[Bro] Large file ex-filtration revisited

James Lay jlay at slave-tothe-box.net
Thu Apr 3 15:59:42 PDT 2014


On 2014-04-03 16:45, James Lay wrote:
> On 2014-04-03 16:18, Siwek, Jonathan Luke wrote:
>> On Apr 3, 2014, at 4:39 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>>> 2014-04-03T13:38:42-0600        CSZCCe4mZI1T7iJogg      x.x.x.x
>>> 55023   4.71.33.182     80      tcp     -       0.035191
>>> 1213381425      0       RSTOS0  T       0       SaR     2       88
>>> 1       40      (empty)
>>
>> This looks like it may be a “half-open” TCP connection, and Bro may
>> report inaccurate {orig,resp}_bytes unless you’re running a
>> development version from the git repo which has a fix for this
>> situation.  What version of Bro are you running?
>>
>> A way to improve your detection with only script changes could be to
>> include {orig,resp}_ip_bytes in the criteria.  The difference is 
>> that
>> field counts total bytes of IP packets, not just payload data.  It’s
>> also more sensitive to packet loss, where {orig,resp}_bytes should
>> still work since it’s monitoring the TCP sequence space.
>>
>> - Jon
>
> Thanks Jon,
>
> I'm on 2.2 here.  I'm going to start fiddling with the script
> now...thanks again for the help and response.
>
> James

Ok...I've made the below modification:

     # The byte counters in Conn::Info are &optional in Bro 2.2, so check that
     # they are set before comparing them (an unset field is a runtime error)
     if ( rec?$orig_bytes && rec?$resp_bytes && rec?$resp_ip_bytes &&
          rec$id$orig_h in Site::local_nets &&
          rec$id$resp_h in Site::local_nets &&
          rec$orig_bytes > (10 * rec$resp_bytes) &&
          rec$orig_bytes > (10 * rec$resp_ip_bytes) &&
          rec$orig_bytes >= 3145728 )
     {

This works in dev when sending a large file, so going to test this out 
in production....thank you.

James
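The same criteria applied offline to conn.log records, as an added example that is not part of this thread or of Bro itself. It keeps the thread's 3145728-byte threshold and 10:1 ratio, but evaluates them on both the sequence-space counters (orig_bytes/resp_bytes) and the packet-level counters (orig_ip_bytes/resp_ip_bytes) that Jon suggested, so a half-open RSTOS0 connection whose orig_bytes is inflated while only a couple of packets crossed the wire is separated from a real transfer. It assumes exfiltration means a local originator talking to a non-local responder, the local ranges 10.0.0.0/8 and 192.168.0.0/16 stand in for Site::local_nets, and the log excerpt is constructed (the first record mirrors the RSTOS0 line above with the masked address replaced by 10.0.0.5; the other two are made up).

```python
import ipaddress

# Threshold and ratio taken from the thread's script: originator payload of at
# least 3 MiB and more than 10x what the responder sent back.
THRESHOLD_BYTES = 3145728
RATIO = 10

# Assumed local address space for this example (stands in for Site::local_nets).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed Bro 2.2-style conn.log excerpt (tab-separated, '#' header lines).
# Record 1 mirrors the RSTOS0 line from the thread; records 2 and 3 are made up.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1396557522.000000\tCSZCCe4mZI1T7iJogg\t10.0.0.5\t55023\t4.71.33.182\t80\ttcp\t-"
    "\t0.035191\t1213381425\t0\tRSTOS0\tT\t0\tSaR\t2\t88\t1\t40\t(empty)\n"
    "1396557530.000000\tCexample000000001\t10.0.0.7\t44123\t203.0.113.9\t443\ttcp\tssl"
    "\t95.200000\t52428800\t120000\tSF\tT\t0\tShADadFf\t40000\t54600000\t20000\t1200000\t(empty)\n"
    "1396557540.000000\tCexample000000002\t10.0.0.7\t44124\t203.0.113.10\t80\ttcp\thttp"
    "\t1.500000\t800\t150000\tSF\tT\t0\tShADadFf\t10\t1300\t110\t156000\t(empty)\n"
)


def parse_conn_log(text):
    """Parse an ASCII conn.log into a list of dicts keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def count_field(rec, name):
    """Return an integer counter, or None when Bro logged it as unset ('-')."""
    value = rec.get(name, "-")
    return None if value == "-" else int(value)


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def outbound_skew(rec, sent, received):
    """True if the originator-side counter passes both the size and ratio test."""
    s, r = count_field(rec, sent), count_field(rec, received)
    if s is None or r is None:
        return False
    return s >= THRESHOLD_BYTES and s > RATIO * r


def classify(rec):
    """
    'transfer': large local->remote transfer confirmed by both counter pairs.
    'phantom' : orig_bytes fires but few IP bytes actually crossed the wire,
                as with a half-open RSTOS0 connection in Bro 2.2.
    None      : nothing of interest.
    """
    if not is_local(rec["id.orig_h"]) or is_local(rec["id.resp_h"]):
        return None
    payload = outbound_skew(rec, "orig_bytes", "resp_bytes")
    wire = outbound_skew(rec, "orig_ip_bytes", "resp_ip_bytes")
    if payload and wire:
        return "transfer"
    if payload and not wire:
        return "phantom"
    return None


def find_large_transfers(text):
    """Return (confirmed uids, phantom uids) for a conn.log text."""
    confirmed, phantom = [], []
    for rec in parse_conn_log(text):
        verdict = classify(rec)
        if verdict == "transfer":
            confirmed.append(rec["uid"])
        elif verdict == "phantom":
            phantom.append(rec["uid"])
    return confirmed, phantom


if __name__ == "__main__":
    hits, ghosts = find_large_transfers(SAMPLE_CONN_LOG)
    print("large outbound transfers:", hits)
    print("inflated orig_bytes, not counted:", ghosts)
```

Run against the sample, the 52 MB ssl session is reported while the RSTOS0 record (1213381425 payload bytes claimed, 88 IP bytes seen) lands in the phantom list, which is also a handy tuning aid: a growing phantom list on a sensor is a sign that the orig_bytes accounting, not the network, is producing the alerts.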
