Hi everyone,
As part of demonstrating Bro in a class setting, I’m preparing an exercise that asks students to detect SYN floods. I found some older Bro code that does this (and references to it on Robin Sommer’s slides from a 2007 talk):
http://www.gnu-darwin.org/www001/src/ports/security/bro/work/bro-1.2.1/policy/synflood.bro
I noticed, however, that I couldn’t find anything similar in SumStats. It might be that I missed something, but maybe SYN floods just aren’t as interesting anymore? Does anyone know what happened there?
Anyway, I tried to write a quick script to test it out first, which turned out to use a lot of memory (at least, in my perception – perhaps it’s an issue with the VM I’m testing it in though), which I guess might be the reason. Here’s the code I used (unlike /scripts/policy/misc/scan.bro, this script uses connection_SYN_packet, which means we can detect SYNs that are not responded to):
# Record one observation per SYN, keyed by the originating host.
event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    SumStats::observe("tcp.syn.rcvd", [$host=c$id$orig_h], [$str=fmt("%s", c$id$resp_h)]);
    }

# Called once per key at the end of every epoch; $num is the number of observations seen for that key.
function f(ts: time, key: SumStats::Key, result: SumStats::Result)
    {
    local r = result["tcp.syn.rcvd"];
    print fmt("Saw %d SYNs from %s", r$num, key$host);
    }

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="tcp.syn.rcvd", $apply=set(SumStats::SUM));
    SumStats::create([$name="tcp.syn.scan",
                      $epoch=30min,
                      $reducers=set(r1),
                      $epoch_result=f,
                      $epoch_finished(ts: time) = { print "-- new Epoch --"; }]);
    }
Greetings,
Rens
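An added example (not from the original post) of the same SumStats approach turned into a SYN-flood detector: it keys on the responder, which is the host being flooded, and uses $threshold/$threshold_crossed to raise a notice instead of printing every key at each epoch. The module name, the Possible_SYN_Flood notice type, the syn_threshold value and the epoch length are assumptions chosen for illustration.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module SynFlood;

export {
    redef enum Notice::Type += {
        # Hypothetical notice type: a responder received more SYNs than syn_threshold in one epoch.
        Possible_SYN_Flood
    };
    # Illustrative values; tune to the traffic of the monitored network.
    const syn_threshold = 1000.0 &redef;
    const epoch = 1min &redef;
}

event bro_init()
    {
    # SUM of the $num field; a plain count is all the SUM plugin needs, so no $str is stored.
    local r1 = SumStats::Reducer($stream="tcp.syn.rcvd", $apply=set(SumStats::SUM));
    SumStats::create([$name="syn-flood",
                      $epoch=epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["tcp.syn.rcvd"]$sum;
                          },
                      $threshold=syn_threshold,
                      # Fires once per key per epoch when the threshold is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["tcp.syn.rcvd"];
                          NOTICE([$note=Possible_SYN_Flood,
                                  $msg=fmt("%s received %.0f SYNs within %s", key$host, r$sum, epoch),
                                  $n=double_to_count(r$sum),
                                  $identifier=cat(key$host)]);
                          }]);
    }

# Count each SYN against the host it is sent to, not the host sending it.
event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    SumStats::observe("tcp.syn.rcvd", [$host=c$id$resp_h], [$num=1]);
    }
```

Keying on c$id$resp_h means a spoofed-source flood still accumulates under one key, whereas a per-originator key (as in the script above) spreads it across as many keys as there are forged source addresses.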