Fwd: Re: [Bro] detect Ack flooding attack

[bchen at cs.ucf.edu]

Hi Scott,
   Thank you for your reply. Bro didn't work without filter expression. this is
why I tried to use this filter expression. conn and weird analyzers did
generated some log records, but none of them captured the packets
having random source IP addresses. Weird analyzer recorded some "weird"
connections having good syn, ack and fin flags.
     This traffic data is actually the DAPAR 2000 data set of MIT LL. I believe
it was captured from a real Lan. I doubt that Bro, in default setting, doesn't
record connection information if it did see SYN packets. The problem is how to
change this default setting.

thanks again

Bing


> bchen at cs.ucf.edu wrote:
>> Hello everyone,
>>      I am trying to use Bro to detect a DOS attack in a tcpdump file. This
>> attack uses Ack packets with spoofed random source IPs and random
>> destination
>> ports to flood a remote server. I thought weird analyzer should catch this
>> attack. I searched all log files generated by Bro and found Bro didn't
>> capture
>> any of these packets.
>>      I have thought that Bro might drop these packets because there are
>> no SYN
>> packets seen by Bro, so I run the following command:
>>
>> ./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) or
>> udp or
>> icmp" -r dos.dump mt
>>
>> It unfortunately didn't work. Does anyone have any suggestion?
>>
>> Thanks
>>
>> Bing
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Few questions:
>
> Does it work without the filter expression?
> Are you seeing any connection information from the trace file at all?
> Is the traffic in a vlan?
>
> You are correct that there should be something in the weird records.
> This is a little odd.
>
> scott
>




----- End forwarded message -----