Netgate Discussion Forum

    PFSense notification if large amounts of data downloaded

    Category: General pfSense Questions
    6 Posts, 5 Posters, 884 Views
    nambi:

      I know that many hackers and ransomware extortion schemes now download your entire DATA to hold you up as ransom threatening to contact your contacts and exploit you.

      This is different than just encrypting files.

      I was wondering if PFSENSE had a way of notifying the administrator if the system was experiencing large amounts of data being sent out through the firewall.

      stephenw10 (Netgate Administrator):

        I'm not sure there is anything that can do that directly.

        You mean alert on a data total in a given period or a data rate? How do you imagine that measuring?

        Steve

        bmeeks:

          You need more "stuff" to detect data exfiltration at the network or firewall level. By that I mean some type of SIEM platform that gets a lot of net flow data and even packet captures from say an IDS/IPS. Accurately detecting data exfiltration is difficult. It is hard to separate an individual tree from the forest in this instance. I say that familiar phrase backwards because in the case of data exfiltration you are looking for a single flow in a sea of other traffic flows.

          Do a Google search using this phrase: "detect data exfiltration". You will get a lot of hits. Several of them should be to research papers describing the difficulties. I found a number of PDF papers from Universities.

          And the widespread use of encryption these days, with most traffic being sent using either SSL or TLS, makes detection of data exfiltration hard. You must resort to indirect indicators in many cases since you can't see the actual packet payloads of encrypted traffic.

          So the bottom line is it can be done, but it is not cheap and easy. It's not as simple as just installing some package or checking a feature box. If it was super easy, all these big corporations would not keep getting their crown jewels (proprietary company information) stolen by ransomware hackers ... 😁. That is the new "insurance policy" the ransomware guys use these days. They first exfiltrate the company's secrets before encrypting their data systems. Then, if the victim refuses to pay for the decryption key, the ransomware guys threaten to publish the stolen data.

          maverick_slo:

            Well...
            I use XDR which alerts on behavioral anomaly if large upload is detected (per host).
            But additionally I also use zabbix which will send an alert if upload is larger than 80Mbit/s for at least 10 minutes (configured this way so that "regular" traffic won't trigger alerts, will be different for every company...)
            But it's hard and requires deep knowledge of your network and what's OK traffic and what's not.

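A stand-alone version of the sustained-upload rule maverick_slo describes (alert when egress exceeds 80 Mbit/s for at least 10 minutes), written here as an added example rather than zabbix, XDR or pfSense code. It assumes the WAN interface's cumulative transmit-byte counter is 64-bit and polled once a minute; the sample series is constructed.

```python
"""Sustained-upload alert: fire when egress stays above THRESHOLD_MBPS for
HOLD_SECONDS. Added example modelled on the zabbix rule in the thread; not
code from pfSense, zabbix or the poster. Counter width and poll interval
are assumptions; the samples below are constructed."""
from dataclasses import dataclass

THRESHOLD_MBPS = 80.0   # upload rate that counts as "large"
HOLD_SECONDS = 600      # rate must stay above threshold this long (10 min)
COUNTER_BITS = 64       # width of the interface octet counter (assumed)


@dataclass
class Sample:
    ts: int          # epoch seconds when the counter was read
    tx_bytes: int    # cumulative bytes transmitted on the egress interface


def rate_mbps(prev: Sample, cur: Sample) -> float:
    """Egress rate between two counter reads, tolerating counter wrap."""
    delta = (cur.tx_bytes - prev.tx_bytes) % (1 << COUNTER_BITS)
    secs = cur.ts - prev.ts
    if secs <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return delta * 8 / secs / 1_000_000


def sustained_upload_alerts(samples, threshold=THRESHOLD_MBPS, hold=HOLD_SECONDS):
    """Return the timestamps at which the alert condition becomes true.

    Fires once per high-rate run: every interval in a window of at least
    `hold` seconds exceeded `threshold`. Re-arms when the rate drops back."""
    alerts = []
    above_since = None   # start of the current run of high-rate intervals
    fired = False
    for prev, cur in zip(samples, samples[1:]):
        if rate_mbps(prev, cur) > threshold:
            if above_since is None:
                above_since = prev.ts
            if not fired and cur.ts - above_since >= hold:
                alerts.append(cur.ts)
                fired = True
        else:
            above_since, fired = None, False
    return alerts


def constructed_samples():
    """Constructed one-minute counter reads: ~20 Mbit/s baseline, then a
    12-minute burst at 100 Mbit/s, then back to baseline."""
    rates = [20] * 5 + [100] * 12 + [20] * 3          # Mbit/s per interval
    samples = [Sample(0, 0)]
    for r in rates:
        prev = samples[-1]
        samples.append(Sample(prev.ts + 60, prev.tx_bytes + r * 1_000_000 * 60 // 8))
    return samples
```

Against the constructed series the rule fires once, at t=900 s, ten minutes after the burst began at t=300 s; the five-minute baseline and the three-minute tail never trigger it.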
            NollipfSense:

              Interesting conversations here, indeed.

              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

              bmeeks (replying to maverick_slo):

                @maverick_slo said in PFSense notification if large amounts of data downloaded:

                Well...
                I use XDR which alerts on behavioral anomaly if large upload is detected (per host).
                But additionally I also use zabbix which will send an alert if upload is larger than 80Mbit/s for at least 10 minutes (configured this way so that "regular" traffic won't trigger alerts, will be different for every company...)
                But it's hard and requires deep knowledge of your network and what's OK traffic and what's not.

                Yes, there are some host-based solutions. And that is really one of the best places to put such tools because there you can generally still see the data BEFORE it's encrypted.

                I was specifically referring to firewall-based or network-based tools in my earlier reply as that is how I interpreted the OP's question. It's much more difficult at that level due to the encryption and also the magnitude of data flow.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.