
IDS / IPS

18 Controls
Intrusion Detection / Prevention Systems

Monitor network traffic for suspicious activities and known attack patterns.

  • Deploy IDS at network perimeter and between segments
  • Keep signatures updated daily
  • Tune rules to reduce false positives
  • Use IPS inline for automatic blocking of known threats
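
# Snort IDS Rule — detect SQL injection attempts
# Snort 2.x syntax: a rule split across lines needs a trailing backslash on every continued line.
# The two content matches are independent: both strings must appear, in any order, anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
  msg:"SQL Injection Attempt"; \
  flow:to_server,established; \
  content:"UNION"; nocase; \
  content:"SELECT"; nocase; \
  sid:1000001; rev:1; \
)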
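
To make the "tune rules to reduce false positives" control concrete, the following added example (not part of the original page, and a Python emulation rather than Snort itself) scores the match logic of the rule above against a small set of constructed requests. The tightened variant is hypothetical: it inspects only the decoded request URI and requires SELECT to follow UNION, which is the kind of constraint Snort 2 expresses with `http_uri`, `distance` and `within`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (label True = SQL injection pattern, False = benign).
SAMPLES = [
    (b"GET /item?id=1+UNION+SELECT+1,2 HTTP/1.1\r\nHost: shop.example\r\n\r\n", True),
    (b"GET /item?id=1%20union%20all%20select%201 HTTP/1.1\r\nHost: shop.example\r\n\r\n", True),
    (b"GET /products?range=select-series HTTP/1.1\r\nHost: shop.example\r\n"
     b"Referer: https://bank.example/credit-union/loans\r\n\r\n", False),
    (b"POST /forum/reply HTTP/1.1\r\nHost: shop.example\r\n\r\n"
     b"msg=Please+select+your+trade+union+from+the+list", False),
    (b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n", False),
]

def page_rule(payload: bytes) -> bool:
    """sid:1000001 as written: both strings, case-insensitive, any order, anywhere."""
    data = payload.lower()
    return b"union" in data and b"select" in data

# Hypothetical tightening: SELECT must directly follow UNION (or UNION ALL)
# after URL decoding, and only the request URI is inspected. Request bodies
# are outside its coverage and would need their own rule.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)

def tuned_rule(payload: bytes) -> bool:
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    fields = request_line.split(" ")
    if len(fields) != 3:          # not a well-formed request line
        return False
    return bool(UNION_SELECT.search(unquote_plus(fields[1])))

def score(rule):
    """Return (false_positives, missed_detections) over SAMPLES."""
    false_pos = sum(1 for p, bad in SAMPLES if rule(p) and not bad)
    missed = sum(1 for p, bad in SAMPLES if bad and not rule(p))
    return false_pos, missed

if __name__ == "__main__":
    for name, rule in (("page rule", page_rule), ("tuned rule", tuned_rule)):
        fp, fn = score(rule)
        print(f"{name}: {fp} false positives, {fn} missed")
```

Running the same labelled corpus after every rule change turns tuning into a regression test instead of a judgement call on live alerts.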