Cisco Security Professional's Guide to Secure Intrusion Detection Systems

Once the Cisco IDS sensor is racked and operational, and the IDS management device or director is configured and communicating properly, it is time to tune the IDS signatures to the traffic patterns that actually occur on your network. The sensor needs to run for a period of time, normally a week or so, to build a baseline of activity to work from. Without that baseline it is impossible to know for sure whether an alarm is real or whether it has resulted from a setting that is wrong for your network's traffic, and without optimized signatures the IDS sensor is of little use. To start baselining the network, the sensor is placed at a strategic location where it can see and analyze all of the targeted traffic that passes by it. Put simply, you are data-mining from a security perspective. Data-mining needs a query, and here the tuned signature is the query: anything that meets the parameters of the signature triggers an alarm and sends an event to the IDS management device. We are studying the traffic behavior of the network and teaching the IDS sensor to decide which data and patterns are out of the norm for the network, so that it can respond with some type of notification or action, such as shunning.
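The baselining step above, worked through as an added example that is not from the book or from Cisco: a week of constructed per-signature alarm counts serves as the baseline, and each signature is then sorted into "tune" (fires constantly on this network, so it is a tuning candidate), "alert" (today's count is far above its baseline) or "normal". The signature names, counts, the noisy-signature floor and the z-score threshold are all assumptions chosen for illustration.

```python
"""Baseline-driven triage of IDS signature alarm counts (constructed example)."""
from statistics import mean, pstdev

# Constructed week-long baseline: alarms per day for each signature.
# The signature labels are illustrative placeholders, not real Cisco signature IDs.
BASELINE = {
    "SIG-A ICMP echo sweep":    [40, 38, 45, 41, 39, 44, 42],  # constant chatter
    "SIG-B SMB share enum":     [2, 0, 1, 3, 1, 0, 2],
    "SIG-C HTTP dir traversal": [0, 0, 0, 1, 0, 0, 0],
}

# Constructed alarm counts observed on one day after the baseline period.
TODAY = {
    "SIG-A ICMP echo sweep": 43,
    "SIG-B SMB share enum": 25,
    "SIG-C HTTP dir traversal": 0,
}


def baseline_stats(daily_counts):
    """Mean and population standard deviation of one signature's daily counts."""
    return mean(daily_counts), pstdev(daily_counts)


def classify(signature, today, baseline, noisy_floor=20, z=3.0):
    """Decide how to treat a signature from its baseline and today's count.

    'tune'   - fired heavily every day of the baseline: the alarm carries no
               signal on this network and the signature needs re-tuning.
    'alert'  - today's count is well above the baseline: worth investigating.
    'normal' - within the variation seen during the baseline week.
    """
    counts = baseline[signature]
    if min(counts) >= noisy_floor:
        return "tune"
    mu, sigma = baseline_stats(counts)
    # pstdev of a nearly flat series is ~0; keep a floor of 1 so a rise from a
    # near-zero baseline still needs several alarms before it is escalated.
    threshold = mu + z * max(sigma, 1.0)
    return "alert" if today > threshold else "normal"


def triage(today=TODAY, baseline=BASELINE):
    """Map every signature seen today to its verdict."""
    return {sig: classify(sig, count, baseline) for sig, count in today.items()}


if __name__ == "__main__":
    for sig, verdict in triage().items():
        print(f"{verdict:7} {sig}")
```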
As you can see in our discussion of IDS signatures, the IDS signature is the heart and soul of successful IDS deployment...