Definition
An Intrusion Detection System (IDS) monitors network traffic for suspicious patterns and generates alerts for security analysts, without blocking traffic inline. An IDS is typically deployed in monitor mode, fed by a SPAN port or a network TAP, so it cannot add latency or become a point of failure in the traffic path. Detection-only positioning is sometimes preferable to an inline IPS: in environments where blocking on a false positive is unacceptable (financial trading, healthcare critical systems), in forensic evidence-collection scenarios, and on high-throughput backbones. Modern security stacks feed IDS output (for example from Suricata or Zeek) into SIEM and SOC workflows for threat hunting and incident investigation.
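The last sentence describes the IDS-to-SIEM hand-off. The following example, added here and not part of the glossary entry or of Suricata itself, shows what that hand-off looks like in practice: it reads Suricata's newline-delimited EVE JSON (the real field names event_type, alert.signature_id, alert.signature, alert.severity, src_ip and dest_ip), keeps only alert records, tolerates malformed lines, and correlates repeated hits on one signature and source/destination pair. The sample lines and the signature ID 1000001 are constructed for the example.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (not real traffic): two alerts on the same signature,
# one non-alert flow record, and one malformed line the parser must tolerate.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"LOCAL Example SSH scan indicator","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"LOCAL Example SSH scan indicator","severity":2}}',
    'this line is not JSON',
])


def normalize_alerts(eve_text):
    """Return (alerts, dropped): SIEM-ready dicts for event_type == "alert",
    plus a count of lines that were malformed or missing required fields."""
    alerts, dropped = [], 0
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if ev.get("event_type") != "alert":
                continue  # flow/dns/http records are context, not detections
            alerts.append({
                "ts": ev["timestamp"],
                "sid": ev["alert"]["signature_id"],
                "signature": ev["alert"]["signature"],
                "severity": ev["alert"]["severity"],
                "src_ip": ev["src_ip"],
                "dest_ip": ev["dest_ip"],
                "dest_port": ev.get("dest_port"),
            })
        except (ValueError, KeyError, TypeError):
            dropped += 1  # bad JSON or missing field: count it, never crash the pipeline
    return alerts, dropped


def correlate(alerts):
    """Count alerts per (sid, src_ip, dest_ip) so repeated hits between one
    source and destination surface as a single correlated finding."""
    return Counter((a["sid"], a["src_ip"], a["dest_ip"]) for a in alerts)
```

Because the IDS only observes, the two hits are reported to analysts as one correlated finding rather than blocked; an inline IPS would have acted on the first.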
Related terms
- IPS (Intrusion Prevention System) - Inline security control that detects and blocks network attacks based on signatures and behavioral analysis.
- SIEM (Security Information and Event Management) - Platform that aggregates security events from across the environment for correlation, search, and alerting.
- SOC (Security Operations Center) - Centralized team responsible for monitoring, detecting, investigating, and responding to security incidents.