[Bro] Large outbound transfer

Michael Bower mbower2 at gmail.com
Tue Mar 25 21:04:34 PDT 2014


These are helpful, thanks!

Mike


On Tue, Mar 25, 2014 at 11:31 PM, scott mcallester <scott at 0x4c.com> wrote:

>  I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
> If someone manages to gain access to our file server, zips up 10-20 GB of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late, but here it is anyway:
>
> @load base/frameworks/notice
>
> module DataExfiltration;
>
> export {
>         redef enum Notice::Type += { data_exfiltration_100mb };
> }
>
> # connection_state_remove fires once per connection, when Bro removes the
> # connection from its state table (after it closes or times out), so this
> # check only runs once the transfer has already finished.
> event connection_state_remove(c: connection)
>         {
>         # ~100 MB of IP-layer bytes and at least 1000 packets from the originator
>         if ( c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000 )
>                 {
>                 # test for internal to external direction
>                 if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
>                         {
>                         NOTICE([$note=data_exfiltration_100mb,
>                                 $msg="> 100mb of data sent out in a single connection",
>                                 $conn=c]);
>                         }
>                 }
>         }
>
>
> And this in local.bro:
>
> @load DataExfiltration
>
> hook Notice::policy(n: Notice::Info)
>         {
>         # Braces matter here: without them only the 'add' line is conditional and
>         # the fmt() line below runs for every notice, including ones that carry
>         # no $conn, which raises a runtime error.
>         if ( n$note == DataExfiltration::data_exfiltration_100mb )
>                 {
>                 add n$actions[Notice::ACTION_EMAIL];
>                 n$email_body_sections[|n$email_body_sections|] =
>                         fmt("Service: %s\nData sent: %s\nData received: %s",
>                             join_string_set(n$conn$service, ","),
>                             n$conn$orig$size, n$conn$resp$size);
>                 }
>         }
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

Mike
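The quoted message points out that connection_state_remove only fires after the connection has ended, so a 10-20 GB upload would be finished before the notice goes out. One way to check a connection while it is still open is Bro's connection_status_update event, which fires for every live connection at a fixed interval. The script below is an added example and is not code from the thread: the notice name, the 100 MiB threshold, the 1 min polling interval and the 1 hr suppression window are assumptions, and the interval has to be set explicitly because connection_status_update_interval defaults to 0 secs, which disables the event entirely.

```bro
@load base/frameworks/notice

module DataExfiltration;

export {
	redef enum Notice::Type += {
		# Raised while the connection is still open. Assumed name, example only.
		Large_Outbound_Transfer_In_Progress
	};

	# Payload bytes the internal host must have sent before we alert.
	# Assumed threshold; redef it in local.bro to taste.
	const outbound_threshold = 100 * 1024 * 1024 &redef;
}

# connection_status_update is only generated when this interval is non-zero
# (the default is 0 secs). 1 min is an assumed value; on a busy sensor this
# costs one event per live connection per interval, so do not set it too low.
redef connection_status_update_interval = 1min;

# Connections already reported, so a transfer that stays open for an hour
# produces one notice instead of one every interval.
global reported: set[conn_id] &create_expire = 1day;

event connection_status_update(c: connection)
	{
	if ( c$id in reported )
		return;

	# Internal -> external only, same direction test as the quoted script.
	if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
		return;

	# c$orig$size is the payload byte count the originator has sent so far
	# (from TCP sequence numbers, so retransmissions are not double counted).
	if ( c$orig$size < outbound_threshold )
		return;

	add reported[c$id];

	NOTICE([$note=Large_Outbound_Transfer_In_Progress,
	        $msg=fmt("%s has sent %d bytes to %s and the connection is still open",
	                 c$id$orig_h, c$orig$size, c$id$resp_h),
	        $conn=c,
	        # Collapse repeat notices for the same host pair for an hour.
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=1hr]);
	}

event connection_state_remove(c: connection)
	{
	# Clean up as soon as the connection is gone rather than waiting for
	# the set's expiry.
	if ( c$id in reported )
		delete reported[c$id];
	}
```

Loaded from local.bro like the quoted script, this raises the notice at the first polling tick after the originator crosses the threshold, so the alert arrives while the transfer is in progress rather than after it completes. Bro 2.5 and later (now Zeek) also ship a ConnThreshold framework (base/protocols/conn/thresholds) that delivers a per-connection byte-threshold event without polling every connection, which is the better tool where it is available.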