[Bro] Looking for a tool detecting abusing IPs

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Mon Sep 19 07:53:56 PDT 2011


Hi,

Bro can cope with your requirements.
You just need to write a policy script to handle that.
You declare global variables to count connection attempts to your servers.
You should take a look at the policy script "signatures.bro". There is an
example to detect vertical and horizontal scans.

Hope it's helpful.

R. Alahassa
On Sun, Sep 18, 2011 at 7:00 PM, <bro-request at bro-ids.org> wrote:

> Send Bro mailing list submissions to
>        bro at bro-ids.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>        bro-request at bro-ids.org
>
> You can reach the person managing the list at
>        bro-owner at bro-ids.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
> Today's Topics:
>
>   1. Re: Signature payload matching (Rodrigue ALAHASSA)
>   2. Looking for a tool detecting abusing IPs (Marc Weber)
>
>
> ---------- Forwarded message ----------
> From: Rodrigue ALAHASSA <rodrigue.alahassa at gmail.com>
> To: bro at bro-ids.org
> Date: Sat, 17 Sep 2011 21:22:30 +0200
> Subject: Re: [Bro] Signature payload matching
> The matching is done against the whole session for TCP sessions.
> For UDP sessions, it is much like per-packet matching.
>
> R. Alahassa
>
> On Sat, Sep 17, 2011 at 9:00 PM, <bro-request at bro-ids.org> wrote:
>
>> Today's Topics:
>>
>>   1. (no subject) (Kristen Eisenberg)
>>
>>
>> ---------- Forwarded message ----------
>> From: Kristen Eisenberg <kristen.eisenberg at yahoo.com>
>> To: "bro at bro-ids.org" <bro at bro-ids.org>
>> Date: Sat, 17 Sep 2011 11:37:38 -0700 (PDT)
>> Subject: [Bro] (no subject)
>> [Bro] Signature payload matching
>>
>> Hi all,
>>
>> I'm working for automation of signature generation for Bro from pcap trace
>> files.
>> I would like to know if the matching of the payload as a condition is done
>> against all the session data or more like per packet matching.
>>
>> Thanks
>>
>> Kristen Eisenberg
>> Billige Flüge
>> Marketing GmbH
>> Emanuelstr. 3,
>> 10317 Berlin
>> Germany
>> Phone: +49 (33) 5310967
>> Email: utebachmeier at gmail.com
>> Site: http://flug.airego.de - compare cheap flights
>>
>> _______________________________________________
>> Bro mailing list
>> Bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
>
> --
> SLt COC ALAHASSA
> 161 POL
> Professeur Georges LEMAITRE
>
>
> ---------- Forwarded message ----------
> From: Marc Weber <marco-oweber at gmx.de>
> To: bro <bro at bro-ids.org>
> Date: Sat, 17 Sep 2011 22:00:24 +0200
> Subject: [Bro] Looking for a tool detecting abusing IPs
> Hi mailinglist,
>
> The company I'm working for has been attacked by SYN and DDoS attacks within
> the last three weeks.
>
> Now we'd like to optimize our setup so that we can cope with most common
> attacks with minimal resources. To do so we want to block IPs abusing
> our server eg by requesting too many page views or sending SYN attacks
> (if the source IP has not been spoofed) etc.
>
> Is bro-ids the right tool to do so?
> If not which alternative would you recommend?
>
> Is there someone who would be interested in providing paid support?
>
> Which documentation about bro-ids should I read first?
> I'm a little bit lost because the wiki says most of its information is
> outdated.
>
> We only have to protect the very common services
>  - HTTP
>  - POP3
>  - SMTP
>
> Thanks for any guidance.
>
> Of course I could use libpcap and code up a tool myself.
> However I hope that with your knowledge we're up and running much
> faster.
>
> I know about fail2ban - however I'd prefer something not requiring huge
> log files.
>
> Marc Weber
>
>
>
>


-- 
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
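As an added illustration of the approach in this reply (example code, not from the original post or from the Bro project), here is a small policy script that does what the answer describes: it keeps per-source counters for connection attempts and HTTP requests to a set of protected servers and raises a notice when a source crosses a threshold. It assumes Bro 2.x script syntax (the 2.0 beta was current in September 2011; 1.5 syntax differs), and the server addresses, ports and thresholds are placeholders to be replaced with your own.

```bro
# Added example (not part of the original post): per-source abuse counters
# for the services the original poster listed (HTTP, POP3, SMTP).
# Assumes Bro 2.x syntax. Addresses, ports and thresholds are placeholders.

@load base/frameworks/notice
@load base/protocols/http

module AbuseCount;

export {
	redef enum Notice::Type += {
		## A source opened more connections to protected servers than
		## allowed within one window.
		Excessive_Connection_Attempts,
		## A source issued more HTTP requests to protected servers than
		## allowed within one window.
		Excessive_HTTP_Requests,
	};

	## Servers to protect (placeholder addresses from RFC 5737 TEST-NET-1).
	const protected_servers: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

	## The services to protect: HTTP, POP3 and SMTP.
	const protected_ports: set[port] = { 80/tcp, 110/tcp, 25/tcp } &redef;

	## Illustrative thresholds; tune them against your own conn.log.
	const conn_threshold = 200 &redef;
	const http_threshold = 500 &redef;
	const window = 1min &redef;
}

# Per-originator counters. &create_expire removes an entry `window` after it
# was first created, so each counter covers a fixed window that starts with
# the source's first attempt and then resets on its own.
global conn_attempts: table[addr] of count &default=0 &create_expire=window;
global http_requests: table[addr] of count &default=0 &create_expire=window;

function targets_protected_service(c: connection): bool
	{
	return c$id$resp_h in protected_servers && c$id$resp_p in protected_ports;
	}

# new_connection fires on the first packet of every connection, so a SYN that
# never completes the handshake is still counted. Spoofed-source SYN floods
# defeat per-source counting, as the original poster already noted.
event new_connection(c: connection)
	{
	if ( ! targets_protected_service(c) )
		return;

	local orig = c$id$orig_h;
	++conn_attempts[orig];

	# Fire exactly once per window, when the threshold is first reached.
	if ( conn_attempts[orig] == conn_threshold )
		NOTICE([$note=Excessive_Connection_Attempts,
		        $msg=fmt("%s opened %d connections to protected servers within %s",
		                 orig, conn_attempts[orig], window),
		        $conn=c,
		        $identifier=cat(orig),
		        $suppress_for=window]);
	}

# Page views: count HTTP requests rather than connections, because keep-alive
# lets one TCP connection carry many requests.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( ! targets_protected_service(c) )
		return;

	local orig = c$id$orig_h;
	++http_requests[orig];

	if ( http_requests[orig] == http_threshold )
		NOTICE([$note=Excessive_HTTP_Requests,
		        $msg=fmt("%s sent %d HTTP requests to protected servers within %s",
		                 orig, http_requests[orig], window),
		        $conn=c,
		        $identifier=cat(orig),
		        $suppress_for=window]);
	}
```

Run it alongside the default scripts (for example `bro -i eth0 local abuse_count.bro`, with the file name being an assumption) and the notices land in notice.log with the offending source in the src column. Two caveats a practitioner would want: Bro only observes traffic, so turning a notice into a firewall block in this era of the project means an external script consuming notice.log or a notice policy action that shells out, and a passive monitor will not absorb a volumetric flood; and per-source counting is only meaningful when the source address is real, which is exactly the spoofed-SYN case the original poster excluded.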