RE: Few questions...

> I could not find any bro mailing list archive.

(it's available as a single flat file [:-(] by sending "get
bro archive"
in the body of a message mailed to

Thanks !!! I will be really useful for me.

> Does bro detects illegal TCP acknowledgements and
> retransmissions which i could not see using ordinary
> dump utility?

Depends what you mean by "illegal". It detects acknowledgments above
sequence holes, and inconsistent TCP retransmission.
Unfortunately, when
looking at a large volume of traffic, these show up due to
various things
being broken (as mentioned in the Bro paper), so their presence isn't
a useful indicator of an attack.

Have you observed it in a practical network?