detect Ack flooding attack

./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) or udp or

The second test you give, for capturing ACK packets, is incorrect.
It needs to be

  (tcp[13] & 0x10 == 0x10)

- Vern

Hi Vern,
     Thank you for your reply. I corrected this filter expression and run Bro,
but I got the same result. I can see these spoofed source IP packets with
Ethereal. All of them target the same host but with different destination
ports. The TCP flag of these packets is 0x0010 (ack). I found no single log
record was for such packets. Am I missing anything?
     By the way, I am using the DARPA 2000 data set (Scenario one, inside
tcpdump file). This is the link for this data:

thank you for your time.


Quoting Vern Paxson <>: