Skip to main content
Splunk Lantern

TOR traffic

This search looks for network traffic that runs through The Onion Router (TOR). TOR is a benign anonymity network which can be abused during ransomware attacks to provide camouflage for attackers.

Data required 

Network protocol data

Procedure

  1. To run this search, you'll need to be ingesting data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search also requires the Network_Traffic data model to be populated. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Network_Traffic WHERE ("All_Traffic.app"=tor "All_Traffic.action"=allowed) BY "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.action" 
| rename "All_Traffic.*" AS "*"
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Network_Traffic WHERE ("All_Traffic.app"=tor "All_Traffic.action"=allowed) BY "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.action"  Query the Network Traffic data model object to search for TOR traffic, and sort by source IP, destination IP, destination port and action.
| rename "All_Traffic.*" AS "*" Rename data model fields for better readability.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

TOR has a number of legitimate uses, from allowing sensitive information to be protected and securely shared, to helping improve data privacy and security. You should check any results showing TOR usage against established policies and processes within your organization to assess whether legitimate usage is occurring.

If you see clear evidence of ransomware in these search results, you will want to start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.