HTTP reply

  I think sometimes HTTP reply especially the first line is very useful. Through it, we can know whether the attack is successful.
That is right? Forgive me poor English. Another question, How to detect the syn flood attack using Bro? May I use a timer In th Bro's
interpret,so we can know the statistic of some network event?