[Bro] SYN Flood detection
Rens van der Heijden
rensvdheijden at gmail.com
Mon Jan 26 10:32:35 PST 2015
Hi everyone,
As part of demonstrating Bro in a class setting, I'm preparing an
exercise that asks students to detect SYN floods. I found some older Bro
code that does this (and references to it on Robin Sommer's slides from a
2007 talk):
http://www.gnu-darwin.org/www001/src/ports/security/bro/work/bro-1.2.1/policy/synflood.bro
I noticed, however, that I couldn't find anything similar in SumStats.
It might be that I missed something, but maybe SYN floods just aren't as
interesting anymore? Does anyone know what happened there?
Anyway, I tried to write a quick script to test it out first, which
turned out to use a lot of memory (at least, in my perception -- perhaps
it's an issue with the VM I'm testing it in though), which I guess might
be the reason. Here's the code I used (unlike
/scripts/policy/misc/scan.bro
<https://www.bro.org/sphinx/_downloads/scan.bro>, this script uses
connection_SYN_packet, which means we can detect SYNs that are not
responded to):
event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    # One observation per SYN seen, keyed by the originator. The value
    # carries the responder address; the SUM reducer only adds $num or
    # $dbl values, so r$sum stays 0 here and r$num (the number of
    # observations) is what counts the SYNs.
    SumStats::observe("tcp.syn.rcvd", [$host=c$id$orig_h],
                      [$str=fmt("%s", c$id$resp_h)]);
    }

function f(ts: time, key: SumStats::Key, result: SumStats::Result)
    {
    local r = result["tcp.syn.rcvd"];
    print fmt("Saw %d SYNs from %s", r$num, key$host);
    }

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="tcp.syn.rcvd",
                                 $apply=set(SumStats::SUM));
    SumStats::create([$name="tcp.syn.scan", $epoch=30min,
                      $reducers=set(r1),
                      $epoch_result=f,
                      $epoch_finished(ts: time) = { print "-- new Epoch --"; }]);
    }
Greetings,
Rens
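The script above counts every SYN, not only the ones that go unanswered. As an added example that is not part of the post and is not Bro code, the model below shows the matching the post is after: SYNs are held in a pending table keyed by the 4-tuple, a SYN/ACK travelling the other way retires its SYN, and whatever is still pending at the end of a fixed epoch is charged to the originator. The pending table is purged on every epoch rollover so its size is bounded by the SYN rate within one epoch, which is the memory concern the post raises. The `Pkt` class, the `SAMPLE` traffic and the 30-second epoch are constructed for this illustration.

```python
"""Toy model of per-originator unanswered-SYN counting (added example, not Bro code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # "S" for a bare SYN, "SA" for the SYN/ACK reply


EPOCH = 30.0       # stands in for $epoch=30min in the post, scaled to seconds


def unanswered_syns(pkts, epoch=EPOCH):
    """Return {epoch_start: {orig_h: SYNs from orig_h not answered by a SYN/ACK}}.

    Pending SYNs are keyed by (orig, resp, orig_port, resp_port).  On every
    epoch rollover, entries older than one full epoch are dropped, so the
    table cannot grow for the whole run; a handshake may still straddle one
    epoch boundary and be matched.
    """
    pending = {}                                   # 4-tuple -> epoch the SYN fell in
    counts = defaultdict(lambda: defaultdict(int))
    current = None
    for p in sorted(pkts, key=lambda x: x.ts):
        ep = (p.ts // epoch) * epoch
        if current is not None and ep > current:
            # epoch rolled over: forget SYNs older than the previous epoch
            pending = {k: v for k, v in pending.items() if v >= ep - epoch}
        current = ep
        if p.flags == "S":
            pending[(p.src, p.dst, p.sport, p.dport)] = ep
            counts[ep][p.src] += 1                 # provisionally unanswered
        elif p.flags == "SA":
            # the reply travels resp -> orig, so swap the tuple to find the SYN
            started = pending.pop((p.dst, p.src, p.dport, p.sport), None)
            if started is not None:
                counts[started][p.dst] -= 1        # handshake progressed: not a flood SYN
    return {ep: dict(c) for ep, c in counts.items()}


def flag_floods(counts, threshold):
    """Originators whose unanswered-SYN count reached the threshold, per epoch."""
    return [(ep, h, n) for ep in sorted(counts)
            for h, n in sorted(counts[ep].items()) if n >= threshold]


# Constructed sample traffic: one completed handshake, one stray unanswered
# SYN, and a burst of six SYNs from 203.0.113.7 that 10.0.0.1 never answers.
SAMPLE = [
    Pkt(1.0, "10.0.0.5", "10.0.0.1", 40001, 80, "S"),
    Pkt(1.1, "10.0.0.1", "10.0.0.5", 80, 40001, "SA"),
    Pkt(2.0, "10.0.0.6", "10.0.0.1", 40002, 443, "S"),
] + [Pkt(3.0 + i * 0.01, "203.0.113.7", "10.0.0.1", 50000 + i, 80, "S")
     for i in range(6)]


if __name__ == "__main__":
    per_epoch = unanswered_syns(SAMPLE)
    for ep, host, n in flag_floods(per_epoch, threshold=5):
        print(f"epoch starting {ep:.0f}s: {n} unanswered SYNs from {host}")
```

With the constructed sample, only 203.0.113.7 crosses a threshold of five; the normal client that completed its handshake ends the epoch at zero. In a real deployment the threshold would be set from the site's baseline SYN rate per host, and the epoch kept short enough that the pending table stays small under load.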