I'm currently looking around for open-source IDSes. What we'd like
is to have an IDS machine which monitors our Internet traffic and
responds to events by blocking the traffic using Flowspec. This is easy
to do with Bro and ExaBGP using custom event handlers and/or hooks, and
I'm currently trying to understand Bro's ability to detect floods, e.g.,
SYN flood, ACK flood, or any other kind of flood, for that matter.
The feeling I have so far is that Bro wasn't really designed for this
sort of thing, and that it's designed more for L7 stuff.
I'm playing with 2.2 beta, and I can't see anything built-in to detect
floods (although maybe I haven't looked hard enough). In older
versions, though, there was a script called synflood.bro, but it seems
to have disappeared at some point. Does anyone know what the history of
this is, and whether there is equivalent funtionality in the latest
More generally, if I want to detect network floods, is Bro the right
thing to be using, or should I be looking elsewhere?