IDS: IDS on Large Lan
Hi there,
The major problem I had trying many IDSs on my LAN is when I have lots of
traffic to see in my log.
I currently use courtney and a strange program I found, called ntop
(www-serra.unipi.it/~ntop), which is like top for the network.
The problem seems to be in the development of IDSs: IDSs start with the
idea of watching all the net traffic of your PC/LAN, and try to identify
strange connections (FIN SYN, scan, etc.).
But when you have a host which has about 4 GB of traffic (UDP and TCP)
a day, the IDS gives up and picks normal connections as attacks too.
So you start not to trust it, and when the hacker comes to you, you think
that's another hoax of your IDS, and you get "fucked up".
Is it only my experience? (If so, it means that I made wrong configurations.)
samuele