Thoughts on Bro
It provides a nice site-wide view of security
It’s not disruptive to users
It’s centrally administered
Unlike a firewall, which stops badness before it starts, Bro’s alarm may come too late
It can’t flag attacks that are not in its database of known attack signatures
It cannot reliably determine what an end-station is seeing, for a variety of reasons