Few questions...

> Depends what you mean by "illegal". It detects acknowledgments above
> sequence holes, and inconsistent TCP retransmission.
> Unfortunately, when
> looking at a large volume of traffic, these show up due to
> various things
> being broken (as mentioned in the Bro paper), so their presence isn't
> a useful indicator of an attack.

Have you observed it in a practical network?

Yes, that's the whole point - "looking at a large volume of traffic"
reflects years of operating Bro at LBL (and other environments). It's
a whole different world than just looking at say a LAN, which is *much*
more homogeneous and well-behaved.