[Bro] Intrusion prevention

Vern Paxson vern at icir.org
Fri Aug 26 15:23:05 PDT 2005


> Will it be interfacing with a firewall like iptables (like snort-inline does)?

It's a different API, and not directly suitable for use with something
like iptables (our approach is quite fine-grained).

Note, we already (and for a long time) run Bro in a reactive fashion, for
which the policy script can drop hostile traffic.  But this isn't the full
power of an IPS since there's latency between discovering a problem and
blocking a host, so damage can still occur.

		Vern


