Not to toot my own horn too much, but you should take a look at the openhids project: http://www.openhids.com. I think it has most of the capabilities you would need, and it is free.
