Exfiltration of data

Scot · January 23, 2020, 10:01pm

Are there any specific packages for zeek or built in scripts that are used to identify exfiltration of data?

I have loaded the large file package.

But am looking for something that can be searched for specific file names when requested.

I see some data in the files logs as well as in the smb logs.

Looking for something that would identify the file, source, destination.

Thank you.

Neslog · January 23, 2020, 10:07pm

I have not seen much. I have modified files.log to include additional info for my needs. The f variable has a lot of info available.

Topic		Replies	Views
File extraction package Zeek	4	149	May 6, 2022
Detecting Steganography in Images Zeek	1	156	May 6, 2022
Detection Capabilities and Extensions Zeek	1	196	May 6, 2022
Question on Zeek SMB Logs and action "SMB::FILE OPEN" Zeek	1	76	May 6, 2022
Detection of all attacks in pcap file Zeek	6	425	May 6, 2022