Deployed intrusion detection solutions are not a substitute for firewalls; although they usually complement the function of firewalls. Commonly, a deployed IDS inspects computer activity to identify suspicious patterns that may indicate an attack from hackers or crackers utilizing vulnerability assessment software. There are several categories for IDS inspection including misuse, anomaly, host-based, and network-based detection. Each IDS classification relies on analytical information to determine reportable conditions, such as signatures, protocols, profiles, and/or statistical patterns.
Generally, intrusion detection systems have passive and active components. Passive procedures normally encompass: inspection of system configuration files to expose inadvisable settings; inspection of password files to indicate imprudent pass-codes; and inspection of other system areas to detect policy violations. Whereas, active procedures usually accommodate: mechanisms to ascertain known methods of attack; mechanisms to log-off users; mechanisms to reprogram the firewall; and mechanisms to log system responses.
Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.