Bro requires a network tap to give it access to live network traffic. The tap needs to be full-speed for the link being monitored and must provide copies of both directions of the link; otherwise you need two taps, one in each direction.
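One way to check that a tap really delivers both directions of the link, shown here as an added example that is not part of the Bro documentation: the script reads a short capture taken on the tap interface and lists TCP flows for which packets were seen in only one direction. It assumes a classic little-endian pcap file with Ethernet/IPv4/TCP frames; the function names and the sample addresses are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def read_pcap(buf):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", buf, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the global header
    while off + 16 <= len(buf):
        incl = struct.unpack_from("<I", buf, off + 8)[0]  # captured length
        yield buf[off + 16:off + 16 + incl]
        off += 16 + incl

def one_way_flows(buf):
    """Return TCP flows that were captured in only one direction."""
    seen = defaultdict(set)
    for frame in read_pcap(buf):
        # Only plain Ethernet / IPv4 / TCP frames are examined.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
        if len(frame) < tcp + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        a, b = (frame[26:30], sport), (frame[30:34], dport)
        key = (min(a, b), max(a, b))  # same key for both directions
        seen[key].add(a == key[0])    # records which endpoint was the sender
    return sorted((socket.inet_ntoa(x[0]), x[1], socket.inet_ntoa(y[0]), y[1])
                  for (x, y), dirs in seen.items() if len(dirs) == 1)

def make_frame(src, dst, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: one flow seen both ways, one seen in a single direction.
SAMPLE = make_pcap([
    make_frame("192.0.2.10", "198.51.100.5", 40000, 80),
    make_frame("198.51.100.5", "192.0.2.10", 80, 40000),
    make_frame("192.0.2.11", "198.51.100.5", 40001, 443),
])
```

A few one-way flows are normal, since unanswered connection attempts look the same; if nearly every flow in the capture is one-way, the tap is delivering only one direction of the link.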
Normally the network tap for Bro should be placed behind an external firewall and on the DMZ (the portion of the network under the control of the organization but outside of the internal firewall), as shown in the figure below. Some organizations might prefer to install the network tap outside the firewall in order to detect all scans or attacks. Placing Bro outside the firewall will allow the organization to better understand attacks, but will produce more notifications and alarms. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms. In addition to the connection to the network tap, a separate network connection is recommended for management of Bro and access to log files.
For more information on taps and tap placement, see the Netoptics white paper titled "Deploying Network Taps with Intrusion Detection Systems" (http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf).
Figure: Typical location for network tap and Bro system