I've been playing around with snort lately. For the most part, I've just been playing with it in a lab.
I've tried on both windows and linux. I seem to prefer linux.

I have configured snort on Fedora Core 2 with Apache, mysql, php and ACID.

I followed the guide that is on snort.org with some minor changes.

I plan on running this in parallel to our current IDS to see how it holds up.
If all works out well, I'll be replacing my current IDS.

First off, a little info about the box on which it is running:

PIII 800MHZ, 256mb ram (soon to be upgraded to 512), 20 gig HD.

In the lab environment, there are only a dozen or so PCs all hooked to a switch which is hooked to a hub (so I can use snort) and then to a router.

In the production environment it will be similar. I'll be putting it after the firewall.
There will be also be many more acitve boxes.

The listening interface will have no ip address.
The access interface will be on a separate private network of which only two workstations will be able to access. I have locked down the box and services. Only two user accounts will have access to sshd and only one user account for ACID.

I couldn't find any good resources for this:

Some Questions:

What are the recommended system requirements for a T1 with about 150 users?
Would the hardware that I'm currently using be enough?
Should I get a new dedicated server for this with a lot of storage?
How much storage do I need?
Does it matter that I keep the logs on the snort box?

During the install I selected no mail servers.
However, sendmail is installed and running. I didn't kill that service. Is sendmail necessary?
sendmail is currently firewalled and it can't be used except for locally.

Thanks for any input you have! You know I appreciate it!