Large outbound transfer

I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
If someone manages to gain access to our file server, zips up 10-20 GB of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late, but here it is anyway:

@load base/frameworks/notice

module DataExfiltration;

export {
    redef enum Notice::Type += { data_exfiltration_100mb };
}

event connection_state_remove(c: connection)
    {
    # num_bytes_ip and num_pkts are optional endpoint fields (only set when the
    # connection size analyzer is enabled), so make sure they exist before use.
    if ( ! c$orig?$num_bytes_ip || ! c$orig?$num_pkts )
        return;

    if ( c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000 )
        {
        # test for internal to external direction
        if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
            NOTICE([$note=data_exfiltration_100mb,
                    $msg="> 100mb of data sent out in a single connection",
                    $conn=c]);
        }
    }

And this in local.bro:

@load DataExfiltration

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == DataExfiltration::data_exfiltration_100mb )
        {
        add n$actions[Notice::ACTION_EMAIL];
        # Append a section to the e-mail body; assigning at index |v| appends to a vector.
        n$email_body_sections[|n$email_body_sections|] =
            fmt("Service: %s\nData sent: %s\nData received: %s",
                join_string_set(n$conn$service, ","),
                n$conn$orig$size, n$conn$resp$size);
        }
    }

These are helpful, thanks!

Mike

If you need to take actions based on conditions of an ongoing connection, you can possibly use the ConnPolling [1] module to do it. An example usage of it is a gridftp detection script that ships w/ Bro [2].

- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/conn/polling.html
[2] http://bro.org/sphinx/scripts/base/protocols/ftp/gridftp.html
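The polling approach Jon describes, as an added example (not code from either poster): the connection is re-checked while it is still open, so the notice fires once the originator's byte count crosses the threshold rather than when the connection closes. It assumes the ConnPolling::watch signature (connection, callback, count, interval) and the "negative interval stops polling" convention documented at [1]; the threshold and poll interval are constructed values.

```bro
@load base/frameworks/notice
@load base/protocols/conn/polling

module DataExfiltration;

export {
    redef enum Notice::Type += { data_exfiltration_100mb };

    ## Bytes the originator may send before the notice fires (constructed value: 100 MB).
    const size_threshold = 100 * 1024 * 1024 &redef;

    ## How often an ongoing connection is re-checked (constructed value).
    const poll_interval = 30secs &redef;
}

function size_callback(c: connection, cnt: count): interval
    {
    # ConnPolling refreshes c from the live connection state before each call,
    # so c$orig$size is the number of bytes the originator has sent so far.
    if ( c$orig$size > size_threshold )
        {
        NOTICE([$note=data_exfiltration_100mb,
                $msg=fmt("> 100MB sent out on an open connection (%d bytes so far from %s)",
                         c$orig$size, c$id$orig_h),
                $conn=c,
                # Suppress repeats for the same source/destination pair.
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
        # A negative interval tells ConnPolling to stop polling this connection.
        return -1sec;
        }
    # Not there yet: ask to be called again after poll_interval.
    return poll_interval;
    }

event connection_established(c: connection)
    {
    # Only watch flows from inside the site to outside; first check runs immediately.
    if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
        ConnPolling::watch(c, size_callback, 0, 0secs);
    }
```

Polling every outbound connection adds scheduler load on a busy sensor, so in production restrict the connection_established handler to the hosts of interest (for example the file server) rather than the whole site.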