Some IDSs can access new signature files generated by the vendor or a user community. In most cases, however, you must regularly update the IDS with information about threatening or illegitimate network behavior. If you don't, the IDS can't pinpoint exploits that haven't yet been identified in a signature.
Location Is Everything
So where do you set up an IDS? That depends on where (from which network or network segment) you expect threats to originate. The most obvious location is at the network perimeter, just inside the firewall. That's a hotspot because traffic that doesn't get through the firewall is of no interest, and any logging system that captures unfiltered Internet activity is likely to fill up quickly. Positioning an IDS inside the firewall helps you understand attacks that originate outside your network. It may not, however, cover exploits that originate from inside your network targeting your hosts, depending on your network's topology.
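The coverage trade-off described above, worked through as an added example that is not part of the original article. The topology, node names and flows are constructed assumptions; the code checks which flows cross the link where a sensor is tapped.

```python
from collections import deque

# Constructed topology (assumption, not from the article); node names are hypothetical.
LINKS = [
    ("internet", "firewall"),
    ("firewall", "core"),      # "just inside the firewall"
    ("core", "servers"),
    ("core", "access"),
    ("access", "workstations"),
    ("access", "printers"),
]

# Constructed sample flows: (source, destination).
FLOWS = [
    ("internet", "servers"),       # external traffic to internal hosts
    ("workstations", "servers"),   # internal traffic crossing the core
    ("workstations", "printers"),  # internal traffic inside one segment
]

def path(src, dst, links=LINKS):
    """Hop-by-hop path between two nodes (BFS over undirected links)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    hops = []
    while dst is not None:
        hops.append(dst)
        dst = prev[dst]
    return hops[::-1]

def sensor_sees(src, dst, tap, links=LINKS):
    """True if the flow crosses the tapped link in either direction."""
    hops = path(src, dst, links)
    return any({a, b} == set(tap) for a, b in zip(hops, hops[1:]))

def blind_spots(tap, flows=FLOWS):
    """Flows that never reach a sensor tapped on the given link."""
    return [f for f in flows if not sensor_sees(*f, tap)]

if __name__ == "__main__":
    for tap in [("firewall", "core"), ("core", "servers")]:
        print(tap, "misses", blind_spots(tap))
```

In this model the tap just inside the firewall sees the external flow but neither internal one, while a tap on the server link also sees workstation-to-server traffic and still misses traffic that stays inside the access segment.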
Choosing the Optimal Setup