Has anyone written a script to look for large outbound file transfers?
Thanks
Not outbound per se, but we look for large xfers of gridftp and perfsonar to filter such traffic out upstream in our load-balancing and aggregation system.
Michael,
Here is a script that I wrote. It flags connections that:
Originate locally
Occur after business hours
Contain more than 3 Megabytes of sent data
Contain 10 x more sent data than received data
Feel free to edit the script to fit your needs.
Best,
Bob
after_hours_exfiltrate.bro (3.06 KB)
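Bob's four criteria, applied offline to a Bro/Zeek conn.log as an added Python example (this is not the attached after_hours_exfiltrate.bro, which is not reproduced in the thread). The sample log lines are constructed, and the local network range, the 08:00-18:00 business window, the use of UTC and the reading of "3 Megabytes" as 3,000,000 bytes are all assumptions:

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in conn.log tab-separated format, reduced to the columns
# this check needs; the #fields header tells us where each column sits.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1700000000.0\tC1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\t5000000\t120000
1700003600.0\tC2\t10.0.0.7\t51001\t203.0.113.10\t443\ttcp\t4000000\t3900000
1700010000.0\tC3\t203.0.113.11\t4000\t10.0.0.5\t22\ttcp\t9000000\t1000
1700040000.0\tC4\t10.0.0.8\t51002\t198.51.100.4\t443\ttcp\t50000000\t1000
1700000500.0\tC5\t10.0.0.9\t51003\t198.51.100.5\t443\ttcp\t-\t-
"""

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site-local range

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))

def is_local(ip_text, nets=LOCAL_NETS):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in n for n in nets)

def after_hours(ts, start_hour=8, end_hour=18):
    # Evaluated in UTC so the result is deterministic; use the site's local zone in practice.
    hour = datetime.fromtimestamp(float(ts), tz=timezone.utc).hour
    return hour < start_hour or hour >= end_hour

def flag_after_hours_exfil(text, min_sent=3_000_000, ratio=10):
    """Return uids of connections that meet all four criteria from the thread."""
    hits = []
    for rec in parse_conn_log(text):
        if rec["orig_bytes"] == "-" or rec["resp_bytes"] == "-":
            continue  # byte counts unknown, e.g. the connection never completed
        sent, recv = int(rec["orig_bytes"]), int(rec["resp_bytes"])
        if (is_local(rec["id.orig_h"]) and after_hours(rec["ts"])
                and sent > min_sent and sent >= ratio * recv):
            hits.append(rec["uid"])
    return hits

if __name__ == "__main__":
    for uid in flag_after_hours_exfil(SAMPLE_CONN_LOG):
        print("possible after-hours exfiltration:", uid)
```

Of the constructed records only C1 matches: C2 fails the 10x ratio, C3 does not originate locally, C4 falls in business hours and C5 has no byte counts.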
Attached…
Let me know if the inline documentation is not adequate. It isn’t as robust as I’d like, but I haven’t had time to get back to it in the last couple months unfortunately.
Thank you,
Brian Kellogg
suspiciousTx.bro (5.26 KB)
Thanks, this gives me a place to start.