The default signature settings are a good starting point. As the IDS is used and alarms are fired, tuning is usually required on most networks. Tuning the base signatures usually falls in three categories: turning off signatures (even just for one host), turning signatures on, and changing the default severity.
Turning off signatures: This is usually done on a system-wide basis if you feel you don't need the signature at all (ie. you only run apache and don't care about IIS signatures). Usually this doesn't happen as most people want to know if they are getting attacked even though the attack is doomed to fail. But you also can turn signatures 'off' with single hosts by using the RecordOfExcludedAddress, this is typically used once you discover a machine that produces traffic that trips a 'false positive' in a particular signature. This type of tuning is somewhat common.
Turning signatures on: There are relatively few signatures that are turned off by default. These signatures are usually too nosy and pose a small amount of risk. One example would be a NETBIOS session failure, a common event in a windows network and usually too nosy to be any good. However, if you run a largely UNIX environment with only a couple of windows boxes you might see value if this signature is on.
Changing the default severity: This is done typically because the administrator finds some attacks more serious than others. The administrator might only want a few level 5 sigs while there are many at that level in the default configuration. This is entirely a personal perspective thing.
The examples above are simple examples to illustrate a point, bottom line is the administrator knows his/her network the best and is usually the best person to tune their sensor. It isn't something you do in one night though...time teaches you things as your IDS is present on your network and you investigate alarms. Eventually, tuning will be used to help limit (or strengthen) your investigations.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :