Tags: network-programming, ddos, intrusion-detection, bro

Bro IDS - detecting DDoS attacks


I need to use Bro IDS to detect DDoS attacks. I installed bro 2.2 from bro.org, then I checked how to do this analysis. Some people suggested that I use synflood.bro to detect DDoS attacks. It is logical.

I am trying to use synflood.bro. First, I couldn't find it in the bro 2.2 package. So, I downloaded it from the internet (http://www.filewatcher.com/m/synflood.bro.3792-0.html - 2012-07-24 bro-1.5.3.tbz/share/bro/synflood.bro)

I am having this error:

line 3: can't open notice

line 3 --> @load notice

OK, it is clear it can't find notice. But what should the "notice" be? Is it a folder or what? I couldn't figure it out.


Solution

  • The @load directive tells Bro to load scripts. It is in /opt/bro/share/bro/sites/local.bro

    Without more data it's hard to tell, but in Bro 2.2 notices (Bro alerts) are now a framework, so you are either

    1. Trying to load a notice policy script or set of scripts that doesn't exist or
    2. Trying to load Bro 2.1 functionality, so Bro is complaining.
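
As an added illustration of what the answer describes (the notice framework replacing the old `@load notice`), here is a small Bro 2.x script written for this page. It is not the original synflood.bro and not Bro's own code; the module name, the `SYN_Flood` notice type, the threshold and the time window are assumptions chosen for the example.

```bro
# Added example, not the original synflood.bro: load the notice framework
# the Bro 2.x way and raise a notice when one source piles up unanswered
# TCP connection attempts, the pattern a SYN flood produces in volume.
@load base/frameworks/notice

module SynFlood;

export {
    redef enum Notice::Type += {
        ## Raised when a single originator exceeds the attempt threshold.
        SYN_Flood,
    };

    ## Unanswered connection attempts from one host before a notice is
    ## raised. The value is an assumption; tune it to the monitored link.
    const attempt_threshold = 100 &redef;

    ## Window after which a host's attempt counter is forgotten.
    const attempt_window = 1min &redef;
}

# Per-originator count of unanswered attempts. Entries expire after
# attempt_window so the table cannot grow without bound under a flood.
global attempts: table[addr] of count &write_expire=attempt_window;

# connection_attempt is generated when the originator's SYN gets no answer.
event connection_attempt(c: connection)
    {
    local orig = c$id$orig_h;

    if ( orig !in attempts )
        attempts[orig] = 0;

    ++attempts[orig];

    # Fire exactly once when the threshold is crossed; $identifier and
    # $suppress_for keep a sustained flood from repeating the notice.
    if ( attempts[orig] == attempt_threshold )
        NOTICE([$note=SYN_Flood,
                $msg=fmt("%s made %d unanswered connection attempts within %s",
                         orig, attempts[orig], attempt_window),
                $conn=c,
                $identifier=cat(orig),
                $suppress_for=attempt_window]);
    }
```

Run it against a capture with `bro -r trace.pcap synflood-example.bro` (file name assumed) and look for `SynFlood::SYN_Flood` entries in notice.log. The point the answer makes is visible in the first line: the 2.x path `base/frameworks/notice` is a real directory under share/bro, while the 1.5-era `@load notice` refers to a single script that no longer exists.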