flow-level analysis code

Hi,

I think Bro is really a good tool for intrusion detection. However, after I studied the reference manual, I found for offline analysis it can only use tcpdump packet level input. Could it also use flow-level analysis data as input? I want to detect some scan and SYN flooding attacks, does somebody have this kind of flow-level code or experience on this? If so, could you share it with us? Our purpose is purely for research.
Thx.

Yan Gao

Fermilab uses a package named 'flow-tools' that was originally developed at Ohio State Unix. The first Google hit is...

http://www.splintered.net/sw/flow-tools/

Randy Reitz
Computer Security Team