[Bro] Large file ex-filtration revisited
Siwek, Jonathan Luke
jsiwek at illinois.edu
Fri Apr 4 08:50:13 PDT 2014
On Apr 3, 2014, at 5:59 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Ok...I've made the below modification:
>
> if ( rec$id$orig_h in Site::local_nets &&
> rec$id$resp_h in Site::local_nets &&
> rec$orig_bytes > (10 * rec$resp_bytes) &&
> rec$orig_bytes > (10 * rec$resp_ip_bytes) &&
> rec$orig_bytes >= 3145728 )
rec$orig_bytes > (10 * rec$resp_ip_bytes) is probably still going to be true if the calculation of orig_bytes was botched and incorrectly reported as too large. You probably meant rec$orig_ip_bytes > (10 * rec$resp_bytes) ?
Another idea might be to just check for ‘d’ or ‘D’ in the history field to verify the value is sane — absence of ‘d’ or ‘D’ means no payload data was seen, just control packets, so large values of {orig,resp}_bytes can’t possibly make sense.
- Jon
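Added example, not part of the thread and not code from Bro itself: the quoted condition and the two sanity checks from the reply above, recast as Python run over a handful of constructed conn.log records (the 10.0.0.0/8 and 192.168.0.0/16 ranges stand in for Site::local_nets, and the uids, addresses and byte counts are invented). It shows a record whose orig_bytes is botched slipping past the posted ratio test, and being rejected once orig_ip_bytes is compared against resp_bytes and the history field is required to contain 'd' or 'D'.

```python
"""Large internal-upload heuristic over Bro conn.log records, with the sanity
checks from the reply above. Added example, not code from the thread or from
Bro itself; the conn.log records and local_nets are constructed."""
import ipaddress

# Constructed stand-in for Site::local_nets.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MIN_ORIG_BYTES = 3145728  # 3 MiB threshold from the quoted condition
RATIO = 10

# Default Bro 2.x conn.log columns (tunnel_parents omitted in these records).
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
          "resp_ip_bytes")

# Constructed records: one real 50 MiB internal upload, two with a botched
# orig_bytes, one to an external host, one internal download.
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in [
    ("1396500000.1", "CUpload1", "10.1.1.5", "51000", "192.168.1.10", "445", "tcp", "-",
     "120.5", "52428800", "8192", "SF", "T", "0", "ShADadFf", "36000", "54000000",
     "18000", "960000"),
    ("1396500001.2", "CBotched2", "10.1.1.7", "51002", "192.168.1.20", "22", "tcp", "-",
     "0.3", "4294967295", "0", "RSTO", "T", "0", "ShAR", "3", "180", "2", "100"),
    ("1396500002.3", "CBotched3", "10.1.1.8", "51003", "192.168.1.30", "80", "tcp", "http",
     "1.1", "4294967295", "5000", "SF", "T", "0", "ShADadFf", "6", "900", "5", "6000"),
    ("1396500003.4", "CExternal4", "10.1.1.5", "51004", "203.0.113.9", "443", "tcp", "ssl",
     "300.0", "52428800", "8192", "SF", "T", "0", "ShADadFf", "36000", "54000000",
     "18000", "960000"),
    ("1396500004.5", "CDownload5", "10.1.1.9", "51005", "192.168.1.40", "445", "tcp", "-",
     "90.0", "2000", "90000000", "SF", "T", "0", "ShADadFf", "30000", "1500000",
     "62000", "93000000"),
])


def parse_conn_log(text):
    """Yield one dict per tab-separated record, skipping '#' header lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield dict(zip(FIELDS, line.split("\t")))


def count(value):
    """Bro prints '-' for an unset count; treat it as 0."""
    return 0 if value == "-" else int(value)


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def payload_seen(history):
    """'D' = originator payload, 'd' = responder payload (upper case is the
    originator in Bro's history string). With neither, only control packets
    were seen and a large byte count cannot be trusted."""
    return "d" in history or "D" in history


def quoted_condition(rec):
    """The ratio test as posted: both comparisons use orig_bytes, so a
    botched (too large) orig_bytes satisfies both of them."""
    ob, rb, rib = count(rec["orig_bytes"]), count(rec["resp_bytes"]), count(rec["resp_ip_bytes"])
    return ob > RATIO * rb and ob > RATIO * rib and ob >= MIN_ORIG_BYTES


def checked_condition(rec):
    """Reply's version: cross-check orig_ip_bytes against resp_bytes and
    require that payload was actually observed."""
    ob, oib, rb = count(rec["orig_bytes"]), count(rec["orig_ip_bytes"]), count(rec["resp_bytes"])
    return (payload_seen(rec["history"])
            and ob > RATIO * rb and oib > RATIO * rb and ob >= MIN_ORIG_BYTES)


def large_internal_uploads(text, condition=checked_condition):
    """Return uids of internal-to-internal connections matching `condition`."""
    return [rec["uid"] for rec in parse_conn_log(text)
            if is_local(rec["id.orig_h"]) and is_local(rec["id.resp_h"])
            and condition(rec)]


if __name__ == "__main__":
    print("as posted:", large_internal_uploads(SAMPLE_CONN_LOG, quoted_condition))
    print("with sanity checks:", large_internal_uploads(SAMPLE_CONN_LOG))
```

CBotched2 has resp_bytes of 0, so every ratio comparison is trivially true and only the history check rejects it; CBotched3 did carry payload, and it is the orig_ip_bytes comparison that catches the inflated orig_bytes. Since the suspicious field is orig_bytes, tightening payload_seen to require 'D' alone is a reasonable refinement of the reply's suggestion.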