I am trying to use Bro to detect a DoS attack in a tcpdump file. This
attack uses ACK packets with spoofed random source IPs and random destination
ports to flood a remote server. I thought the weird analyzer should catch this
attack. I searched all log files generated by Bro and found that Bro didn't capture
any of these packets.
I thought that Bro might be dropping these packets because there are no SYN
packets seen by Bro, so I ran the following command (the flag tests need the
tcp[13] offset, and the ACK test must compare against 0, since 0x10 & 0x10 can never be 1):

    ./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 != 0))) or udp or icmp" -r dos.dump mt

It unfortunately didn't work. Does anyone have any suggestions?
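As an added illustration (not code from the original post or from Bro), the detection logic that the SYN-based connection tracking misses: segments carrying only the ACK flag are attributed to a connection only if a SYN was seen for that (src, dst, dport) triple, and ACK-only segments that belong to no such connection are counted per destination and per time window. The packet summaries are a constructed trace; the thresholds, window size, and the 10.0.0.0/8 and 198.51.100.0/24 addresses are assumptions.

```python
"""Detect an orphan-ACK flood: ACK-only TCP segments for which no SYN was seen.

Constructed example; packet summaries are (ts, src_ip, dst_ip, dst_port, flags).
"""
from collections import defaultdict

# TCP flag bits as they appear in tcp[13], the byte the BPF filter tests.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def bpf_would_capture(flags):
    """Mirror of the filter 'tcp[13] & 0x7 != 0 or tcp[13] & 0x10 != 0'."""
    return (flags & 0x7) != 0 or (flags & ACK) != 0


def detect_ack_flood(packets, window=1.0, min_pkts=50, min_srcs=20):
    """Return [(dst_ip, window_start, pkts, distinct_srcs, distinct_ports)]
    for every destination/window whose orphan-ACK count and source spread
    exceed the (assumed) thresholds."""
    established = set()  # (src, dst, dport) triples for which a SYN was seen
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "ports": set()})
    for ts, src, dst, dport, flags in packets:
        if flags & SYN:
            established.add((src, dst, dport))
            continue
        # ACK-only segment (no FIN/SYN/RST) that matches no known connection
        if flags & ACK and not flags & 0x7 and (src, dst, dport) not in established:
            s = stats[(dst, int(ts // window))]
            s["pkts"] += 1
            s["srcs"].add(src)
            s["ports"].add(dport)
    alerts = []
    for (dst, w), s in stats.items():
        if s["pkts"] >= min_pkts and len(s["srcs"]) >= min_srcs:
            alerts.append((dst, w * window, s["pkts"], len(s["srcs"]), len(s["ports"])))
    return sorted(alerts)


def sample_packets():
    """Constructed trace: one legitimate handshake with data, then a flood."""
    pkts = [
        (0.000, "10.0.0.5", "10.0.0.1", 80, SYN),        # client SYN
        (0.005, "10.0.0.1", "10.0.0.5", 54321, SYN | ACK),  # server SYN-ACK
        (0.010, "10.0.0.5", "10.0.0.1", 80, ACK),        # handshake completes
        (0.020, "10.0.0.1", "10.0.0.5", 54321, ACK),     # server ACKs data
    ]
    # Flood at t=1s: 100 ACK-only segments, spoofed sources, scattered ports
    for i in range(100):
        pkts.append((1.0 + i * 0.001, f"198.51.100.{i % 250 + 1}",
                     "10.0.0.1", 1024 + (i * 7919) % 60000, ACK))
    return pkts
```

Run on the constructed trace, the legitimate ACKs are attributed to the SYN-established connection and only the flood window is reported.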