# sid 5002301 rev 5 -- "[NFCAPD] Possible TOR - Port 9030 after Port 9001"
#
# Matches nfcapd (NetFlow collector) log lines that record a TCP flow from
# $HOME_NET to $EXTERNAL_NET with destination port 9030. The two content
# matches pin the literal text "/9030, protocol: TCP," and the flags field
# "flags: |.AP...|," (|3a| and |7c| are hex escapes for ':' and '|'); the
# flag string is presumably nfdump's rendering of ACK+PUSH set -- confirm
# against the collector's output format before tuning it.
#
# The rule only fires when the flowbit `tor_traffic` is already set for the
# same source (flowbits: isset, by_src). That bit is set by another rule not
# shown here -- from the msg text, presumably the port-9001 (Tor ORPort)
# detection -- so this rule is the second stage of a two-stage correlation.
#
# parse_src_ip: 1 / parse_dst_ip: 2 take the first and second IP addresses
# found in the log line as source/destination; parse_port extracts the port.
# threshold (limit, by_src, 5 per 120 s) caps alert volume per source, and
# after (by_src, 5 in 300 s) appears to require five matches from a source
# before the first alert -- verify against the Sagan docs for this version.
#
# Tuning note: any non-Tor service on port 9030 will also match once a source
# has tripped the flowbit; tune the flowbit-setting rule or $EXTERNAL_NET
# rather than loosening this one. The torstatus reference URL should be
# checked for reachability before relying on it in an investigation.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize: nfcapd; content: "/9030, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev: 5;)
-- Main.Sagan-Wiki-Add - 2015-10-21
Newer revisions of sid 5002301 are listed below.
# sid 5002301 rev 6 -- "[NFCAPD] Possible TOR - Port 9030 after Port 9001"
#
# Same detection as rev 5: nfcapd log lines for a TCP flow from $HOME_NET to
# $EXTERNAL_NET on destination port 9030, requiring the literal text
# "/9030, protocol: TCP," and "flags: |.AP...|," (|3a| = ':', |7c| = '|'),
# and only when the `tor_traffic` flowbit was already set for the same
# source by a companion rule not shown here (presumably the port-9001 one
# named in the msg). parse_src_ip/parse_dst_ip pick the first and second IP
# in the log line; threshold caps alerts to 5 per source per 120 s; after
# appears to require 5 matches per source within 300 s before alerting.
#
# Only change from rev 5: `normalize: nfcapd;` became the bare `normalize;`.
# This presumably tracks a Sagan syntax change for the normalize option
# (the rulebase selection moving out of the rule) -- confirm against the
# Sagan version in use; the matching logic itself is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize; content: "/9030, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev: 6;)
-- Main.Sagan-Wiki-Add - 2016-8-30