[Bro] Large outbound transfer

Robert Rotsted rotsted at reservoir.com
Tue Mar 25 20:18:36 PDT 2014


Michael,

Here is a script that I wrote. It flags connections that:

* Originate locally
* Occur after business hours
* Contain more than 3 Megabytes of sent data
* Contain 10 x more sent data than received data

Feel free to edit the script to fit your needs.

Best,

Bob

On Tue, Mar 25, 2014 at 7:11 PM, Michael Bower <mbower2 at gmail.com> wrote:

> Has anyone written a script to look for large outbound file transfers?
>
> Thanks
>
> --
>
> Mike
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


-- 
Bob Rotsted
Senior Engineer
Reservoir Labs, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: after_hours_exfiltrate.bro
Type: application/octet-stream
Size: 3128 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140325/27b90e67/attachment.obj 
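The attached script itself is not preserved in the archive, so the following is an added illustration of the four criteria Bob lists, written as a Bro policy script; it is not after_hours_exfiltrate.bro and not Reservoir Labs' code. The module name, notice type, the 3 MB and 10x thresholds, and the 08:00-18:00 weekday business-hours window are assumptions to be adjusted per site, and "originate locally" is taken to mean the originator is in Site::local_nets and the responder is not.

```bro
##! Added example, not the script attached to the post: raise a notice for
##! connections that originate locally, end outside business hours, send
##! more than 3 MB, and send at least 10x what they receive.

@load base/utils/site
@load base/frameworks/notice

module AfterHoursExfil;

export {
    redef enum Notice::Type += {
        ## A large, lopsided outbound transfer outside business hours.
        Large_Outbound_Transfer,
    };

    ## Minimum bytes the local originator must have sent (assumed: 3 MB).
    const min_sent_bytes: count = 3 * 1024 * 1024 &redef;

    ## Sent-to-received ratio that counts as lopsided (assumed: 10x).
    const sent_to_recv_ratio: count = 10 &redef;

    ## Business hours in local time as hour-of-day, [start, end) (assumed).
    const business_start: count = 8 &redef;
    const business_end: count = 18 &redef;
}

## Returns T when the timestamp falls on a weekend or outside business hours.
function after_hours(t: time): bool
    {
    local hour = to_count(strftime("%H", t));
    local wday = to_count(strftime("%u", t));   # 1 = Monday .. 7 = Sunday

    if ( wday > 5 )
        return T;

    return hour < business_start || hour >= business_end;
    }

event connection_state_remove(c: connection)
    {
    # Criterion 1: the connection must originate inside our address space
    # and leave it; local-to-local traffic is not an exfiltration candidate.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    local sent = c$orig$size;
    local recv = c$resp$size;

    # Criterion 3: enough data left the network to matter.
    if ( sent < min_sent_bytes )
        return;

    # Criterion 4: the transfer is lopsided. A connection that received
    # nothing at all is treated as lopsided rather than dividing by zero.
    if ( recv > 0 && sent < recv * sent_to_recv_ratio )
        return;

    # Criterion 2: judged by when the connection started.
    if ( ! after_hours(c$start_time) )
        return;

    NOTICE([$note=Large_Outbound_Transfer,
            $conn=c,
            $msg=fmt("%s sent %d bytes to %s (received %d) after hours",
                     c$id$orig_h, sent, c$id$resp_h, recv),
            # Suppress repeats for the same host pair within the notice
            # framework's default suppression interval.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Because the check runs in connection_state_remove, a long-lived transfer is only evaluated once it ends; sites that want earlier warning can instead sample c$orig$size from a scheduled event while the connection is still open. The byte counts come from the connection record, so they measure payload sent by the originator regardless of protocol, which is what makes the ratio test useful for transfers that do not use a recognised file-transfer protocol.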