
How to monitor TOR (Deep/Dark web access)

Hi,

Is there a way to be alerted when a user accesses the deep or dark web or when using TOR? How can I configure a filter to see these accesses and email alerts?

Thanks

  • LEM alerts and reports off of the log data given to it by a system. So really the question is: How would you tell they are using TOR in your environment?

    Do you have an application or device that logs when a certain application is run?  Do you look out for specific ports they're using?  Are you watching for specific domains?

    For instance, if you have a web proxy and they're going out to suspicious domains, that could be captured in the logs or reported to the LEM via syslog and you can configure an alert based off of that data.

    The first step is capturing the event in the first place.  If you have something that monitors web traffic or outbound connections such as a firewall or proxy or some other device that would generate an event that would indicate someone is using TOR or going to the deep web.
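An added example, not part of the original thread and not LEM's own code: one way to turn the ports and domains the answer mentions, plus a relay IP list, into syslog-style alert lines that a log manager could then alert on. The key=value log format, the sample events, the relay IP set (documentation-range addresses) and the `tor-watch` tag are constructed; ports 9001 and 9030 are the default Tor relay ports.

```python
import re

# Assumptions: default Tor relay ports (ORPort 9001, DirPort 9030) and two
# domain patterns. Many relays listen on 443, so a port match alone is a weak
# signal; the relay IP set is the stronger one and should be refreshed from
# the Tor Project's published relay lists.
TOR_PORTS = {9001, 9030}
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn a 'key=value key=value' firewall/proxy line into a dict."""
    return dict(KV.findall(line))

def tor_indicators(event, relay_ips):
    """Return the list of reasons (possibly empty) an event looks Tor-related."""
    reasons = []
    if event.get("dst") in relay_ips:
        reasons.append("dst is a listed Tor relay")
    if event.get("dport", "").isdigit() and int(event["dport"]) in TOR_PORTS:
        reasons.append("dst port is a default Tor relay port")
    host = event.get("host", "").lower().rstrip(".")
    if host.endswith(".onion") or host == "torproject.org" or host.endswith(".torproject.org"):
        reasons.append("Tor-related hostname " + host)
    return reasons

def scan(lines, relay_ips):
    """Return one syslog-style alert string per suspicious log line."""
    alerts = []
    for line in lines:
        ev = parse(line)
        reasons = tor_indicators(ev, relay_ips)
        if reasons:
            # <132> = facility local0 (16) * 8 + severity warning (4)
            alerts.append("<132>tor-watch: src=%s user=%s reasons=%s"
                          % (ev.get("src", "-"), ev.get("user", "-"), "; ".join(reasons)))
    return alerts

# Constructed sample data (documentation-range IPs, made-up users and hosts).
SAMPLE_RELAYS = {"203.0.113.77"}
SAMPLE_LOG = [
    "time=2024-01-10T09:00:01Z src=10.0.0.15 user=alice dst=198.51.100.10 dport=443 host=intranet.example.com action=allow",
    "time=2024-01-10T09:00:05Z src=10.0.0.22 user=bob dst=203.0.113.77 dport=9001 action=allow",
    "time=2024-01-10T09:00:09Z src=10.0.0.31 user=carol dst=198.51.100.20 dport=443 host=www.torproject.org action=allow",
    "time=2024-01-10T09:00:12Z src=10.0.0.40 user=dave dst=0.0.0.0 dport=80 host=exampleexampleexample.onion action=deny",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, SAMPLE_RELAYS):
        print(alert)
```
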