I was looking into something like this as well. I'm looking to monitor network traffic, but being new to this kind of thing, I've been playing with numerous things, like Snort and a few various Linux Firewalls like Endian and Entangle with inline monitoring.
I would really love to see some additional material on how some of this stuff is set up, since some of the documentation I've read just is not clear enough.