SourceFire Default Setting - Server Flow Depth
If you're running SourceFire, there's a setting in the HTTP Configuration module you'll want to check when doing your tuning and configuration. Under the Configuration section, 5th setting down, you'll find Server Flow Depth. This setting has to do with how many bytes of HTTP server response data the rules inspect. It's a little more complex than that, as there are other settings that help determine what parts of the data are looked at, but that's all well documented. The thing to look at here is the default setting, which is 500 bytes. Possible values are 1-65,535 to specify a particular number of bytes, or 0 for all, including data that exceeds 65,5535. 500 is a very low value here, even though the docs say the rules usually target the headers or traffic that will be in the first hundred of so bytes of data.
I started testing larger values here by increasing this to 5,000 bytes. That's a ten fold increase of the default, but still far smaller than the recommended value of 65,535. The change was startling, as we saw an immediate increase in the number of alerts, some from rules that had never fired before. I monitored two of the busiest sensors in the system and saw no noticeable hit in performance.
To cut to the chase, I tried values of 10,000, 50,0000 and finally the recommended 65,535 bytes. None of those values gave me an unacceptable performance hit on the sensors, but each time the volume of alerts, what had been false negatives, went up in large measure.
The amount of tuning needing done on the new, heretofore unseen traffic was on par with having added a new segment to monitor. It was amazing and disconcerting how much traffic that low default setting had blinded the sensors to.
The moral of the story here is check every configuration item carefully and make sure you understand what each one does. IDS is a complex beast and you might be missing a lot traffic you should be seeing if you're not careful.