[Bro] Large file ex-filtration revisited
Robert Rotsted
rotsted at reservoir.com
Fri Apr 4 07:38:50 PDT 2014
James,
Glad to hear that the script was helpful!
--bob
On Thu, Apr 3, 2014 at 2:39 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> So first off a HUGE thank you to Robert Rotsted who posted the original
> after_hours_exfiltrate.bro.
> (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-March/007510.html).
> Here's how I've modified this:
>
> module Exfil;
>
> export {
>     redef enum Notice::Type += {
>         Large_File_Upload,
>     };
> }
>
> ## Each time a connection is logged execute the following code
> event Conn::log_conn(rec: Conn::Info)
>     {
>     ## Ensure both orig_bytes and resp_bytes exist; if either is
>     ## missing, return before the comparisons below dereference it.
>     if ( ! rec?$orig_bytes || ! rec?$resp_bytes )
>         return;
>
>     ## Is this connection between a local originator and a
>     ## remote responder?
>     ## Are the sent bytes greater than 20 x the received bytes?
>     ## Has the originator sent at least 13145728 bytes?
>     if ( rec$id$orig_h in Site::local_nets &&
>          rec$id$resp_h !in Site::local_nets &&
>          rec$orig_bytes > (20 * rec$resp_bytes) &&
>          rec$orig_bytes >= 13145728 )
>         {
>         NOTICE([$note=Large_File_Upload,
>                 $id=rec$id,
>                 $identifier=cat(rec$uid),
>                 $msg=fmt("Sent Bytes: %s, Received Bytes: %s",
>                          rec$orig_bytes, rec$resp_bytes)]);
>         }
>     }
>
> I noticed today an anomaly I guess:
>
>
> 2014-04-03T13:38:45-0600 - x.x.x.x 55023 4.71.33.182 80 - - - tcp Exfil::Large_File_Upload Sent Bytes: 1213381425, Received Bytes: 0 - x.x.x.x 4.71.33.182 80 - bro Notice::ACTION_LOG 3600.000000 F - - - --
>
> 2014-04-03T13:38:42-0600 CSZCCe4mZI1T7iJogg x.x.x.x 55023 4.71.33.182 80 tcp - 0.035191 1213381425 0 RSTOS0 T 0 SaR 2 88 1 40 (empty)
>
>
> I found a RST packet in the capture that matched close to the sent
> bytes:
>
> Transmission Control Protocol, Src Port: 55023 (55023), Dst Port: http (80), Seq: 1213381426, Len: 0
>
> Did I hose the script by removing the hourly constraint? Thanks for
> the assist...this has helped me better understand the scripting
> (though I'm still just at the copy and paste level :)).
>
> James
>
>
--
Bob Rotsted
Senior Engineer
Reservoir Labs, Inc.
503-225-0583 x138
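The quoted conn.log line shows why the notice fired: conn_state RSTOS0, history "SaR" (SYN, ACK, RST, no "D" for originator payload), only 88 IP bytes from the originator, yet orig_bytes of 1213381425, i.e. a byte count inferred from the RST's sequence number rather than from observed data. The script below is an added example written for this page, not code from the thread or from the Bro distribution; it keeps James's thresholds and assumes the Bro 2.x Conn::Info field names (history, orig_ip_bytes) to reject such inferred counts before raising the notice.

```bro
##! Added example: Exfil::Large_File_Upload with sanity checks that reject
##! byte counts Bro only inferred from TCP sequence numbers, as in the
##! "RSTOS0 ... SaR" conn.log line quoted in the thread.

module Exfil;

export {
    redef enum Notice::Type += {
        Large_File_Upload,
    };

    ## Originator must have sent at least this many bytes (from the post).
    const min_upload_bytes = 13145728 &redef;
    ## ... and at least this many times what it received (from the post).
    const upload_ratio = 20 &redef;
}

event Conn::log_conn(rec: Conn::Info)
    {
    # Both byte counters must be present before either is read.
    if ( ! rec?$orig_bytes || ! rec?$resp_bytes )
        return;

    # Only local originator -> remote responder.
    if ( rec$id$orig_h !in Site::local_nets || rec$id$resp_h in Site::local_nets )
        return;

    # The history string records a "D" when originator payload was actually
    # seen; "SaR" carried none, so the 1.2 GB in the post was never observed.
    if ( ! rec?$history || "D" !in rec$history )
        return;

    # Payload bytes cannot exceed the IP bytes seen on the wire: if they do,
    # the count came from a sequence jump (or from capture loss), not data.
    if ( rec?$orig_ip_bytes && rec$orig_bytes > rec$orig_ip_bytes )
        return;

    if ( rec$orig_bytes > upload_ratio * rec$resp_bytes &&
         rec$orig_bytes >= min_upload_bytes )
        NOTICE([$note=Large_File_Upload, $id=rec$id, $identifier=rec$uid,
                $msg=fmt("Sent Bytes: %d, Received Bytes: %d",
                         rec$orig_bytes, rec$resp_bytes)]);
    }
```

The orig_ip_bytes comparison also suppresses connections where the sensor dropped packets, so a drop in notice volume after loading this should be checked against capture-loss statistics rather than read as fewer uploads.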