[Bro] Large file ex-filtration revisited

James Lay jlay at slave-tothe-box.net
Thu Apr 3 15:45:46 PDT 2014


On 2014-04-03 16:18, Siwek, Jonathan Luke wrote:
> On Apr 3, 2014, at 4:39 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> 2014-04-03T13:38:42-0600        CSZCCe4mZI1T7iJogg      x.x.x.x 55023   4.71.33.182     80      tcp     -       0.035191        1213381425      0       RSTOS0  T       0       SaR     2       88      1       40      (empty)
>
> This looks like it may be a “half-open” TCP connection, and Bro may
> report inaccurate {orig,resp}_bytes unless you’re running a
> development version from the git repo which has a fix for this
> situation.  What version of Bro are you running?
>
> A way to improve your detection with only script changes could be to
> include {orig,resp}_ip_bytes in the criteria.  The difference is that
> field counts total bytes of IP packets, not just payload data.  It’s
> also more sensitive to packet loss, where {orig,resp}_bytes should
> still work since it’s monitoring the TCP sequence space.
>
> - Jon

Thanks Jon,

I'm on 2.2 here.  I'm going to start fiddling with the script now...thanks again for the help and response.

James
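The cross-check Jon describes above, as an added example that is not part of the original thread or of the Bro project: a small parser for Bro 2.2 conn.log rows (the twenty columns in the #fields order, which is also the order of the row James posted) and a detector that only alerts when the TCP-sequence-space counter orig_bytes and the packet-based counter orig_ip_bytes both exceed the threshold. On the half-open RSTOS0 row from the thread, orig_bytes claims about 1.2 GB while only two packets totalling 88 IP bytes were seen, so the combined rule suppresses it; the 100 MiB threshold and the other two log rows are constructed assumptions.

```python
"""Cross-check conn.log byte counters before alerting on a large upload.

Added example, not code from the Bro project or from the thread's author.
Assumptions: Bro 2.2 conn.log field order, a 100 MiB exfil threshold, and
the constructed sample rows below (the first row is the one from the thread,
the other two are made up).
"""

# Bro 2.2 conn.log columns in file order (the #fields header line).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]
INT_FIELDS = ("orig_bytes", "resp_bytes", "missed_bytes",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")

THRESHOLD = 100 * 1024 * 1024  # 100 MiB upload; assumed threshold


def parse_conn_line(line):
    """Split one tab-separated conn.log row into a dict; '-' becomes 0 for counters."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(cols)))
    rec = dict(zip(FIELDS, cols))
    for key in INT_FIELDS:
        rec[key] = 0 if rec[key] == "-" else int(rec[key])
    return rec


def classify(rec, threshold=THRESHOLD):
    """Decide what a large-upload rule should do with one connection record.

    orig_bytes is derived from the TCP sequence space, so a half-open or
    RST-terminated connection can carry a bogus value.  orig_ip_bytes is the
    sum of IP packet lengths actually seen, so it cannot exceed what crossed
    the wire, but it undercounts when the sensor dropped packets
    (missed_bytes > 0).  Requiring both counters to agree removes the
    half-open false positive without losing lossy captures.
    """
    seq_bytes = rec["orig_bytes"]
    ip_bytes = rec["orig_ip_bytes"]
    lost = rec["missed_bytes"]
    if seq_bytes >= threshold and ip_bytes >= threshold:
        return "alert"         # both counters agree: real large upload
    if seq_bytes >= threshold and lost > 0:
        return "alert-lossy"   # IP counter may undercount; sequence count still valid
    if seq_bytes >= threshold:
        return "suppress"      # orig_bytes not backed by packets seen (e.g. half-open)
    return "ok"


def scan_log(text, threshold=THRESHOLD):
    """Classify every non-comment row of a conn.log body; returns {uid: verdict}."""
    verdicts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        verdicts[rec["uid"]] = classify(rec, threshold)
    return verdicts


# Constructed sample rows (tab-separated, as Bro writes them).
# Row 1 is the half-open connection from the thread; rows 2 and 3 are made up.
SAMPLE_LOG = "\n".join([
    "\t".join(["2014-04-03T13:38:42-0600", "CSZCCe4mZI1T7iJogg", "x.x.x.x", "55023",
               "4.71.33.182", "80", "tcp", "-", "0.035191", "1213381425", "0",
               "RSTOS0", "T", "0", "SaR", "2", "88", "1", "40", "(empty)"]),
    "\t".join(["2014-04-03T13:40:10-0600", "CONSTRUCTED_UID_01", "x.x.x.x", "55100",
               "198.51.100.7", "443", "tcp", "ssl", "912.33", "629145600", "1048576",
               "SF", "T", "0", "ShADadfF", "450000", "647167200", "300000",
               "13500000", "(empty)"]),
    "\t".join(["2014-04-03T13:41:00-0600", "CONSTRUCTED_UID_02", "x.x.x.x", "55101",
               "198.51.100.8", "80", "tcp", "http", "1.2", "2048", "51200",
               "SF", "T", "0", "ShADadfF", "20", "2900", "40", "53000", "(empty)"]),
])

if __name__ == "__main__":
    for uid, verdict in scan_log(SAMPLE_LOG).items():
        print(uid, verdict)
```

The same rule expressed in a Bro script would sit in a connection_state_remove handler and compare c$conn$orig_bytes and c$conn$orig_ip_bytes against the threshold; the "alert-lossy" branch is where you decide how much to trust the sequence-space number when missed_bytes shows the sensor dropped traffic.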