I've finally had a chance to look into this - sorry about the delay. I had
misinterpreted your original comment - I thought you were asking about
detecting ACK scanning, not flooding. Bro doesn't have a flood-detection
script other than for SYN flooding (which is in synflood.bro), so it's
expected that it wouldn't detect this. (FYI, I have a tweak to it for
detecting ACK scanning, but this is tricky because it's hard to distinguish
between ACK scanning and SYN flooding backscatter.)
The attachment is a small trace file. Thanks
FYI, the trace has numerous checksum errors (confirmed by tcpdump) -
something to be aware of when analyzing it.
Vern