[Bro] tcp off-path exploit

[philosnef]

Is it possible to flag these exploit attempts? From the look of things, it seems reasonable to think that the connection information in conn.log could be used to trace this, do to the very particular way it hands syn/ack requests. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160811/ba30dbcd/attachment-0001.html