Snort is a fantastic detection engine, but interpreting its default output (text files of alerts and libpcap traces of the offending packets) is not for the faint of heart. I recommend that anyone who wants to fully leverage Snort investigate a Snort add-on such as Bamm Visscher's Sguil suite. Sguil is an interface to Snort alerts, but it supplements those alerts with session data collected by John Curry's SANCP program and full content data (packet captures) collected from a variety of sources. Once you've tried Sguil, you will wonder how you ever detected and responded to intrusions without it.
This was first published in January 2008.