Graylog plugin tor exit nodes always false (graylog 2.4.4)


#1

Hi,

i want to see if a tor exit node checks our OWA website.

  1. I enabled the Plugin “Tor exit Nodes”.
  2. i create Firewall Rules and i can see everything ist connected (no connection timeout)
  3. I create a pipeline (all Messages)- i want to view the item: “remote_address” (the IPs from Tor Browser for e.g.)
  4. i Create a rule “tor_lookup”
    rule “02 -tor_lookup”
    when
    has_field(“remote_address”)
    then
    let intel = tor_lookup(to_string($message.remote_address));
    set_field(“src_addr_is_tor_exit_node”, intel.threat_indicated);
    end
  5. The New Field src_addr_is_tor_exit_node is shown in input_messages with “false”
  6. Problem: if i access our OWA Website with a Tor Browser (different Tests) all Adresses src_addr_is_tor_exit_node were also shown as “false” but i think that is not right. I am using a tor Browser so the IPs (for e.g. FR Language Code, def. a tor exit node) are also shown as false.

So my question are.

  • is my rule not correct?
  • do i have to make more rules than the one above?
  • can i manually check (Bash console) the plugin “Tor Exit Node”?

I would be very pleased if someone give an idea or little help.

Thanks and best regards
celtar


(Jochen) #2

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.