I don't have experience with either of the honeypot packages.

I have used both Snort and Bro-IDS.   If you are going to use Bro-IDS, use BSD as the OS.   The documentation for Bro is quite bad for anything other than BSD.  I had quite a few issues getting it up and running.  I couldn't get any sort database logging going at all.  It performed reasonably well, but I found it detected much less than Snort.  It was also inconsistent.  I put it through quite a few tests.   In general, i wouldn't recommend this product from personal experience.

Snort, is much easier to configure.  I had it running on Redhat and Ubuntu boxes without any issues.  Most distributions even include it as package.  Database integration was also easy to configure and well documented.  The most difficult part is learning the exception, processor, and rules syntax.  If you get stuck, pick up the "Snort IDS and IPS Toolkit" book.  Also, make sure that you install a front-end for Snort, otherwise you will end up managing it through config files only.   Snort, has much better documentation and much more support in the community.   I would go with Snort.

Finally, you can look into the OSSIM package, which includes Snort, Arpwatch, Nessus, and a bunch of other tools.  It's a good security management console.

http://www.alienvault.com/community.php?section=Home

Thanks for response. Yesterday I set up Ossec HIDS, but I'm not sure if it is useful. Modern internet security programs have some kind of "hids" already built in. And I think that HIDS is only useful for client host.
I also played with HoneyBOT, and it is cool, but to easy in some way. Do you know any european producer of modern honeypots and honeypot's like IDS software?

I checked OSSIM. It looks great. If I understood correctly, is all in one platform. But tell me, does make some program settings easier? Or will I have to spend few days configuring different programs which comes with OSSIM?

For an IDS, take a look at Suricata http://www.openinfosecfoundation.org/

Oh the SCADA PITA environment! I have a client who's one of the many contractors @ a gas plant which had a horrible explosion earlier this year. So I guess to an extent, the answer is yes, however, our testing did NOT include any HMI based controls, etc. For particular questions on that I'd post them to the SCADA mailing list (http://news.infracritical.com/mailman/listinfo/scadasec) With that said... Define SCADA. Pentesting against say the corporate network in a SCADA based environment shouldn't interfere with mission critical controls (theoretically) as the controls infrastructure is usually segregated (theoretically).

I think about protecting on Operator Work station and HMI Web/DB server level. I believe (but i don't know yet) that Operator Work station isn't segregated from corporate network at small local plants in my area.