DDoS detection

Just wondering if anyone has a DDoS detection script for Bro 2.2+. I saw there was an older one for Bro 1.5, but was wondering if someone created an updated one using the new SumStats framework. Please let me know if there is an out-of-the-box way to detect DDoS that I am missing.



Justin, did you ever end up creating one? It should be pretty easy once you define what exactly you want to measure.


Thanks guys!

Justin, if I’m reading this correctly, the script will only look at ports specified in dos_ports.

Is there a way to match all ports? Are there dangers in doing that?