[Zeek] Large file detection

Scot Harris SHARRIS at hollywoodfl.org
Mon Dec 9 13:20:20 PST 2019


Running Zeek 3.0.

Installed zeek/theflakes/bro-large_uploads (installed: master) - Raise notices on outgoing files over X bytes in size.

Getting a lot of events logged in notices log files. Fairly certain at this time that these events are due to the Cylance application sending data to Cylance cloud services for analysis.

Unable to get a specific list of AWS EC2 servers as they are using a lot of them and they change regularly.

Any ideas on how to reduce these notices so the unusual events are more apparent?

Since it is looking at network packets I don't think there is any way to tie the file transfer back to the application.

Examples of the events found in the notices log files are below.

Fields (notice.log): _interface, ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, fuid, file_mime_type, file_desc, proto, note, msg, sub, src, dst, p, n, peer_descr, actions, suppress_for, remote_location.country_code, remote_location.region, remote_location.city, remote_location.latitude, remote_location.longitude

In all four records below, fuid, file_mime_type, file_desc, n and the five remote_location.* fields are empty (-).

Record 1
  _interface    af_packet::eno1
  ts            2019-12-09T00:00:59-0500
  uid           COFjRo4ZBvf3xSXVK2
  id.orig_h     10.1.7.205
  id.orig_p     59028
  id.resp_h     3.231.142.14
  id.resp_p     443
  proto         tcp
  note          LargeUploads::Very_Large_Outgoing_Tx
  msg           Orig transmitted 29666232 bytes to resp. Duration 206837.349578 sec. Source is 07984coh.hollywood.local. Destination is ec2-3-231-142-14.compute-1.amazonaws.com. Connection UID COFjRo4ZBvf3xSXVK2.
  sub           Tx start: 12/06/2019 14:33:37 UTC, end: 12/09/2019 00:00:54 UTC
  src           10.1.7.205
  dst           3.231.142.14
  p             443
  peer_descr    worker-1-1
  actions       Notice::ACTION_LOG
  suppress_for  3600.000000

Record 2
  _interface    af_packet::eno1
  ts            2019-12-09T00:01:00-0500
  uid           CyrMsW3v1LqtqWVEu2
  id.orig_h     10.1.100.83
  id.orig_p     58699
  id.resp_h     3.224.236.241
  id.resp_p     443
  proto         tcp
  note          LargeUploads::Very_Large_Outgoing_Tx
  msg           Orig transmitted 17038390 bytes to resp. Duration 206903.826323 sec. Source is rfidsrv.hollywood.local. Destination is ec2-3-224-236-241.compute-1.amazonaws.com. Connection UID CyrMsW3v1LqtqWVEu2.
  sub           Tx start: 12/06/2019 14:32:31 UTC, end: 12/09/2019 00:00:54 UTC
  src           10.1.100.83
  dst           3.224.236.241
  p             443
  peer_descr    worker-2-1
  actions       Notice::ACTION_LOG
  suppress_for  3600.000000

Record 3
  _interface    af_packet::eno1
  ts            2019-12-09T00:01:01-0500
  uid           CarVkYRqSh34QSiOl
  id.orig_h     10.1.23.90
  id.orig_p     57968
  id.resp_h     52.200.205.157
  id.resp_p     443
  proto         tcp
  note          LargeUploads::Very_Large_Outgoing_Tx
  msg           Orig transmitted 17852337 bytes to resp. Duration 206996.104661 sec. Source is . Destination is ec2-52-200-205-157.compute-1.amazonaws.com. Connection UID CarVkYRqSh34QSiOl.
  sub           Tx start: 12/06/2019 14:31:00 UTC, end: 12/09/2019 00:00:56 UTC
  src           10.1.23.90
  dst           52.200.205.157
  p             443
  peer_descr    worker-2-1
  actions       Notice::ACTION_LOG
  suppress_for  3600.000000

Record 4
  _interface    af_packet::eno1
  ts            2019-12-09T00:01:02-0500
  uid           CooJjR1HWcj5B6Cwt7
  id.orig_h     10.1.41.74
  id.orig_p     58770
  id.resp_h     35.170.28.255
  id.resp_p     443
  proto         tcp
  note          LargeUploads::Very_Large_Outgoing_Tx
  msg           Orig transmitted 16385139 bytes to resp. Duration 205678.150834 sec. Source is 06208coh.hollywood.local. Destination is ec2-35-170-28-255.compute-1.amazonaws.com. Connection UID CooJjR1HWcj5B6Cwt7.
  sub           Tx start: 12/06/2019 14:52:59 UTC, end: 12/09/2019 00:00:57 UTC
  src           10.1.41.74
  dst           35.170.28.255
  p             443
  peer_descr    worker-1-2
  actions       Notice::ACTION_LOG
  suppress_for  3600.000000



Thank you.

__________________________________________
Scot Harris
Network Engineer
City of Hollywood
Information Technology

P.O. Box 229045
Hollywood, FL 33022-9045
Office: 954-921-3304
E-mail: SHARRIS at hollywoodfl.org
[www.hollywoodfl.org]
Notice: Florida has a broad public records law. All correspondence sent to the City of Hollywood via e-mail may be subject to disclosure as a matter of public record.
__________________________________________
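One way to keep the package's notice but stop logging it for the expected endpoints, as an added example that is not part of the original post and not code from the bro-large_uploads package: a Notice::policy hook that removes Notice::ACTION_LOG from LargeUploads::Very_Large_Outgoing_Tx when the destination is on an operator-maintained subnet list or when the package's reverse-DNS text in the notice msg matches the EC2 naming pattern shown in the records above. The module name LargeUploadsTuning, the set contents and the regular expression are assumptions for illustration; the two /32 entries are placeholders copied from the notices above.

```zeek
##! Added example (not from the original post or the bro-large_uploads package).
##! Suppresses notice.log entries for LargeUploads::Very_Large_Outgoing_Tx when
##! the destination is an expected cloud endpoint, so the remaining notices stand out.
##! Assumes the package is already loaded (zkg adds "@load packages" to local.zeek).

@load base/frameworks/notice

module LargeUploadsTuning;

export {
	## Destination subnets whose large outgoing transfers are expected.
	## Placeholder values; maintain the real list with &redef in local.zeek.
	const expected_dst_nets: set[subnet] = {
		3.231.142.14/32,
		3.224.236.241/32,
	} &redef;

	## Internal hosts that run the agent and are therefore allowed to
	## make these transfers. Placeholder value; an empty set exempts every source.
	const expected_src_nets: set[subnet] = {
		10.1.0.0/16,
	} &redef;

	## Reverse-DNS name the package writes into the notice msg
	## ("Destination is ec2-3-231-142-14.compute-1.amazonaws.com").
	const expected_dst_name = /ec2-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.compute-1\.amazonaws\.com/ &redef;
}

# The framework's own handler (priority 10) adds ACTION_LOG first; this
# handler runs later and removes it again for the expected destinations.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( n$note != LargeUploads::Very_Large_Outgoing_Tx )
		return;

	# Only hosts on the agent list get the exemption.
	if ( |expected_src_nets| > 0 && ( ! n?$src || n$src !in expected_src_nets ) )
		return;

	local expected = F;
	if ( n?$dst && n$dst in expected_dst_nets )
		expected = T;
	else if ( n?$msg && expected_dst_name in n$msg )
		expected = T;

	if ( expected )
		delete n$actions[Notice::ACTION_LOG];
	}
```

Load the script from local.zeek after the package. Matching every ec2-*.compute-1.amazonaws.com reverse name is a broad allowlist (any EC2 instance, not only the vendor's, would be exempt), which is why the hook also gates on the source subnet; narrowing expected_src_nets to the machines that actually run the agent, or replacing the regex with the vendor's documented endpoints in expected_dst_nets, keeps the exemption tight. Adding the note to Notice::ignored_types instead would silence the package for every destination, which is the opposite of the goal.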