[Bro] Looking for a tool detecting abusing IPs

Marc Weber marco-oweber at gmx.de
Sat Sep 17 13:00:24 PDT 2011


Hi mailinglist,

The company I'm working for has been attacked by SYN and DDoS within the
last three weeks.

Now we'd like to optimize our setup so that we can cope with most common
attacks with minimal resources. To do so we want to block IPs abusing
our server, e.g. by requesting too many page views or sending SYN attacks
(if the source IP has not been spoofed), etc.

Is bro-ids the right tool to do so?
If not which alternative would you recommend?

Is there someone who would be interested in providing paid support?

Which documentation about bro-ids should I read first?
I'm a little bit lost because the wiki says most of its information is
outdated.

We only have to protect the very common services
  - HTTP
  - POP3
  - SMTP

Thanks for any guidance.

Of course I could use libpcap and code up a tool myself.
However I hope that with your knowledge we're up and running much
faster.

I know about fail2ban - however I'd prefer something not requiring huge
logfiles.

Marc Weber
