Snort is definitely the way to go. It's a little hard to set up rules and whatnot at first, but there are some great tutorials out there. My biggest problem was I had a WAP that was blasting SNMP broadcasts, about 30,000 a day. Made for some HUGE log files.



