Tuesday, May 30, 2006

Q: What is the overall process for setting up sensors, interfaces, interface sets, detection engines, and IDS policies?

A:
I'll refer to each appliance as a "sensor".
  1. Figure out how many detection engines each sensor supports. My IS1000 supports one, and the IS2100 supports two. It took me some recursion to figure this out; the only indicator is the pulldown in the "detection engine" screen. We're going to end up grouping interfaces into interface sets, assigning each set to a detection engine, and then applying policy to detection engines or groups of them.
  2. Bring up your interfaces. One at a time, attach a live cable to an interface and run ifconfig -a from the command line to figure out which one you just connected: the interface that acquired the RUNNING flag (link up) is the one you cabled. Leave the interfaces on auto-negotiate to avoid problems. If you get a stuck interface, reboot the sensor.
  3. Navigate to Operations//Configuration//Detection Engines. We'll be working from here.
  4. "Network interface" screen. Edit each interface. Give it a description saying what it is monitoring. Leave "auto-negotiate" on but set the Link Mode to match the port it is cabled to.
  5. "Interface sets" screen.

    First delete any default interface sets. The default set claims every interface on the sensor when you first start, and since an interface can belong to only one set, it prevents you from assigning the interfaces anywhere else.

    Think backwards from how many detection engines the sensor has and the names of the policies you are going to (later) apply to them. For each D.E. (which you'll set up in the next step), create an interface set and name it 'idsname-policyname'. For instance, I have an interface set on ids3 which has the policy 'domain controllers'; the interface set name is therefore ids3-domain-controllers.

  6. "Detection engines" screen. Create a D.E. called 'policyname-idsname', for instance domain-controllers-ids3. Description is unnecessary. Type is IDS. Select the interface set it corresponds to (this should be easy, because of the way you named it). Now here's the tricky part: under the "Detection resources" pulldown choose "1". The values this pulldown offers run up to the number of detection engines still unallocated on the sensor. (Remember the first step above? This step confirms whether you correctly guessed the number of D.E.s the sensor supports.) Note: the number in the pulldown is not the ordinal number (index) of the engine; it is the number of engines remaining to be used on the sensor, so it shrinks by one each time you create an engine. Repeat for all D.E.s that you have available.
  7. If you have more than one D.E. that will get the same IDS policy, create a detection engine group containing them.
  8. Now you can go over and create your IDS policies (Policy & Response//Intrusion Sensor//Detection & Prevention); when you wish to apply them, you can apply them to individual engines or to groups. Keeping the names consistent, as we have done, will help you avoid mistakes when applying policies. What you end up with is policies that apply to interfaces along this chain: policy (applies to) detection engine(s) (applies to) interface set (applies to) interface(s).

    For instance, my policy "IDS domain controllers" applies to D.E. group "domain controllers", which contains the D.E.s "dom-ctrl-ids3" and "dom-ctrl-ids4". "dom-ctrl-ids3" is assigned to interface set "ids3-dom-ctrl", which contains the interfaces on ids3 that are listening to domain controller ports.
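Step 2 above amounts to diffing two ifconfig -a snapshots, one taken before and one after plugging in the cable. The script below is an added example, not from the original post and not part of the sensor's own tooling: it parses ifconfig -a output for the RUNNING (link up) flag and reports which interface became running between two snapshots. The snapshot text is constructed sample output in the legacy net-tools layout (the parser also accepts the newer "eth2: flags=...<...RUNNING...>" layout); the interface names and MAC addresses in it are made up.

```shell
#!/bin/sh
# Added example: identify the interface that just got link by diffing two
# `ifconfig -a` snapshots (taken before and after cabling it).

# running_ifaces: read `ifconfig -a` text on stdin and print the name of every
# interface whose stanza carries the RUNNING flag (carrier detected), sorted.
# Handles both the legacy net-tools layout ("eth2      Link encap:..." header,
# flags on an indented line) and the newer "eth2: flags=4163<UP,...,RUNNING>" layout.
running_ifaces() {
    awk '
        # A non-empty line that starts in column 0 begins a new interface stanza.
        NF > 0 && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" {
            iface = $1
            sub(/:$/, "", iface)        # strip the trailing colon of the newer layout
        }
        # First RUNNING seen within a stanza: report the interface once.
        /RUNNING/ && iface != "" { print iface; iface = "" }
    ' | sort
}

# newly_running BEFORE_TEXT AFTER_TEXT: print interfaces that are RUNNING in the
# AFTER snapshot but were not in the BEFORE snapshot, i.e. the one just cabled.
newly_running() {
    before=$(printf '%s\n' "$1" | running_ifaces)
    after=$(printf '%s\n' "$2" | running_ifaces)
    for ifc in $after; do
        printf '%s\n' "$before" | grep -qx "$ifc" || printf '%s\n' "$ifc"
    done
}

# Constructed sample snapshots (not real sensor output): eth2 is down before and
# up after the cable is attached; eth0 and lo are up in both and so cancel out.
SAMPLE_BEFORE='eth0      Link encap:Ethernet  HWaddr 00:50:56:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:50:56:00:00:02
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:50:56:00:00:03
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

SAMPLE_AFTER='eth0      Link encap:Ethernet  HWaddr 00:50:56:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1400 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:50:56:00:00:02
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:50:56:00:00:03
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Live use on the sensor would be:
#   before=$(ifconfig -a); <attach the cable>; after=$(ifconfig -a)
#   newly_running "$before" "$after"
echo "Newly running: $(newly_running "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

On the sensor itself, take the first snapshot with ifconfig -a before attaching the cable and the second after. An interface that is RUNNING in both snapshots was already cabled; one that never turns RUNNING after cabling is the "stuck" case the post mentions, for which the author's remedy is a reboot.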
