Looking for a tool detecting abusing IPs

Hi mailinglist,

The company I'm working for has been attacked by SYN and ddos within the
last three weeks.

Now we'd like to optimize our setup so that we can cope with most common
attacks with minimal resources. To do so we want to block IPs abusing
our server, e.g. by requesting too many page views or sending SYN attacks
(if the source IP has not been spoofed) etc.

Is bro-ids the right tool to do so?
If not which alternative would you recommend?

Is there someone who would be interested in providing paid support?

Which documentation about bro-ids should I read first?
I'm a little bit lost because the wiki says most of its information is
outdated.

We only have to protect the very common services
  - HTTP
  - POP3
  - SMTP

Thanks for any guidance.

Of course I could use libpcap and code up a tool myself.
However I hope that with your knowledge we're up and running much
faster.

I know about fail2ban - however I'd prefer something not requiring huge
logfiles.

Marc Weber

Yes, Bro is an excellent tool for such things. There's the default
scan.bro script which reports TCP scans (also UDP if udp.bro is
loaded; and icmp.bro can find ICMP scans).

Generally, it's pretty straightforward to add custom logic for
fine-tuning reporting or finding other types of scans. We're also in
the process of adding a new Metrics framework that generalizes
"counting stuff", and it will be able to report scans of all kinds.

Robin
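To make the "counting stuff" idea concrete, here is an added example that is not part of the thread, of scan.bro, or of the Bro project: a small offline pass over Bro-style conn.log records that keeps a sliding window per source address and flags (a) sources that SYN many distinct targets without ever getting a reply (conn_state S0, the half-open pattern a TCP scan detector keys on) and (b) sources that complete HTTP connections faster than a chosen rate, which goes slightly beyond scan.bro to cover the "too many page views" case from the original question. The sample log lines are constructed with a reduced column set, and the window length and thresholds are assumptions to be tuned locally; in a real deployment this logic would live in a Bro script fed by live events rather than in a post-hoc Python script.

```python
"""Sliding-window per-source abuse counters over Bro conn.log style records.

Added example (not Bro project code). Flags sources with many unanswered SYNs
to distinct targets, and sources opening HTTP connections above a rate.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # assumption: how long an event counts against a source
SCAN_THRESHOLD = 5      # assumption: distinct unanswered targets before flagging
HTTP_THRESHOLD = 4      # assumption: completed HTTP connections before flagging

# Constructed sample in the column order of a reduced conn.log:
#   ts id.orig_h id.orig_p id.resp_h id.resp_p proto service conn_state
# A real Bro conn.log is tab-separated and has more columns; the parser
# below splits on any whitespace so either form works.
# 10.0.0.5: five unanswered SYNs to distinct targets within seconds (scan)
# 10.0.0.7: four completed HTTP connections within four seconds (rate abuse)
# 10.0.0.9: unanswered SYNs spaced 100 s apart, so they never share a window
SAMPLE_CONN_LOG = """\
#fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service conn_state
1300000000.0 10.0.0.5 40001 192.168.1.10 21 tcp - S0
1300000001.0 10.0.0.5 40002 192.168.1.10 22 tcp - S0
1300000002.0 10.0.0.5 40003 192.168.1.10 23 tcp - S0
1300000003.0 10.0.0.5 40004 192.168.1.10 25 tcp - S0
1300000004.0 10.0.0.5 40005 192.168.1.11 25 tcp - S0
1300000000.5 10.0.0.7 50001 192.168.1.10 80 tcp http SF
1300000001.5 10.0.0.7 50002 192.168.1.10 80 tcp http SF
1300000002.5 10.0.0.7 50003 192.168.1.10 80 tcp http SF
1300000003.5 10.0.0.7 50004 192.168.1.10 80 tcp http SF
1300000000.7 10.0.0.9 60001 192.168.1.10 80 tcp http SF
1300000100.0 10.0.0.9 60002 192.168.1.10 22 tcp - S0
1300000200.0 10.0.0.9 60003 192.168.1.10 23 tcp - S0
1300000300.0 10.0.0.9 60004 192.168.1.10 25 tcp - S0
1300000400.0 10.0.0.9 60005 192.168.1.10 110 tcp - S0
1300000500.0 10.0.0.9 60006 192.168.1.10 143 tcp - S0
"""


def parse_conn_line(line):
    """Return a record dict for one data line, or None for comments/blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    return {"ts": float(f[0]), "orig_h": f[1], "resp_h": f[3],
            "resp_p": int(f[4]), "proto": f[5], "service": f[6],
            "conn_state": f[7]}


class SlidingWindow:
    """Per-key event list that forgets events older than `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)   # key -> deque of (ts, item)

    def add(self, key, ts, item):
        q = self.events[key]
        q.append((ts, item))
        # The entry just appended has age 0, so this loop always terminates.
        while ts - q[0][0] > self.window:
            q.popleft()

    def distinct(self, key):
        return len({item for _, item in self.events[key]})

    def count(self, key):
        return len(self.events[key])


def detect_abusers(lines):
    """Return sorted lists of scanning and HTTP-rate-abusing source addresses."""
    records = [r for r in map(parse_conn_line, lines) if r]
    records.sort(key=lambda r: r["ts"])   # window logic needs time order
    unanswered = SlidingWindow(WINDOW_SECONDS)
    http_conns = SlidingWindow(WINDOW_SECONDS)
    scanners, http_abusers = set(), set()
    for r in records:
        src = r["orig_h"]
        if r["proto"] == "tcp" and r["conn_state"] == "S0":
            # SYN seen, no reply: count distinct (host, port) targets probed
            unanswered.add(src, r["ts"], (r["resp_h"], r["resp_p"]))
            if unanswered.distinct(src) >= SCAN_THRESHOLD:
                scanners.add(src)
        elif r["service"] == "http" and r["conn_state"] != "S0":
            # Completed HTTP connection: plain per-source rate
            http_conns.add(src, r["ts"], None)
            if http_conns.count(src) >= HTTP_THRESHOLD:
                http_abusers.add(src)
    return {"scanners": sorted(scanners), "http_abusers": sorted(http_abusers)}


if __name__ == "__main__":
    print(detect_abusers(SAMPLE_CONN_LOG.splitlines()))
```

Running it on the constructed sample reports 10.0.0.5 as a scanner and 10.0.0.7 as an HTTP-rate abuser, while 10.0.0.9 stays clean because its unanswered SYNs never fall within one 60 second window; that last case is why a plain lifetime counter would over-block and a window is worth the extra bookkeeping. Any block list fed by counters like these should expire entries, since a spoofed-source SYN flood can otherwise be used to get innocent addresses blocked.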