Where to start? (Score 3, Interesting)

I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a Honey pot/IPS with blocking capabilities like activescout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.