[Bro] Large outbound transfer
Michael Bower
mbower2 at gmail.com
Tue Mar 25 21:04:34 PDT 2014
These are helpful, thanks!
Mike
On Tue, Mar 25, 2014 at 11:31 PM, scott mcallester <scott at 0x4c.com> wrote:
> I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
> If someone manages to gain access to our file server, zips up 10-20gb of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late, but here it is anyway:
>
> @load base/frameworks/notice
>
> module DataExfiltration;
>
> export {
>     redef enum Notice::Type += { data_exfiltration_100mb };
> }
>
> event connection_state_remove(c: connection)
> {
>     if ( c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000 ) {
>         # test for internal to external direction
>         if ( Site::is_local_addr(c$id$orig_h) ) {
>             if ( ! Site::is_local_addr(c$id$resp_h) ) {
>                 NOTICE([$note=data_exfiltration_100mb,
>                         $msg="> 100mb of data sent out in a single connection",
>                         $conn=c]);
>             }
>         }
>     }
> }
>
>
> And this in local.bro:
>
> @load DataExfiltration
> hook Notice::policy(n: Notice::Info) {
>     # Braces added: without them only the 'add' is conditional and the
>     # email body (and n$conn) would be touched for every notice type.
>     if ( n$note == DataExfiltration::data_exfiltration_100mb ) {
>         add n$actions[Notice::ACTION_EMAIL];
>         n$email_body_sections[|n$email_body_sections|] = fmt("Service: %s\nData sent: %s\nData received: %s", join_string_set(n$conn$service, ","), n$conn$orig$size, n$conn$resp$size);
>     }
> }
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
--
Mike
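The quoted script only fires in connection_state_remove, so a multi-gigabyte transfer is reported after it has finished. One way to see it while it is still running, as an added example that is not part of the thread and not the poster's code, is to let Bro poll live connections with the connection_status_update event (disabled by default through connection_status_update_interval) and check the originator's byte count on each tick. The module name, notice type, threshold constant and the one-notice-per-connection bookkeeping are assumptions made for this example; it assumes Bro 2.x with Site::local_nets configured.

```bro
# Added example, not from the thread: report a large local -> remote
# transfer while the connection is still open, instead of waiting for
# connection_state_remove. Assumes Bro 2.x and Site::local_nets set.
@load base/frameworks/notice
@load base/utils/site

module DataExfiltration;

export {
    redef enum Notice::Type += {
        ## Raised once per connection when a local originator has sent
        ## more than outbound_threshold bytes to a non-local responder.
        Large_Outbound_Transfer,
    };

    ## Payload bytes a local originator may send before a notice is raised
    ## (100 MB, matching the threshold discussed in the thread).
    const outbound_threshold = 100 * 1024 * 1024 &redef;

    ## Raise at most one notice per local/remote host pair in this window.
    const suppress_window = 1 hr &redef;
}

# Poll every live connection at this interval. The default of 0 secs
# disables the connection_status_update event entirely.
redef connection_status_update_interval = 1 min;

# Connections already reported, keyed by uid, so a transfer that keeps
# running does not produce a notice on every poll.
global reported: set[string] = set();

function check_outbound(c: connection)
    {
    if ( c$uid in reported )
        return;

    # Only local -> remote matters; internal copies are not exfiltration.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # c$orig$size is the payload byte count sent by the originator so far.
    if ( c$orig$size <= outbound_threshold )
        return;

    add reported[c$uid];

    NOTICE([$note=Large_Outbound_Transfer,
            $msg=fmt("%s has sent %d bytes to %s in one connection (still open)",
                     c$id$orig_h, c$orig$size, c$id$resp_h),
            $sub=join_string_set(c$service, ","),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=suppress_window]);
    }

# Fires periodically for every connection that is still alive.
event connection_status_update(c: connection)
    {
    check_outbound(c);
    }

# Also catch a connection that crossed the threshold between two polls
# and closed before the next one, then drop its bookkeeping entry.
event connection_state_remove(c: connection)
    {
    check_outbound(c);
    delete reported[c$uid];
    }
```

Polling every minute costs one event per live connection per minute, so on a busy sensor raise the interval or restrict the check to the server subnets that matter; the $identifier/$suppress_for pair keeps one noisy host from generating a notice for every parallel stream it opens to the same destination.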