Publisher Summary

This chapter focuses on intrusion detection system (IDS) signatures, IDS deployment, and operation. Once the Cisco IDS sensor is racked and operational, and the IDS management device or director is configured and communicating properly, it is time to tune the IDS signatures to the traffic patterns occurring on the network. Without optimized signatures, the IDS sensor is relatively useless. The Cisco IDS sensor can also provide various responses to signature triggers, such as logging, Transmission Control Protocol (TCP) resets, or blocking. It is important to understand what a signature is and what exactly a signature does. A signature is a known type of activity, unique to a certain attack or type of activity. A Cisco IDS sensor compares traffic against the signatures configured on it and matches this activity when it appears on the network. The different types of signatures are also grouped by traffic patterns. Groups include General, Connection, String, and Access Control List (ACL). Configuring signatures does not take time and effort. Adding new ones is beneficial only if a similar signature is not already looking at a particular pattern. The chapter highlights that without correct signatures, the IDS sensor is useless for maintaining network security.