Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IDS General Problematics

Lots of posts on in-depth technical questions on this forum, while mine is a lot more generic.

As a service provider we manage many seperate customer networks, some internet connected, some not. We have been looking at several IDS systems for a while now, and it´s not technical problems which are causing us headaches but more functional.

If we would to roll out IDS for several networks, no doubt we´ll be hit around the head with lots of events, intrusions, logs what have ya. To maintain a 24 h service on this level is downright nearly impossible. You would need Level 3 technical personel to look at these events, even if they can be cut down to a few a day, it would still mean looking into these alerts on a daily/nightly basis and determine the next cause of action. In my opinion large environments will result in many (to many) alerts, filtering them will help, but will also improve changes you might be missing a serious event.

Obviously to have this much manpower on it would be very expensive. I would like to receive some comments on how some of you are coping with this, or is it not as bad as it all looks? Maybe if you tune it right a few alerts a week? I have no idea what to expect, that part of the problem.


New Member

Re: IDS General Problematics

First, make sure you install the IDS behind a firewall. That will stop a lot of unwanted alarms. Thats really all you want to monitor anyway, what gets through the FW. Then its a matter of tweeking the IDS until you are only being notified by true intrusions and not a bunch of false positives. It takes several days/weeks to get the signature list trimmed down. There will be a lot of false positives at first. The IDS does all the work (eventually ) anyway by resetting and blocking connections. Takes some time to get it settled down though.

CreatePlease to create content