TOR - TOR Traffic
- Last Updated: April 5, 2026
Method description
The method detects the use of TOR clients inside the monitored network (for example the TOR browser, TOR-based operating systems, and malware that reaches the Internet through TOR), and it also detects incoming connections from the TOR network towards monitored servers. Both detections work by matching flow records against public lists of TOR relays that are maintained by Progress Software. Both detections can be configured to report only successful connections to/from the TOR network and to exclude unsuccessful connection attempts; use the ClientIgnoreUnsuc or ServerIgnoreUnsuc parameter respectively. To specify the devices that should be monitored for incoming connections from the TOR network, you must set the MonitoredDevices parameter.
This method consists of the following submethods:
- ClientDirectAccess: Reports devices in the network that actively connect to the TOR network.
- ServerAccess: Reports connection attempts from the TOR network to the monitored devices.
Method configuration
We recommend applying this method to client stations and to publicly accessible devices in the monitored network. Publicly accessible devices are worth monitoring because malware that infects them often communicates with its Command and Control servers through the TOR network. The right place for traffic monitoring is the central switch or the Internet connection line. To keep the list of TOR relays up to date, the probe/collector must be allowed to reach the services.flowmon.com server on port 443 (HTTPS, standard secured web traffic); do not block this communication. The Flowmon services option must also be enabled in the settings of the ADS module (see the chapter General Settings of the Module for more information).
Method parameters
ClientDirectAccess
- ClientIgnoreUnsuc: Ignores unsuccessful attempts of TOR clients to connect to the TOR network.
ServerAccess
- ServerIgnoreUnsuc: Ignores unsuccessful attempts to connect to the monitored devices from the TOR network.
- MonitoredDevices: Filter that specifies the devices that should be monitored for incoming traffic from the TOR network.
Assigned filter
For the ClientDirectAccess submethod, the assigned filter restricts the source IP addresses that are evaluated. The ServerAccess submethod does not use the assigned filter at all; its scope is defined only by the MonitoredDevices parameter.
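The following Python block is an added illustration of the matching logic described in the method description, the parameter list and the assigned-filter section above. It is not Flowmon's code and does not reproduce the ADS implementation: the relay addresses, the flow records, the filter networks and the rule used to decide whether a connection was "successful" (an ACK flag seen in the flow) are all assumptions constructed for the example. It shows how ClientDirectAccess matches destination IPs against the relay list while honouring the assigned filter and ClientIgnoreUnsuc, and how ServerAccess matches source IPs against the relay list while honouring MonitoredDevices and ServerIgnoreUnsuc, ignoring the assigned filter.

```python
"""Model of the TOR method's two submethods run over constructed flow records.

Example code added to the documentation; not the Flowmon ADS implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Sequence, Tuple

# Constructed stand-in for the public TOR relay list (RFC 5737 documentation
# ranges, not real relays). The real list is downloaded from services.flowmon.com.
TOR_RELAYS = {
    ip_address("198.51.100.10"),
    ip_address("198.51.100.11"),
    ip_address("203.0.113.5"),
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, reduced to the fields the example needs."""
    src: str
    dst: str
    dst_port: int
    packets: int
    tcp_flags: str  # cumulative flags, e.g. "S" (SYN only) or "SPA"


# Assumed filters: the assigned filter of ClientDirectAccess and the
# MonitoredDevices parameter of ServerAccess, both expressed as networks.
CLIENT_FILTER: Sequence[IPv4Network] = (ip_network("10.0.1.0/24"),)
MONITORED_DEVICES: Sequence[IPv4Network] = (ip_network("10.0.2.0/24"),)

# Constructed sample traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.20", "198.51.100.10", 9001, 42, "SPA"),  # workstation, full session to a relay
    Flow("10.0.1.21", "203.0.113.5", 443, 1, "S"),        # workstation, SYN only (attempt failed)
    Flow("10.0.1.20", "192.0.2.77", 443, 10, "SPA"),      # ordinary HTTPS, destination is not a relay
    Flow("198.51.100.11", "10.0.2.5", 22, 1, "S"),        # relay probing the public SSH server
    Flow("203.0.113.5", "10.0.2.5", 443, 30, "SPA"),      # relay with an established session to the web server
    Flow("203.0.113.5", "10.0.3.9", 443, 5, "SPA"),       # relay reaching a host outside MonitoredDevices
]

Event = Tuple[str, str, str]


def in_filter(ip: str, networks: Sequence[IPv4Network]) -> bool:
    """True when ip lies inside any of the filter networks; an empty filter matches everything."""
    if not networks:
        return True
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def looks_successful(flow: Flow) -> bool:
    """Assumed heuristic for the *IgnoreUnsuc parameters: a flow that never carried
    an ACK is treated as an unsuccessful connection attempt. The page does not
    document the criterion Flowmon actually applies."""
    return "A" in flow.tcp_flags


def client_direct_access(flows: Iterable[Flow], assigned_filter: Sequence[IPv4Network] = (),
                         ignore_unsuccessful: bool = False) -> List[Event]:
    """ClientDirectAccess: sources allowed by the assigned filter talking to a relay."""
    events: List[Event] = []
    for f in flows:
        if ip_address(f.dst) not in TOR_RELAYS:
            continue
        if not in_filter(f.src, assigned_filter):
            continue
        if ignore_unsuccessful and not looks_successful(f):
            continue
        events.append(("ClientDirectAccess", f.src, f.dst))
    return events


def server_access(flows: Iterable[Flow], monitored_devices: Sequence[IPv4Network],
                  ignore_unsuccessful: bool = False) -> List[Event]:
    """ServerAccess: relays reaching devices in MonitoredDevices.
    The assigned filter is deliberately not consulted here, as the page states."""
    if not monitored_devices:
        return []  # MonitoredDevices must be set; nothing is monitored otherwise
    events: List[Event] = []
    for f in flows:
        if ip_address(f.src) not in TOR_RELAYS:
            continue
        if not in_filter(f.dst, monitored_devices):
            continue
        if ignore_unsuccessful and not looks_successful(f):
            continue
        events.append(("ServerAccess", f.src, f.dst))
    return events


if __name__ == "__main__":
    for ev in client_direct_access(SAMPLE_FLOWS, CLIENT_FILTER, ignore_unsuccessful=True):
        print(ev)
    for ev in server_access(SAMPLE_FLOWS, MONITORED_DEVICES, ignore_unsuccessful=True):
        print(ev)
```

With ClientIgnoreUnsuc and ServerIgnoreUnsuc switched on, the SYN-only flows (the workstation whose attempt to reach 203.0.113.5 never completed, and the relay probing port 22) drop out, and the relay session to 10.0.3.9 is never reported because that host is outside MonitoredDevices. When tuning the real method, remember that the source and destination roles differ between the two submethods, so the assigned filter alone cannot scope ServerAccess.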
Interpretation of results
This method can detect devices that connect to the TOR network. TOR is a popular anonymization service that malware may abuse to hide its network activity and make the detection of its Command and Control servers harder. The TOR network is also used to reach content that is actively blocked or that is published on the so-called Dark Web, and to bypass security policies implemented in corporate environments. The method is also intended to detect incoming connections from the TOR network, which may help with the early detection of malicious activities conducted through it.