We currently use a Cisco 4235 IDS and PIX 515E with the IDS listening on the outside. We gather around 300-500 false positives every day and it has become a chore to sort through them all. Would it be more beneficial to listen inside the firewall?
I'm afraid it will get to the point that when the IDS "cries wolf" there will be nobody around to notice the event. Listening to the inside would make our alarms more meaningful. We would like to have both inside and outside, but we have to stick to the budget.