Intrusion detection systems and Network Security Monitoring. All too often, these countermeasures are portrayed as the ‘boy who cried wolf’, the magical box with blinking lights that does nothing but get the checkbox from $COMPLIANCE_AUDITOR and is never heard from again. When most organizations choose to implement IDS, they tend to take an all-or-nothing approach: ‘Turn on all the rules, or it’s useless!’, ‘Capture all of the alerts, or we may miss something!’ I’m here to tell you that this approach isn’t going to do you, your organization, or your already taxed security analysts any good. I’m here to show you how to actually cut the shit on your IDS, get actionable intelligence, and make yourself the hunter instead of the hunted. This talk will primarily be focused around Snort and Suricata, since their rules operate about the same and they are where I got most of my battle scars, but a lot of these concepts can apply to any Intrusion Detection or Prevention software.