Exfil Framework Released

Hi all,

As announced at BroCon, Reservoir Labs just released the Exfil
Framework on Github.

The Exfil Framework is a suite of Bro scripts that detect file uploads
in TCP connections. The Exfil Framework can detect file uploads in
most TCP sessions including sessions that have encrypted payloads
(SCP,SFTP,HTTPS).

The scripts are located at:
https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework

Feel free to reach out to me if you have any questions, comments or
suggestions for improvement.

Best,

Bob

Good stuff... thanks Bob.

James

Thank you for this, very much.

I planned on writing something similar and have not had the time. Glad I didn't as yours is better than mine would have been to start with.

These are some thoughts I have and plan to include in your scripts on my NSMs at some point.

1. A global ignore list of IPs for sources that are used for file uploads.

export {
...
    global ignored_sources_conn: set[subnet] = [1.1.1.1/32, 2.3.4.0/24] &redef;
...
}

event connection_established(c: connection) {
...
    if (c$id$orig_h in ignored_sources_conn)
        return;
...
}

2. Another global variable under which the estimated file size does not raise a notice.
3. Another global variable that tracks how many uploads any given source sends in X amount of time above which a notice is raised no matter how large the uploaded files were.

I do the above in my rudimentary exfil script that simply looks at total upload size on connection end and have found it very useful.

I've been running your scripts on two of our busiest Inet connections for the past couple of hours and have seen no appreciable uptick in CPU or memory usage on Bro 2.3. I have it set to watch all RFC1918 connections to the Inet.

Thanks again,
Brian
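Items 2 and 3 above (a minimum estimated size below which no notice is raised, and a per-source upload-count threshold that fires regardless of size), together with the ignore list from item 1, sketched as a small Python prototype over constructed conn.log-style upload records. This is an added example, not part of the thread or of the Exfil Framework; the thresholds, the field layout and the sample records are all assumptions.

```python
"""Prototype of the three threshold ideas from the thread: an ignore list,
a minimum upload size, and a per-source upload-rate limit. The input is
assumed to be uploads the framework already detected: (ts, orig_h, bytes)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

IGNORED_SOURCES = [ip_network("10.1.1.1/32"), ip_network("10.3.4.0/24")]
MIN_UPLOAD_BYTES = 5_000_000   # estimated upload below this raises no size notice
MAX_UPLOADS = 3                # uploads from one source inside WINDOW_SECS ...
WINDOW_SECS = 600              # ... that raise a notice no matter how small they are


def is_ignored(orig_h):
    """Item 1: drop sources that legitimately upload files."""
    addr = ip_address(orig_h)
    return any(addr in net for net in IGNORED_SOURCES)


def evaluate(records):
    """records: iterable of (ts_seconds, orig_h, est_upload_bytes), sorted by ts.
    Returns a list of (ts, orig_h, notice_kind) tuples."""
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    notices = []
    for ts, orig_h, orig_bytes in records:
        if is_ignored(orig_h):
            continue
        # item 2: a single upload is only noticed once it is large enough
        if orig_bytes >= MIN_UPLOAD_BYTES:
            notices.append((ts, orig_h, "Large_Upload"))
        # item 3: count every upload, large or small, within the window
        q = recent[orig_h]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECS:
            q.popleft()
        if len(q) == MAX_UPLOADS:  # fire once, when the threshold is first crossed
            notices.append((ts, orig_h, "Frequent_Uploads"))
    return notices


# Constructed sample records: (ts seconds, source, estimated upload bytes)
SAMPLE_UPLOADS = [
    (0,    "10.2.0.5", 12_000_000),  # large upload -> Large_Upload
    (60,   "10.1.1.1", 50_000_000),  # ignored source -> nothing
    (100,  "10.2.0.9",    200_000),  # small
    (160,  "10.2.0.9",    300_000),  # small
    (220,  "10.2.0.9",    250_000),  # third upload in 10 min -> Frequent_Uploads
    (2000, "10.2.0.9",    100_000),  # window has slid past the earlier three
]

if __name__ == "__main__":
    for notice in evaluate(SAMPLE_UPLOADS):
        print(notice)
```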

Here are some quick additions to the app-exfil-conn.bro script.

##! Watch all TCP,UDP,ICMP flows for Data Exfil

module Exfil;

export {
    ## Defines which subnets are monitored for data exfiltration
    global watched_subnets_conn: set[subnet] = [10.0.0.0/8] &redef;
    ## Defines which subnet/host sources to ignore
    global ignored_orig_conn: set[subnet] = [10.1.1.1/32, 10.3.4.0/24] &redef;
    ## Defines which subnet/host destinations to ignore
    global ignored_resp_conn: set[subnet] = [110.1.143.77/32, 9.3.4.0/24] &redef;
    ## Defines whether connections with local destinations should be monitored for data exfiltration
    global ignore_local_dest_conn: bool = T &redef;
    ## Defines the thresholds and polling interval for the exfil framework. See main.bro for more details.
    global settings_conn: Settings &redef;
}

event connection_established(c: connection) {

    if (ignore_local_dest_conn == T && Site::is_local_addr(c$id$resp_h) == T)
        return;

    if (c$id$orig_h !in watched_subnets_conn)
        return;

    if (c$id$orig_h in ignored_orig_conn)
        return;

    if (c$id$resp_h in ignored_resp_conn)
        return;

    Exfil::watch_connection(c, settings_conn);

}