[Bro] Large outbound transfer
scott mcallester
scott at 0x4c.com
Tue Mar 25 20:31:33 PDT 2014
I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
If someone manages to gain access to our file server, zips up 10-20 GB of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late, but here it is anyway:
@load base/frameworks/notice

module DataExfiltration;

export {
    redef enum Notice::Type += { data_exfiltration_100mb };
}

event connection_state_remove(c: connection)
    {
    # num_bytes_ip and num_pkts are &optional fields of the endpoint record
    # (only populated when the connection size analyzer is on), so check
    # that they are present before reading them.
    if ( ! c$orig?$num_bytes_ip || ! c$orig?$num_pkts )
        return;

    if ( c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000 )
        {
        # test for internal to external direction
        if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
            NOTICE([$note=data_exfiltration_100mb,
                    $msg="> 100mb of data sent out in a single connection",
                    $conn=c]);
        }
    }
And this in local.bro:
@load DataExfiltration

hook Notice::policy(n: Notice::Info)
    {
    # The braces matter: without them only the "add" is conditional and the
    # e-mail body would be built for every notice, including ones with no $conn.
    if ( n$note == DataExfiltration::data_exfiltration_100mb && n?$conn )
        {
        add n$actions[Notice::ACTION_EMAIL];
        n$email_body_sections[|n$email_body_sections|] =
            fmt("Service: %s\nData sent: %s\nData received: %s",
                join_string_set(n$conn$service, ","),
                n$conn$orig$size, n$conn$resp$size);
        }
    }
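Added example, not part of the original post: the mid-connection variant the poster is after, which alerts as soon as the originator's byte count crosses a limit instead of waiting for connection_state_remove. It assumes a Bro release that ships base/protocols/conn/thresholds.bro (the ConnThreshold API, which arrived in a later release than the one in use when this was written, and is present in Zeek); the notice name, the exfil_threshold constant and the suppression settings are my own choices.

```bro
@load base/frameworks/notice
@load base/protocols/conn

module DataExfiltration;

export {
    redef enum Notice::Type += { data_exfiltration_100mb };

    ## Bytes sent by the originator that trigger the notice (100 MB).
    const exfil_threshold = 100000000 &redef;
}

# Arm a per-connection byte threshold as soon as the connection is seen,
# but only for connections that leave the local network.
event new_connection(c: connection)
    {
    if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
        ConnThreshold::set_bytes_threshold(c, exfil_threshold, T);
    }

# Raised while the connection is still open, the moment the originator's
# byte count crosses the threshold we armed above.
event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( ! is_orig || threshold != exfil_threshold )
        return;

    NOTICE([$note=data_exfiltration_100mb,
            $msg=fmt("> %d bytes sent out in a single connection", threshold),
            $sub=join_string_set(c$service, ","),
            $conn=c,
            # Suppress repeats for the same host pair for an hour.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
    }
```

The e-mail hook from local.bro above works unchanged with this notice, since $conn is still attached.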