[Bro] Is there a quickstart method?

David Caldwell dcaldwell at colsa.com
Tue Nov 28 08:42:33 PST 2006


I am seeking a quickstart method to perform the following.

The intended purpose of the Bro install I am working on is to monitor  
incoming traffic only. To break it down simply, I want to track only  
those incoming events that would appear to be malicious (ssh, telnet,  
etc.). We are trying to upgrade our security situation here, and in  
order to get our customer to go along with it we have to show good  
reason why we need it. Using Bro to capture attempted malicious  
traffic will help us clarify the need for stiffer security measures  
than we currently implement.

I am reading the manuals, looking for the info I need to do just  
that. If I can get some pointers from you as to where to look  
to do just what I have intended, it would speed up the process for  
what I have in mind.

We don't, however, wish to police our own outgoing and responding  
traffic. I know this is possible with Bro, and am trying to get this  
system up and running asap.

Can anyone provide pointers in the manuals, or other locations for  
such a setup?


