The main purpose of an IDS is to detect and alert an administrator about an attack. The administrator can then determine, based on the information received from the IDS, what action to take.
An IDS functions in the following way:
- The IDS monitors network activity for anomalies—that is, signatures or behaviors that may indicate an attack or other malicious behavior. If the activity detected matches signatures that the IDS has on record or a known attack, the IDS reports the activity to an administrator for them to decide what to do. Based on the configuration in place on the IDS, the system can also take additional actions, such as sending text messages, paging someone, or sending an e-mail.
- If the packet passes the anomaly stage, then stateful protocol analysis is done.