🔒 Network Security · 10 min read

Intrusion Detection Systems: IDS vs IPS

Compare intrusion detection (IDS) and prevention (IPS) systems, understand how they analyze traffic, and learn to deploy Suricata for network monitoring.

IDS vs IPS: What Is the Difference?

Feature    | IDS (Detection)       | IPS (Prevention)
-----------|-----------------------|-------------------------------
Action     | Alerts on threats     | Blocks threats automatically
Deployment | Passive (mirror/tap)  | Inline (traffic flows through)
Risk       | No impact on traffic  | May block legitimate traffic
Latency    | None                  | Slight increase

An IDS monitors traffic and generates alerts. An IPS sits inline and can drop malicious packets before they reach the target. Many modern tools (Suricata, Snort) can operate in either mode.

Detection Methods

Signature-Based Detection

Compares traffic against a database of known attack patterns (signatures/rules):

# Suricata rule example: detect SSH brute force
alert ssh any any -> $HOME_NET 22 (msg:"SSH brute force attempt";
  flow:to_server,established; threshold:type both,track by_src,
  count 5,seconds 60; sid:1000001; rev:1;)

Pros: Low false positives for known attacks. Cons: Cannot detect novel (zero-day) attacks.
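The threshold clause in the rule above decides when the signature actually fires. The following is an added Python model of that logic, not Suricata's own code; it approximates the engine's `type both, track by_src` behaviour (an assumption about its internals) and runs over constructed SSH attempt timestamps to show why a burst from one source produces a single alert per window rather than one per packet:

```python
from collections import defaultdict

# Simplified model of `threshold: type both, track by_src, count N, seconds S`
# (an approximation of Suricata's engine, assumed here for tuning purposes):
# per source address a window of S seconds opens on the first matching event;
# the rule fires once the Nth event lands inside that window, then stays quiet
# until the window expires and a new one opens.
class ThresholdBoth:
    def __init__(self, count=5, seconds=60):
        self.count = count
        self.seconds = seconds
        self.window_start = {}          # src -> timestamp that opened the window
        self.hits = defaultdict(int)    # src -> matches in the current window
        self.alerted = set()            # sources that already alerted this window

    def event(self, src, ts):
        """Feed one matching packet; return True if the rule should alert."""
        start = self.window_start.get(src)
        if start is None or ts - start >= self.seconds:
            self.window_start[src] = ts    # open a fresh window for this source
            self.hits[src] = 0
            self.alerted.discard(src)
        self.hits[src] += 1
        if self.hits[src] >= self.count and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


def alerts_for(events, count=5, seconds=60):
    """Run a (src, ts) stream through the threshold; return the alerts raised."""
    th = ThresholdBoth(count, seconds)
    ordered = sorted(events, key=lambda e: e[1])   # process in time order
    return [(src, ts) for src, ts in ordered if th.event(src, ts)]


# Constructed sample: SSH connection attempts as (source, seconds since start).
SAMPLE = (
    [("10.0.0.5", t) for t in range(0, 40, 5)]      # 8 attempts in 40 s
    + [("10.0.0.9", t) for t in (3, 9, 15)]         # 3 attempts: below count
    + [("10.0.0.5", t) for t in range(70, 95, 5)]   # 5 more after the window rolls
)

if __name__ == "__main__":
    for src, ts in alerts_for(SAMPLE):
        print(f"t={ts:>3}s  SSH brute force attempt from {src}")
```

Raising `count` or shortening `seconds` is the knob to turn when legitimate automation (config management, monitoring probes) trips the rule.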

Anomaly-Based Detection

Establishes a baseline of normal behavior and flags deviations:

  • Unusual traffic volumes
  • New protocols or ports
  • Abnormal connection patterns

Pros: Can detect unknown attacks. Cons: Higher false positive rate, requires tuning.

Tool       | Language | Strengths
-----------|----------|----------------------------------------
Suricata   | C        | Multi-threaded, modern, HTTP/TLS parsing
Snort      | C        | Mature, massive rule community
Zeek (Bro) | C++      | Deep protocol analysis, scripting
OSSEC      | C        | Host-based IDS, file integrity

Quick Suricata Setup

# Install on Ubuntu
sudo apt install suricata

# Download ET Open rules
sudo suricata-update

# Run in IDS mode on interface eth0
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

# View alerts
sudo tail -f /var/log/suricata/fast.log

Deployment Best Practices

  • Start in IDS mode to tune rules before switching to IPS.
  • Place sensors at network boundaries and between critical segments.
  • Maintain updated rule sets — subscribe to Emerging Threats or Snort VRT.
  • Feed alerts into a SIEM for correlation and incident response.
  • Whitelist known-good traffic to reduce alert fatigue.
