From BroWiki

This page bundles neat solutions to recurring questions, answers to tricky problems, and hidden gems that would otherwise remain buried treasures in mailing list archives or private conversations.

Policy Scripts

Reliably Detecting Backscatter

Identifying backscatter via connections labeled as OTH is not a reliable means to detect backscatter. Use rather the following procedure:

1. Enable connection history via redef record_state_history=T to track all control/data packet types in connection logs.
2. Backscatter is now visible in terms of connections that never had an initial SYN but started instead with a SYN-ACK or RST (though this latter generally is just discarded).