loading
Loading content
loading
Also known as IDS
An intrusion detection system (IDS) monitors traffic or host activity and flags behavior that matches known attacks. A network IDS like Snort or Suricata inspects packets against signature rules and protocol anomalies, while a host-based IDS watches file integrity, process activity, and log patterns on a single system. The two detection styles complement each other: signatures catch known exploits with precision, and anomaly models catch deviations from a learned baseline, including techniques no signature covers yet.
The distinction from a prevention system matters. A plain IDS alerts but does not block, so it observes without risking a false positive that takes down legitimate traffic. An IPS adds inline blocking. Either way, the IDS is only as good as its rules and its placement, and attackers actively work to slip past it.
For offensive teams the IDS is an obstacle to plan around, which is why firewall evasion techniques like fragmentation, timing, and encoding aim to avoid signature matches. Noisy techniques such as credential stuffing trip volume thresholds fast. On the defensive side an IDS feeds alerts into a SIEM and gives detection engineering a place to deploy and refine rules.
Related terms