Large outbound transfer

Has anyone written a script to look for large outbound file transfers?


Not outbound per se, but we look for large xfers of gridftp and perfsonar to filter such traffic out upstream in our load-balancing and aggregation system.


Here is a script that I wrote. It flags connections that:

  • Originate locally

  • Occur after business hours

  • Contain more than 3 megabytes of sent data

  • Contain 10x more sent data than received data

Feel free to edit the script to fit your needs.



after_hours_exfiltrate.bro (3.06 KB)


Let me know if the inline documentation is not adequate. It isn’t as robust as I’d like, but I haven’t had time to get back to it in the last couple of months, unfortunately.

Thank you,

Brian Kellogg

suspiciousTx.bro (5.26 KB)
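The four criteria above, applied offline to a Zeek/Bro conn.log, as an added example that is not part of the thread and not the attached .bro scripts. It assumes the default tab-separated ASCII conn.log layout (a `#fields` header, `-` for unset values, `orig_bytes`/`resp_bytes` as payload byte counts), that "local" means the two private ranges listed in `LOCAL_NETS`, and that business hours are 08:00 to 18:00 UTC; all thresholds and the sample log lines are constructed for the example.

```python
"""Flag after-hours, lopsided outbound transfers in a Zeek/Bro conn.log.

Assumptions (not from the thread): LOCAL_NETS, BUSINESS_START/END (UTC)
and the thresholds below are example values; tune them to your site.
"""
import ipaddress
from datetime import datetime, timezone

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_START, BUSINESS_END = 8, 18   # hours of the day, [start, end)
MIN_SENT_BYTES = 3 * 1024 * 1024       # "more than 3 megabytes of sent data"
SENT_TO_RECV_RATIO = 10                 # "10x more sent data than received"

# Constructed sample conn.log, not real traffic. ts is epoch seconds;
# 1700006400 = 2023-11-15 00:00 UTC (after hours), 1700049600 = 12:00 UTC.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700006400.0\tCaaa1\t10.1.2.3\t50123\t203.0.113.10\t443\ttcp\tssl\t120.5\t52428800\t4096\tSF
1700006400.0\tCbbb2\t10.1.2.3\t50124\t203.0.113.10\t443\ttcp\tssl\t60.0\t52428800\t41943040\tSF
1700049600.0\tCccc3\t10.1.2.4\t50125\t203.0.113.11\t22\ttcp\tssh\t300.0\t104857600\t2048\tSF
1700006400.0\tCddd4\t198.51.100.7\t4444\t10.1.2.5\t445\ttcp\t-\t10.0\t100\t20971520\tSF
1700006400.0\tCeee5\t10.1.2.6\t50126\t203.0.113.12\t80\ttcp\thttp\t5.0\t-\t-\tS0
#close\t2023-11-15-00-00-00
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("conn.log record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def to_int(value):
    """Zeek writes '-' for unset counts; treat that as zero bytes."""
    return 0 if value in ("-", "") else int(value)


def is_local(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS)


def is_after_hours(ts):
    hour = datetime.fromtimestamp(float(ts), tz=timezone.utc).hour
    return not (BUSINESS_START <= hour < BUSINESS_END)


def suspicious_transfers(text):
    """Return the records matching all four criteria from the post."""
    hits = []
    for rec in parse_conn_log(text):
        sent = to_int(rec["orig_bytes"])
        recv = to_int(rec["resp_bytes"])
        if not is_local(rec["id.orig_h"]):        # 1. originates locally
            continue
        if not is_after_hours(rec["ts"]):         # 2. after business hours
            continue
        if sent <= MIN_SENT_BYTES:                # 3. more than 3 MB sent
            continue
        if sent < SENT_TO_RECV_RATIO * recv:      # 4. 10x sent vs received
            continue                              #    (recv == 0 passes)
        hits.append({"uid": rec["uid"], "orig": rec["id.orig_h"],
                     "resp": rec["id.resp_h"], "sent": sent, "recv": recv})
    return hits


if __name__ == "__main__":
    for hit in suspicious_transfers(SAMPLE_CONN_LOG):
        print(hit)
```

On the sample only `Caaa1` is reported: `Cbbb2` fails the 10x ratio, `Cccc3` falls inside business hours, and `Ceee5` never carried payload. Note the caveat shown by `Cddd4`: the criteria require the local host to be the *originator*, so a remote-initiated connection in which the local responder pushes out 20 MB is not flagged at all. If that case matters, add a second rule that tests `id.resp_h` for locality and swaps the roles of `resp_bytes` and `orig_bytes`.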

Thanks, this gives me a place to start.