[Bro] Bro Slow-Attack Script

Md Monk mdmonk at gmail.com
Sun Jan 8 20:46:25 PST 2012


(sorry for the top posting)
I'd be interested in trying out the script as well. 

-Chuck

Sent from my iPwn

On Jan 8, 2012, at 1:00 PM, bro-request at bro-ids.org wrote:

> On Jan 7, 2012, at 5:00 PM, Will wrote:
> 
>> I was wondering if anyone has set anything up in Bro to monitor their web servers for this style of attack.
> 
> I have a script. :)
> 
> I've been working on this for a little while already, but I'm still expanding it to work against some of the newer attacks like the one that takes advantage of TCP window sizes to execute a slow read attack.  The script still kind of sucks and has false positives in a few cases (and I'm sure false negatives as well), but I'm slowly working on getting those ironed out.
> 
> If you'd like a copy of my script to try, let me know and I can get it over to you.
> 
>  .Seth


