Bro and flood protection

Hi Folks,

I’m trying to learn if Bro can detect UDP flood attacks, and found the synflood script that was provided with previous versions of Bro. I’m wondering if there’s something similar in Bro 2.2 or if the 1.5.x version would still work?

Noticed that this question was raised in the past by Alex (below). Does anyone know how this could be done on 2.2 or have a working script to detect flood attacks already?

Thanks,

Benson

synflood.bro (3.79 KB)

As far as I recall, the 1.5 script should still work.

Robin

Hi Robin,

Thanks for the response. I’ve modified the script slightly and commented out the install and uninstall addr_filters. See attached.

I tried running the script against a sample pcap that I generated using hping3 (hping3 --rand-source 192.168.146.130 --flood -S -L 0 -p 80) and it seemed to be logging the SYN attack alerts in the notice logs, at least the start of the attack:
1392741015.684576 - - - - - - - - - SynFloodStart Start of syn-flood against 192.168.146.130; sampling packets now - 192.168.146.130 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1392741015.740914 - - - - - - - - - SynFloodStart Start of syn-flood against 192.168.146.130; sampling packets now - 192.168.146.130 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1392741015.797104 - - - - - - - - - SynFloodStart Start of syn-flood against 192.168.146.130; sampling packets now - 192.168.146.130 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -

But I also keep getting several runtime errors: no such index (current_victims[ip]) on line 66 of the attached script. And I’m not sure how to fix this. Any thoughts?

Thanks,

Benson

synflood.txt (3.77 KB)