Well i have Snort up and running, logging to MySQL and viewable using the PHP based ACID.
It's really quite neat. Using ACID you can view alerts (ie. known potential attacks or probes etc.) and by cross referencing with your firewall logs can determine if your firewall is doing its job. Because Snort works off of TCPDump libraries it grabs the info before your firewall nails it
.
Only problem that i have encountered is that there doesnt seem to be an easy way to do the cross referencing. the IPTables ULOG daemon can log to MySQL but there doesn't seem to be much functionality associated with this. Guess i'll just have to learn PHP and build my own plugin...
If people are interested i'll look at writing up a howto??
Cheers