An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts administrators. It doesn't block traffic. It watches and reports.
IDS detection methods:
- Signature-based: Matches traffic against known attack patterns
- Anomaly-based: Flags deviations from normal behavior
An IDS typically sits on a mirrored port, receiving copies of all traffic. When it detects something suspicious, it generates an alert. You investigate and respond. The attack may have already succeeded by the time you see the alert.
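The two detection methods above, run passively over one window of mirrored traffic, as an added example that is not part of the original page. The signatures, addresses, baseline counts and the mean-plus-three-standard-deviations threshold are constructed assumptions for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed signatures (illustrative patterns, not taken from a real rule set).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sql-union-select": re.compile(rb"(?i)union\s+select"),
}

def signature_alerts(packets):
    """Signature-based: match each copied payload against known patterns."""
    alerts = []
    for index, (src, payload) in enumerate(packets):
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((index, src, name))
    return alerts

def anomaly_alerts(baseline_counts, packets, k=3.0):
    """Anomaly-based: flag sources whose packet count in this window
    exceeds mean + k * stdev of the counts observed during normal operation."""
    threshold = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    per_source = Counter(src for src, _ in packets)
    return sorted((src, n) for src, n in per_source.items() if n > threshold)

# Constructed sample data. BASELINE is packets per source per window on normal days.
BASELINE = [4, 5, 6, 5, 4, 6, 5, 5]
# WINDOW is one observation window of (source, payload) copies from the mirrored port.
WINDOW = (
    [("10.0.0.5", b"GET /index.html HTTP/1.1")] * 5
    + [("10.0.0.7", b"GET /../../app.conf HTTP/1.1")]
    + [("10.0.0.9", b"GET /status HTTP/1.1")] * 12
    + [("10.0.0.7", b"GET /item?id=1 UNION SELECT 1 HTTP/1.1")]
)

if __name__ == "__main__":
    # The IDS only reports: every packet in WINDOW was already delivered.
    for alert in signature_alerts(WINDOW):
        print("SIGNATURE", alert)
    for alert in anomaly_alerts(BASELINE, WINDOW):
        print("ANOMALY", alert)
```

Note that 10.0.0.9 matches no signature and is caught only by the anomaly check, while 10.0.0.7 sends too little traffic to look anomalous and is caught only by signatures.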