Exfil Framework Released

Hi all,

As announced at BroCon, Reservoir Labs just released the Exfil
Framework on Github.

The Exfil Framework is a suite of Bro scripts that detect file uploads
in TCP connections. The Exfil Framework can detect file uploads in
most TCP sessions including sessions that have encrypted payloads

The scripts are located at:

Feel free to reach out to me if you have any questions, comments or
suggestions for improvement.



Good stuff...thanks Bob.


Thank you for this, very much.

I planned on writing something similar and have not had the time. Glad I didn't as yours is better than mine would have been to start with.

These are some thoughts I have and plan to include in your scripts on my NSMs at some point.

1. A global ignore list of IPs for sources that are used for file uploads.

Export {
    global ignored_sources_conn: set[subnet] = [,] &redef;

event connection_established (c: connection) {
    if (c$id$orig_h in ignored_sources_conn )

2. Another global variable under which the estimated file size does not raise a notice.
3. Another global variable that tracks how many uploads any given source sends in X amount of time above which a notice is raised no matter how large the uploaded files were.

I do the above in my rudimentary exfil script that simply looks at total upload size on connection end and have found it very useful.

I've been running your scripts on two of our busiest Inet connections for the past couple hours and have seen no appreciable uptick in cpu or memory usage on Bro 2.3. I have it set to watch all RFC1918 connections to the Inet.

Thanks again,

Here's some quick additions to the app-exfil-conn.bro script.

##! Watch all TCP,UDP,ICMP flows for Data Exfil

module Exfil;

export {
    ## Defines which subnets are monitored for data exfiltration
    global watched_subnets_conn: set[subnet] = [] &redef;
    ## Defines which subnet/host sources to ignore
    global ignored_orig_conn: set[subnet] = [,] &redef;
    ## Defines which subnet/host destinations to ignore
    global ignored_resp_conn: set[subnet] = [,] &redef;
    ## Defines whether connections with local destinations should be monitored for data exfiltration
    global ignore_local_dest_conn: bool = T &redef;
    ## Defines the thresholds and polling interval for the exfil framework. See main.bro for more details.
    global settings_conn: Settings &redef;

event connection_established (c: connection) {

    if (ignore_local_dest_conn == T && Site::is_local_addr(c$id$resp_h) == T)

    if (c$id$orig_h !in watched_subnets_conn )

    if (c$id$orig_h in ignored_orig_conn )

    if (c$id$resp_h in ignored_resp_conn )

    Exfil::watch_connection(c , settings_conn);