From: Juan B (juanbabi_at_yahoo.com)
Date: Fri, 10 Jun 2005 10:32:45 -0700 (PDT)
To: firstname.lastname@example.org
Before deploying an IDS you should know that this kind
of system needs a lot of maintenance. Setting up and
configuring the sensors is not a big deal; it is the
alert handling that needs to be configured. When you
first install it and start to receive alerts, you will
receive many false positive alerts on your machines.
In large firms there is a dedicated employee whose
only task is to handle this system.
Also consider having a very strong management server to
handle all the alerts (a MySQL server most of the time).
Use Snort as an IDS system.
You will need a signature handling application, which
you can find at www.activework.org.
Also be sure to armor the sensors before plugging them
into the network. I would put a sensor in the DMZ and in
each network segment, but not between the router and
the firewall; it will just fill your management server
with a lot of useless alerts.
Remember: false positives are the number 1 problem.
Hope it helped.
Mcse Ccna Ccsa Scsa
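The post's main point is that alert handling, not sensor setup, is the real work, and that false positives dominate. The following is an added example (not code from the poster or from the Snort project) of the kind of first-pass triage a dedicated IDS operator does: it parses a handful of constructed Snort `alert_fast` lines, counts hits per signature, finds the dominant source for each, and turns the noisy low-priority signatures into Snort 2 `threshold.conf` entries (`suppress` / `event_filter`). The sample alerts, the local-range SIDs, and the cutoffs `min_count=3` and `min_priority=3` are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in Snort's alert_fast format (not a real capture).
# SIDs are in the local-rule range (1000000+) and the messages are invented.
SAMPLE_ALERTS = """\
06/10-10:32:45.101 [**] [1:1000001:1] LOCAL ICMP ping (noisy monitoring host) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.1
06/10-10:32:46.204 [**] [1:1000001:1] LOCAL ICMP ping (noisy monitoring host) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.2
06/10-10:32:47.310 [**] [1:1000003:2] LOCAL suspicious user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.2.15:49152 -> 10.0.0.8:80
06/10-10:32:48.415 [**] [1:1000001:1] LOCAL ICMP ping (noisy monitoring host) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.3
06/10-10:32:49.520 [**] [1:1000002:1] LOCAL shell metacharacters in HTTP URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40001 -> 10.0.0.8:80
06/10-10:32:50.633 [**] [1:1000001:1] LOCAL ICMP ping (noisy monitoring host) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.4
06/10-10:32:51.740 [**] [1:1000003:2] LOCAL suspicious user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.2.16:49153 -> 10.0.0.8:80
06/10-10:32:52.855 [**] [1:1000001:1] LOCAL ICMP ping (noisy monitoring host) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.5
this line is not an alert and must be skipped
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src -> dst"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def _strip_port(endpoint):
    """'10.0.2.15:49152' -> '10.0.2.15'; bare IPv4 addresses pass through."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-matching lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "gid": m.group("gid"),
        "sid": m.group("sid"),
        "msg": m.group("msg"),
        "prio": int(m.group("prio")),  # Snort: 1 = most severe
        "proto": m.group("proto"),
        "src_ip": _strip_port(m.group("src")),
        "dst_ip": _strip_port(m.group("dst")),
    }


def summarize(alert_text):
    """Count alerts per signature and record the most frequent source per signature."""
    counts = Counter()
    meta = {}
    src_by_sig = {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = f"{a['gid']}:{a['sid']}"
        counts[key] += 1
        meta[key] = (a["msg"], a["prio"])
        src_by_sig.setdefault(key, Counter())[a["src_ip"]] += 1
    summary = []
    for key, n in counts.most_common():  # noisiest signature first
        top_src, top_n = src_by_sig[key].most_common(1)[0]
        msg, prio = meta[key]
        summary.append({"key": key, "msg": msg, "prio": prio, "count": n,
                        "top_src": top_src, "top_src_count": top_n})
    return summary


def tuning_candidates(summary, min_count=3, min_priority=3):
    """Signatures that fire often AND are low severity (priority >= min_priority).

    The cutoffs are assumptions for this example; high-severity signatures are
    never proposed for tuning here, however noisy they are.
    """
    return [e["key"] for e in summary
            if e["count"] >= min_count and e["prio"] >= min_priority]


def threshold_lines(summary, keys):
    """Emit Snort 2 threshold.conf entries for the chosen signatures.

    If a single source accounts for every hit, suppress that source only;
    otherwise rate-limit the signature to one alert per source per minute.
    """
    by_key = {e["key"]: e for e in summary}
    out = []
    for key in keys:
        e = by_key[key]
        gid, sid = key.split(":")
        if e["top_src_count"] == e["count"]:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {e['top_src']}")
        else:
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds 60")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for e in summary:
        print(f"{e['count']:4d}  prio {e['prio']}  {e['key']:12s} {e['msg']}  (top src {e['top_src']})")
    for line in threshold_lines(summary, tuning_candidates(summary)):
        print("proposed:", line)
```

The output is a review list, not something to apply blindly: a `suppress` line silences the signature for that source entirely, so it belongs only on sources you have confirmed (here, a monitoring host that pings every segment), while `event_filter ... type limit` keeps one alert per minute per source so the signature still shows up on the management server without flooding it.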