Hey @mathias, I'm happy to review and help: interactive reverse shells/tunnels, large exfil, media type + extension mismatch + active thereafter, NACL variants + iptables/filter state, file extended attributes and where_from fields
mathias
05/15/2017, 3:22 PM
theopolis:
Regarding your proposed scenarios:
* NACL variants + iptables/filter state: What do you mean here? I use Bro to detect the NACL variant used by an app, but for what purpose do I need the iptables/filter state here?
* file extended attributes and where_from: the intention would be to see where the files that are executed are coming from?
* Large Exfiltration: Why do I need a combination of Bro and osquery to detect this? Wouldn't Bro already be enough?
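For the "file extended attributes and where_from" scenario asked about above, here is an added osquery query (not code from either participant in this thread) that shows what "see where the executed files are coming from" looks like in practice. It assumes macOS, where osquery's `extended_attributes` table expands `com.apple.metadata:kMDItemWhereFroms` into one row per download URL with `key = 'where_from'`; the column and key names are taken from that table and should be confirmed on your osquery build with `SELECT DISTINCT key FROM extended_attributes WHERE path = '/path/to/a/downloaded/file';`.

```sql
-- Added example, not from the thread. Assumes macOS and an osquery build whose
-- extended_attributes table emits key = 'where_from' for kMDItemWhereFroms.
-- Lists running processes whose executable carries a download-origin xattr,
-- i.e. binaries that were fetched by a browser or similar before being run.
SELECT
    p.pid,
    p.uid,
    p.path,
    p.cmdline,
    ea.value AS downloaded_from
FROM processes AS p
JOIN extended_attributes AS ea
    ON ea.path = p.path           -- the join supplies the path constraint the table requires
WHERE ea.key = 'where_from'
ORDER BY p.pid;
```

Scheduling this as a differential query in osqueryd gives one event per newly executed, download-tagged binary, which can then be correlated against Bro's HTTP/files logs for the matching URL. Binaries copied with tools that strip extended attributes (or written by a non-quarantining process) will not carry the attribute, so an absent `where_from` row is not proof that the file was created locally.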