NOTE: This chapter is still a very rough draft and incomplete
Bro is most effective when used in conjunction with bulk traces
from your site. Capturing bulk traces simply means running tcpdump
to record all traffic entering and leaving your site.
Bulk traces are very valuable for forensic analysis of all traffic to and from a compromised host. They are also needed to run some particularly CPU-intensive policy analyzers that cannot be run in real time (as described in the Off-line Analysis section below).
Depending on your traffic load, you might be able to bulk capture on the Bro host directly, but in general we recommend using a separate packet capture host for this. Unless you want to buy a huge amount of disk, you will probably only be able to save a few days' worth of traffic.
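As an added example (not part of this chapter or of Bro itself), a small POSIX shell script for a dedicated capture host: it builds the tcpdump command for hourly rotated, compressed trace files, prunes files beyond the retention window the disk can hold, and locates the files that cover an incident time window for forensic work. The interface name, trace directory and retention period are assumed placeholders.

```shell
#!/bin/sh
# Rolling bulk capture for a dedicated packet-capture host (example only).
# Assumed values: capture interface, trace directory and retention period.
IFACE="${IFACE:-eth1}"
TRACE_DIR="${TRACE_DIR:-/data/traces}"
ROTATE_SECS=3600            # start a new trace file every hour
KEEP_DAYS="${KEEP_DAYS:-3}" # how many days of traffic the disk can hold

# Print the tcpdump command used for capture: full packets (-s 0), no name
# resolution (-n), rotate every ROTATE_SECS (-G) into a strftime-named file
# (-w), and gzip each file as soon as it is closed (-z). No BPF filter, so
# everything entering and leaving the site is kept.
capture_cmd() {
    printf 'tcpdump -i %s -s 0 -n -G %s -w %s/trace-%%Y%%m%%d-%%H%%M%%S.pcap -z gzip\n' \
        "$IFACE" "$ROTATE_SECS" "$TRACE_DIR"
}

# Delete trace files older than $2 days in $1; print how many were removed.
prune_old_traces() {
    find "$1" -name 'trace-*.pcap*' -type f -mtime +"$2" -print -delete | wc -l | tr -d ' '
}

# List the trace files covering the window [$2, $3] (timestamps formatted as
# YYYYmmdd-HHMMSS, matching the file names). The file that was already open at
# the start of the window is included, so nothing at the edge is missed.
traces_covering() {
    ls "$1"/trace-*.pcap* 2>/dev/null | sort | awk -v from="$2" -v to="$3" '
    {
        n = split($0, p, "trace-"); ts = substr(p[n], 1, 15)
        if (ts <= from) { last = $0; next }       # open at or before "from"
        if (ts <= to) { if (last != "") { print last; last = "" }; print $0 }
    }
    END { if (last != "") print last }'
}

# When run directly: prune, then start the capture in the foreground.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$TRACE_DIR"
    echo "removed $(prune_old_traces "$TRACE_DIR" "$KEEP_DAYS") old trace files"
    eval "$(capture_cmd)"
fi
```

Run it as `sh capture.sh run` under a process supervisor; after an incident, `traces_covering /data/traces 20240101-113000 20240101-121500` names the files to hand to Bro for off-line analysis.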