Using Logger 6.0 LOOKUP - Looking for Tor Traffic

Blog Post created by aaron.kramer@hpe.com on Feb 12, 2015

One of the easy to understand features in Logger 6.0 is the LOOKUP Search Operator.

Here's an example to find the 'Needle in the Haystack'.


The LOOKUP search operator is a way to join values from inside Logger, with values from an external source. The way this is done is to load the values from the external source into a LOOKUP table in Logger, and then use the LOOKUP search operator in a Logger interactive search query. I have attached a list from Feb 2015 to this post if you want the fast path to the LOOKUP. Just download the CSV from this post and load it into your Logger.


One example is with Tor, aka "The Onion Router". (more here: Tor (anonymity network) - Wikipedia, the free encyclopedia )


The Use Case is to search for any communications into or out of a corporate network from in or out of the Tor network. VERY recent malware is identified as using the Tor network for communications. December 2014: New "LusyPOS" Malware Uses Tor For C&C Communications  | SecurityWeek.Com


The first step is to obtain the list of Tor IP Addresses. These are called Tor Exit Nodes. Various places on the internet keep updated lists, and these lists can be updated as often as every 30 minutes.




Using a utility in unix called curl, you could get the raw list like this:

/usr/bin/curl -o tornodes.csv --verbose https://www.dan.me.uk/tornodes

After some formatting, the file to load into Logger needs to be CSV, and have field names in the header row. The first few lines of a valid file look like this


Once loaded into Logger, the table would be listed like this:


The View of the table in Logger shows the first few rows of the table like this:




Then in Logger, go to the LOOKUP section, and Add a LOOKUP table. Once the table has been added, now a search using the Tor nodes can be done.

The search for Tor communications looks something like this:




This Logger search is searching all of Logger events, then piping the results to the LOOKUP operation.

- use the table named TorNodes

- find any sourceAddress in Logger that is also a TorExitNodeAddress and display all the columns from the matching entry in the Table.