[Bro] Large file ex-filtration revisited

Robert Rotsted rotsted at reservoir.com
Fri Apr 4 07:38:50 PDT 2014


James,

Glad to hear that the script was helpful!

--bob


On Thu, Apr 3, 2014 at 2:39 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> So first off a HUGE thank you to Robert Rotsted who posted the original
> after_hours_exfiltrate.bro.
> (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-March/007510.html).
> Here's how I've modified this:
>
> module Exfil;
>
> export {
>
>      redef enum Notice::Type += {
>           Large_File_Upload,
>       };
> }
>
>
> ## Each time a connection is logged execute the following code
> event Conn::log_conn(rec: Conn::Info) {
>
>      ## Ensure both orig_bytes and resp_bytes exist; if either is missing, return.
>      ## (The fields below are accessed unconditionally, so both must be present.)
>      if (! (rec?$orig_bytes && rec?$resp_bytes))
>          return;
>
>      ## Is this connection between a local originator and a
>      ## remote responder?
>      ## Are the sent bytes greater than 20 x the received bytes?
>      ## Has the originator sent at least 13145728 bytes (about 12.5 MB)?
>      if ( rec$id$orig_h in Site::local_nets &&
>           rec$id$resp_h !in Site::local_nets &&
>           rec$orig_bytes > (20 * rec$resp_bytes) &&
>           rec$orig_bytes >= 13145728 )
>      {
>
>          NOTICE([$note=Large_File_Upload,
>                  $id=rec$id,
>                  $identifier=cat(rec$uid),
>                  $msg=fmt("Sent Bytes: %s, Received Bytes: %s",
>                           rec$orig_bytes, rec$resp_bytes)]);
>      }
>
> }
>
> I noticed today an anomaly I guess:
>
>
> 2014-04-03T13:38:45-0600        -       x.x.x.x    55023   4.71.33.182     80      -       -       -       tcp     Exfil::Large_File_Upload        Sent Bytes: 1213381425, Received Bytes: 0       -       x.x.x.x 4.71.33.182     80      -       bro     Notice::ACTION_LOG      3600.000000     F       -       -       -    --
>
>
> 2014-04-03T13:38:42-0600        CSZCCe4mZI1T7iJogg      x.x.x.x 55023   4.71.33.182     80      tcp     -       0.035191        1213381425      0       RSTOS0  T       0       SaR     2       88      1       40      (empty)
>
>
> I found a RST packet in the capture that matched close to the sent
> bytes:
>
> Transmission Control Protocol, Src Port: 55023 (55023), Dst Port: http
> (80), Seq: 1213381426, Len: 0
>
> Did I hose the script by removing the hourly constraint?  Thanks for
> the assist...this has helped me better understand the scripting
> (though I'm still just at the copy and paste level :)).
>
> James
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Bob Rotsted
Senior Engineer
Reservoir Labs, Inc.
503-225-0583 x138
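The conn.log record James quotes shows orig_bytes of 1213381425 next to orig_ip_bytes of 88 and only two originator packets, a combination consistent with a byte count taken from the stray RST's sequence number (Bro derives TCP orig_bytes from sequence numbers) rather than from data actually sent. As an added example, not code from this thread or from Bro, the following Python applies the posted script's thresholds to conn.log lines and adds a cross-check against orig_ip_bytes and the history string; the 10.0.0.0/8 local net and the second log record are assumptions constructed for the demonstration.

```python
import ipaddress

# Column order of the conn.log the thread quotes (Bro 2.2 layout, whitespace-split).
CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
               "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
               "local_orig", "missed_bytes", "history", "orig_pkts",
               "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents")
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed stand-in for Site::local_nets
RATIO = 20            # same thresholds as the posted script
MIN_BYTES = 13145728

# Constructed input: the RSTOS0 record from the thread with the redacted x.x.x.x
# replaced by 10.0.0.5, plus a made-up record of a genuine multi-megabyte upload.
SAMPLE_LINES = [
    "2014-04-03T13:38:42-0600 CSZCCe4mZI1T7iJogg 10.0.0.5 55023 4.71.33.182 80 tcp - "
    "0.035191 1213381425 0 RSTOS0 T 0 SaR 2 88 1 40 (empty)",
    "2014-04-03T14:02:10-0600 CxAmPlE00000000001 10.0.0.5 51234 203.0.113.9 443 tcp ssl "
    "412.5 52000000 2000 SF T 0 ShADadFf 36000 53900000 18000 722000 (empty)",
]

def parse_conn(line):
    """Split one whitespace-separated conn.log line into a field dict."""
    return dict(zip(CONN_FIELDS, line.split()))

def to_count(value):
    """Bro writes unset counts as '-'; treat those as missing (None)."""
    return None if value == "-" else int(value)

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def large_upload(rec):
    """The posted script's test, plus two plausibility checks: Bro derives
    orig_bytes from TCP sequence numbers, so a stray RST (the RSTOS0 record)
    inflates it, while orig_ip_bytes is summed from IP headers on the wire and
    payload can never exceed it; 'D' in history means a data segment was seen."""
    orig_bytes = to_count(rec["orig_bytes"])
    resp_bytes = to_count(rec["resp_bytes"])
    orig_ip_bytes = to_count(rec["orig_ip_bytes"])
    if orig_bytes is None or resp_bytes is None or orig_ip_bytes is None:
        return False
    if not is_local(rec["orig_h"]) or is_local(rec["resp_h"]):
        return False
    if orig_bytes <= RATIO * resp_bytes or orig_bytes < MIN_BYTES:
        return False
    return orig_bytes <= orig_ip_bytes and "D" in rec["history"]

def flagged_uids(lines=SAMPLE_LINES):
    return [rec["uid"] for rec in map(parse_conn, lines) if large_upload(rec)]
```

Run as-is, flagged_uids() returns only the constructed genuine upload; the RSTOS0 record is dropped because its 1213381425 payload bytes cannot fit in 88 bytes on the wire.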