Deep ThoughtsBlog
← Back to all writing

Network+ Exam

Intrusision Detection Systems (IDS/IPS)

October 29, 2025

  • #network+

Intrusision Detection Systems (IDS/IPS)

Recognizes network attacks and and ips can respond accordingly. will look at signature and behaviour based. SNORT is an IDS/IPS it’s a passive device. if it see’s something it will make an alert to the administrator.

if it works as an iPS then it’s inline. everything has to go through it.

IPS functions like an ids BUT also blocks or drops offending traffic. wh

why IDS ofer IPS . IPS can drop legitamate traffice

signature based - detection is triggered by a signature that contains a byte string. IPS will block matching signatures that is not threatining.

policy based - relys on specefic declaration of.a security policy.

anomaly based - done through statistical or non statscal anomaly.

stat. anomaly based - watches traffic patterns to build baseline and flag.

non statistical - admin defines pattern or baseline.

host based. network and host based systems can work together for more protection.

πŸ›‘οΈ Intrusion Detection & Prevention Systems (IDS/IPS)

πŸ”‘ Core Functions

  • IDS (Intrusion Detection System)
    • Monitors traffic.
    • Passive β†’ detects, then alerts admin.
    • Example: Snort (IDS mode).
  • IPS (Intrusion Prevention System)
    • Inline β†’ all traffic passes through it.
    • Detects and blocks/drops malicious traffic.
    • More proactive but risk of false positives.

πŸ“Š Detection Methods

  • Signature-Based
    • Matches known patterns (byte strings, rules).
    • βœ… Accurate for known threats.
    • ❌ Can’t detect zero-day/unknown attacks.
  • Policy-Based
    • Uses defined security policies/rules.
    • Example: β€œNo FTP traffic allowed.”
    • Limited by the completeness of policies.
  • Anomaly-Based
    • Detects deviations from normal traffic.
    • Statistical: builds a baseline of normal behavior.
    • Non-Statistical: admin manually defines expected behavior.
    • Useful for catching zero-days.

πŸ–₯️ Deployment Types

  • Host-Based IDS/IPS (HIDS/HIPS)
    • Runs on individual hosts.
    • Monitors system calls, file access, logs.
  • Network-Based IDS/IPS (NIDS/NIPS)
    • Monitors entire network segments.
    • Detects threats across multiple devices.

πŸ‘‰ Best practice: use both together for layered defense.

βœ… Exam Tips

  • IDS = alert only, IPS = alert + block.
  • Snort = popular open-source IDS/IPS.
  • IPS is inline, IDS is passive.
  • False positives are why some orgs prefer IDS over IPS.
  • Signature = known attacks, Anomaly = new/unusual attacks.

⚑ Sample Question:

β€œWhich intrusion detection method relies on comparing traffic to a baseline of normal activity?”

β†’ Anomaly-based (statistical)

πŸ‘‰ Build your own quick-reference table (IDS vs IPS, Signature vs Policy vs Anomaly) to lock in the comparisons for rapid review.