
Understanding signatures better

sdesbrough
Level 1

I have a 4210 sensor behind the PIX firewall. I have had just a few alarms so far and of course they come from inside the network. An example was a 5232 when an internal private address was accessing a website. I understand what would be happening if this was from the outside to the inside, but when it is someone on the inside simply accessing a website, what is actually happening? I also checked the NSDB and it said there were no benign triggers. Please forgive my naivety, but I am just learning security and IDS, so bear with me.

5 Replies

mcerha
Level 3

5232 is looking for "

sdesbrough,

Do you know of any good white papers, checklists, or documented processes to familiarize yourself with that would ultimately help you investigate suspicious activity? It would certainly help a newbie.

Not applicable

I haven't been able to find anything but have been looking. I only got CSPM and the sensor about two weeks ago. I used the Cisco Press book to install but it of course doesn't tell me what to do with it now that I have it installed and working.

8rpalmer
Level 1

Here's a good read on the vulnerabilities associated with cross-site scripting:

http://www.cgisecurity.com/articles/xss-faq.shtml