"A server transferring more than 200GB to a single IP? C'mon, firewalls of the 90s detected that."
Do you have examples of firewalls that support this and setup guides? I'm using pfSense but haven't come across anything that would flag traffic in this manner. There is snort I guess? Just curious. Always looking to improve my own protection :)
I am using the FreeBSD firewall, which is simpler than pfSense, so I am pretty certain that this must be possible in most, if not all, firewalls.
For any rule of the firewall, which may match any kind of traffic, you may set the rule to update a counter. The values of the counters accumulate the total quantity of data transferred until the counters are reset (periodically). You may choose to store the values in a log for later inspection, or you can use a shell script to interrogate the firewall periodically, compare the counter values with thresholds, and send alerts when they are exceeded.
As long as the firewall rules include the option for a "count" or similar action, which I believe to be available in all of them, you can use the firewall to monitor the amount of data that passes through the network.
Even when a firewall does not provide the length of the packets, just counting the number of packets is enough to estimate the maximum amount of data that might have been transferred, because you know the maximum packet sizes on your interfaces.
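The periodic polling described above, as an added example that is not part of the original thread or anyone's production script: a POSIX sh check that compares two counter snapshots and reports rules that moved more than a limit in one interval. The `ipfw -a list` column layout, the rule numbers and the snapshot contents are assumptions constructed for the example; on a live host the snapshots would come from the firewall itself.

```shell
#!/bin/sh
# Hypothetical threshold check over firewall byte counters (example code, not
# from the thread). Assumes the "ipfw -a list" column layout:
#   <rule#> <packets> <bytes> <action> <rule body...>
# On a live host the snapshots would come from `ipfw -a list`; here they are
# constructed strings so the script runs offline.

LIMIT_BYTES=214748364800   # 200 GiB, the figure quoted in the thread

# Constructed snapshot saved at the previous polling interval.
SNAP_PREV='00100        12       1840 count ip from 192.0.2.10 to any
00200      4000    5120000 count ip from 192.0.2.20 to 198.51.100.5
00300        87      64000 count ip from 192.0.2.30 to any'

# Constructed snapshot taken now. Rule 00200 moved about 250 GiB; rule 00300's
# counter went backwards (it was zeroed in between), which must not alert.
SNAP_CUR='00100        40       6200 count ip from 192.0.2.10 to any
00200 190000000 268435456000 count ip from 192.0.2.20 to 198.51.100.5
00300         5       1200 count ip from 192.0.2.30 to any'

# Print "<rule#> <bytes_since_prev> <rule body>" for each rule in $2, using $1
# as the previous snapshot. Counters accumulate until reset, so a value lower
# than last time means a reset happened and the current value is the delta.
counter_deltas() {
    { printf '%s\n' "$1" | awk '{ print "P", $1, $3 }'
      printf '%s\n' "$2"; } | awk '
        $1 == "P" { prev[$2] = $3; next }
        { d = $3 - prev[$1]; if (d < 0) d = $3
          body = ""; for (i = 5; i <= NF; i++) body = body " " $i
          printf "%s %.0f%s\n", $1, d, body }'
}

# Print only the rules whose transfer since the previous snapshot exceeds $3.
rules_over_limit() {
    counter_deltas "$1" "$2" | awk -v limit="$3" '$2 + 0 > limit'
}

# Usage: run from cron with the saved previous snapshot and a fresh one; any
# output line is a rule that deserves an alert.
rules_over_limit "$SNAP_PREV" "$SNAP_CUR" "$LIMIT_BYTES"
```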