I realize that HM does not fall under the category of 'Intrusion Detection' tools, but it did give me the earliest notification today of an ongoing DOS attack on our web farm.
We monitor our web farm nodes for, among other things, ASP Current Sessions. An alert was generated today when ASP sessions on one node suddenly grew to about 50x normal. A quick check of the web log revealed a definite attempt at bringing down the server. A quick IP block added to the firewall and, presto, end of crisis.
It was not a distributed attack or even a very sophisticated attack, but nevertheless, within 10 minutes, the attack was detected, verified, and stopped. Thanks Alex -- I'm liking HM more every day.