detect Ack flooding attack

Hello everyone,
      I am trying to use Bro to detect a DOS attack in a tcpdump file. This
attack uses Ack packets with spoofed random source IPs and random destination
ports to flood a remote server. I thought weird analyzer should catch this
attack. I searched all log files generated by Bro and found Bro didn't capture
any of these packets.
      I have thought that Bro might drop these packets because there are no SYN
packets seen by Bro, so I run the following command:

./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) or udp or
icmp" -r dos.dump mt

It unfortunately didn't work. Does anyone have any suggestion?

Thanks

Bing