[Bro] Slow-motion DoS attack
Seth Hall
seth at icir.org
Mon Jan 9 05:36:45 PST 2012
On Jan 9, 2012, at 6:07 AM, Liam Randall wrote:
> I would be interested in the script as well. We will be running a BRO
> box out at Shmoocon this year and I'm _sure_ we'll see some interesting
> traffic.
Cool! It's attached.
It currently detects the slow body and slow headers attacks from the slowhttptest tool. It doesn't detect range attacks yet, but that should be easy to add. We may be able to make it detect slow read attacks with 2.1 once we get the new tcp stats analyzer integrated since that's not even technically an HTTP attack (it's a tcp attack).
I know that it currently has some false positives and generally isn't written very well. If anyone encounters any false positives, please let me know. I'd like to understand all of the cases where false positives happen.
A non-text attachment was scrubbed...
Name: http-DoS-detector.bro
Type: application/octet-stream
Size: 2445 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120109/84fdf6c0/attachment.obj
Thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
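The attached http-DoS-detector.bro is not reproduced in the archive, so the following is an added example, written for this page and not Seth's script, that models the same heuristic in plain Python: a request whose headers never complete within a timeout is a "slow headers" candidate, a request whose declared body trickles in far below a minimum byte rate is a "slow body" candidate, and a source is reported only once it holds several such connections at the same time. The thresholds (HEADER_TIMEOUT, BODY_MIN_RATE, CONN_THRESHOLD), the event format and the sample traffic are all assumptions constructed for the example; the byte-rate check is there to show why a legitimate large upload should not trip the slow-body rule, which is one of the false-positive classes the message mentions.

```python
"""Heuristic model of slow-headers / slow-body HTTP DoS detection (example, not the Bro script)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HEADER_TIMEOUT = 30.0    # assumed: seconds a request may take to finish its headers
BODY_MIN_RATE = 50.0     # assumed: bytes/second; a declared body trickling slower is suspicious
CONN_THRESHOLD = 5       # assumed: slow connections from one source before we report it


@dataclass
class Conn:
    src: str
    opened: float
    header_done: Optional[float] = None   # time the request line and headers completed
    content_length: int = 0               # declared body size, 0 if none
    body_bytes: int = 0                   # body bytes seen so far


def classify(conn: Conn, now: float) -> Optional[str]:
    """Label one connection 'slow_headers', 'slow_body' or None as of time `now`."""
    if conn.header_done is None:
        # Headers never finished: flag once the request has been open too long.
        return "slow_headers" if now - conn.opened > HEADER_TIMEOUT else None
    if conn.content_length and conn.body_bytes < conn.content_length:
        elapsed = now - conn.header_done
        # The rate check keeps slow but legitimate large uploads from being flagged.
        if elapsed > HEADER_TIMEOUT and conn.body_bytes / elapsed < BODY_MIN_RATE:
            return "slow_body"
    return None


def build_conns(events):
    """Replay (ts, conn_id, src, kind, value) events into Conn records (hypothetical format)."""
    conns = {}
    for ts, cid, src, kind, value in events:
        if kind == "open":
            conns[cid] = Conn(src=src, opened=ts)
        elif kind == "headers_done":
            conns[cid].header_done = ts
            conns[cid].content_length = value
        elif kind == "body":
            conns[cid].body_bytes += value
    return conns


def slow_sources(conns, now):
    """Count slow connections per (src, label) and return the pairs at or over threshold."""
    counts = defaultdict(int)
    for conn in conns.values():
        label = classify(conn, now)
        if label:
            counts[(conn.src, label)] += 1
    return sorted((src, label, n) for (src, label), n in counts.items() if n >= CONN_THRESHOLD)


# Constructed sample traffic: one source trickling headers, one trickling bodies,
# an ordinary fast POST, and a large legitimate upload still in progress.
SAMPLE_EVENTS = []
for i in range(6):                                   # slow headers: opened, never completed
    SAMPLE_EVENTS.append((0.0, f"h{i}", "10.0.0.5", "open", None))
for i in range(5):                                   # slow body: 20 bytes of a declared 100k
    SAMPLE_EVENTS += [(0.0, f"b{i}", "10.0.0.9", "open", None),
                      (0.5, f"b{i}", "10.0.0.9", "headers_done", 100_000),
                      (1.0, f"b{i}", "10.0.0.9", "body", 20)]
SAMPLE_EVENTS += [(0.0, "n1", "192.0.2.10", "open", None),     # ordinary POST, completes quickly
                  (0.2, "n1", "192.0.2.10", "headers_done", 1_000),
                  (0.5, "n1", "192.0.2.10", "body", 1_000)]
SAMPLE_EVENTS += [(0.0, "u1", "198.51.100.7", "open", None),   # big upload, healthy byte rate
                  (1.0, "u1", "198.51.100.7", "headers_done", 5_000_000),
                  (59.0, "u1", "198.51.100.7", "body", 2_000_000)]

if __name__ == "__main__":
    for src, label, n in slow_sources(build_conns(SAMPLE_EVENTS), now=60.0):
        print(f"REPORT {src}: {n} {label} connections")
```

Evaluated at now=60.0 the sample reports 10.0.0.5 (six incomplete header phases) and 10.0.0.9 (five trickled bodies), while the fast POST and the in-progress upload are left alone; evaluated at now=10.0 nothing is reported yet, which is the trade-off a timeout-based rule always carries. A Bro implementation would hang the same state off the connection record and evaluate it on the http_request / http_entity_data events and a connection timeout rather than replaying a list.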