Check out BRO! (Score 1)
Just thought I'd put a plug in for BRO-IDS:
http://www.bro-ids.org/
Basically, you write all the signatures you want, but then write policy files on top of that to interpret that data, so it's a strict superset of Snort's functionality. There's even a tool in the distribution that lets you turn snort signatures into bro rules.
So, you can have things like:
If a user logs in to a machine on HOME NET from anywhere outside of HOME NET
and in the next 15 minutes initiates a file transfer to that machine
and that machine joins an IRC server or has FTP transfers from it in the next 2 days
then raise an alert
At OSU, Bro is used to check all files coming over the border against Team Cymru's (http://www.team-cymru.org/) DNS-based malware database.
Check it out! Plus, you get the INFORMATION SECURITY CUBE OF POTENTIAL DOOM! (http://www.nersc.gov/nusers/security/TheSpinningCube.php)
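The three-stage rule in the comment above (external login, file transfer within 15 minutes, IRC or FTP activity from that host within 2 days) is a stateful correlation rather than a single signature. The following is an added example, not code from the post or from the Bro project, that shows the same logic as a small Python correlator run over constructed log lines; the log format, the 10.0.0.0/8 HOME_NET, the hostnames and the IP addresses are all assumptions chosen for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed values for the example (not from the original post).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
XFER_WINDOW = timedelta(minutes=15)   # login -> file transfer
FOLLOWUP_WINDOW = timedelta(days=2)   # file transfer -> IRC/FTP from the host

# Constructed sample log: one chain that completes, one where the file
# transfer arrives too late, and one where the login is internal.
SAMPLE_LOG = """\
2024-03-01T09:00:00 login src=203.0.113.7 dst=10.0.0.5
2024-03-01T09:10:00 file_transfer src=203.0.113.7 dst=10.0.0.5
2024-03-02T14:00:00 irc_join src=10.0.0.5 dst=198.51.100.20
2024-03-01T11:00:00 login src=203.0.113.9 dst=10.0.0.6
2024-03-01T11:20:00 file_transfer src=203.0.113.9 dst=10.0.0.6
2024-03-01T12:00:00 irc_join src=10.0.0.6 dst=198.51.100.20
2024-03-01T13:00:00 login src=10.0.0.8 dst=10.0.0.7
2024-03-01T13:05:00 file_transfer src=10.0.0.8 dst=10.0.0.7
2024-03-01T13:10:00 ftp_transfer src=10.0.0.7 dst=198.51.100.30
"""


def parse_log(text):
    """Turn the constructed 'ts kind src=.. dst=..' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for f in fields:
            key, value = f.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def in_home_net(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def correlate(events):
    """Apply the three-stage rule over time-ordered events; return alerts.

    Stage 1: external source logs in to a HOME_NET host.
    Stage 2: a file transfer to that host within XFER_WINDOW of the login.
    Stage 3: that host joins IRC or performs FTP within FOLLOWUP_WINDOW.
    """
    logins = {}   # host -> time of most recent external login
    staged = {}   # host -> time of the file transfer that followed it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, ts = ev["kind"], ev["ts"]
        if kind == "login" and in_home_net(ev["dst"]) and not in_home_net(ev["src"]):
            logins[ev["dst"]] = ts
        elif kind == "file_transfer" and ev["dst"] in logins:
            if ts - logins[ev["dst"]] <= XFER_WINDOW:
                staged[ev["dst"]] = ts
        elif kind in ("irc_join", "ftp_transfer") and ev["src"] in staged:
            if ts - staged[ev["src"]] <= FOLLOWUP_WINDOW:
                alerts.append({
                    "host": ev["src"],
                    "login_at": logins[ev["src"]].isoformat(),
                    "transfer_at": staged[ev["src"]].isoformat(),
                    "trigger": kind,
                    "trigger_at": ts.isoformat(),
                })
                del staged[ev["src"]]  # one alert per completed chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print("ALERT:", alert)
```

Only 10.0.0.5 produces an alert: 10.0.0.6's file transfer lands 20 minutes after the login and so never reaches stage 2, and 10.0.0.7's login came from inside HOME_NET. Events are sorted by timestamp before evaluation so that out-of-order log delivery does not break the stage sequence; a production correlator would also expire stale stage-1 and stage-2 state instead of keeping it forever.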