Network Computing is part of the Informa Tech Division of Informa PLC

Setting Up an Intrusion Detection System: Page 4 of 8

And beware that your log files will grow quickly, so consider a terabyte of storage for IDS logs so you can keep the data that records the history and genesis of a successful attack. The last thing you need is your log storage filling up and overwriting older log files while you're under attack.

Care and Feeding of Your IDS

With the IDS attached and plenty of storage available, it's time to start building the library of signatures. Visit www.snort.org to see how a widely used open-source IDS handles signatures and alerts. The Snort community has developed various ways of managing signature files and analyzing the contents of log files.

The size and complexity of these files drives home just how significant an investment in human resources an IDS requires. The exception is a network that changes very slowly and has a narrow range of vulnerabilities. Most organizations need a dedicated IDS person who studies the log files to learn which transactions represent normal traffic and which are actual attacks. Once that person has nailed the baseline down, he or she will need to examine the IDS logs daily and revise the signature files frequently.
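As an added illustration of the daily log review described above (this is not code from the article or from the Snort project), the script below parses constructed Snort alert_fast lines and summarises each signature by hit count and source spread, so an analyst can spot signatures that fire repeatedly on routine internal traffic and are candidates for tuning. The sample lines, the SIDs and the 192.168. internal prefix are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort's alert_fast format; SIDs, hosts and
# messages are illustrative, not taken from any real sensor.
SAMPLE_ALERTS = """\
01/15-09:02:11.120034  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:50112
01/15-09:02:15.331102  [**] [1:1000001:1] LOCAL Internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44321 -> 192.168.1.30:22
01/15-09:02:16.000219  [**] [1:1000001:1] LOCAL Internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44322 -> 192.168.1.31:22
01/15-09:02:17.442901  [**] [1:1000001:1] LOCAL Internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44323 -> 192.168.1.32:22
01/15-09:05:40.019384  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.21:50113
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def triage(alerts, internal_prefix="192.168."):
    """Per-SID summary: hit count, distinct sources, and whether every source
    is internal. A SID firing many times from one internal host is a tuning
    candidate (authorized scanner, chatty application); the analyst decides."""
    count, sources, msgs = Counter(), defaultdict(set), {}
    for a in alerts:
        count[a["sid"]] += 1
        sources[a["sid"]].add(a["src"])
        msgs[a["sid"]] = a["msg"]
    return {
        sid: {
            "msg": msgs[sid],
            "count": count[sid],
            "sources": len(sources[sid]),
            "all_internal": all(s.startswith(internal_prefix) for s in sources[sid]),
        }
        for sid in count
    }
```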

Although an IDS typically only recommends changes to routers, firewalls and servers, some can direct other devices to shut down attacks in progress. Some of Check Point Software's firewalls, for example, accept commands from an IDS, and many IDSs can send commands to shut down connections or block traffic to or from specific IP addresses.