Are any of your organizations trusted network assets behaving as TOR relays, bridges, or devices?
To find out, enable Spectre to ingest NetFlow v9 (or netflow from a similar flow-collection infrastructure and also enable a threat intelligence feed containing TOR intelligence data such as iDefense.
Note: The standard Spectre requirements are not inclusive of this integration. Additional storage may be required to index a TOR feed.
Configure the TOR feed as follows:
On Spectre's main menu, browse to Settings > Integrations > Open Source Feeds > TOR.
Enable the threat feed by sliding the toggle button to On.
Input a Polling Interval to indicate the time that should elapse between fetching the latest feed data. Input 24 to poll daily,, for example, of 12 to poll twice a day,.