[Bro] Looking for a tool detecting abusing IPs

Robin Sommer robin at icir.org
Mon Sep 19 08:38:04 PDT 2011

On Sat, Sep 17, 2011 at 22:00 +0200, you wrote:

> Now we'd like to optimize our setup so that we can cope with most common
> attacks with minimal resources. To do so we want to block IPs abusing
> our server eg by requesting too many page views or sending SYN attacks
> (if the source IP has not been spoofed) etc.

Yes, Bro is an excellent tool for such things. There's the default
scan.bro script which reports TCP scans (also UDP if udp.bro is
loaded; and icmp.bro can find ICMP scans).

Generally, it's pretty straightforward to add custom logic for
fine-tuning reporting or finding other types of scans. We're also in
the process of adding a new Metrics framework that generalizes
"counting stuff", and it will be able to report scans of all kinds.

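The "counting stuff" idea behind scan detection, shown as a stand-alone Python sketch rather than a Bro script. This is an added example, not code from the thread or from Bro itself: it reads constructed conn.log-style lines (the tab-separated Bro 2.x layout with `#fields` header and `conn_state` codes is an assumption about the format), keys failed TCP handshakes by originator, and flags an originator that touches many distinct hosts (address scan) or many distinct ports on one host (port scan). The thresholds are arbitrary and the three sources in the sample are constructed.

```python
from collections import defaultdict

# Bro conn_state codes for connections whose handshake never completed:
# S0 = SYN seen, no reply; REJ = SYN rejected; RSTOS0 = originator sent SYN then RST.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def make_sample_log():
    """Constructed conn.log text in the tab-separated Bro 2.x layout (assumed format)."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
    rows = []
    # 10.0.0.5 probes port 22 on eight different hosts; none of them answer (S0).
    for i in range(8):
        rows.append(("1316386000.%06d" % i, "C%d" % i, "10.0.0.5", str(40000 + i),
                     "192.0.2.%d" % (10 + i), "22", "tcp", "-", "-", "0", "0", "S0"))
    # 10.0.0.7 probes six ports on a single host and gets every SYN rejected (REJ).
    for i, port in enumerate((21, 22, 23, 25, 80, 443)):
        rows.append(("1316386010.%06d" % i, "D%d" % i, "10.0.0.7", str(50000 + i),
                     "192.0.2.10", str(port), "tcp", "-", "-", "0", "0", "REJ"))
    # 10.0.0.9 makes two ordinary, completed web connections (SF) and must not be flagged.
    rows.append(("1316386020.000000", "E0", "10.0.0.9", "51000", "192.0.2.10", "80",
                 "tcp", "http", "0.5", "300", "1200", "SF"))
    rows.append(("1316386021.000000", "E1", "10.0.0.9", "51001", "192.0.2.11", "80",
                 "tcp", "http", "0.4", "280", "900", "SF"))
    lines = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Turn conn.log text into a list of dicts keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines and blanks
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated row: skip rather than crash
        records.append(dict(zip(fields, values)))
    return records


def detect_scanners(records, host_threshold=5, port_threshold=5):
    """Count failed TCP connection attempts per originator.

    Returns {originator: (kind, count)} where kind is "address_scan" when the
    originator failed against >= host_threshold distinct responders, or
    "port_scan" when it failed against >= port_threshold distinct ports on one
    responder. Successful connections are ignored, so normal clients stay quiet.
    """
    hosts_by_src = defaultdict(set)
    ports_by_src_dst = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp" or r["conn_state"] not in FAILED_STATES:
            continue
        src, dst, port = r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]
        hosts_by_src[src].add(dst)
        ports_by_src_dst[(src, dst)].add(port)

    findings = {}
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            findings[src] = ("address_scan", len(hosts))
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            findings.setdefault(src, ("port_scan", len(ports)))
    return findings


if __name__ == "__main__":
    for src, (kind, count) in sorted(detect_scanners(parse_conn_log(make_sample_log())).items()):
        print("%s: %s (%d)" % (src, kind, count))
```

Keying on the originator address is only meaningful when that address is real, which is the caveat the original question raises about spoofed SYN traffic: a flood with forged sources spreads its attempts across many originators and no single one crosses the threshold, so it shows up as a burst of S0 states per responder rather than per source.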