can assume those pots to be and depending on the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Moritz Bartl
On 10/04/2016 06:23 PM, Tristan wrote: > Wouldn't it be interesting if we could set up some kind of central "Tor > Abuse Center" where all the complaints go, and all the relay operators > can help respond to them. I suppose it would be pretty chaotic though... We actually discussed this briefly

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread krishna e bera
What if someone who doesn't like Tor project is deliberately accessing honeypots in order to get exit nodes shut down? We need to establish some sort of legal or political solidarity to tell ISPs to be net neutral with us. It is not our problem if someone uses the telecom network to read/write

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
Wouldn't it be interesting if we could set up some kind of central "Tor Abuse Center" where all the complaints go, and all the relay operators can help respond to them. I suppose it would be pretty chaotic though... On Oct 4, 2016 11:18 AM, "pa011" wrote: > Yes it's ISP - plus 10

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
Yes it's ISP - plus 10 times more fire-power, both Markus and me, which is 10 times more work, sadly :-( On 04.10.2016 at 18:12 Markus Koch wrote: > Short answer: ISP > > I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and > I get weekly mass reports from DigitalOcean. > And

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
Short answer: ISP I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and I get weekly mass reports from DigitalOcean. And the thing that pisses me off is: It's all bots or tax spam or other stuff I got weeks/months ago. Different day, same shitty abuse mail. Markus 2016-10-04

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Tristan
I don't know what I'm doing differently, because I only got 2 complaints in the last 2 months, and that was for SSH and SQL stuff. On Oct 4, 2016 11:01 AM, "pa011" wrote: > Me too Markus - could fill a folder with that tax issue :-(( > Costing a lot of time to answer and restrict the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
Me too Markus - could fill a folder with that tax issue :-(( Costing a lot of time to answer and restrict the IPs. Plus my ISP moaning with good reason: "It's not just about you, but you're giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs which are potentially endangered

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread Markus Koch
same shit here: Dear User, We are contacting you because of unusual activity coming from your IP address towards the IT infrastructure of the European Commission. In specific, since 03/10/2016, IP addresses 95.85.45.159 & 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and the

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
On 04.10.2016 at 16:48 krishna e bera wrote: > On 04/10/16 08:48 AM, pa011 wrote: >> One of my main ISPs is going mad with the number of abuses he gets from my >> Exits (currently most on port 80). >> He asks me to install "Intrusion Prevention System Software" or shutting >> down the servers.

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread BlinkTor
> On Oct 4, 2016, at 7:48 AM, pa011 wrote: > > One of my main ISPs is going mad with the number of abuses he gets from my > Exits (currently most on port 80). > He asks me to install "Intrusion Prevention System Software" or shutting down > the servers. > He personally

Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread krishna e bera
On 04/10/16 08:48 AM, pa011 wrote: > One of my main ISPs is going mad with the number of abuses he gets from my > Exits (currently most on port 80). > He asks me to install "Intrusion Prevention System Software" or shutting down > the servers. You can first ask him for a copy of the complaints

[tor-relays] Intrusion Prevention System Software - Snort or Suricata

2016-10-04 Thread pa011
One of my main ISPs is going mad with the number of abuses he gets from my Exits (currently most on port 80). He asks me to install "Intrusion Prevention System Software" or shutting down the servers. He personally recommends Snort or Suricata. As far as I understand implementing such a