IDS systems can be either behaviour-based or knowledge-based, and good systems use a combination of both.
A behaviour-based IDS needs to be configured with a set of rules, in a similar manner to the way firewall rules work. The network administrator determines what the IDS should be looking for and what action to take when there is a hit. The basic rules will be based around the source and destination IP addresses, the source and destination port numbers and the transport-layer protocol in use, such as TCP or UDP. Depending on the functionality of your intrusion detection device, you may be able to configure it to log events and initiate SNMP traps, send alerts to network security staff, or block and attempt to trace the source of the attack.
A knowledge-based IDS uses signatures derived from previously known attacks or patterns of attack. It may be a simple case of checking the TCP, UDP, IP or ICMP headers or values in a header field, or of looking at the status of a connection. For DoS (Denial of Service) attacks, the signature may specify how many individual connections are allowed before a warning is given of a potential attack. Setting up a knowledge-based IDS can be a complex affair and should only be undertaken by experienced staff.
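As an added illustration of the two preceding paragraphs (example code written for this page, not from the original article), the following Python evaluates header-field rules of the kind described above, with log, alert and block actions, and applies a connection-count threshold to warn of a possible DoS. The rule names, addresses, ports and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Optional
# Header fields the text says basic rules are built on, plus a timestamp for rate checks.
Packet = namedtuple("Packet", "src dst sport dport proto ts")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "log", "alert" or "block"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any destination port
    proto: Optional[str] = None  # None = any transport protocol
    def matches(self, p) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))

def evaluate(rules, packets):
    """Rule check: the first matching rule wins, giving (name, action, packet) hits."""
    hits = []
    for p in packets:
        r = next((r for r in rules if r.matches(p)), None)
        if r is not None:
            hits.append((r.name, r.action, p))
    return hits

def connection_flood(packets, threshold, window):
    """Flag (src, dst, dport) with more than `threshold` connections in any `window` s."""
    recent, flagged = defaultdict(list), set()
    for p in sorted(packets, key=lambda p: p.ts):
        times = recent[(p.src, p.dst, p.dport)]
        times.append(p.ts)
        while p.ts - times[0] > window:      # discard timestamps that aged out
            times.pop(0)
        if len(times) > threshold:
            flagged.add((p.src, p.dst, p.dport))
    return flagged

# Constructed sample rules and traffic; documentation address ranges, not from the page.
RULES = [
    Rule("block-telnet", "block", dst="10.0.0.0/8", dport=23, proto="TCP"),
    Rule("alert-ext-to-db", "alert", dst="10.0.0.5/32", dport=5432),
    Rule("log-udp", "log", proto="UDP"),
]
PACKETS = [Packet("198.51.100.7", "10.0.0.5", 40000 + i, 5432, "TCP", i * 0.1)
           for i in range(12)]                       # 12 DB connections in ~1.1 s
PACKETS += [Packet("192.0.2.9", "10.0.0.20", 5353, 23, "TCP", 5.0),
            Packet("192.0.2.9", "10.0.0.20", 5353, 53, "UDP", 5.1)]
```

Running `evaluate(RULES, PACKETS)` yields twelve alerts for the database traffic, one block for the Telnet attempt and one log entry for the UDP packet; `connection_flood(PACKETS, 10, 2.0)` flags the external host that opened twelve connections to the database within the window.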
Although we tend to think about attacks on the network as a whole, network-based IDS systems look for anything unusual coming into the network, and specifically for distributed attacks. The hosts themselves, particularly critical hosts, need to be protected from many different attacks, and network-based systems may not protect against certain host vulnerabilities such as viruses and trojans. Agent software is therefore often placed on particular devices and resources within the network, such as databases, routers, switches and servers. It is up to the network administrator to assess the risk and protect those critical host devices.
It is one thing to set up IDS protection in your network, but what happens when the IDS reports a problem? Without an experienced team to follow up on alerts, the Intrusion Detection System may be at least partially ineffective. A badly configured IDS may produce what are known as false positives, which are in effect false alarms, but they may still need to be investigated further before they can be identified as false positives. Remember that your intrusion detection policy may mean an increase in network traffic, and this will need to be factored in when determining the required network bandwidth. Hackers can be clever and may run an attack to overload the IDS itself as a precursor to something like a Denial of Service attack. Any system that includes IDS must have fast network connections and sufficient onboard resources such as CPU, memory and I/O to cope with the IDS running at full capacity.