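##! Alert on internal hosts that transmit unusually large amounts of data
##! to external hosts. Each connection is evaluated once, at teardown, on
##! the originator's byte count (c$orig$size):
##!   - above recordTx: Large_Outgoing_Tx (logged)
##!   - above maxTx:    Very_Large_Outgoing_Tx (logged and emailed)
##! Only connections from a local address to a non-local address, as
##! determined by Site::is_local_addr, are considered.

@load base/frameworks/notice
@load base/utils/site

#
# Define script and global variables
#
redef enum Notice::Type += {
	## An internal host sent more than recordTx bytes to an external host.
	Large_Outgoing_Tx,
	## An internal host sent more than maxTx bytes to an external host.
	Very_Large_Outgoing_Tx,
};

## Single-connection originator bytes above which we alert immediately.
## 52428800 == 50 MiB. Marked &redef so site policy can tune it without
## editing this script.
const maxTx = 52428800 &redef;

## Originator bytes above which the destination host is worth recording.
## 1024000 == 1000 KiB (not 1 MiB). Marked &redef so site policy can tune it.
const recordTx = 1024000 &redef;

#
# Send email if Very_Large_Outgoing_Tx
#
# Large_Outgoing_Tx keeps the framework's default actions (log only).
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Very_Large_Outgoing_Tx )
		add n$actions[Notice::ACTION_EMAIL];
	}

#
# Alert on potential compromised internal hosts
#
# Runs once per finished connection, so c$orig$size is final at this point.
# NOTE(review): for TCP, c$orig$size is Zeek's own byte estimate for the
# originator side; treat it as approximate when capture loss is possible.
event connection_state_remove(c: connection)
	{
	# Cheapest check first: most connections never reach recordTx.
	if ( c$orig$size <= recordTx )
		return;

	# Only local -> non-local transfers are of interest here.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;
	if ( Site::is_local_addr(c$id$resp_h) )
		return;

	# Pick the severity from the single threshold that distinguishes them.
	local n: Notice::Type = c$orig$size > maxTx ? Very_Large_Outgoing_Tx : Large_Outgoing_Tx;

	# $identifier makes the Notice framework suppress repeats for the same
	# orig/resp pair within Notice::default_suppression_interval, instead of
	# emitting one notice (and one email) per connection from a busy host.
	# NOTE(review): c$duration is an interval and fmt("%s") renders its own
	# unit, so the trailing "sec" in $msg may be redundant - confirm in notice.log.
	NOTICE([$note=n,
	        $msg=fmt("Orig transmitted %d bytes to resp. Duration %s sec. Connection UID %s.",
	                 c$orig$size, c$duration, c$uid),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}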