Netflow and Bro


I am new to Bro IDS. I wanted to know if Bro can be used to detect port scans or denial of service using the NetFlow data collected from a router.
If yes, I am able to use Bro as a NetFlow collector now, but I am unable to proceed after this point. Should I use the existing scripts on the NetFlow data to detect the threats, or should I write my own scripts?


Currently, we don't have any Bro scripts for NetFlow processing, so
you'll need to write your own ones. Feeding NetFlow into the existing
scripts (which would be mainly the scan detection I think) would
probably be tricky as the scan.bro code (from 1.5) is already quite
complex. We're planning to migrate that over to the new Metrics
framework. That would probably also be the best starting point with