I was given three hours' time for the class, which I split 60/40 between lecture and hands-on lab time. The lecture material presented foundation topics needed to understand what Bro does and how it works. A decent understanding of protocol design, event-based systems, system administration, and network forensics is required before thinking about Bro. These topics were covered briefly, followed by Bro-specific material. I also briefly discussed ElasticSearch and ELK and how those projects integrate with Bro (the ElasticSearch log writing code is now a plugin).
I've published the slides I presented for the lecture as well as the lab (which includes the step-by-step commands needed to set up Bro and ELK).
Instructing a class was an experience; instructing a class remotely was definitely a challenge, and I thank everyone for their patience with my ignorance of remote meeting software. I really enjoyed it and hope all the students gained *some* knowledge from the material even if it was only from my opinionated tangential rants about RFCs and HTTP.