I think Bro is really a good tool for intrusion detection. However, after I studied the reference manual, I found for offline analysis it can only use tcpdump packet level input. Could it also use flow-level analysis data as input? I want to detect some scan and SYN flooding attacks, does somebody have this kind of flow-level code or experience on this? If so, could you share it with us? Our purpose is purely for research.