So first off a HUGE thank you to Robert Rotsted who posted the original after_hours_exfiltrate.bro (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-March/007510.html). Here's how I've modified this:
module Exfil;

export {
    redef enum Notice::Type += {
        Large_File_Upload,
    };
}

## Each time a connection is logged execute the following code
event Conn::log_conn(rec: Conn::Info)
    {
    ## Ensure both orig_bytes and resp_bytes exist; if either is missing, return
    ## (with || the check only returned when both were absent, and the
    ## comparisons below would then fail on the missing field).
    if ( ! (rec?$orig_bytes && rec?$resp_bytes) )
        return;

    ## Is this connection between a local originator and a
    ## remote responder?
    ## Are the sent bytes greater than 20 x the received bytes?
    ## Has the originator sent at least 13145728 bytes (about 12.5 MB)?
    if ( rec$id$orig_h in Site::local_nets &&
         rec$id$resp_h !in Site::local_nets &&
         rec$orig_bytes > (20 * rec$resp_bytes) &&
         rec$orig_bytes >= 13145728 )
        {
        NOTICE([$note=Large_File_Upload,
                $id=rec$id,
                $identifier=cat(rec$uid),
                $msg=fmt("Sent Bytes: %s, Received Bytes: %s",
                         rec$orig_bytes, rec$resp_bytes)]);
        }
    }
I noticed today an anomaly I guess:
2014-04-03T13:38:45-0600 - x.x.x.x 55023 4.71.33.182 80 - - - tcp Exfil::Large_File_Upload Sent Bytes: 1213381425, Received Bytes: 0 - x.x.x.x 4.71.33.182 80 - bro Notice::ACTION_LOG 3600.000000 F - - - --
2014-04-03T13:38:42-0600 CSZCCe4mZI1T7iJogg x.x.x.x 55023 4.71.33.182 80 tcp - 0.035191 1213381425 0 RSTOS0 T 0 SaR 2 88 1 40 (empty)
I found a RST packet in the capture that matched close to the sent bytes:
Transmission Control Protocol, Src Port: 55023 (55023), Dst Port: http (80), Seq: 1213381426, Len: 0
Did I hose the script by removing the hourly constraint? Thanks for the assist...this has helped me better understand the scripting (though I'm still just at the copy and paste level :)).
James
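The conn.log record above is a RSTOS0 connection (SYN then RST from the originator, two packets, 88 IP bytes on the wire), so the 1213381425 in orig_bytes is sequence-number arithmetic over the RST, not payload Bro actually saw. The following is an added variant of the script, not James's or Robert Rotsted's code, that skips such records before alerting; it assumes the Bro 2.x Conn::Info fields conn_state, orig_pkts and orig_ip_bytes, and the thresholds are only the ones the script above uses.

```bro
module Exfil;

export {
    redef enum Notice::Type += {
        Large_File_Upload,
    };

    ## Thresholds taken from the script above; tunable via redef.
    const upload_ratio = 20 &redef;
    const upload_min_bytes = 13145728 &redef;

    ## conn_state values in which the three-way handshake completed, so the
    ## sequence-number-derived orig_bytes has a real data stream behind it.
    const established_states: set[string] = {
        "SF", "S1", "S2", "S3", "RSTO", "RSTR",
    } &redef;
}

event Conn::log_conn(rec: Conn::Info)
    {
    # Require every field the checks below touch.
    if ( ! (rec?$orig_bytes && rec?$resp_bytes && rec?$orig_ip_bytes &&
            rec?$orig_pkts && rec?$conn_state) )
        return;

    # Only local originator -> remote responder.
    if ( rec$id$orig_h !in Site::local_nets || rec$id$resp_h in Site::local_nets )
        return;

    # A handshake that never completed (e.g. RSTOS0) carried no upload.
    if ( rec$conn_state !in established_states )
        return;

    # orig_ip_bytes counts bytes seen on the wire, headers included. A payload
    # count larger than that can only come from a sequence-number jump, not
    # from observed data, so treat it as bogus rather than as an upload.
    if ( rec$orig_bytes > rec$orig_ip_bytes )
        return;

    if ( rec$orig_bytes > (upload_ratio * rec$resp_bytes) &&
         rec$orig_bytes >= upload_min_bytes )
        {
        NOTICE([$note=Large_File_Upload,
                $id=rec$id,
                $identifier=cat(rec$uid),
                $msg=fmt("Sent Bytes: %d, Received Bytes: %d (%d pkts, state %s)",
                         rec$orig_bytes, rec$resp_bytes, rec$orig_pkts, rec$conn_state)]);
        }
    }
```

On a sensor with capture loss the wire-bytes check will also suppress genuine transfers whose packets were dropped; the missed_bytes column of conn.log shows whether such gaps occurred on the connection.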