Simple policy to detect ws-discovery DNS amplification attack
The following functionality is provided by the script:
1) identifies spoofed traffic and the subsequent DNS amplification attack
2) builds a list of possible sources that are responding to the 3072/udp DNS amplification attack
Installation
bro-pkg install bro/initconf/ws-discovery-dos
or
@load ws-discovery-dos/scripts
Detailed Notes:
Detailed alerts and descriptions. The following alerts are generated by the script:
The heuristics are simple: check for
This should generate the following kinds of notices:
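As an added illustration, not the package's own script, here is a minimal Zeek heuristic in the spirit of the functionality described above: it watches replies from local hosts on 3072/udp, raises a notice when a reply carries far more bytes than the request that triggered it, and records the responding host in a set (the "list of possible sources"). The port is taken from this page; the ratio threshold, minimum request size, module and notice names are assumptions, and spoof detection itself is not modelled.

```zeek
##! Added example, not part of the ws-discovery-dos package.
##! Flags local hosts that answer 3072/udp with amplified replies.
module WSDiscoveryDoS;

export {
    redef enum Notice::Type += {
        ## Assumed notice name: a local host on 3072/udp returned an
        ## amplified reply to a (possibly spoofed) request.
        Amplified_Response,
    };

    ## Port named on this page for the abused service.
    const ws_port = 3072/udp &redef;

    ## Assumed threshold: reply bytes must be at least this many times
    ## the request bytes before the flow counts as amplification.
    const min_amp_ratio = 5 &redef;

    ## Assumed floor so empty or truncated requests are ignored.
    const min_req_bytes = 20 &redef;

    ## Local hosts seen sending amplified replies; entries expire after
    ## a day so the list tracks currently abusable responders.
    global responders: set[addr] &create_expire=1day;
}

event connection_state_remove(c: connection)
{
    # Only UDP flows whose responder port is the WS-Discovery port.
    if ( c$id$resp_p != ws_port )
        return;

    # We only care about our own hosts acting as reflectors.
    if ( ! Site::is_local_addr(c$id$resp_h) )
        return;

    local req  = c$orig$size;   # bytes sent by the (claimed) requester
    local resp = c$resp$size;   # bytes sent back by the local host
    if ( req < min_req_bytes || resp < min_amp_ratio * req )
        return;

    add responders[c$id$resp_h];

    NOTICE([$note=Amplified_Response,
            $conn=c,
            $msg=fmt("%s answered %s on %s with %dx amplification (%d -> %d bytes)",
                     c$id$resp_h, c$id$orig_h, ws_port, resp / req, req, resp),
            $identifier=cat(c$id$resp_h),
            $suppress_for=10min]);
}
```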