[Bro] Exfil Framework Released

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Sep 12 10:18:28 PDT 2014 

Thank you for this, very much.

I planned on writing something similar and have not had the time.  Glad I didn't as yours is better than mine would have been to start with.


These are some thoughts I have and plan to include in your scripts on my NSMs at some point.

1.   A global ignore list of IPs for sources that are used for file uploads.

Export {
...
    global ignored_sources_conn: set[subnet] = [1.1.1.1/32, 2.3.4.0/24] &redef;
...
}

event connection_established (c: connection) {
...
    if (c$id$orig_h in ignored_sources_conn )
        return;
...
}

2.  Another global variable under which the estimated file size does not raise a notice.
3.  Another global variable that tracks how many uploads any given source sends in X amount of time above which a notice is raised no matter how large the uploaded files were.

I do the above in my rudimentary exfil script that simply looks at total upload size on connection end and have found it very useful.

I've been running your scripts on two of our busiest Inet connections for the past couple hours and have seen no appreciable uptick in cpu or memory usage on Bro 2.3.  I have it set to watch all RFC1918 connections to the Inet.


Thanks again,
Brian


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Robert Rotsted
Sent: Wednesday, September 10, 2014 3:14 PM
To: Bro Mailing List
Subject: [Bro] Exfil Framework Released

Hi all,

As announced at BroCon, Reservoir Labs just released the Exfil Framework on Github.

The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).

The scripts are located at:
https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework

Feel free to reach out to me if you have any questions, comments or suggestions for improvement.

Best,

Bob

--
Bob Rotsted
Senior Engineer
Reservoir Labs, Inc.
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list