Give us some feedback when you can!
Will do. I'll get it running on a machine that's plugged into a span port on one of our more centralized switches. I'll also give it a try in our DMZ.
I've had it running for a little over 24 hours on a span port that's mirrored from the port where our perimeter firewall is plugged in that provids our primary connection to the internet. So far it hasn't found anything. I suppose that's a good thing, but makes for some boring testing. lol I might fire up a VM and do an intentional infection of some kind just to test it(famous last words I know).
I've had it running on a XP box with 2g of RAM, and it seems really stable with only 50megs of RAM used total on Snort and the bot hunter front end. Just for reference, I can fire up Ethereal(Wireshark) while connected to that mirrored port, and it will bring the system to a halt after a few minutes because the machine can't handle the load.
I'll report back when I have more information. I'll give it a run on a Linux machine in the next day or so.