Information about TOR RULES

Hello People,

I have some doubts about the tor.rules

{"timestamp":"2021-02-09T13:39:00.702395-0300","flow_id":2016412967417787,"in_iface":"eth1","event_type":"alert","src_ip":"104.244.72.188","src_port":443,"dest_ip":"x.x.x.x","dest_port":45636,"proto":"TCP","metadata":{"flowbits":["ET.TorIP"]},"alert":{"action":"allowed","gid":1,"signature_id":2522147,"rev":4286,"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148","category":"Misc Attack","severity":2,"metadata":{"updated_at":["2020_12_21"],"created_at":["2008_12_01"],"signature_severity":["Audit"],"tag":["TOR"],"deployment":["Perimeter"],"attack_target":["Any"],"affected_product":["Any"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":597,"bytes_toclient":0,"start":"2021-02-09T13:39:00.702395-0300"},"payload":"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","stream":0,"packet":"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","packet_info":{"linktype":1}}

I would like to know if the rule only triggers when the "TOR IPs" communicate with my network, or vice versa?

Thank You

In that case you have to modify the rule, since its intention is to trigger on incoming packets from those IPs.
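One way to check what the deployed rule is actually firing on is to read the EVE JSON alerts back and classify each ET TOR hit by which side of the flow is inside your home network. The script below is an added example, not code from this thread or from Suricata/Emerging Threats; the sample alert lines are constructed from the record quoted in the question (the relay address 104.244.72.188 is the one from the post, 192.0.2.0/24 is an assumed placeholder for the redacted home network, and the second and third records are hypothetical).

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample EVE JSON alert lines modelled on the record quoted above.
# 104.244.72.188 is the relay address from the post; 192.0.2.10 is an RFC 5737
# documentation address standing in for the redacted x.x.x.x. Not real captures.
SAMPLE_EVE_LINES = [
    # Packet from the Tor relay towards the local host (what the rule fires on).
    '{"timestamp":"2021-02-09T13:39:00.702395-0300","event_type":"alert",'
    '"src_ip":"104.244.72.188","src_port":443,'
    '"dest_ip":"192.0.2.10","dest_port":45636,"proto":"TCP",'
    '"alert":{"signature_id":2522147,'
    '"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148"},'
    '"flow":{"pkts_toserver":1,"pkts_toclient":0}}',
    # Hypothetical mirror image: local host talking to the relay.
    '{"timestamp":"2021-02-09T13:40:12.000000-0300","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":51000,'
    '"dest_ip":"104.244.72.188","dest_port":443,"proto":"TCP",'
    '"alert":{"signature_id":2522147,'
    '"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148"},'
    '"flow":{"pkts_toserver":3,"pkts_toclient":0}}',
    # Hypothetical unrelated alert; the classifier must ignore it.
    '{"timestamp":"2021-02-09T13:41:00.000000-0300","event_type":"alert",'
    '"src_ip":"198.51.100.7","src_port":80,'
    '"dest_ip":"192.0.2.10","dest_port":40000,"proto":"TCP",'
    '"alert":{"signature_id":1,"signature":"TEST not a tor rule"},'
    '"flow":{"pkts_toserver":1,"pkts_toclient":1}}',
]

# Assumed $HOME_NET for this example; replace with your own ranges.
HOME_NETS = [ip_network("192.0.2.0/24")]


def is_home(addr, home_nets=HOME_NETS):
    """True if the address falls inside one of the home network ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in home_nets)


def classify_tor_alert(event, home_nets=HOME_NETS):
    """Return 'inbound_from_tor', 'outbound_to_tor' or None for one EVE record.

    Direction is derived from which end of the flow is in HOME_NET, not from
    the rule text, so it reports what the deployed rule really matched.
    """
    if event.get("event_type") != "alert":
        return None
    signature = event.get("alert", {}).get("signature", "")
    if not signature.startswith("ET TOR"):
        return None
    src_home = is_home(event["src_ip"], home_nets)
    dst_home = is_home(event["dest_ip"], home_nets)
    if dst_home and not src_home:
        return "inbound_from_tor"
    if src_home and not dst_home:
        return "outbound_to_tor"
    return None  # both or neither side local: not a perimeter Tor hit


def classify_tor_line(line, home_nets=HOME_NETS):
    """Parse one raw EVE JSON line and classify it."""
    return classify_tor_alert(json.loads(line), home_nets)


def summarize(lines, home_nets=HOME_NETS):
    """Count ET TOR alerts per direction over an iterable of EVE JSON lines."""
    counts = {"inbound_from_tor": 0, "outbound_to_tor": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        direction = classify_tor_line(line, home_nets)
        if direction:
            counts[direction] += 1
    return counts


if __name__ == "__main__":
    # Against a live sensor: summarize(open("/var/log/suricata/eve.json"))
    print(summarize(SAMPLE_EVE_LINES))  # -> {'inbound_from_tor': 1, 'outbound_to_tor': 1}
```

Run against a real eve.json, if the summary only ever shows `inbound_from_tor`, that is consistent with the reply above: the rule as shipped matches packets arriving from the listed relay addresses, and hosts on your side initiating connections towards Tor relays would need a rule with the opposite direction to show up at all.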