[Zeek] Large file detection

Michał Purzyński michalpurzynski1 at gmail.com
Mon Dec 9 13:44:02 PST 2019


Just an idea, without code.

You could have a lookup table created from SSL events that keeps a list of recent IP addresses associated with your vendor, recognized by X.509 certificate details, and then avoid alerting if there's a match.


> On Dec 9, 2019, at 1:25 PM, Scot Harris <SHARRIS at hollywoodfl.org> wrote:
> 
> 
> Running zeek 3.0.
>  
> Installed zeek/theflakes/bro-large_uploads (installed: master) - Raise notices on outgoing files over X bytes in size.
>  
> Getting a lot of events logged in notices log files.  Fairly certain at this time that these events are due to Cylance application sending data to Cylance cloud services for analysis.
>  
> Unable to get a specific list of AWS EC2 servers as they are using a lot of them and they change regularly.
>  
> Any ideas on how to reduce these notices so the unusual events are more apparent?
>  
> Since it is looking at network packets I don’t think there is any way to tie the file transfer back to the application.
>  
> Examples of the events found in the notices log files below.
>  
>  
> _interface: af_packet::eno1
> ts: 2019-12-09T00:00:59-0500
> uid: COFjRo4ZBvf3xSXVK2
> id.orig_h: 10.1.7.205
> id.orig_p: 59028
> id.resp_h: 3.231.142.14
> id.resp_p: 443
> fuid: -
> file_mime_type: -
> file_desc: -
> proto: tcp
> note: LargeUploads::Very_Large_Outgoing_Tx
> msg: Orig transmitted 29666232 bytes to resp. Duration 206837.349578 sec. Source is 07984coh.hollywood.local. Destination is ec2-3-231-142-14.compute-1.amazonaws.com. Connection UID COFjRo4ZBvf3xSXVK2.
> sub: Tx start: 12/06/2019 14:33:37 UTC, end: 12/09/2019 00:00:54 UTC
> src: 10.1.7.205
> dst: 3.231.142.14
> p: 443
> n: -
> peer_descr: worker-1-1
> actions: Notice::ACTION_LOG
> suppress_for: 3600.000000
> remote_location.country_code: -
> remote_location.region: -
> remote_location.city: -
> remote_location.latitude: -
> remote_location.longitude: -
>  
> _interface: af_packet::eno1
> ts: 2019-12-09T00:01:00-0500
> uid: CyrMsW3v1LqtqWVEu2
> id.orig_h: 10.1.100.83
> id.orig_p: 58699
> id.resp_h: 3.224.236.241
> id.resp_p: 443
> fuid: -
> file_mime_type: -
> file_desc: -
> proto: tcp
> note: LargeUploads::Very_Large_Outgoing_Tx
> msg: Orig transmitted 17038390 bytes to resp. Duration 206903.826323 sec. Source is rfidsrv.hollywood.local. Destination is ec2-3-224-236-241.compute-1.amazonaws.com. Connection UID CyrMsW3v1LqtqWVEu2.
> sub: Tx start: 12/06/2019 14:32:31 UTC, end: 12/09/2019 00:00:54 UTC
> src: 10.1.100.83
> dst: 3.224.236.241
> p: 443
> n: -
> peer_descr: worker-2-1
> actions: Notice::ACTION_LOG
> suppress_for: 3600.000000
> remote_location.country_code: -
> remote_location.region: -
> remote_location.city: -
> remote_location.latitude: -
> remote_location.longitude: -
>  
> _interface: af_packet::eno1
> ts: 2019-12-09T00:01:01-0500
> uid: CarVkYRqSh34QSiOl
> id.orig_h: 10.1.23.90
> id.orig_p: 57968
> id.resp_h: 52.200.205.157
> id.resp_p: 443
> fuid: -
> file_mime_type: -
> file_desc: -
> proto: tcp
> note: LargeUploads::Very_Large_Outgoing_Tx
> msg: Orig transmitted 17852337 bytes to resp. Duration 206996.104661 sec. Source is . Destination is ec2-52-200-205-157.compute-1.amazonaws.com. Connection UID CarVkYRqSh34QSiOl.
> sub: Tx start: 12/06/2019 14:31:00 UTC, end: 12/09/2019 00:00:56 UTC
> src: 10.1.23.90
> dst: 52.200.205.157
> p: 443
> n: -
> peer_descr: worker-2-1
> actions: Notice::ACTION_LOG
> suppress_for: 3600.000000
> remote_location.country_code: -
> remote_location.region: -
> remote_location.city: -
> remote_location.latitude: -
> remote_location.longitude: -
>  
> _interface: af_packet::eno1
> ts: 2019-12-09T00:01:02-0500
> uid: CooJjR1HWcj5B6Cwt7
> id.orig_h: 10.1.41.74
> id.orig_p: 58770
> id.resp_h: 35.170.28.255
> id.resp_p: 443
> fuid: -
> file_mime_type: -
> file_desc: -
> proto: tcp
> note: LargeUploads::Very_Large_Outgoing_Tx
> msg: Orig transmitted 16385139 bytes to resp. Duration 205678.150834 sec. Source is 06208coh.hollywood.local. Destination is ec2-35-170-28-255.compute-1.amazonaws.com. Connection UID CooJjR1HWcj5B6Cwt7.
> sub: Tx start: 12/06/2019 14:52:59 UTC, end: 12/09/2019 00:00:57 UTC
> src: 10.1.41.74
> dst: 35.170.28.255
> p: 443
> n: -
> peer_descr: worker-1-2
> actions: Notice::ACTION_LOG
> suppress_for: 3600.000000
> remote_location.country_code: -
> remote_location.region: -
> remote_location.city: -
> remote_location.latitude: -
> remote_location.longitude: -
>  
>  
> Thank you.
>  
> __________________________________________
> Scot Harris
> Network Engineer
> City of Hollywood
> Information Technology
> 
> P.O. Box 229045
> Hollywood, FL 33022-9045
> Office: 954-921-3304
> E-mail: SHARRIS at hollywoodfl.org
> 
> Notice: Florida has a broad public records law. All correspondence sent to the City of Hollywood via e-mail may be subject to disclosure as a matter of public record.
> __________________________________________
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
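Michał's suggestion, worked out as an added Zeek script. This is example code written for this page, not code from either poster or from the bro-large_uploads package. The vendor certificate subject pattern, the module name VendorAllowlist and the one-day expiry are assumptions to be replaced with what your own ssl.log and x509.log show; the script also assumes it is loaded after the LargeUploads package, so that the notice type referenced in the hook is already defined.

```zeek
##! Suppress LargeUploads notices for destinations that recently presented a
##! known vendor's TLS certificate. Example script, not part of the thread.
##! Load it after the LargeUploads package (e.g. via local.zeek).

@load base/protocols/ssl
@load base/frameworks/notice

module VendorAllowlist;

export {
    ## Pattern matched against the leaf certificate's subject.
    ## Placeholder value; take the real CN/O from your x509.log.
    const vendor_subject = /CN=.*\.example-vendor\.com/ &redef;

    ## How long a server address stays allowlisted after the last time
    ## we saw it present a vendor certificate (assumed value).
    const vendor_ttl = 1day &redef;

    ## Notice types to drop when the destination is an allowlisted host.
    const suppressed_notes: set[Notice::Type] = {
        LargeUploads::Very_Large_Outgoing_Tx,
    } &redef;

    ## Server addresses recently seen with a vendor certificate.
    ## Entries age out on their own, so EC2 address churn is handled.
    global vendor_hosts: set[addr] &create_expire=vendor_ttl;
}

event ssl_established(c: connection)
    {
    # Only trust the subject if chain validation ran and passed. The
    # validation_status field is set by policy/protocols/ssl/validate-certs;
    # if that script is not loaded the field is absent and we skip the check.
    if ( c$ssl?$validation_status && c$ssl$validation_status != "ok" )
        return;

    if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
        return;

    # Element 0 of cert_chain is the server's leaf certificate.
    local leaf = c$ssl$cert_chain[0];
    if ( ! leaf?$x509 )
        return;

    if ( vendor_subject in leaf$x509$certificate$subject )
        add vendor_hosts[c$id$resp_h];
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note !in suppressed_notes )
        return;

    # The LargeUploads notices carry the server in both n$dst and n$id.
    # Breaking out of the hook discards the notice entirely.
    if ( n?$dst && n$dst in vendor_hosts )
        break;
    if ( n?$id && n$id$resp_h in vendor_hosts )
        break;
    }
```

The allowlist is keyed on what the server proved about itself in the TLS handshake rather than on a fixed IP list, which is why the changing EC2 addresses stop mattering. Two things to watch before trusting it: the `validation_status` check only has effect if the validate-certs policy script is loaded, and the match is on the certificate subject, so the pattern should be tight enough not to cover unrelated certificates from the same cloud provider. On a cluster, `vendor_hosts` is per worker unless you synchronise it (for example with a `&synchronized`-style mechanism of your Zeek version or Broker), so a worker that never saw the handshake will still raise the notice.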