The Bro is a programming language designed from the ground up for working with network traffic. In this talk we will cover useful tool- tactics and procedures for examining network traffic for incident response. By building a library of reusable components we will equip our IR team with new capabilities to speed up the incident resolution process with a focus on identifying the real threats facing todays teams. In this demonstration heavy talk we will review practical cases around attack on SSL/TLS- SQL Injection- XOR’d content- and more.