SANS paper entitled "Intrusion Detection on a Large Network".
It's a good paper for building and installing Snort. However, it's a
bit lacking in the data correlation side of the house (something that
you have to have to effectively monitor/protect networks of any size).