##########################################################################################
PAS-28: Detect likely Tor Handshakes
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- SSL/TLS
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Time Estimate: 90 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

PAS-26 implemented a list of unresolvable FQDNs extracted from SSL communications. A natural extension to that would be to look for likely connections to a Tor entry node (or a bridge).

Assuming obfsproxy etc. aren't in use, the following should be true for any entry connection:

- The SNI name will be present and start with www. but be unresolvable (and random looking, but not sure we can test for that)
- The node will return a certificate with a Common Name following the same rules as above, but it will _not_ match the name used in SNI
- The certificate issuer, again, will follow the rules above but won't match either the SNI or the CN

Meeting all those requirements means it's _probably_ a connection to Tor, so the dest IP should be checked against a list of known Tor nodes for confirmation (haven't decided yet whether to have the script do that itself).
For all unresolvable domains, we'll need to walk the SSL traffic on a per-connection basis (because if the IPs change, that's interesting to note too) and match against the ruleset above.

-----------------------------------------------------------------------------------------

Issue Relations
================

- relates to PAS-26: Generate list of observed unresolvable FQDNs

-----------------------------------------------------------------------------------------

Activity
==========
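The ruleset from the description above, expressed as a per-connection classifier. This is an added example, not PAS project code: the `TlsConnection` fields, the `classify`/`scan` functions and the sample connections are constructed assumptions, and the unresolvable-name set stands in for the PAS-26 output.

```python
# Added example (not PAS project code): the PAS-28 ruleset as a per-connection
# classifier. Field names and the sample connections below are constructed.
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class TlsConnection:
    src_ip: str
    dst_ip: str
    sni: Optional[str]            # name from the ClientHello SNI extension
    cert_cn: Optional[str]        # Common Name of the server certificate
    issuer_cn: Optional[str]      # Common Name of the certificate issuer
    unresolvable: FrozenSet[str]  # FQDNs seen on this connection that did not resolve (PAS-26)

def _tor_like_name(name: Optional[str], unresolvable: FrozenSet[str]) -> bool:
    """PAS-28 name rule: present, starts with 'www.' and is unresolvable."""
    return name is not None and name.startswith("www.") and name in unresolvable

def classify(conn: TlsConnection, known_tor_nodes: FrozenSet[str] = frozenset()) -> str:
    """Return 'no', 'probable' (ruleset matched) or 'confirmed' (dest IP is a known Tor node)."""
    names = (conn.sni, conn.cert_cn, conn.issuer_cn)
    if not all(_tor_like_name(n, conn.unresolvable) for n in names):
        return "no"
    # SNI, certificate CN and issuer CN must all differ from one another
    if len(set(names)) != len(names):
        return "no"
    return "confirmed" if conn.dst_ip in known_tor_nodes else "probable"

def scan(conns, known_tor_nodes: FrozenSet[str] = frozenset()):
    """Walk connections one by one; also record which dest IPs each SNI name was seen with,
    so a caller can flag names whose IP changes between connections."""
    verdicts, ips_per_sni = {}, {}
    for c in conns:
        verdicts[c] = classify(c, known_tor_nodes)
        if c.sni is not None:
            ips_per_sni.setdefault(c.sni, set()).add(c.dst_ip)
    return verdicts, ips_per_sni

# Constructed sample traffic (documentation-range IPs, made-up names)
TOR_LIKE = TlsConnection("192.0.2.10", "203.0.113.7",
                         "www.kq3fzb.com", "www.x7ptb2.net", "www.v9mrc.com",
                         frozenset({"www.kq3fzb.com", "www.x7ptb2.net", "www.v9mrc.com"}))
NORMAL = TlsConnection("192.0.2.10", "198.51.100.20",
                       "www.example.org", "www.example.org", "Example CA", frozenset())
```

Feeding `scan` a known-node list upgrades matching connections from "probable" to "confirmed"; without one, the "probable" verdicts are the candidates to check by hand.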