13-3. Monitoring IDS Activity

When you configure embedded IDS sensors in your network, it is important to monitor their activity frequently. If the sensors are configured only to generate alarms, you need to see the alarms so that you can take the appropriate action. If the sensors are configured to drop or reset connections in response to an alarm, you should review the logs to learn what took place.

In addition, the IDS process as a whole requires some tuning to reduce the number of false-positive alarms. Watching the alarm logs helps you determine which alarms are false positives and should therefore be removed from the signature audit.

The following sections step through the two types of alarm collection as they are deployed and monitored.
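As an added example (not code from the book or from Cisco), the following Python script pulls IDS alarm messages out of a syslog capture and tallies them per signature, so that noisy signatures can be reviewed before deciding whether to disable them in the audit policy. The syslog line layout it parses and the sample alarm lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed PIX/ASA IDS syslog line layout (IDS alarms use message IDs 4000xx):
#   %PIX-4-4000NN: IDS:<sig> <description> from <src> to <dst> on interface <if>
IDS_LINE = re.compile(
    r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) "
    r"(?P<desc>.+?) from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample syslog capture (not taken from a real firewall).
SAMPLE_LOG = """\
Mar 10 09:01:02 fw1 %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.50 to 192.168.1.1 on interface inside
Mar 10 09:01:03 fw1 %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.50 to 192.168.1.2 on interface inside
Mar 10 09:01:04 fw1 %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.51 to 192.168.1.1 on interface inside
Mar 10 09:02:10 fw1 %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 203.0.113.9 to 192.168.1.10 on interface outside
Mar 10 09:02:11 fw1 %PIX-3-305006: portmap translation creation failed for udp src inside:10.1.1.50/137
"""

def parse_ids_alarms(text):
    """Return one dict per IDS alarm line; other syslog messages are skipped."""
    return [m.groupdict() for m in map(IDS_LINE.search, text.splitlines()) if m]

def summarize(alarms):
    """Per signature: alarm count plus the distinct sources and interfaces involved."""
    count, sources, ifaces = Counter(), defaultdict(set), defaultdict(set)
    for a in alarms:
        key = (a["sig"], a["desc"])
        count[key] += 1
        sources[key].add(a["src"])
        ifaces[key].add(a["iface"])
    return {k: {"count": n, "sources": sorted(sources[k]), "interfaces": sorted(ifaces[k])}
            for k, n in count.items()}

def tuning_candidates(summary, min_count=3, internal_iface="inside"):
    """Signatures that fire repeatedly and only on the internal interface.

    These are the usual false-positive suspects (e.g. a monitoring host pinging
    servers) to review before disabling them in the audit policy; anything seen
    on the outside interface is left alone.
    """
    return sorted(sig for (sig, _), v in summary.items()
                  if v["count"] >= min_count and v["interfaces"] == [internal_iface])

if __name__ == "__main__":
    summary = summarize(parse_ids_alarms(SAMPLE_LOG))
    for (sig, desc), v in sorted(summary.items()):
        print(f"IDS:{sig} {desc}: {v['count']} alarms from {v['sources']} on {v['interfaces']}")
    print("review as possible false positives:", tuning_candidates(summary))
```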

Verifying Syslog Operation ...
