My IDS sensor is currently located after the webproxy and all I am seeing is heaps of packets originated from the Web Proxy to the remote destination IP addresses. Hence, I don't actually see who does what! IDS, on the other hand, detects so many incidents e.g. IDS does not expect an IP address generates so many web traffic at a short period of time. So my question is: What is the best place to put the IDS probe when we have a web proxy in the network.
Many thanks