[Tfug] Lightweight IDS options/strategy/policy
Bexley Hall
bexley401 at yahoo.com
Wed Jun 12 13:54:27 MST 2013
Hi,

I'm looking for ideas for *lightweight* IDS techniques that
I can employ (i.e., limited resource situations) and, more
importantly, how to convey to the (unknowledgeable) user
that an attack may be in progress/have occurred/etc. Also,
what to recommend to said user as remedies in those cases.

I'm not worried about actual penetration -- my stacks are
hardened and protocols designed with this sort of thing in
mind. Rather, I'm trying to figure out how to alert on a
potential attack and how to direct the user in those events.

[False positives are obviously to be avoided! False negatives
have far less impact as the network will protect itself -- but,
the user would not be alerted in the event of a false negative]

Thx,
--don