Large outbound transfer

I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
If someone manages to gain access to our file server, zips up 10-20gb of our files and starts transferring this out, I dont think this event would fire until the connection closes, which would be too late, but here it is anyway: 

@load base/frameworks/notice

module DataExfiltration;

export {
redef enum Notice::Type += {data_exfiltration_100mb};

event connection_state_remove(c: connection)
if (c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000) {
#test for internal to external direction ; &n bsp;
if( ! Site::is_local_addr(c$id$resp_h)){
$msg="> 100mb of data sent out in a single connection",
&n bsp; ;

And this in local.bro:

@load DataExfiltration
hook Notice::policy(n: Notice::Info) {
if ( n$note == DataExfiltration::data_exfiltration_100mb )
add n$actions[Notice::ACTION_EMAIL];
n$email_body_sections[|n$email_body_sections|] = fmt(“Service: %s\nData sent: %s\nData received: %s”, join_string_set(n$conn$service, “,”), n$conn$orig$size, n$conn$resp$size );

These are helpful, thanks!


If you need to take actions based on conditions of an ongoing connection, you can possibly use the ConnPolling [1] module to do it. An example usage of it is a gridftp detection script that ships w/ Bro [2].

- Jon