<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-7652481.post8803772427154600264..comments</id><updated>2009-06-08T08:05:42.892-04:00</updated><title type='text'>Comments on Infosec Potpourri: Detecting outgoing connections from sensitive netw...</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.vorant.com/feeds/8803772427154600264/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7652481/8803772427154600264/comments/default'/><link rel='alternate' type='text/html' href='http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html'/><author><name>David Bianco</name><uri>http://www.blogger.com/profile/09760835714791462863</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7652481.post-517132325753712481</id><published>2008-11-06T14:42:51.898-05:00</published><updated>2008-11-06T14:42:51.898-05:00</updated><title type='text'>Seth, thanks for the great tips!  I took all your ...</title><content type='html'>Seth, thanks for the great tips!  I took all your suggestions, and have uploaded a new, more concise, version.  
As a bonus, I hooked into just a single event this time, the new_connection event, so the script now works for ICMP and anything else Bro detects.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7652481/8803772427154600264/comments/default/517132325753712481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7652481/8803772427154600264/comments/default/517132325753712481'/><link rel='alternate' type='text/html' href='http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html?showComment=1226000571898#c517132325753712481' title=''/><author><name>David Bianco</name><uri>http://www.blogger.com/profile/09760835714791462863</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='05754280779690385398'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html' ref='tag:blogger.com,1999:blog-7652481.post-8803772427154600264' source='http://www.blogger.com/feeds/7652481/posts/default/8803772427154600264' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-7652481.post-7821387766329488645</id><published>2008-11-03T23:14:36.301-05:00</published><updated>2008-11-03T23:14:36.301-05:00</updated><title type='text'>Hi David, thanks for writing this script.  I've fo...</title><content type='html'>Hi David, thanks for writing this script.  I've found that some of the small scripts like this will tend to be some of the most incredibly useful scripts you use.&lt;BR/&gt;&lt;BR/&gt;To make the script a little nicer, you could change it to only throw a single notice: "UnexpectedOutgoingConnection".
You could reduce the check_restricted_outgoing_tcp and check_restricted_outgoing_udp functions into just check_restricted_outgoing since the code for those two is almost completely duplicate and the protocol information would still be contained when you throw the notice because you're attaching the actual connection record.  If you're still interested in including the protocol type in the message of the notice, you can get the protocol type with the &lt;BR/&gt;get_conn_transport_proto function (e.g. get_conn_transport_proto(c$id) )&lt;BR/&gt;&lt;BR/&gt;It looks like you could probably remove the "const CONN_ATTEMPTED", etc. definitions from the beginning too, those don't seem to be used for anything.  Other than those little things, I don't see anything else worth pointing out.  &lt;BR/&gt;&lt;BR/&gt;It's a nice script, I might start down this path too.  In my environment it's somewhat difficult to determine what hosts should and shouldn't be doing certain activities but that's no reason not to give it a try.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7652481/8803772427154600264/comments/default/7821387766329488645'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7652481/8803772427154600264/comments/default/7821387766329488645'/><link rel='alternate' type='text/html' href='http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html?showComment=1225772076301#c7821387766329488645' title=''/><author><name>Seth Hall</name><uri>http://www.blogger.com/profile/12496449784833418201</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html' ref='tag:blogger.com,1999:blog-7652481.post-8803772427154600264' source='http://www.blogger.com/feeds/7652481/posts/default/8803772427154600264' type='text/html'/></entry></feed>