HTTP reply

  I think sometimes HTTP reply especially the first line is very useful.
Through it, we can know whether the attack is successful.
That is right?

Yes, and HTTP.cc has *most* of the internal analysis already to extract
this. What it's missing is the ability to accurately track persistent
connections, which requires being able to tell when an item ends. For
some items, finding the end is easy, you just use the content-length; but
for those encoded using chunking or (especially) MIME/multipart, this is
more work, and that's the part that's missing. If someone wants to finish
it up, that would be great.

How to detect the syn flood attack using Bro? May I use a timer In th Bro's
interpret,so we can know the statistic of some network event?

You could use a timer, or you could count the number of connection attempts
arriving after a particular time for each server. One thing to note is
that if you use connection_attempt, you only get the events after Bro
times out the connection attempt (controlled by the tcp_attempt_delay
variable). If you instead use new_connection, you'll get the events
immediately.

    Vern