Thank you for your reply. I corrected this filter expression and ran Bro,
but I got the same result. I can see these spoofed source IP packets with
Ethereal. All of them target the same host but with different destination
ports. The TCP flags of these packets are 0x0010 (ACK). I found that not a
single log record was written for such packets. Am I missing anything?
By the way, I am using the DARPA 2000 data set (Scenario one, inside
tcpdump file). This is the link for this data: http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
Please send a small trace that can be used to reproduce the problem.
Thanks.
Hi Vern,
I have an interesting finding about the problem I ran into. It was the backdoor
analyzer that prevented those ACK flooding packets from being logged. If I load the
backdoor.bro into mt.bro and run bro to read tcpdump file (command line: ./bro
-r 2000.dump mt), those ack flooding entries are missing in conn.log and
weird.log. If I unload the backdoor.bro from mt.bro and run bro, those ack
flooding packets are logged in conn.log and weird.log. The interesting thing is
these ack flooding packets are sent by a backdoor program (Mstream DDOS tool). I
don't understand why the backdoor analyzer blocks the logging of these packets.
By the way, the latest version just released looks much slower than the previous
version on my machine (Linux).
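The pattern described in this thread (bare-ACK packets from many spoofed sources, all aimed at one host but at many different destination ports, with no connection state behind them) can be picked out of a trace with a very small amount of code. The following is an added example written for this page; it is not Bro code, not part of Bro's backdoor analyzer, and not from the original posts. It parses raw Ethernet/IPv4/TCP frames with struct, keeps only packets whose TCP flags byte is exactly 0x10, and reports any destination host that receives such packets on many distinct ports from many distinct sources. The addresses, ports, thresholds and the frames built by sample_frames() are constructed for illustration and are not taken from the DARPA trace.

```python
"""Pure-Python detector for a bare-ACK flood such as the one discussed above.

Added example, not code from the original thread or from Bro.
The sample frames, addresses, ports and thresholds are constructed assumptions.
"""
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800   # EtherType for IPv4
TCP_PROTO = 6       # IP protocol number for TCP
ACK_ONLY = 0x10     # TCP flags byte with only ACK set (0x0010 in the thread)


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, tcp_flags) for an
    Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != TCP_PROTO or len(ip) < ihl + 14:
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]                      # flags byte: CWR ECE URG ACK PSH RST SYN FIN
    return src_ip, dst_ip, src_port, dst_port, flags


def find_ack_floods(frames, min_ports=5, min_sources=5):
    """Group bare-ACK packets by destination host and report hosts that were
    hit on at least min_ports distinct ports from at least min_sources
    distinct source addresses. Thresholds are illustrative assumptions."""
    ports, sources, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _, dst_port, flags = parsed
        if flags != ACK_ONLY:            # ignore SYN, SYN/ACK, PSH/ACK, RST, ...
            continue
        ports[dst_ip].add(dst_port)
        sources[dst_ip].add(src_ip)
        count[dst_ip] += 1
    return {
        host: {"packets": count[host],
               "ports": len(ports[host]),
               "sources": len(sources[host])}
        for host in count
        if len(ports[host]) >= min_ports and len(sources[host]) >= min_sources
    }


def build_frame(src_ip, dst_ip, src_port, dst_port, flags):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left as zero
    because the detector never verifies them (constructed test input)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def sample_frames():
    """Constructed trace: 20 bare ACKs from 20 spoofed sources to one victim on
    20 different ports, plus a small legitimate-looking flow to another host."""
    victim, server = "192.0.2.10", "192.0.2.20"        # TEST-NET addresses (assumed)
    frames = [build_frame(f"203.0.113.{i}", victim, 1024 + i, 1000 + 37 * i, ACK_ONLY)
              for i in range(1, 21)]
    frames.append(build_frame("198.51.100.7", server, 40000, 80, 0x02))       # SYN
    frames += [build_frame("198.51.100.7", server, 40000, 80, ACK_ONLY)       # ACKs of one flow
               for _ in range(3)]
    return frames


def detect_sample():
    """Run the detector over the constructed trace."""
    return find_ack_floods(sample_frames())


if __name__ == "__main__":
    for host, stats in detect_sample().items():
        print(f"possible ACK flood against {host}: {stats}")
```

Only the victim host is reported: the three ACKs of the ordinary flow go to a single port from a single source and fall well under both thresholds. Note that this is a per-trace count, not a stateful connection analysis; it says nothing about why a full analyzer would drop such packets from conn.log, it only shows that the packets themselves are easy to pick out.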