[Bro] Large file ex-filtration revisited

James Lay jlay at slave-tothe-box.net
Fri Apr 4 08:36:09 PDT 2014 

On 2014-04-03 16:59, James Lay wrote:
> On 2014-04-03 16:45, James Lay wrote:
>> On 2014-04-03 16:18, Siwek, Jonathan Luke wrote:
>>> On Apr 3, 2014, at 4:39 PM, James Lay <jlay at slave-tothe-box.net>
>>> wrote:
>>>
>>>> 2014-04-03T13:38:42-0600        CSZCCe4mZI1T7iJogg      x.x.x.x
>>>> 55023   4.71.33.182     80      tcp     -       0.035191
>>>> 1213381425      0       RSTOS0  T       0       SaR     2       88
>>>> 1       40      (empty)
>>>
>>> This looks like it may be a “half-open” TCP connection, and Bro may
>>> report inaccurate {orig,resp}_bytes unless you’re running a
>>> development version from the git repo which has a fix for this
>>> situation.  What version of Bro are you running?
>>>
>>> A way to improve your detection with only script changes could be 
>>> to
>>> include {orig,resp}_ip_bytes in the criteria.  The difference is
>>> that
>>> field counts total bytes of IP packets, not just payload data.  
>>> It’s
>>> also more sensitive to packet loss, where {orig,resp}_bytes should
>>> still work since it’s monitoring the TCP sequence space.
>>>
>>> - Jon
>>
>> Thanks Jon,
>>
>> I'm on 2.2 here.  I'm going to start fiddling with the script
>> now...thanks again for the help and response.
>>
>> James
>
> Ok...I've made the below modification:
>
>      if ( rec$id$orig_h in Site::local_nets &&
>           rec$id$resp_h in Site::local_nets &&
>           rec$orig_bytes > (10 * rec$resp_bytes) &&
>           rec$orig_bytes > (10 * rec$resp_ip_bytes) &&
>           rec$orig_bytes >= 3145728 )
>
>      {
>
> This works in dev when sending a large file, so going to test this 
> out
> in production....thank you.
>
> James

Well shoot..still seeing these:

1396617228.413862       -       x.x.x.x    51859   x.x.x.x  80      -   
    -       -       tcp     Exfil::Large_File_Upload        Sent Bytes: 
1029838798, Received Bytes: 0       -       x.x.x.x    x.x.x.x  80      
-       bro     Notice::ACTION_LOG      3600.000000     F       -       
-       -       -    -

1396620769.215111       -       x.x.x.x    53522   x.x.x.x  80      -   
    -       -       tcp     Exfil::Large_File_Upload        Sent Bytes: 
569497424, Received Bytes: 0        -       x.x.x.x    x.x.x.x  80      
-       bro     Notice::ACTION_LOG      3600.000000     F       -       
-       -       -    -

2014-04-04T07:13:45-0600        CGZlLW2nctAkETr18c      x.x.x.x    
51859   x.x.x.x  80      tcp     -       0.064546        1029838798      
0       RSTOS0  T       0       SaR     2       92      1       52      
(empty)
2014-04-04T08:12:46-0600        C7E5mt24LSdkhFVcI5      x.x.x.x    
53522   x.x.x.x  80      tcp     -       0.064791        569497424       
0       RSTOS0  T       0       SaR     2       92      1       52      
(empty)

Should I just take the plunge to the latest git?  Side question...how 
to get the bro id (CGZlLW2nctAkETr18c) in the notice file?  I have:

  NOTICE([$note=Large_File_Upload,
                 $id=rec$id,
                 $identifier=cat(rec$uid),
                 $msg=fmt("Sent Bytes: %s, Received Bytes: %s",
                          rec$orig_bytes, rec$resp_bytes)]);

Thank you.

James

More information about the Bro mailing list