IDS

Intrusion Detection System — monitors and alerts on suspicious activity but does not block.

An IDS sits out-of-band (on a SPAN port or tap) and only alerts, so it can’t drop traffic but also can’t cause an outage; an IPS sits in-line and can block. Signature-based detection catches known patterns but misses novel attacks; anomaly/behavior-based detection catches unknowns at the cost of more false positives.
