> I could not find any bro mailing list archive.
(it's available as a single flat file [:-(] by sending "get bro archive"
in the body of a message mailed to majordomo@lbl.gov)
Thanks!!! It will be really useful for me.
> Does bro detect illegal TCP acknowledgements and
> retransmissions which I could not see using an ordinary
> dump utility?

Depends what you mean by "illegal". It detects acknowledgments above
sequence holes, and inconsistent TCP retransmission. Unfortunately, when
looking at a large volume of traffic, these show up due to various things
being broken (as mentioned in the Bro paper), so their presence isn't
a useful indicator of an attack.
Have you observed it in a practical network?
-senthil
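As an added illustration of the two checks mentioned in the reply above (acknowledgments above a sequence hole, and inconsistent retransmissions), here is a small stream-consistency checker. It is example code written for this thread, not Bro's implementation and not posted by either participant; the endpoint names "A"/"B", the sequence numbers and the trace it runs on are all constructed for the demo, and it ignores sequence-number wraparound and the SYN/FIN sequence-space byte for clarity.

```python
"""Toy TCP stream-consistency checks in the spirit of the ones the reply
describes: ACKs that cover bytes the monitor never saw ("acknowledgement
above a sequence hole") and retransmissions whose payload contradicts the
original ("inconsistent retransmission").  Illustrative code, not Bro's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Segment:
    src: str                   # "A" or "B": the two endpoints of one connection
    seq: int                   # absolute sequence number of payload[0]
    payload: bytes = b""
    ack: Optional[int] = None  # ACK number carried by this segment, if any


@dataclass
class Direction:
    """Every payload byte observed from one endpoint, keyed by absolute seq.
    Sequence-number wrap and the SYN/FIN sequence-space byte are ignored."""
    first_seq: int
    seen: Dict[int, int] = field(default_factory=dict)
    reported_holes: Set[int] = field(default_factory=set)

    def record(self, seq: int, payload: bytes) -> Optional[str]:
        """Store new bytes; report a retransmission that contradicts the original."""
        diffs = []
        for off, byte in enumerate(payload):
            s = seq + off
            old = self.seen.get(s)
            if old is None:
                self.seen[s] = byte
            elif old != byte:
                diffs.append(s)  # keep the first copy; the receiver may have used either
        if diffs:
            return (f"inconsistent retransmission: seq {seq}-{seq + len(payload) - 1}, "
                    f"{len(diffs)} byte(s) differ from the original")
        return None

    def hole_below(self, ack: int) -> Optional[int]:
        """Lowest seq < ack that was never observed, or None if the ACK is consistent."""
        for s in range(self.first_seq, ack):
            if s not in self.seen:
                return s
        return None


class TcpConsistencyChecker:
    def __init__(self, a_first_seq: int, b_first_seq: int):
        self.dirs = {"A": Direction(a_first_seq), "B": Direction(b_first_seq)}

    def feed(self, seg: Segment) -> List[str]:
        alerts: List[str] = []
        if seg.payload:
            alert = self.dirs[seg.src].record(seg.seq, seg.payload)
            if alert:
                alerts.append(f"{seg.src}: {alert}")
        if seg.ack is not None:
            peer = "B" if seg.src == "A" else "A"
            d = self.dirs[peer]
            hole = d.hole_below(seg.ack)
            if hole is not None and hole not in d.reported_holes:
                d.reported_holes.add(hole)  # report each hole once, not per ACK
                alerts.append(f"{seg.src} ACKs {seg.ack} above a sequence hole: "
                              f"{peer}'s byte {hole} was never seen")
        return alerts


def analyze(segments: List[Segment], a_first_seq: int, b_first_seq: int) -> List[str]:
    checker = TcpConsistencyChecker(a_first_seq, b_first_seq)
    alerts: List[str] = []
    for seg in segments:
        alerts.extend(checker.feed(seg))
    return alerts


# Constructed trace (hypothetical, not a real capture).  A's data starts at
# seq 1000, B's at 5000.  The monitor misses A's second segment (seq 1010-1019),
# then A "retransmits" its first segment with different bytes.
DEMO_TRACE = [
    Segment("A", 1000, b"GET /index"),   # seq 1000-1009
    Segment("B", 5000, ack=1010),        # consistent ACK
    Segment("A", 1020, b".html HTTP"),   # seq 1020-1029; 1010-1019 never observed
    Segment("B", 5000, ack=1030),        # ACKs data the monitor never saw
    Segment("A", 1000, b"GET /evil."),   # retransmission contradicting the original
    Segment("B", 5000, ack=1030),        # same hole again: not reported twice
]


def run_demo() -> List[str]:
    return analyze(DEMO_TRACE, a_first_seq=1000, b_first_seq=5000)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real link both alerts fire for benign reasons as well: the monitor itself dropping packets produces exactly the "ACK above a hole" pattern, and buggy stacks or middleboxes produce inconsistent retransmissions, which is the point made above about these not being useful attack indicators on their own. Deduplicating per hole, as the checker does, is what keeps such a check from flooding the log.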