
IDS on RED, GREEN, ORANGE

19 years 10 months ago #8975 by beexo
Hi,

I have an ipcop (firewall) box. The question is: Should I enable IDS on RED? Why?

Should I enable IDS on GREEN? Why?

I have it enabled on green just to see if something shows up. I had it enabled on red, but had to disable it, as it would cause the system to halt (almost impossible to access any page on the web).
19 years 10 months ago #8987 by DaLight
I'm a bit puzzled as all the IDS (snort) on IPCOP does is monitor suspicious activity based on the currently installed snort rules (www.snort.org/). It does not actually control or filter web access. A wild guess may be that there may be so much malicious activity going on that the logging is affecting the performance of your IPCOP. Are you running IPCOP on a very low spec machine?

As to whether to enable IDS on RED or GREEN, I would definitely enable on RED. If you suspect internal malicious activity, you can also enable on GREEN.
19 years 10 months ago #8990 by beexo
Replied by beexo on topic Re: IDS on RED, GREEN, ORANGE
You've answered my question. Thanks.

As to the slow response, I am still trying to find out what is causing it. I don't think it has to do with IDS anymore.
19 years 10 months ago #8992 by DaLight
Let us know if you find out what's causing the speed problems. I'm always looking for problems/solutions to file away in my "problems database".
19 years 10 months ago #8994 by beexo
Replied by beexo on topic Re: IDS on RED, GREEN, ORANGE
I narrowed down the problem to a bad or too big black list used with urlfilter. I had uploaded a 10MB list. I then uploaded a list from the University of Toulouse, which is about 3MB, and now everything is working fine.

IDS is now set on red.