With the recent outbreak of the WMF Zero Day exploit, I'd like to get myself familiar with intrusion detection systems. I'd like a good introductory page or text on the subject, something that I can wrap my mind around fairly easily that explains how they work, what options there are out there, and a basic instruction in how to implement them.
Start with the Wikipedia article on intrusion detection systems. It gives you the foundation you need to start with: signature-based versus anomaly-based, host-based versus network-based, passive versus reactive (sometimes called intrusion detection versus intrusion prevention).
There are two main ways to set it up. One is to place the IDS in-line, forcing all traffic to pass through it, potentially creating a single point of failure. The other way is to set up the IDS in promiscuous mode so it listens to all traffic, and either interject a hub into your network traffic flow or set up a switch to mirror all traffic to a single port and put the IDS on that.
A main concern for us was making the internal traffic be seen by an IDS without buying an IDS for every switch (or waiting for the attack traffic to go through a choke point). We had to do some network redesign to make that happen. But you could start small and just put the IDS on a choke point.
I haven't read them, but I think a book by Richard Bejtlich would be helpful as well.
After that, it depends if you have money or not. I think you can still get Snort free. I'm sure they have some forums that would help with the setup. If you have money, there are tons of IDS products. We've tried a few. To me, accurate definitions, along with reporting and correlation of events, are important. I like my ISS IDS, but it's up on the DMZ behind a firewall so it doesn't have to work very hard. My Cisco IDS frustrates me, but I am told it can do what I want (reporting/alerting) if we install more software.
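The signature-versus-anomaly and passive-versus-reactive distinctions from the answer above, as an added example that is not part of the original post or of Snort, ISS or Cisco: a toy detector run over constructed connection records. The sample traffic, the single signature rule and the port-spread threshold are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (src_ip, dst_port, payload); not real captures.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1"),
    ("10.0.0.9", 21, b""),
    ("10.0.0.9", 22, b""),
    ("10.0.0.9", 23, b""),
    ("10.0.0.9", 25, b""),
]

# Signature-based rule (hypothetical): a byte pattern that must appear in
# the payload on a given destination port, the way a Snort rule matches content.
SIGNATURES = [("web-cmd-exe", 80, b"cmd.exe")]
# Anomaly-based rule (hypothetical): a source host touching more than this
# many distinct ports is outside the expected baseline.
MAX_DISTINCT_PORTS = 3


@dataclass
class Alert:
    src: str
    rule: str
    action: str  # "alert" (passive) or "drop" (reactive / in-line)


def run_ids(traffic, inline=False):
    """Return (alerts, forwarded). Passive mode alerts and forwards everything;
    in-line (reactive) mode drops a flagged record instead of forwarding it."""
    alerts, forwarded = [], []
    ports_seen = defaultdict(set)
    for src, port, payload in traffic:
        hits = [name for name, sig_port, pattern in SIGNATURES
                if sig_port == port and pattern in payload]
        # Anomaly detection only fires once the threshold is crossed, so the
        # earlier records from the same host have already been forwarded.
        ports_seen[src].add(port)
        if len(ports_seen[src]) > MAX_DISTINCT_PORTS:
            hits.append("anomaly-port-spread")
        action = "drop" if inline and hits else "alert"
        alerts.extend(Alert(src, name, action) for name in hits)
        if action != "drop":
            forwarded.append((src, port, payload))
    return alerts, forwarded
```

Run `run_ids(SAMPLE_TRAFFIC)` for the passive behaviour and `run_ids(SAMPLE_TRAFFIC, inline=True)` to see the same two detections turn into drops, with the earlier connections from 10.0.0.9 still getting through in both modes.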