
best practices for deploying an IPS ?

carl_townshend
Spotlight

Hi all

I'm thinking of putting an IPS on my network. My question is what the approach to this should be; my thinking was to run it in monitor mode to get a baseline etc. for a few weeks, then switch on inline mode.

I hear there are different types of protection, signature based, anomaly etc. Can you change this on the device?

What kind of protection do most people run? Would it be the default?

cheers

Carl

3 Replies

Andrew Phirsov
Level 7

In general:

Disable all preventive actions, except for signatures which are 100% malicious. For other signatures just enable logging without denying anything. Install inline (because it shouldn't deny legitimate traffic with most preventive actions disabled) and watch what's happening. While watching, tune signature actions properly and with caution. That tuning can take a month or two if you want that IPS to be really useful.

hi there

How do I know which signatures are 100% malicious?

And when you say tune them, what do you mean?

Also, should I enable anomaly detection?

How do I know which signatures are 100% malicious?

Usually, by default, when you first install an IPS (Cisco or not), all signatures with a deny/drop kind of action are targeted at really malicious traffic which shouldn't appear on your network. I would say you can just plug the IPS into your network in inline mode and it won't block any legitimate traffic (from my own experience). Plus, in Cisco IPS you can manage behaviour globally by tuning Event Action Overrides and Event Action Filters depending on Risk Rating values. But you should be ready to disable/change the event action of a certain signature if it blocks something that it shouldn't.

And when you say tune them, what do you mean?

I mean that you should analyze logs and take certain actions, i.e. disabling or enabling certain signatures, changing the actions that certain signatures take, changing anomaly detection policies if you use them, etc. For example, you see that some signature triggers tons of logs every day, but you know that there's nothing special about it, it's all legitimate, so you just disable that signature. Or you see that some log indicates something that shouldn't appear on your network, but the IPS doesn't block it, because it is not sure what to do with it. In that case you should change the action of that signature from log to some kind of deny/drop. And many other things.

Also, should I enable anomaly detection?

First you should know how it works, and then you'll know if you should))
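The two tuning cases in the replies above (a signature that fires constantly on legitimate traffic and should be disabled, and a high-risk signature that is only logged and should be moved to deny) can be turned into a repeatable triage pass over the alert logs collected during the monitor phase. The script below is an added example and is not from this thread or from any IPS vendor; the alert line format, signature IDs, the 0-100 risk-rating scale, and the thresholds (deny at rating 90, "noisy" at 5 or more hits with rating 50 or below) are all constructed assumptions you would replace with your own product's export format and your own baseline numbers.

```python
"""Added example (not the thread's own text or any vendor's code): a small
triage pass over IPS alert logs for the monitor-and-tune phase the replies
describe. The log format, signature IDs, risk-rating scale and thresholds
are constructed assumptions, not a real product's format."""
import re
from collections import defaultdict

# Constructed sample alerts: key=value pairs, one alert per line.
# rr = risk rating on an assumed 0-100 scale; action = what the IPS did.
SAMPLE_ALERTS = """\
sig=1001 rr=35 src=10.1.1.5 dst=10.1.2.9 action=log
sig=1001 rr=35 src=10.1.1.6 dst=10.1.2.9 action=log
sig=1001 rr=35 src=10.1.1.7 dst=10.1.2.9 action=log
sig=1001 rr=35 src=10.1.1.8 dst=10.1.2.9 action=log
sig=1001 rr=35 src=10.1.1.5 dst=10.1.2.10 action=log
sig=1001 rr=35 src=10.1.1.6 dst=10.1.2.10 action=log
sig=2002 rr=95 src=203.0.113.4 dst=10.1.2.20 action=log
sig=2002 rr=95 src=203.0.113.4 dst=10.1.2.21 action=log
sig=3003 rr=100 src=198.51.100.9 dst=10.1.2.20 action=deny
sig=4004 rr=70 src=10.1.1.9 dst=10.1.2.30 action=log
"""

ALERT_RE = re.compile(r"sig=(\d+) rr=(\d+) src=(\S+) dst=(\S+) action=(\w+)")


def parse_alerts(text):
    """Parse the constructed alert lines into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        sig, rr, src, dst, action = m.groups()
        alerts.append({"sig": sig, "rr": int(rr), "src": src,
                       "dst": dst, "action": action})
    return alerts


def override_action(rr, deny_at=90):
    """Assumed global override rule (stand-in for a risk-rating based event
    action override): at or above the threshold the action is deny, otherwise
    the event is only logged."""
    return "deny" if rr >= deny_at else "log"


def summarize_by_signature(alerts):
    """Per-signature hit count, highest risk rating seen, distinct sources and
    the set of actions the IPS actually took."""
    summary = defaultdict(lambda: {"count": 0, "max_rr": 0,
                                   "sources": set(), "actions": set()})
    for a in alerts:
        s = summary[a["sig"]]
        s["count"] += 1
        s["max_rr"] = max(s["max_rr"], a["rr"])
        s["sources"].add(a["src"])
        s["actions"].add(a["action"])
    return dict(summary)


def triage(alerts, deny_at=90, noise_hits=5, noise_max_rr=50):
    """Split signatures into the two tuning candidates the reply names:
    noisy low-risk signatures to review for disabling, and high-risk
    signatures that were only logged and should move to a deny action."""
    summary = summarize_by_signature(alerts)
    disable, escalate = [], []
    for sig, s in sorted(summary.items()):
        # Many hits with a low rating: likely legitimate traffic that keeps
        # firing, so a candidate to disable after a human confirms it.
        if s["count"] >= noise_hits and s["max_rr"] <= noise_max_rr:
            disable.append(sig)
        # Rated high enough to deny, but the IPS only logged it.
        elif (override_action(s["max_rr"], deny_at) == "deny"
              and "deny" not in s["actions"]):
            escalate.append(sig)
    return {"disable": disable, "escalate": escalate}


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    print("review for disabling:", result["disable"])
    print("change log -> deny:  ", result["escalate"])
```

On the constructed data this reports signature 1001 (six low-rated hits from ordinary internal hosts) as a candidate to disable and 2002 (rated 95 but only logged) as one to escalate to deny, while 3003 is left alone because it was already denied and 4004 stays in the log-and-watch bucket. The output is a review list, not an automatic policy change: as the reply says, each signature still needs someone to confirm the traffic is really legitimate before it is disabled.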
