We have a 4215 IDS in place that is identifying quite a few triggers based on Cisco signatures. It does not perform any automatic countermeasures. Right now, it is just providing information. Typically it is the same 5-10 different alerts being repeated many times. I am trying to assemble a report that will include recommended countermeasures for the various alerts, but can't find any good information. I thought going in that Cisco would include in its sig definitions the actions recommended for each alert, but I can't find such a thing. E.g., we get DNS Tunneling quite often. Cisco describes briefly what it is, but doesn't tell you what to do about fixing or mitigating the problem. Where do I find this type of information?