[Bro] Slow-motion DoS attack
Liam Randall
Liam.Randall at gigaco.com
Mon Jan 9 03:07:45 PST 2012
Seth,
I would be interested in the script as well. We will be running a BRO
box out at Shmoocon this year and I'm _sure_ we'll see some interesting
traffic.
Liam Randall
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf
Of Seth Hall
Sent: Saturday, January 07, 2012 11:59 PM
To: Will
Cc: bro at bro-ids.org
Subject: Re: [Bro] Slow-motion DoS attack
On Jan 7, 2012, at 5:00 PM, Will wrote:
> I was wondering if anyone has set anything up in Bro to monitor their
web servers for this style of attack.
I have a script. :)
I've been working on this for a little while already, but I'm still
expanding it to work against some of the newer attacks like the one that
takes advantage of TCP window sizes to execute a slow read attack. The
script still kind of sucks and has false positives in a few cases (and
I'm sure false negatives as well), but I'm slowly working on getting
those ironed out.
If you'd like a copy of my script to try, let me know and I can get it
over to you.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list