How to handle IPS properly

Started by labsy, June 27, 2017, 11:46:42 PM

Hi,

I am looking at IPS rules and I am a bit confused. I do not expect IPS to be a plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select the proper rules.
But still... this seems like an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of a gazillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on rule, then click on description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day, and switch each rule's action from Alert to Drop? Isn't there any preconfigured set of rules for, say, "webhosting" or "home user" or such?

I would be interested in the methodology, too :-)
Any best practice out there?
Cheers,
Wayne
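The tuning loop described in the question (collect alerts, find the rule behind each one, check its direction, switch the action from alert to drop) is easier to reason about when scripted. The following is an added example, not code from this thread or from the OPNsense/Suricata projects: it parses a constructed sample of Suricata-style rule lines and EVE JSON alert records, counts alerts per signature id, keeps only rules whose destination is $HOME_NET (the inbound ones the poster cares about), and shows what a rule line looks like once its action is changed from alert to drop. The sample rules, their SIDs (9000001 to 9000003) and the IP addresses are all made up; the rule-line regex covers the common header shape and is an assumption, not Suricata's own parser.

```python
import json
import re
from collections import Counter

# Constructed sample of a Suricata-style rules file (not from the page or any real ruleset).
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE inbound web probe"; content:"/probe"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE outbound irc"; sid:9000002; rev:2;)
# comment lines are skipped
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE dns lookup"; sid:9000003; rev:1;)
"""

# Constructed sample of Suricata EVE JSON records, one per line (addresses are documentation ranges).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature_id":9000001,"signature":"EXAMPLE inbound web probe","action":"allowed"}}
{"event_type":"alert","src_ip":"203.0.113.6","dest_ip":"192.0.2.10","alert":{"signature_id":9000001,"signature":"EXAMPLE inbound web probe","action":"allowed"}}
{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"198.51.100.7","alert":{"signature_id":9000002,"signature":"EXAMPLE outbound irc","action":"allowed"}}
{"event_type":"flow","src_ip":"192.0.2.20","dest_ip":"198.51.100.7"}
"""

# Assumed rule header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {sid: {"action", "src", "dst", "line"}} for every non-comment rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # header shape we do not understand; skip rather than guess
        sid_m = SID_RE.search(m.group("opts"))
        if not sid_m:
            continue
        rules[int(sid_m.group(1))] = {
            "action": m.group("action"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "line": line,
        }
    return rules


def is_inbound(rule):
    """True when the rule watches traffic arriving at $HOME_NET from somewhere else."""
    return rule["dst"] == "$HOME_NET" and rule["src"] != "$HOME_NET"


def count_alerts(eve_text):
    """Count EVE 'alert' events per signature id; flow/dns/other event types are ignored."""
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        counts[rec["alert"]["signature_id"]] += 1
    return counts


def triage(rules, counts, inbound_only=True):
    """Return [(sid, hits, rule_line)] sorted by hit count, optionally restricted to inbound rules."""
    rows = []
    for sid, hits in counts.items():
        rule = rules.get(sid)
        if rule is None:
            continue  # alert from a rule not in the file we loaded
        if inbound_only and not is_inbound(rule):
            continue
        rows.append((sid, hits, rule["line"]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def to_drop(rule_line):
    """Rewrite an 'alert' rule as a 'drop' rule, the same action change done per rule in the GUI."""
    return re.sub(r"^alert\b", "drop", rule_line, count=1)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    counts = count_alerts(SAMPLE_EVE)
    for sid, hits, line in triage(rules, counts):
        print(f"sid {sid}: {hits} hits -> {to_drop(line)}")
```

Run against a real rules directory and eve.json the same way: the inbound filter removes the $HOME_NET -> $EXTERNAL_NET rules the poster does not want to review, and the sorted output gives the order in which to look at the remaining ones.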