There are two types of IDS systems - HIDS (host intrusion detection system) and NIDS (network intrusion detection system). An example of a HIDS would be Tripwire, and an example of a NIDS would be Snort or any of the standalone commercial products.
In independent testing (in 2002), Snort beat the commercial products from Enterasys and Cisco. I can tell you that I had it running on a 400 MHz machine monitoring a full (always busy) T1 and it was taking about 30-40% of the CPU. However, I was having it log to a MySQL database, and I didn't perform some of the steps needed to mitigate the performance impact (since it wasn't an issue).
Having said all that, I would not recommend putting ANY NIDS on an active machine - it should be on a dedicated machine. There are several reasons for this, including the fact that if somebody DOES break in to your system, having the IDS on it means that they can hide the evidence that they were there (the same way they can clean stuff from the log files). Another thing to remember is that you could be recording user names and passwords, and you certainly don't want that on the same machine as your users. Get an old machine, run a stripped-down Linux on it (www.devil-linux.org has one that is perfect for this), and only have it run Snort (and the associated components like MySQL [to log the attack records], ACID, etc.).
And yes - the buffer overflow issue has been resolved.