Using snort to detect if your users are doing interesting things?

Also figure out what you're going to do with the output. Do you have
the resources to investigate apparent misbehavior? Remember that any
IDS will have a certain false positive rate. Even for true positives,
do you have the customer care resources to notify your users and (if
appropriate) hold their hands while they disinfect their machines?

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

And along the same lines, as much as it irks me to state this, one needs to
ask whether this really is a desirable state and what sort of implications
does one create when that is done. One might find the discussions with
appropriate legal counsel to be quite enlightening, for example, and they
are probably a good starting point prior to even attempting to
operationalize sorting out wheat from chaff, let alone responding in a
useful manner.

Best regards,
Christian

My suggestion, in the case that you'll use snort, is to do some extensive
testing on a non-production network. Take the time to learn and
understand its functionality and intended purpose.

Also figure out what you're going to do with the output. Do you have
the resources to investigate apparent misbehavior? Remember that any
IDS will have a certain false positive rate. Even for true positives,
do you have the customer care resources to notify your users and (if
appropriate) hold their hands while they disinfect their machines?

it's enough of a pita to clean up the syslogs from all the 25k/day
password attacks per host, when one does not have password ssh
even enabled.

randy

How about project Darknet and sinkholes and monitoring dark IP space? Worms and botnets usually scan blindly right and left, so there is a good chance you will get a glimpse of infected hosts if that's what you want. I catch infected hosts by looking at Apache access logs and I see a lot of scans,

and Randy, for that I change the ssh port to a higher one :)

Read the following interesting article:
http://www.spectrum.ieee.org/WEBONLY/publicfeature/may05/0505worm.html

Greets,
Jeroen
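One way to do what Jeroen describes, picking scanning hosts out of Apache access logs, as an added example that is not code from anyone in this thread: it parses common/combined-format lines and flags hosts whose requests are mostly 404s to many distinct paths. The log lines are constructed, and the thresholds are assumptions that should be tuned with Bellovin's false-positive caveat in mind.

```python
import re
from collections import defaultdict

# Matches the start of an Apache common/combined log line (referer/agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one host probing many paths that
# do not exist, one normal visitor, one visitor with a single mistyped URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2005:01:02:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 290
203.0.113.7 - - [10/May/2005:01:02:04 +0000] "GET /admin/ HTTP/1.0" 404 290
203.0.113.7 - - [10/May/2005:01:02:05 +0000] "GET /scripts/ HTTP/1.0" 404 290
203.0.113.7 - - [10/May/2005:01:02:06 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 290
203.0.113.7 - - [10/May/2005:01:02:07 +0000] "GET /_vti_bin/ HTTP/1.0" 404 290
198.51.100.2 - - [10/May/2005:01:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.2 - - [10/May/2005:01:05:01 +0000] "GET /style.css HTTP/1.1" 200 812
192.0.2.9 - - [10/May/2005:01:06:00 +0000] "GET /indx.html HTTP/1.1" 404 290
192.0.2.9 - - [10/May/2005:01:06:02 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

def parse(lines):
    """Yield parsed fields for each line that looks like an access-log entry."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_hosts(lines, min_404=4, min_ratio=0.8):
    """Return {ip: (n_distinct_404_paths, paths)} for hosts whose requests are
    mostly 404s to many distinct paths. Thresholds are assumptions; raising
    them trades missed scanners for fewer false positives to investigate."""
    total = defaultdict(int)
    miss_paths = defaultdict(set)
    for rec in parse(lines):
        total[rec["ip"]] += 1
        if rec["status"] == "404":
            miss_paths[rec["ip"]].add(rec["path"])
    flagged = {}
    for ip, paths in miss_paths.items():
        if len(paths) >= min_404 and len(paths) / total[ip] >= min_ratio:
            flagged[ip] = (len(paths), sorted(paths))
    return flagged

if __name__ == "__main__":
    for ip, (n, paths) in suspicious_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct missing paths, first {paths[0]}")
```

Feed it a real log with `suspicious_hosts(open("access_log"))` and expect to raise `min_404` on a busy site, where ordinary typos and stale links also produce 404s.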