For our network I think this would be perfect!! Our router does not have port spanning capabilities that I know of (Linksys RV042), so, again, how would I create, or where would I purchase, a passive ethernet tap? I saw info about this in the Snort manual/FAQ, but I was somewhat confused.
Even though the bridge is invisible, some layer 2 firewalling can still be performed on it if desired, such as MAC==IP address matchings. It is not a bridge past the firewall. I think I was unclear in my explanation. The setup would look like this:
Upstream ISP ==> F/wall ==> Snort Bridge ==> Webserver ==> F/wall ==> Snort Bridge ==> LAN
Where both Snort bridges are in fact running on the same box and are invisible to the rest of the network.
Miracle> True, though: a downed Snort box here would mean a downed network. If you don't have port spanning capabilities, see about purchasing passive ethernet taps. I have a couple here that work well (I doubt they'd handle a high load since I built them myself -- I imagine professional-quality taps would work far better). Either that, or pass the traffic through a hub before going to any production switch. A second port on that hub can then forward traffic to the IDS.
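As an added example that is not part of the original thread or any poster's own setup: the shell script below builds the kind of invisible Snort bridge described above on a Linux box (two ports joined into a bridge that never gets an IP address), adds one ebtables rule of the MAC-to-IP pairing sort mentioned for layer-2 firewalling, and starts Snort 2.x on the bridge. The same `start_snort` function also covers the tap/hub alternative by pointing Snort at the monitor-facing port instead. The interface names `eth1`/`eth2`, the bridge name `br0`, the webserver MAC `00:11:22:33:44:55` and IP `192.168.1.10`, and the config path are all assumptions. Commands are printed rather than executed unless `APPLY=1` is set, so the script can be reviewed before it touches a real network.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, MAC, IP and
# config path are assumptions. Prints commands unless APPLY=1.
set -eu

BR=${BR:-br0}                 # assumed bridge name
UPLINK=${UPLINK:-eth1}        # assumed firewall-side port
DOWNLINK=${DOWNLINK:-eth2}    # assumed webserver/LAN-side port
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed Snort 2.x config

# Execute a command when APPLY=1, otherwise print it for review.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Join the two ports into a transparent bridge. No 'ip addr add' is ever
# issued for $BR, so the box has no layer-3 presence on either side; it only
# forwards frames, which is what makes it invisible to the network.
build_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set "$UPLINK" master "$BR"
    run ip link set "$DOWNLINK" master "$BR"
    run ip link set "$UPLINK" up
    run ip link set "$DOWNLINK" up
    run ip link set "$BR" up
}

# Layer-2 firewalling on the bridge: drop any IPv4 frame forwarded across the
# bridge that claims source IP $2 but does not carry source MAC $1.
pin_mac_to_ip() {
    mac=$1
    ip=$2
    run ebtables -A FORWARD -p IPv4 --ip-src "$ip" -s ! "$mac" -j DROP
}

# Start Snort as a daemon on the given interface (default: the bridge).
# For the tap/hub approach, pass the port plugged into the tap or hub instead.
start_snort() {
    run snort -i "${1:-$BR}" -c "$SNORT_CONF" -D
}

main() {
    build_bridge
    pin_mac_to_ip 00:11:22:33:44:55 192.168.1.10   # assumed webserver MAC/IP
    start_snort
}

main
```

Run it once without `APPLY` to read the exact commands it would issue, then with `APPLY=1` as root on the bridge box. Because the bridge carries no IP address, remember that management of the box has to happen over a separate interface, and that the bridge going down takes the path with it, as noted above.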