How To Guide
How to Set Up Intrusion Detection Systems (IDS)
Monitor traffic for suspicious patterns in real-time.
Overview
An IDS alerts you to potential breaches.
Step 1: Choose an IDS
Select a solution.
1. Options
- Snort: Free, industry standard
- Suricata: Free, multi-threaded
- pfSense: Includes Snort/Suricata
- Commercial: Cisco, Palo Alto
2. Deploy
- Mirror/SPAN port on the main switch
- Or inline as an IPS
- OSSEC for host-based detection (HIDS)
Step 2: Tune
Reduce false positives.
1. Process
- Install Emerging Threats rules
- Define home network ranges
- Run in detection-only mode for 2-4 weeks
- Categorise alerts
- Enable blocking gradually
Pro Tip:
Expect many false positives initially. Tuning is essential.
2. Deploy and Configure
- Install on a dedicated machine or VM with sufficient CPU and RAM
- Connect to a SPAN/mirror port on your core switch to see all traffic
- Install the Emerging Threats Open ruleset (free) as your baseline
- Define your HOME_NET variable to match your internal IP ranges
- Define EXTERNAL_NET as everything that is not HOME_NET
- Enable rules relevant to your environment (Windows, web servers, etc.)
- Disable rules for services you do not run (reduces false positives dramatically)
3. Tuning and Reducing False Positives
- Run in detection-only mode (IDS, not IPS) for the first 2-4 weeks
- Review ALL alerts generated during the tuning period
- Categorise each alert: true positive, false positive, or expected behaviour
- Suppress rules that generate excessive false positives from known-good sources
- Create threshold rules: Alert only after N occurrences in M minutes
- Whitelist trusted internal scanners, backup systems, and monitoring tools
- Document every tuning decision so new team members understand the rationale
Pro Tip:
An untuned IDS generates so much noise that real threats get buried. Invest time in tuning — a well-tuned IDS with 50 rules is more valuable than an untuned one with 50,000 rules.
4. Alert Management and Response
- Configure alert priorities: Critical, High, Medium, Low
- Send Critical alerts via email and SMS immediately
- Route High alerts to your monitoring dashboard for same-day review
- Log Medium and Low alerts for weekly batch review
- Create response procedures for each alert category
- Integrate IDS alerts with your SIEM if you have one
- Review and update rules monthly based on new threat intelligence
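The following is an added example, not code from this guide or from the Snort/Suricata projects. It applies the tuning and alert-management steps above (suppress trusted sources, fire only after N occurrences in M seconds, route by priority) to Suricata EVE JSON alert records; the records, IPs and signature IDs are constructed placeholders, and the severity-to-priority mapping is an assumption.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed mapping of Suricata alert.severity (1 = highest) onto the guide's priorities.
PRIORITY = {1: "critical", 2: "high", 3: "medium", 4: "low"}
# Whitelist: trusted internal scanner IP -> signature IDs to suppress (placeholder sids).
SUPPRESS = {"10.0.0.5": {9000001}}
# Threshold rules: sid -> (N occurrences, M seconds), tracked per source IP.
THRESHOLDS = {9000002: (5, 60)}

def parse_ts(ts):
    # EVE timestamps look like 2024-05-01T09:00:00.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def triage(eve_lines):
    """Return counts of suppressed / below-threshold alerts and survivors routed by priority."""
    result = {"suppressed": 0, "below_threshold": 0,
              "routed": {p: [] for p in PRIORITY.values()}}
    windows = defaultdict(deque)  # (sid, src_ip) -> hit timestamps inside the window
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # EVE also carries flow/dns/http records; ignore them
        sid, src = rec["alert"]["signature_id"], rec["src_ip"]
        if sid in SUPPRESS.get(src, ()):
            result["suppressed"] += 1
            continue
        if sid in THRESHOLDS:
            n, seconds = THRESHOLDS[sid]
            ts, win = parse_ts(rec["timestamp"]), windows[(sid, src)]
            win.append(ts)
            while ts - win[0] > timedelta(seconds=seconds):
                win.popleft()  # expire hits older than the window
            if len(win) < n:
                result["below_threshold"] += 1
                continue
            win.clear()  # alert once per N hits, like Snort/Suricata 'type threshold'
        result["routed"][PRIORITY.get(rec["alert"]["severity"], "low")].append(rec)
    return result

def _alert(ts, src, sid, sev):  # builds one constructed EVE alert record
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": "10.0.1.20", "alert": {"signature_id": sid,
                       "signature": "EXAMPLE placeholder sid %d" % sid, "severity": sev}})

SAMPLE_EVE = [_alert("2024-05-01T09:00:00.000000+0000", "10.0.0.5", 9000001, 2)] + [
    _alert("2024-05-01T09:00:%02d.000000+0000" % (10 * i), "203.0.113.7", 9000002, 3)
    for i in range(5)] + [
    _alert("2024-05-01T09:01:00.000000+0000", "198.51.100.9", 9000003, 1),
    _alert("2024-05-01T09:01:05.000000+0000", "192.0.2.4", 9000004, 4)]
```

Calling triage(SAMPLE_EVE) on the constructed records suppresses the scanner hit, drops the first four of the five repeated hits, and routes one alert each to critical, medium and low.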
5. IDS vs IPS Decision
- IDS (Detection): Alerts you but does not block traffic — lower risk of disruption
- IPS (Prevention): Actively blocks suspicious traffic — can cause false positive disruptions
- Start with IDS mode until you are confident in your tuning
- Gradually enable IPS mode for high-confidence rules only
- Keep IDS mode for less certain rules — better to alert than to block legitimate traffic
- Some organisations run both: IPS on the perimeter, IDS internally
- Review blocked traffic logs daily when running in IPS mode
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.