[Bro] Bro and flood protection - revisited

Laleh Arshadi la_arshadi at yahoo.com
Mon Nov 11 22:19:08 PST 2013


Dear All,
 
This message was sent a while ago but I see no one has replied to it. As I have almost a similar question myself, I would be thankful if someone took another look at the email and responded.
 
Regards
Laleh


________________________________
From: Alexander Frolkin <avf at eldamar.org.uk>
To: bro at bro.org 
Sent: Thursday, November 7, 2013 3:05 PM
Subject: [Bro] Bro and flood protection


Hi,

I'm currently looking around for open-source IDSes.  What we'd like
is to have an IDS machine which monitors our Internet traffic and
responds to events by blocking the traffic using Flowspec.  This is easy
to do with Bro and ExaBGP using custom event handlers and/or hooks, and
piped_exec.

I'm currently trying to understand Bro's ability to detect floods, e.g.,
SYN flood, ACK flood, or any other kind of flood, for that matter.

The feeling I have so far is that Bro wasn't really designed for this
sort of thing, and that it's designed more for L7 stuff.

I'm playing with 2.2 beta, and I can't see anything built-in to detect
floods (although maybe I haven't looked hard enough).  In older
versions, though, there was a script called synflood.bro, but it seems
to have disappeared at some point.  Does anyone know what the history of
this is, and whether there is equivalent functionality in the latest
version?

More generally, if I want to detect network floods, is Bro the right
thing to be using, or should I be looking elsewhere?

Thanks!


Alex

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
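For anyone following up on Alex's question: Bro 2.2 has no shipped synflood.bro, but the SumStats framework it does ship can express a simple per-destination SYN-rate detector in a few lines. The script below is an added illustration written for this thread, not code from the Bro project or from either poster; it assumes the 2.2 SumStats and Notice APIs, and the threshold (2000 SYNs) and window (10 seconds) are placeholder values that have to be tuned to the site's normal connection rate. It counts every new TCP connection Bro sees, keyed by the responder address, and raises a notice when one address crosses the threshold inside a window.

```bro
##! Per-destination SYN-rate detector using the Bro 2.2 SumStats framework.
##! Added example for this thread; thresholds are placeholders, tune them.

@load base/frameworks/sumstats
@load base/frameworks/notice

module SynFlood;

export {
	redef enum Notice::Type += {
		## Raised when one destination receives more than syn_threshold
		## new TCP connections within syn_interval.
		Possible_SYN_Flood,
	};

	## Placeholder: new TCP connections to one host per window before alerting.
	const syn_threshold: double = 2000.0 &redef;

	## Placeholder: length of the measurement window.
	const syn_interval: interval = 10sec &redef;
}

event bro_init()
	{
	# One reducer that sums the observations made on the "synflood.syn" stream.
	local r = SumStats::Reducer($stream="synflood.syn",
	                            $apply=set(SumStats::SUM));

	SumStats::create([$name="synflood-detect",
	                  $epoch=syn_interval,
	                  $reducers=set(r),
	                  # The value compared against $threshold: SYNs seen for this key.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["synflood.syn"]$sum;
	                  	},
	                  $threshold=syn_threshold,
	                  # Fires once per key per epoch when the threshold is crossed.
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local n = result["synflood.syn"]$sum;
	                  	NOTICE([$note=Possible_SYN_Flood,
	                  	        $msg=fmt("%s received %.0f new TCP connections in %s",
	                  	                 key$host, n, syn_interval),
	                  	        $dst=key$host,
	                  	        # Suppress repeats for the same destination.
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

# new_connection fires when Bro first sees a connection, i.e. on the SYN for TCP.
# Spoofed SYNs count too, since no handshake is required to reach this event.
event new_connection(c: connection)
	{
	if ( ! is_tcp_port(c$id$resp_p) )
		return;

	SumStats::observe("synflood.syn",
	                  [$host=c$id$resp_h],
	                  [$num=1]);
	}
```

Two caveats worth keeping in mind before relying on this. It counts all new TCP connections, legitimate ones included, so the threshold must sit well above the busiest server's normal rate; `connection_attempt` would count only SYNs that never complete, but it fires only after `tcp_attempt_delay` expires, which delays detection. And because Bro creates per-connection state for every SYN, a large spoofed flood stresses the sensor itself; the notice this raises is a reasonable trigger for the Flowspec path Alex describes (a `Notice::policy` hook calling out to ExaBGP), but the rate measurement is better done at the router or a flow collector, with Bro confirming what is happening at L7.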