We recently had a FW hardware failure and I replaced it with a basic ubunutu server running iptables and it seems to be working well. One of our sites came under a denial of service attack and I am looking at an IDP type solution and wondering about snort. Can I run this app (or another that people can suggest) on the firewall and/or is it recommended?

The box is sitting pretty idle, so not sure on what resources but I am going to start reading up, but thought someone might already have done this and thumbs up it, or says not to, or suggests otherwise.

Thanks

Within a firewall server to defend yourself directly you would probably want snort-inline, which turns snort from an ids to an ips. I've not had too much experience with it over recent years, but certainly you can run it on your generic hardware firewall. What is worth saying though is that a significant percentage of attacks can be filtered out with iptables alone by looking at connection limiting, tarpit destinations and similar, meaning the traffic doesn't even need to hit an ips system. iptables really has from pretty sexy modules, which would quite possibly have mitigated a DDOS with some ease.