LinuxQuestions.org, Linux - Networking forum
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
10-08-2010, 01:30 PM   #1
josephw47
LQ Newbie
Registered: Sep 2010
Location: North Carolina
Distribution: centOS 5, RHEL 5/6, SLES10/11, VMWare, Backtrack 4, Ubuntu 10.04
Posts: 20
Rep: Reputation: 0
IDS question/opinion: linux/snort vs commercial solution


More of an opinion question here.... maybe someone on here has more experience with this...
I need to come up with an IDS solution. Looking for a few thoughts from the masses. Would I be best off with a custom-built Linux solution, or should I go with one of the commercial solutions (Cisco, NetMRI, HP, etc.)?
I'm going off of the usual determining factors (reliability, throughput, cost effectiveness, administrative overhead, etc...).

It's for a (quite frankly, excessively used) high-traffic connection (dual redundant T3 upstreams and separate downstreams handled by 3 routers.... yea, the guy before me got it to work and I haven't truly wanted to contemplate the idea of touching that disastrous feat of network WTFWUT =( ) which requires a 99.9% SLA, and it needs to be able to monitor both the primary and redundant connection (also not my idea). It will be between the 3 routers. The 2 routers on the perimeter separate the I/Os and pipe the merged traffic into the third router.... and I need to park the IDS in the middle.

Any suggestions would be awesome... or someone more persuasive than I could talk my CIO into getting an OC1 =D
 
10-08-2010, 01:40 PM   #2
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 26,655
Rep: Reputation: 7970
Quote: Originally Posted by josephw47 [post #1 quoted in full]
If you can define "Best", we can tell you. But there's no real way to quantify it. If your organization has the $$$ to spend, and they're adamant about it being a "supported" (read: paid-for) solution, then you're better off buying something and shoveling any problems you have off to the vendor to solve.

However, there's very little you can't put together with Linux, and you can easily duplicate (and exceed) commercial products' capabilities. Snort is a good tool to use, and can form a good base for things. You can extend it further, start generating traffic reports, graphs, etc., whereas with the commercial products you are going to be limited to what THEY decide you need.

If you've got the time to learn and want to develop something that does 100% of what you need, go Linux. If you're already spread thin, and need something to make your bosses shut up, go commercial/off-the-shelf.
 
10-12-2010, 11:35 AM   #3
josephw47
LQ Newbie
Registered: Sep 2010
Location: North Carolina
Distribution: centOS 5, RHEL 5/6, SLES10/11, VMWare, Backtrack 4, Ubuntu 10.04
Posts: 20
Original Poster
Rep: Reputation: 0
Best: as in one's opinion, through their experiences with the various products commercially available versus a home-built solution. I know how to build one; I'm just looking for people who already have the aforementioned solutions in place and whether their experience with said solution made for an acceptable ROI (i.e. reasons that can justify a $10,000+ expenditure plus associated support subscription costs over a $500 solution that is supported by internal IT, which may possibly include additional staff to support said home-grown solution), or is it an outright waste of time/money and just an unnecessary point of failure in the network infrastructure?

Throughput: In one's experience, on an extremely active connection, how much traffic can one of these commercial units handle without causing an internal DoS due to said system being run beyond its capacity?

Reliability: How often do the commercial solutions break down or have to be rebooted (inadvertently creating a DoS)?

Administrative overhead: How much additional overhead will my IT staff incur with the commercial solution vs. the home-grown solution?

Short answer: In other people's opinion, how do their IDS systems fare, whether they chose to go the commercial route or home-built?

Last edited by josephw47; 10-12-2010 at 11:39 AM.
 
10-12-2010, 12:48 PM   #4
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 26,655
Rep: Reputation: 7970
Quote: Originally Posted by josephw47 [post #3 quoted in full]
Oh, that's easy...we built ours, and have had much better luck with them than with the commercial ones. In my opinion, the FOSS model gives you:
  • More flexibility - you set it up how and where you want, and decide what reports you want. You've got the tools to do it, and are only limited by your imagination.
  • More reliability - since you're using commodity hardware, you don't need a specialized appliance/server. So having four boxes in an HA cluster is very doable, even on a modest budget.
  • Throughput - haven't hit the upper limit on the commercial or FOSS products, so can't say.
  • Administrative costs - lower, I'd say, for the FOSS. Simply because during the build/install/configuration process, you'll learn EVERYTHING about the system, and how YOU'VE configured it. Easily documented during build time, so more easily referenced later. Since you don't have to depend on a vendor, or shovel $$ their way for support, you've got the answers when you need them, in a way that's totally customized for you.

Add to that the fact that you could use a generic desktop PC as your 'test' environment for new rule sets, patches, etc., and you lower costs and increase reliability even more. Commercial products? If you've got the $$$ to shove another one in your lab, that's great...but often you don't, and have to trust the vendor not to break things.
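TB0ne's point in post #2 about generating your own traffic reports from Snort, and the "decide what reports you want" bullet in post #4, both come down to owning the alert data rather than the vendor's dashboard. As an added example (not code from the thread or from the Snort project), here is a small Python script that parses Snort 2.x alert_fast lines into per-signature, per-source and per-priority counts and flags sources that trip a hit threshold. Every alert line is constructed for illustration: the SIDs are in the local-rule range (1000000 and up) and refer to no real published rule, the addresses are RFC 5737 documentation ranges, and the threshold of 3 is an arbitrary assumption.

```python
"""Summarise Snort 2.x alert_fast output into a per-signature / per-source
report. Added example, not from the forum thread. All sample lines are
constructed; SIDs >= 1000000 are local-rule range and refer to no real rule."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Snort 2.x alert_fast layout (IPv4 only here). The Classification block
# is optional and ICMP lines carry no ports:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: X] [Priority: N] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert, or None if the line is not in alert_fast format."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), msg=m["msg"],
        classification=m["cls"], priority=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )

@dataclass
class Report:
    total: int = 0      # lines that parsed
    unparsed: int = 0   # lines that did not: counted, never silently dropped
    by_signature: Counter = field(default_factory=Counter)  # (gid, sid, msg) -> hits
    by_source: Counter = field(default_factory=Counter)     # src IP -> hits
    by_priority: Counter = field(default_factory=Counter)   # priority -> hits
    noisy_sources: List[str] = field(default_factory=list)  # at/above threshold

def build_report(lines: Iterable[str], noisy_threshold: int = 3) -> Report:
    """Aggregate alert lines. Sources with >= noisy_threshold hits are listed
    separately: candidates for a closer look, or for rule thresholding."""
    rpt = Report()
    for line in lines:
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        if a is None:
            rpt.unparsed += 1
            continue
        rpt.total += 1
        rpt.by_signature[(a.gid, a.sid, a.msg)] += 1
        rpt.by_source[a.src] += 1
        rpt.by_priority[a.priority] += 1
    rpt.noisy_sources = sorted(
        src for src, n in rpt.by_source.items() if n >= noisy_threshold)
    return rpt

def format_report(rpt: Report, top: int = 5) -> str:
    """Plain-text summary; hand the counters to a grapher if you want charts."""
    out = [f"alerts parsed: {rpt.total}   unparsed lines: {rpt.unparsed}",
           "by priority: " + ", ".join(
               f"P{p}={n}" for p, n in sorted(rpt.by_priority.items())),
           "top signatures:"]
    for (gid, sid, msg), n in rpt.by_signature.most_common(top):
        out.append(f"  {n:5d}  [{gid}:{sid}] {msg}")
    out.append("top sources:")
    for src, n in rpt.by_source.most_common(top):
        flag = "  <-- noisy" if src in rpt.noisy_sources else ""
        out.append(f"  {n:5d}  {src}{flag}")
    return "\n".join(out)

# Constructed sample alerts (RFC 5737 documentation addresses, not real traffic).
SAMPLE_ALERTS = [
    "10/08-13:30:01.123456  [**] [1:1000001:2] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.20:445",
    "10/08-13:30:01.223456  [**] [1:1000001:2] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.21:445",
    "10/08-13:30:01.323456  [**] [1:1000001:2] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51236 -> 192.0.2.22:445",
    "10/08-13:30:44.000001  [**] [1:1000002:1] LOCAL web shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40112 -> 192.0.2.10:80",
    "10/08-13:31:05.000100  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.1",
    "10/08-13:31:09.500000  [**] [1:1000002:1] LOCAL web shell upload attempt [**] [Priority: 1] {TCP} 198.51.100.9:40113 -> 192.0.2.10:80",
    "this line is deliberately not in alert_fast format",
]

if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_ALERTS)))
```

Point it at the file Snort's alert_fast output plugin writes on the production sensor, or at the alert file the lab box produces when you replay a capture against a new rule set before it goes live. The parsed/unparsed counts are deliberately kept: a jump in unparsed lines after a Snort upgrade or output-plugin change tells you the reporting has quietly broken, which is exactly the kind of thing you want to catch on the test PC rather than on the box sitting between the three routers.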
 