Ethical Hacker Community Forums
Author Topic: CEH Study Group -- Module 19: Evading IDS, Firewalls, and Honeypots  (Read 2617 times)
Oyle
Moderator
Sr. Member
« on: April 05, 2006, 04:44:55 PM »

Module Objectives:

*Intrusion Detection Systems (IDS)
*System Integrity Verifiers
*How are Intrusions Detected?
*Anomaly Detection
*Signature Recognition
*How does an IDS match Signatures with incoming traffic?
*Protocol Stack Verification
*Application Protocol Verification
*Hacking through Firewalls
*IDS Software Vendors
*Honey Pots



MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
Oyle
Moderator
Sr. Member
« Reply #1 on: June 04, 2006, 06:42:31 PM »

*****Intrusion Detection Systems....

An Intrusion Detection System (IDS) monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack).

A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan.

There are several ways to categorize an IDS:

Misuse detection: In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures it uses to compare [potentially threatening] packets against.

Anomaly detection: In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Network-Based: In a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. A Network Intrusion Detection System is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. An NIDS captures and inspects all traffic, regardless of whether it's permitted or not. Based on the contents, at either the IP or application level, an alert is generated. Network-based intrusion detection systems tend to be more distributed than host-based IDS.

Host-based systems: In a host-based system, the IDS examines the activity on each individual computer or host. Host-based systems collect and analyze data and aggregate them so that they can be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on the trusted network systems themselves, they are close to the network's authenticated users.
If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information in the quickest possible manner. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.
A Network Based IDS should be between the firewall/router and the clients.

Passive System: In a passive system, the IDS detects a potential security breach, logs the information and signals an alert.
Reactive System: In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Intrusion detection is different from traditional firewalls in that it involves the detecting of a security breach. In a firewall, IF the traffic matches an acceptable pattern, it is permitted, regardless of what the packet contains.

In general, host-based systems are best at detecting the following activities:
Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.
« Last Edit: June 04, 2006, 07:54:36 PM by Oyle »

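The post contrasts misuse (signature) detection with anomaly detection and gives the classic SYN port-scan detector as an example of what an NIDS watches for. The block below is an added illustration, not code from Oyle's post or from any IDS product: a tiny Python model of both approaches run over a constructed packet list. The signature database (`SIGNATURES`), the traffic sample, and the "more than 10 distinct ports SYN'd within 2 seconds" baseline are all assumptions chosen for the demonstration; a real deployment derives the baseline from observed normal traffic, as the post describes.

```python
"""Toy NIDS: a signature (misuse) detector and a SYN-scan anomaly detector.

Added example for the CEH Module 19 thread; not part of the original post.
All traffic below is constructed by hand, not captured from a network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of capture
    src: str           # source IP
    dst: str           # destination IP
    dport: int         # destination TCP port
    flags: str         # TCP flags, e.g. "S" = SYN only, "A" = ACK
    payload: bytes = b""


# Constructed sample traffic: one ordinary web client (10.0.0.5), one client
# whose request matches a signature (10.0.0.7), and one source (10.0.0.9)
# sending bare SYNs to 25 different ports within a quarter of a second.
SAMPLE_TRAFFIC = [
    Packet(0.00, "10.0.0.5", "10.0.0.20", 80, "S"),
    Packet(0.05, "10.0.0.5", "10.0.0.20", 80, "A", b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.20, "10.0.0.5", "10.0.0.20", 443, "S"),
    Packet(0.50, "10.0.0.7", "10.0.0.20", 80, "A", b"GET /cgi-bin/test HTTP/1.1\r\n"),
] + [
    Packet(1.0 + i * 0.01, "10.0.0.9", "10.0.0.20", 20 + i, "S") for i in range(25)
]

# Hypothetical signature database (name -> byte pattern). A real misuse
# detector ships thousands of these; it only ever finds what is listed here.
SIGNATURES = {
    "SIG-EXAMPLE-CGI": b"/cgi-bin/",
}


def misuse_detect(packets, signatures=SIGNATURES):
    """Misuse detection: compare each payload against the signature database.

    Returns a list of (signature name, src, dst) for every match.
    """
    alerts = []
    for p in packets:
        for name, pattern in signatures.items():
            if pattern in p.payload:
                alerts.append((name, p.src, p.dst))
    return alerts


def syn_scan_detect(packets, baseline_ports=10, window=2.0):
    """Anomaly detection for the SYN port scan the post describes.

    `baseline_ports` is the administrator-defined "normal" upper bound on how
    many distinct destination ports one source SYNs to on one host within
    `window` seconds. Any (src, dst) pair exceeding it is reported as
    (src, dst, peak distinct port count).
    """
    by_pair = defaultdict(list)
    for p in packets:
        # A bare SYN (no ACK) is a new connection attempt.
        if "S" in p.flags and "A" not in p.flags:
            by_pair[(p.src, p.dst)].append((p.ts, p.dport))

    alerts = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()
        peak = 0
        # Slide a window starting at each SYN and count distinct ports in it.
        for i, (t0, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts <= t0 + window}
            peak = max(peak, len(ports))
        if peak > baseline_ports:
            alerts.append((src, dst, peak))
    return alerts


if __name__ == "__main__":
    for alert in misuse_detect(SAMPLE_TRAFFIC):
        print("misuse:", alert)
    for alert in syn_scan_detect(SAMPLE_TRAFFIC):
        print("anomaly:", alert)
```

Running it reports one signature hit from 10.0.0.7 and one scan alert for 10.0.0.9, while the ordinary client (two SYNs, to ports 80 and 443) stays under the baseline. The two detectors fail in opposite ways: the signature check misses anything not in `SIGNATURES`, and the anomaly check depends entirely on how well the baseline reflects real traffic, which is exactly the trade-off the post draws.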