[Bro] Large file ex-filtration revisited
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Apr 3 15:18:08 PDT 2014
On Apr 3, 2014, at 4:39 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 2014-04-03T13:38:42-0600 CSZCCe4mZI1T7iJogg x.x.x.x 55023 4.71.33.182 80 tcp - 0.035191 1213381425 0 RSTOS0 T 0 SaR 2 88 1 40 (empty)
This looks like it may be a “half-open” TCP connection, and Bro may report inaccurate {orig,resp}_bytes unless you’re running a development version from the git repo which has a fix for this situation. What version of Bro are you running?
A way to improve your detection with only script changes could be to include {orig,resp}_ip_bytes in the criteria. The difference is that field counts total bytes of IP packets, not just payload data. It’s also more sensitive to packet loss, where {orig,resp}_bytes should still work since it’s monitoring the TCP sequence space.
- Jon
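Jon's suggestion is to add {orig,resp}_ip_bytes to the detection criteria so that a half-open connection with an inflated orig_bytes (1213381425 bytes claimed over 2 packets and 88 IP bytes in the record quoted above) does not trip a large-transfer alert. The following Python script is an added example, not code from the thread or from Bro itself; it applies that criterion as post-processing over conn.log records rather than as the Bro script change Jon describes. The sample records are constructed (the first re-joins the quoted record into one tab-separated line, the other two are invented), the 10 MB threshold is illustrative, and the counters_disagree() heuristic is this example's own, not a Bro check.

```python
#!/usr/bin/env python3
"""Large-transfer detection over Bro conn.log records that requires both
orig_bytes (TCP sequence space) and orig_ip_bytes (bytes of IP packets) to
clear the threshold.  Added example; records and threshold are constructed."""
from typing import Dict, List

# Column order of a default Bro 2.x conn.log (its #fields header).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]


def _rec(*fields: str) -> str:
    return "\t".join(fields)


# Constructed sample log.  Record 1 is the one quoted in the thread, re-joined
# as a single tab-separated line; records 2 and 3 are invented.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(CONN_FIELDS),
    # half-open (RSTOS0) connection: 2 packets / 88 IP bytes from the
    # originator, yet orig_bytes claims ~1.2 GB of payload
    _rec("2014-04-03T13:38:42-0600", "CSZCCe4mZI1T7iJogg", "x.x.x.x", "55023",
         "4.71.33.182", "80", "tcp", "-", "0.035191", "1213381425", "0",
         "RSTOS0", "T", "0", "SaR", "2", "88", "1", "40", "(empty)"),
    # invented 50 MB upload: both counters agree that it was large
    _rec("2014-04-03T13:40:00-0600", "CExfil1aBcDeFgHiJk", "10.0.0.5", "50112",
         "198.51.100.7", "443", "tcp", "ssl", "41.2", "52428800", "18000",
         "SF", "T", "0", "ShADadfF", "37000", "54500000", "18500", "980000",
         "(empty)"),
    # invented ordinary HTTP fetch
    _rec("2014-04-03T13:41:10-0600", "CSmall9zYxWvUtSrQp", "10.0.0.5", "50113",
         "198.51.100.8", "80", "tcp", "http", "0.21", "420", "15300",
         "SF", "T", "0", "ShADadfF", "8", "860", "14", "16100", "(empty)"),
])


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's tab-separated ASCII conn.log into dicts keyed by field name.
    A #fields header, if present, overrides the default column list."""
    fields = list(CONN_FIELDS)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header/footer lines (#separator, #close, ...)
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        records.append(dict(zip(fields, cols)))
    return records


def count(rec: Dict[str, str], field: str) -> int:
    """Bro writes '-' for an unset counter; treat that as zero."""
    v = rec[field]
    return 0 if v == "-" else int(v)


def counters_disagree(rec: Dict[str, str]) -> bool:
    """Heuristic of this example, not a Bro check: payload bytes cannot exceed
    the bytes of the IP packets that carried them, so orig_bytes > orig_ip_bytes
    with no recorded gap (missed_bytes == 0) marks the sequence-space figure as
    unreliable, as in the half-open record quoted in the thread."""
    return (count(rec, "orig_bytes") > count(rec, "orig_ip_bytes")
            and count(rec, "missed_bytes") == 0)


def is_large_outbound(rec: Dict[str, str], threshold: int) -> bool:
    """Both counters must clear the threshold: orig_bytes alone is fooled by the
    half-open case, orig_ip_bytes alone undercounts when packets are lost."""
    return (count(rec, "orig_bytes") >= threshold
            and count(rec, "orig_ip_bytes") >= threshold)


def find_large_outbound(text: str, threshold: int) -> List[str]:
    return [r["uid"] for r in parse_conn_log(text) if is_large_outbound(r, threshold)]


def find_disagreeing(text: str) -> List[str]:
    return [r["uid"] for r in parse_conn_log(text) if counters_disagree(r)]


if __name__ == "__main__":
    THRESHOLD = 10 * 1024 * 1024  # 10 MB, an illustrative cut-off
    print("large outbound:", find_large_outbound(SAMPLE_CONN_LOG, THRESHOLD))
    print("suspect counters:", find_disagreeing(SAMPLE_CONN_LOG))
```

Run against the sample, only the invented 50 MB upload is reported as large, while the quoted RSTOS0 record is flagged by counters_disagree() because its 1213381425-byte orig_bytes cannot have travelled in 88 IP bytes. The same two functions apply to the resp_* fields for the inbound direction.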