You should have the following information before you attempt advanced tuning:
The network topology
The network address space
Which inside addresses are static and which are DHCP
The operating system running on the servers
Applications running on servers
The overall security policy
The location of the sensor is important for tuning considerations. The nature of the traffic that the sensor monitors will vary, and so will the security policy that the sensor interacts with. When the sensor is outside the firewall, for example, you should avoid assigning a high severity level to any single event. Also, turn off all response actions, and use the sensor to look for trends that might indicate ...