[Bro] Large file ex-filtration revisited

Thu Apr 3 15:18:08 PDT 2014

On Apr 3, 2014, at 4:39 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> 2014-04-03T13:38:42-0600        CSZCCe4mZI1T7iJogg      x.x.x.x    
> 55023   4.71.33.182     80      tcp     -       0.035191        
> 1213381425      0       RSTOS0  T       0       SaR     2       88      
> 1       40      (empty)

This looks like it may be a “half-open” TCP connection, and Bro may report inaccurate {orig,resp}_bytes unless you’re running a development version from the git repo which has a fix for this situation.  What version of Bro are you running?

A way to improve your detection with only script changes could be to include {orig,resp}_ip_bytes in the criteria.  The difference is that field counts total bytes of IP packets, not just payload data.  It’s also more sensitive to packet loss, where {orig,resp}_bytes should still work since it’s monitoring the TCP sequence space.

- Jon