[Bro] Bro and flood protection

Benson Mathews benson.mathews at gmail.com
Wed Jan 29 11:14:05 PST 2014

Hi Folks,

I'm trying to learn if Bro can detect UDP flood attacks. And found the
synflood script that was provided on previous versions of Bro. Wondering if
there's something similar on Bro 2.2 or if the 1.5.x version would still

Noticed that this question was raised in the past by Alex (below). Does
anyone know how this could be done on 2.2 or have a working script to
detect flood attacks already?


Date: Mon, 11 Nov 2013 22:19:08 -0800 (PST)
From: Laleh Arshadi <la_arshadi at yahoo.com>
Subject: [Bro] Bro and flood protection - revisited
To: "bro at bro.org" <bro at bro.org>
        <1384237148.40495.YahooMailNeo at web140606.mail.bf1.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear All,
This message was sent a while ago but I see no one has replied to it. As I
have almost a similar question myself, I would be thankful if someone took
another look at the email and responded.

From: Alexander Frolkin <avf at eldamar.org.uk>
To: bro at bro.org
Sent: Thursday, November 7, 2013 3:05 PM
Subject: [Bro] Bro and flood protection


I'm currently looking around for open-source IDSes.? What we'd like
is to have an IDS machine which monitors our Internet traffic and
responds to events by blocking the traffic using Flowspec.? This is easy
to do with Bro and ExaBGP using custom event handlers and/or hooks, and

I'm currently trying to understand Bro's ability to detect floods, e.g.,
SYN flood, ACK flood, or any other kind of flood, for that matter.

The feeling I have so far is that Bro wasn't really designed for this
sort of thing, and that it's designed more for L7 stuff.

I'm playing with 2.2 beta, and I can't see anything built-in to detect
floods (although maybe I haven't looked hard enough).? In older
versions, though, there was a script called synflood.bro, but it seems
to have disappeared at some point.? Does anyone know what the history of
this is, and whether there is equivalent funtionality in the latest

More generally, if I want to detect network floods, is Bro the right
thing to be using, or should I be looking elsewhere?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140129/3ba789a3/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synflood.bro
Type: application/octet-stream
Size: 3876 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140129/3ba789a3/attachment.obj 

More information about the Bro mailing list