Hi,
I want to see if a Tor exit node checks our OWA website.
- I enabled the plugin “Tor exit Nodes”.
- I created firewall rules and I can see everything is connected (no connection timeout).
- I created a pipeline (all messages).
- I want to view the item “remote_address” (the IPs from Tor Browser, for example).
- I created a rule “tor_lookup”:
```
rule "02 -tor_lookup"
when
  has_field("remote_address")
then
  // look up the logged address in the Tor exit node list and store the verdict
  let intel = tor_lookup(to_string($message.remote_address));
  set_field("src_addr_is_tor_exit_node", intel.threat_indicated);
end
```
- The new field src_addr_is_tor_exit_node is shown in input_messages with “false”.
- Problem: if I access our OWA website with a Tor Browser (different tests), src_addr_is_tor_exit_node was also shown as “false” for all addresses, but I think that is not right. I am using a Tor Browser, so the IPs (e.g. FR language code, def. a Tor exit node) are also shown as false.
So my questions are:
- Is my rule not correct?
- Do I have to make more rules than the one above?
- Can I manually check (Bash console) the plugin “Tor Exit Node”?
I would be very pleased if someone could give an idea or a little help.
Thanks and best regards
celtar
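
On the third question above (a manual check from a Bash console), an added example that is not part of the original post and not Graylog's own code: a shell check of a logged value against a local exit-list file, reducing the value to a bare IP before an exact-match lookup. It does not query the plugin; the one-IP-per-line list format, the function names and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check of a logged address against a local list file.
# Constructed sample list (RFC 5737 documentation addresses, not real exit
# nodes). Assumed format: one IPv4 address per line, '#' starts a comment.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample
192.0.2.10
198.51.100.23
203.0.113.77
EOF

# normalize_addr VALUE: reduce a logged value to a bare IPv4 address.
# Handles surrounding whitespace, IPv4-mapped IPv6 (::ffff:a.b.c.d) and "ip:port".
normalize_addr() {
    addr=$(printf '%s' "$1" | tr -d '[:space:]')
    addr=${addr#::ffff:}
    addr=${addr#::FFFF:}
    case "$addr" in
        *.*.*.*:*) addr=${addr%%:*} ;;   # drop the ":port" suffix
    esac
    printf '%s\n' "$addr"
}

# is_tor_exit VALUE LISTFILE: status 0 if the normalized address is listed.
# -F (fixed string) and -x (whole line) keep 203.0.113.7 from matching 203.0.113.77.
is_tor_exit() {
    ip=$(normalize_addr "$1")
    [ -n "$ip" ] || return 2
    grep -v '^#' "$2" | grep -Fxq -- "$ip"
}

# check_value VALUE LISTFILE: print true/false, the same form as the new field.
check_value() {
    if is_tor_exit "$1" "$2"; then echo true; else echo false; fi
}

# Constructed sample values in the shapes a remote_address field might take.
for v in '203.0.113.77' '203.0.113.77:51234' '::ffff:192.0.2.10' '203.0.113.7' '10.0.0.5'; do
    printf '%-24s -> %s\n' "$v" "$(check_value "$v" "$SAMPLE_LIST")"
done
```

Comparing the output for a value copied from a message's remote_address field with the pipeline's verdict shows whether the logged value is the client address at all, or a proxy or internal address that no exit list would contain.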