[Bro] bro policy to identify memcached attacks/participation
Scott Campbell
scottc at es.net
Fri Mar 2 13:37:10 PST 2018
We have put together some sample bro policy that might be useful in
identifying:
1) memcached instances with publicly available TCP ports.
2) UDP connection attempts to 11211/udp.
3) excessive outbound traffic from an IP that has previously had an inbound
memcached 'get' request from outside the local address space.
This code is a little green, but can be used to keep an eye on your local
network as this problem evolves.
Repo can be found here:
https://github.com/set-element/bro_memcached_detect
If you have any questions please let me know and I will do what I can to
help. As well, any changes or improvements will be gladly integrated into
the code as well.
Feel free to share with anyone as this is public information.
Many thanks!
scott
-----
Scott Campbell
ESnet Security Analyst
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180302/aea81939/attachment.html
More information about the Bro
mailing list