[Bro] detect Ack flooding attack

Vern Paxson vern at icir.org
Tue May 17 23:43:46 PDT 2005


> ./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) or udp or

The second test you give, for capturing ACK packets, is incorrect.
It needs to be

	(tcp[13] & 0x10 == 0x10)

- Vern
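As an added illustration (not part of the original post), the following Python models BPF's byte-test semantics for `tcp[13]` and evaluates both the original ACK clause and Vern's corrected one against constructed flag bytes. It shows why `tcp[13] & 0x10 == 1` can never match: the masked value is always 0 or 0x10.

```python
"""Added example, not from the original list post: evaluate the two ACK
tests from the thread against constructed TCP flag bytes (tcp[13]).
In BPF, `tcp[13] & 0x10 == 1` compares the masked value to 1, but after
masking with 0x10 the result can only be 0 or 0x10, so it never matches."""

# TCP flag bits as laid out in header byte 13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def wrong_ack_test(flags: int) -> bool:
    """The clause as posted: (tcp[13] & 0x10 == 1)."""
    return (flags & 0x10) == 1


def correct_ack_test(flags: int) -> bool:
    """Vern's correction: (tcp[13] & 0x10 == 0x10)."""
    return (flags & 0x10) == 0x10


def fin_syn_rst_test(flags: int) -> bool:
    """First clause of the posted filter: (tcp[13] & 0x7 != 0)."""
    return (flags & 0x7) != 0


def filter_matches(flags: int, ack_test=correct_ack_test) -> bool:
    """The tcp part of the filter: FIN/SYN/RST set OR the ACK test passes."""
    return fin_syn_rst_test(flags) or ack_test(flags)


# Constructed sample flag bytes: a pure ACK (what an ACK flood sends),
# a SYN, a SYN-ACK, a PSH-ACK data segment, and a packet with no flags.
SAMPLES = {
    "pure ACK (flood)": ACK,
    "SYN": SYN,
    "SYN-ACK": SYN | ACK,
    "PSH-ACK": PSH | ACK,
    "no flags": 0,
}


def compare() -> dict:
    """Map each sample to (matches with posted clause, matches with fix)."""
    return {name: (filter_matches(f, wrong_ack_test),
                   filter_matches(f, correct_ack_test))
            for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        print(f"{name:18s} posted filter: {posted!s:5}  corrected: {fixed}")
```

The pure-ACK row is the one that matters for the flood the thread is about: the posted filter drops it on the floor, the corrected filter captures it.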
