About BRO


I'm working on Bro version 2.3.2.

I want to know whether we can detect denial of service attacks using Bro.

If possible, can you please provide me some guidance?

Hoping for your early reply.

Detecting denial of service attacks isn’t as clear cut as detecting other attacks, e.g. SQL injection. What constitutes a DoS depends on your network’s specifics, such as bandwidth. A DoS to your network might not be a DoS to a larger network.
This being said, Bro does have the ability to detect common port scan attacks. I believe the detection scripts are built on the sumstats framework. Here’s one Seth wrote <https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro>. I hope that helps.
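
An added example, not part of the original thread and not taken from the linked script: a Bro 2.3-style script that uses the SumStats framework mentioned above to raise a notice when one destination host receives more new connections in an interval than a tunable threshold. The module name `ConnFlood`, the notice type `Possible_Flood`, the stream name and both threshold values are assumptions chosen for illustration; the threshold has to come from your own network's baseline.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module ConnFlood;

export {
	redef enum Notice::Type += {
		## One host received more new connections than the threshold in one epoch.
		Possible_Flood,
	};

	## Assumed defaults; redef these to match what is normal on your network.
	const flood_interval = 1min &redef;
	const flood_threshold = 5000.0 &redef;
}

event bro_init()
	{
	# Sum the observations per key (the destination host) over each epoch.
	local r1: SumStats::Reducer = [$stream="connflood.attempts", $apply=set(SumStats::SUM)];

	SumStats::create([$name="connflood",
	                  $epoch=flood_interval,
	                  $reducers=set(r1),
	                  # Value compared against $threshold for each key.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["connflood.attempts"]$sum;
	                  	},
	                  $threshold=flood_threshold,
	                  # Runs once per key per epoch when the threshold is crossed.
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["connflood.attempts"];
	                  	NOTICE([$note=Possible_Flood,
	                  	        $dst=key$host,
	                  	        $msg=fmt("%s received at least %.0f new connections in %s", key$host, r$sum, flood_interval),
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

event new_connection(c: connection)
	{
	# One observation per new connection, keyed by the responder address.
	SumStats::observe("connflood.attempts", [$host=c$id$resp_h], [$num=1]);
	}
```

Notices raised by this script are written to notice.log. A busy server can exceed a fixed threshold during normal operation, so the values above need tuning per host or per subnet.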