Deciding What to Monitor

After putting together an IDS policy centered on what activity is deemed to be unauthorized, you need to put it to practical use. The outcome of the policy should be a high-level overview of the intrusion detection capability you will strive to achieve for the organization. After this process is finished, you should apply the policy to the portions of your network infrastructure you are going to monitor. Getting more granular, you will need to decide which services will be monitored, and the specific attack signatures that will be looked for. We will get into this level of detail when you tune Snort in Chapter 10.

The ideal situation is to monitor everything. Every network device would be covered under Snort's watchful ...

Get Intrusion Detection with Snort now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.