Question

I need to use BRO IDS to detect DDoS attacks. I installed Bro 2.2 from bro.org, then I checked how to do this analysis. Some people suggested that I use synflood.bro to detect DDoS attacks. It is logical.

I am trying to use synflood.bro. First, I couldn't find it in the Bro 2.2 package. So, I downloaded it from the internet (http://www.filewatcher.com/m/synflood.bro.3792-0.html - 2012-07-24 bro-1.5.3.tbz/share/bro/synflood.bro)

I am having this error:

line 3: can't open notice

line 3 --> @load notice

OK, it is clear it can't find notice. But what should the "notice" be? Is it a folder or what? I couldn't figure it out.


Solution

The @load directive tells Bro to load scripts. It is in /opt/bro/share/bro/sites/local.bro

Without more data it's hard to tell, but in Bro 2.2 notices (Bro alerts) are now a framework, so you are either

  1. Trying to load a notice policy script or set of scripts that doesn't exist, or
  2. Trying to load Bro 2.1 functionality, so Bro is complaining.

OTHER TIPS

I would expect this refers to a line in your local.bro file where the @load statements are made. Check that file within your site folder and comment it out to enable bro to run if you wish.
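
To see which `@load` lines in an old script will fail before running Bro, the check below resolves each target against a list of search directories. It is an added example, not part of the answers above or of Bro itself; it assumes Bro 2.x's lookup rule (a `.bro` file, or a directory containing `__load__.bro`, under a search directory), and the function names, the sample script text and the directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Matches "@load <target>" at the start of a line (not @load-sigs etc.).
LOAD_RE = re.compile(r'^\s*@load\s+(\S+)')

def find_loads(script_text):
    """Return (line_number, target) for every @load directive, ignoring comments."""
    loads = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = LOAD_RE.match(line.split('#', 1)[0])
        if m:
            loads.append((lineno, m.group(1)))
    return loads

def resolve(target, search_dirs):
    """Assumed Bro 2.x lookup: <dir>/<target>.bro, <dir>/<target>/__load__.bro,
    or <dir>/<target> as a plain file. Returns the path found, or None."""
    for d in search_dirs:
        base = os.path.join(d, target)
        candidates = (base + '.bro', os.path.join(base, '__load__.bro'), base)
        for candidate in candidates:
            if os.path.isfile(candidate):
                return candidate
    return None

def unresolved_loads(script_text, search_dirs):
    """List the @load directives that would produce "can't open <target>"."""
    return [(n, t) for n, t in find_loads(script_text)
            if resolve(t, search_dirs) is None]

def demo():
    """Build a constructed tree shaped like a 2.x script directory and check
    an old-style and a framework-style @load against it."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, 'base', 'frameworks', 'notice')
        os.makedirs(pkg)
        open(os.path.join(pkg, '__load__.bro'), 'w').close()
        old_style = "# constructed excerpt of a 1.5-era script\n\n@load notice\n"
        new_style = "# constructed 2.x-style script\n\n@load base/frameworks/notice\n"
        return (unresolved_loads(old_style, [root]),
                unresolved_loads(new_style, [root]))

if __name__ == '__main__':
    old, new = demo()
    print('old-style unresolved:', old)
    print('2.x-style unresolved:', new)
```

On a real installation, pass the directories from your BROPATH as `search_dirs` and the contents of the downloaded script as `script_text`.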

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow