[Bro] Exfil Framework Released

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Sep 12 11:05:38 PDT 2014

Here are some quick additions to the app-exfil-conn.bro script.

##! Watch all TCP,UDP,ICMP flows for Data Exfil

@load base/utils/site
# Assumed: the framework's main.bro (which defines Exfil::Settings and
# Exfil::watch_connection) sits in the same directory as this script.
@load ./main

module Exfil;

export {
    ## Defines which subnets are monitored for data exfiltration
    global watched_subnets_conn: set[subnet] = set() &redef;
    ## Defines which subnet/host sources to ignore
    global ignored_orig_conn: set[subnet] = set() &redef;
    ## Defines which subnet/host destinations to ignore
    global ignored_resp_conn: set[subnet] = set() &redef;
    ## Defines whether connections with local destinations should be monitored for data exfiltration
    global ignore_local_dest_conn: bool = T &redef;
    ## Defines the thresholds and polling interval for the exfil framework. See main.bro for more details.
    global settings_conn: Settings &redef;
}

# connection_established fires once the TCP three-way handshake completes.
event connection_established(c: connection)
    {
    # Drop connections whose destination is inside Site::local_nets,
    # unless the operator has turned this filter off.
    if ( ignore_local_dest_conn == T && Site::is_local_addr(c$id$resp_h) == T )
        return;

    # Only originators inside a watched subnet are candidates.
    if ( c$id$orig_h !in watched_subnets_conn )
        return;

    # Explicit source and destination exclusions.
    if ( c$id$orig_h in ignored_orig_conn )
        return;

    if ( c$id$resp_h in ignored_resp_conn )
        return;

    # Hand the remaining connections to the framework with this script's thresholds.
    Exfil::watch_connection(c, settings_conn);
    }


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Robert Rotsted
Sent: Wednesday, September 10, 2014 3:14 PM
To: Bro Mailing List
Subject: [Bro] Exfil Framework Released

Hi all,

As announced at BroCon, Reservoir Labs just released the Exfil Framework on Github.

The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).

The scripts are located at:

Feel free to reach out to me if you have any questions, comments or suggestions for improvement.



Bob Rotsted
Senior Engineer
Reservoir Labs, Inc.
Bro mailing list
bro at bro-ids.org

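For readers who want to see how the exported knobs above are meant to be driven from a site policy, here is an added example of a local.bro fragment; it is not part of the posted script or the Reservoir Labs framework. It assumes the script is saved as app-exfil-conn.bro beside the framework's main.bro (the ./ load path is an assumption), and the subnets are constructed sample values.

```bro
# Assumed path: app-exfil-conn.bro lives next to main.bro and is loaded
# from the operator's local.bro.
@load ./app-exfil-conn

# Constructed sample values: watch two internal ranges as originators,
# skip one backup host as a source and one private range as a destination.
redef Exfil::watched_subnets_conn += { 10.10.0.0/16, 192.168.50.0/24 };
redef Exfil::ignored_orig_conn    += { 10.10.5.20/32 };
redef Exfil::ignored_resp_conn    += { 172.16.0.0/12 };

# Leave the default (T) to skip any connection whose destination is in
# Site::local_nets; set F to also watch uploads that stay inside the site.
redef Exfil::ignore_local_dest_conn = F;
```

Note the order of the checks in the script: the local-destination test runs before the watched-subnet test, so with ignore_local_dest_conn left at T, a connection from a watched subnet to any address in Site::local_nets is never handed to Exfil::watch_connection, regardless of the other sets.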