Alert All the Things! (Network Baselines/Alerts with Bro Scripts)

I gave this talk as a two-hour workshop at BSides Jackson, but I'm turning it into a presentation with a demo. I wrote a Bro script that imports a list of network connections from a file (it looks a lot like a firewall config). Any connection to a baselined host is checked against that database; if the connection isn't in the database, the script generates a log entry. I'm using bro_agent with SGUIL to bring these logs into SGUIL. The talk will cover:

1. Why baselines
2. How to create one using Bro/ELSA
3. Using the baseline with my Bro script to generate alerts
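As an added illustration of the approach described above (this is not the script from the talk; the file path /opt/bro/share/baseline.tsv, the rule fields orig/resp/resp_p/comment, the module name Baseline and the choice of the Notice framework for output are all assumptions made here), a Bro 2.x script that loads a firewall-style baseline with the Input framework and raises a notice for any connection to a baselined host that has no matching rule:

```bro
##! Example baseline checker (illustrative, not the talk's own script).
##! Loads a tab-separated baseline file and raises a notice for any
##! connection to a baselined host that is not covered by a rule.

@load base/frameworks/notice
@load base/frameworks/input

module Baseline;

export {
    redef enum Notice::Type += {
        ## A connection to a baselined host that matches no baseline rule.
        Unexpected_Connection
    };

    ## Path to the baseline file (assumed location; override with redef).
    const baseline_file = "/opt/bro/share/baseline.tsv" &redef;

    ## Index of one baseline rule: originator, responder and responder port.
    ## The file needs a "#fields orig resp resp_p comment" header line.
    type Idx: record {
        orig:   addr;
        resp:   addr;
        resp_p: port;
    };

    ## Value of one baseline rule: a free-text description.
    type Val: record {
        comment: string;
    };

    ## The baseline, as loaded from the file.
    global rules: table[addr, addr, port] of Val = table();

    ## Hosts that appear as a responder in at least one rule; only
    ## connections to these hosts are checked.
    global baselined_hosts: set[addr] = set();
}

event bro_init()
    {
    # REREAD mode re-parses the file whenever it changes on disk, so the
    # baseline can be edited without restarting Bro.
    Input::add_table([$source=baseline_file,
                      $name="baseline",
                      $idx=Idx,
                      $val=Val,
                      $destination=rules,
                      $mode=Input::REREAD]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name != "baseline" )
        return;

    # Rebuild the responder set each time the file has been (re)read.
    baselined_hosts = set();
    for ( [o, r, p] in rules )
        add baselined_hosts[r];
    }

event connection_established(c: connection)
    {
    local o = c$id$orig_h;
    local r = c$id$resp_h;
    local p = c$id$resp_p;

    # Hosts without a baseline are out of scope for this check.
    if ( r !in baselined_hosts )
        return;

    # Exact match on (orig, resp, resp_p) means the connection is expected.
    if ( [o, r, p] in rules )
        return;

    NOTICE([$note=Unexpected_Connection,
            $msg=fmt("%s -> %s:%s is not in the baseline", o, r, p),
            $conn=c,
            $identifier=cat(o, r, p)]);
    }
```

The baseline file is plain tab-separated text: a "#fields	orig	resp	resp_p	comment" header followed by one rule per line, with ports written the way Bro prints them (for example 443/tcp). Notices land in notice.log, which is what an agent such as bro_agent would forward to SGUIL. connection_established only fires for completed TCP handshakes, so scans and UDP traffic are not checked; switch to new_connection if every attempt should be evaluated. Under the Zeek name the init event is zeek_init, but the rest of the script is unchanged.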