During a bruteforce attack that made 27M attempted logins, 2 were flagged as successful by one instance of Bro monitoring the traffic, but not by another running an identical config on the same traffic stream. I wasn't able to reproduce the FPs from bulk traces of the event. Both instances were associated with two Weirds, "SYN_after_close" and "excessive_data_without_further_acks" that were otherwise quite rare in the traffic. This suggests that there's a flaw in the heuristic whereby it's analyzing traffic streams that have confused state. Perhaps an adequate fix is to track whether a given flow has experienced those Weirds, and if so, don't apply the heuristic to it.