Intrusion detection systems can be a valuable defence mechanism – provided you deploy them correctly. While there are some considerations to your deployment process, these devices or software installations require some more thought before you choose a specific implementation. Testing might be a good idea. If you want to detect intruders, then it would be nice if your IDS can do the job. How do you find out? Well, in theory you could use the specifications of the IDS systems as published by the vendors/developers. In practice this information lacks the most important figure: How many intrusions can you detect in a given time frame? True, you have to deal with specific signatures of attacks, so comparing isn’t easy provided you take different sets of rules. Then again some IDS engines have their own features and rule sets, so a comparison gets difficult.
At DeepSec 2013 Arron ‘Finux’ Finnon of Alba13 Labs gave some advice on how to conduct IDS testing efficiently. Listen to his presentation if you have to deal with intrusion detection!