Skip to content
MyCyberSecurityPath

IDS, IPS, and Firewalls — Detection, Prevention, and Evasion Techniques

What Is an Intrusion Detection System and Why Does It Matter?

Section titled “What Is an Intrusion Detection System and Why Does It Matter?”

An intrusion detection system (IDS) monitors network traffic or system activity for malicious behaviour and policy violations. NIST SP 800-94 (Guide to Intrusion Detection and Prevention Systems) defines IDS as a critical component of defence-in-depth, while MITRE ATT&CK catalogues over 40 defence evasion techniques under TA0005 — Defense Evasion. Together with intrusion prevention systems (IPS) and firewalls, IDS forms the backbone of network security — the layered defences that protect organisations from unauthorised access, malware, and data exfiltration.

Understanding these technologies is essential for every cybersecurity role:

  • SOC analysts spend a significant portion of their day triaging IDS/IPS alerts, investigating potential intrusions, and tuning detection rules to reduce false positives.
  • Penetration testers need to understand how IDS and firewalls work so they can test whether defences detect their activities — and document when they do not.
  • Network engineers deploy, configure, and maintain these systems as part of the organisation’s security infrastructure.
  • Certification exams including CompTIA Security+ SY0-701, CEH v13, and CompTIA CySA+ cover IDS/IPS types, firewall architectures, Snort rules, and evasion techniques extensively.

This page covers the differences between IDS, IPS, and firewalls, how each type works, detection methods, Snort and Suricata basics, evasion techniques that attackers use, and why understanding evasion makes you a better defender.

When I first encountered Snort running on a home lab network, I was amazed at how much it could see. I ran a simple Nmap scan against a target machine and watched Snort light up with alerts — port scan detected, SYN flood suspected, OS fingerprinting attempt. It was like having a security guard that noticed everything happening on the network. Then I started learning about evasion techniques, and I realised that the guard could be tricked. That tension between detection and evasion is what makes network security so fascinating and why defenders need to understand both sides.

Ethical and legal warning: Evasion techniques discussed on this page are for educational purposes and authorised security testing only. Using these techniques to bypass security controls on systems you do not own or have explicit written authorisation to test is a criminal offence under the Criminal Code Act 1995 (Australia), the Computer Fraud and Abuse Act (US), and the Computer Misuse Act (UK). Understanding evasion makes you a better defender — that is the purpose of learning it.

What Do Real-World Detection and Evasion Scenarios Look Like?

Section titled “What Do Real-World Detection and Evasion Scenarios Look Like?”

The Snort community maintains over 30,000 detection rules through the Cisco Talos Intelligence Group, and Suricata processes traffic at multi-gigabit speeds using multi-threaded, protocol-aware parsing. IDS, IPS, and firewalls are involved in security operations every day, on both the defensive and offensive sides.

ScenarioWhat the defence doesWhy it matters
Malware command-and-controlIDS detects known C2 traffic patterns; IPS blocks the connectionPrevents compromised hosts from communicating with attackers
Port scan from external IPFirewall drops unsolicited inbound packets; IDS alerts on scan patternEarly warning of reconnaissance activity against the network
SQL injection attemptWAF blocks requests matching SQLi signatures; IDS logs the attemptProtects web applications from the most common attack vector
Lateral movementNIDS detects unusual internal traffic patterns between workstationsIdentifies attackers who have breached the perimeter and are moving inside
Encrypted C2 tunnelIDS cannot inspect encrypted traffic; anomaly detection flags unusual traffic volumeHighlights the limitation of signature-based detection against encrypted threats
Penetration testTester uses fragmentation and encoding to test whether IDS detects evasion techniquesValidates that detection rules work against sophisticated attackers, not just basic scans

The key takeaway is that detection systems and evasion techniques are two sides of the same coin. Defenders need to understand evasion to build effective detection.

How Do IDS, IPS, and Firewalls Work?

Section titled “How Do IDS, IPS, and Firewalls Work?”

NIST SP 800-94 distinguishes between network-based IDS (NIDS), host-based IDS (HIDS), and inline IPS, each serving complementary detection and prevention roles within a layered security architecture.

These three technologies serve different but complementary roles. Understanding the distinctions is critical for both real-world work and certification exams.

The Analogy: Building Security

Section titled “The Analogy: Building Security”

Think of network security like physical building security:

  • A firewall is the locked door and security checkpoint at the entrance. It decides who can enter and who cannot based on predetermined rules (ID badges, visitor lists). It controls access.
  • An IDS is the security camera system. It watches everything happening inside the building and alerts security staff when it sees suspicious behaviour. It detects but does not intervene.
  • An IPS is an armed security guard watching the camera feeds in real time. When it sees an intruder, it physically intervenes — locking doors, triggering alarms, and blocking the threat. It detects and prevents.

Firewall Types

Section titled “Firewall Types”
Firewall typeHow it worksInspection depthUse case
Packet filteringExamines individual packet headers (source/destination IP, port, protocol)Layer 3-4 onlyBasic perimeter filtering, ACLs on routers
Stateful inspectionTracks connection state (SYN, ESTABLISHED, RELATED) and makes decisions based on connection contextLayer 3-4 with stateStandard network firewalls (iptables, Windows Firewall)
Proxy / application gatewayActs as an intermediary — terminates and re-establishes connectionsLayer 7 (full application)High-security environments, content filtering
Next-Generation Firewall (NGFW)Combines stateful inspection with deep packet inspection, application awareness, and integrated IPSLayer 3-7Modern enterprise networks (Palo Alto, Fortinet, Check Point)
Web Application Firewall (WAF)Inspects HTTP/HTTPS traffic specifically for web attacks (SQLi, XSS, CSRF)Layer 7 (HTTP only)Protecting web applications (AWS WAF, Cloudflare, ModSecurity)

IDS Types

Section titled “IDS Types”
IDS typeDeploymentWhat it monitorsExamples
NIDS (Network-based)Inline or on a network tap/span portAll network traffic passing through the segmentSnort, Suricata, Zeek (Bro)
HIDS (Host-based)Installed on individual hostsSystem logs, file integrity, process activity, registry changesOSSEC, Wazuh, Tripwire, AIDE

Detection Methods

Section titled “Detection Methods”
MethodHow it worksStrengthsWeaknesses
Signature-basedCompares traffic against a database of known attack patterns (signatures/rules)Fast, accurate for known threats, low false positive rateCannot detect zero-day attacks or novel techniques
Anomaly-basedBuilds a baseline of “normal” behaviour and alerts on deviationsCan detect unknown attacks and zero-day threatsHigher false positive rate, requires training period, baseline can drift
Heuristic / behaviouralAnalyses behaviour patterns rather than specific signatures (e.g., a host suddenly scanning many ports)Catches sophisticated attacks that match no signatureComplex to tune, can be computationally expensive

Step-by-Step: How IDS/IPS and Firewalls Work Together

Section titled “Step-by-Step: How IDS/IPS and Firewalls Work Together”

Understanding the architecture of layered network security is essential for both defensive operations and penetration testing.

Step 1: Perimeter Firewall — First Line of Defence

Section titled “Step 1: Perimeter Firewall — First Line of Defence”

The perimeter firewall sits at the network boundary and filters traffic based on rules. It blocks obviously malicious or unnecessary traffic before it reaches internal systems. Common configurations:

  • Block all inbound traffic by default; allow only specific ports (80, 443) to web servers
  • Allow outbound traffic for established connections
  • Drop packets from known malicious IP ranges
  • Enforce network segmentation between zones (DMZ, internal, management)

Step 2: IDS/IPS — Deep Inspection Layer

Section titled “Step 2: IDS/IPS — Deep Inspection Layer”

Traffic that passes the firewall is inspected by the IDS/IPS for malicious patterns:

  • NIDS inspects all traffic flowing through the network segment, comparing it against signature databases and anomaly baselines
  • IPS (inline mode) can drop malicious packets in real time before they reach the target
  • IDS (passive mode) generates alerts but does not block traffic — the SOC team investigates and responds

Step 3: WAF — Application-Specific Protection

Section titled “Step 3: WAF — Application-Specific Protection”

For web-facing applications, a WAF provides specialised protection:

  • Inspects HTTP/HTTPS requests for SQL injection, cross-site scripting, and other web attacks
  • Can block malicious requests based on OWASP Core Rule Set signatures
  • Provides virtual patching while developers fix underlying vulnerabilities

Step 4: Host-Based Security — Last Layer

Section titled “Step 4: Host-Based Security — Last Layer”

On individual hosts, HIDS and endpoint security provide the final defence layer:

  • File integrity monitoring detects unauthorised changes to critical system files
  • Host-based firewalls restrict which processes can make network connections
  • Endpoint Detection and Response (EDR) monitors process behaviour for signs of compromise

Defence-in-Depth Network Security

Section titled “Defence-in-Depth Network Security”

Visual Explanation

Section titled “Visual Explanation”

Defence-in-Depth: Network Security Layers

Multiple overlapping layers ensure that no single point of failure compromises the entire network

Perimeter Firewall
IP filtering, port control, stateful inspection
Network IDS/IPS
Snort, Suricata — signature and anomaly detection
Web Application Firewall
OWASP rules, SQLi/XSS blocking, virtual patching
Network Segmentation
VLANs, DMZ, zero-trust microsegmentation
Host-Based IDS + EDR
OSSEC, Wazuh, file integrity, process monitoring
Application Security
Input validation, parameterised queries, secure coding
Idle

IDS vs IPS — Detection vs Prevention

Section titled “IDS vs IPS — Detection vs Prevention”

Visual Explanation

Section titled “Visual Explanation”

IDS vs IPS

Intrusion Detection System (IDS)
  • Passive monitoringObserves traffic via tap or span port — does not sit inline
  • Alerts onlyGenerates alerts for the SOC team to investigate and respond manually
  • No impact on trafficCannot accidentally block legitimate traffic — zero risk of disruption
  • Requires human responseDetected threats continue until a human or automated playbook responds
VS
Intrusion Prevention System (IPS)
  • Inline deploymentSits directly in the traffic path — all packets pass through it
  • Blocks threats automaticallyDrops malicious packets in real time before they reach the target
  • Risk of false positivesMisconfigured rules can block legitimate traffic and cause outages
  • Requires careful tuningRules must be tested and refined to balance security and availability
Verdict: IDS is safer to deploy initially — it alerts without risk. IPS provides stronger protection but requires careful tuning to avoid blocking legitimate traffic.
Use case
Most organisations deploy both: IDS for visibility and alerting, IPS inline for known high-confidence threats. SOC analysts work with both daily.

What Does IDS/IPS Configuration Look Like in Practice?

Section titled “What Does IDS/IPS Configuration Look Like in Practice?”

The Snort 3 documentation provides a comprehensive rule-writing guide, and the Suricata documentation covers protocol-aware detection with support for HTTP, TLS, DNS, and over 20 other application-layer protocols.

These examples demonstrate how detection and prevention tools are configured in practice. Practise these in your home lab with Snort, Suricata, or iptables.

Snort Rule Syntax

Section titled “Snort Rule Syntax”

Snort rules follow a consistent structure. Understanding this syntax is essential for SOC analysts and is tested in CEH and Security+.

action protocol source_ip source_port -> dest_ip dest_port (options)
Terminal window
# Alert on any inbound ICMP (ping) traffic
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:1000001; rev:1;)


# Alert on SQL injection attempt in HTTP traffic
alert tcp any any -> $HOME_NET 80 (msg:"Possible SQL Injection - UNION SELECT";
  content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; within:20;
  sid:1000002; rev:1;)


# Alert on Nmap SYN scan pattern
alert tcp any any -> $HOME_NET any (msg:"Possible Nmap SYN Scan";
  flags:S; threshold:type both, track by_src, count 20, seconds 5;
  sid:1000003; rev:1;)


# Alert on SSH brute force attempt
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt";
  threshold:type threshold, track by_src, count 5, seconds 60;
  sid:1000004; rev:1;)

Suricata Rule Example

Section titled “Suricata Rule Example”

Suricata uses a similar syntax to Snort but adds advanced features like multi-threading and protocol-aware parsing.

Terminal window
# Detect HTTP request to known malware domain
alert http any any -> any any (msg:"Malware C2 Domain Detected";
  http.host; content:"malicious-domain.com";
  classtype:trojan-activity; sid:2000001; rev:1;)


# Detect TLS connection to suspicious certificate
alert tls any any -> any any (msg:"Suspicious TLS Certificate";
  tls.subject; content:"CN=evil.com";
  sid:2000002; rev:1;)

iptables Firewall Rules

Section titled “iptables Firewall Rules”
Terminal window
# Drop all incoming traffic by default
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT


# Allow established and related connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allow SSH from specific IP only
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.10 -j ACCEPT


# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT


# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT


# Log dropped packets for analysis
sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
sudo iptables -A INPUT -j DROP


# List current rules
sudo iptables -L -n -v

Evasion Techniques

Section titled “Evasion Techniques”

Understanding evasion helps defenders tune their detection systems. These techniques are covered in CEH v13 and used during authorised penetration tests.

Terminal window
# Fragmentation — split packets to evade signature matching
nmap -f 192.168.1.100              # Fragment packets into 8-byte chunks
nmap --mtu 16 192.168.1.100       # Custom fragment size


# Decoy scanning — hide your IP among decoy addresses
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.100


# Timing — slow scans to avoid threshold-based detection
nmap -T1 192.168.1.100            # Paranoid timing (very slow)
nmap -T2 192.168.1.100            # Polite timing


# Source port manipulation — use a trusted source port
nmap --source-port 53 192.168.1.100   # Appear as DNS traffic
nmap --source-port 80 192.168.1.100   # Appear as HTTP traffic


# Encoding payloads to bypass WAF
# URL encoding: ' OR 1=1 becomes %27%20OR%201%3D1
# Double encoding: %27 becomes %2527
# Case variation: UNION SELECT becomes uNiOn SeLeCt

The purpose of learning evasion is not to become an attacker — it is to understand what your detection systems miss and how to tune them. Every evasion technique you learn reveals a detection gap you can fix.

Trade-offs, Limitations, and Failure Modes

Section titled “Trade-offs, Limitations, and Failure Modes”

No single security technology is perfect. Understanding limitations helps you design effective layered defences.

FactorLimitationHow to handle it
Encrypted trafficSignature-based IDS cannot inspect encrypted payloads (TLS/SSL)Use TLS inspection proxies, monitor metadata (JA3/JA4 fingerprints), deploy host-based detection
False positivesAnomaly-based systems generate high volumes of false alerts, causing alert fatigueTune baselines regularly, use threat intelligence feeds, implement alert prioritisation
False negativesSignature-based systems miss zero-day attacks and novel techniquesLayer signature-based with anomaly-based detection; keep signature databases updated
Performance overheadInline IPS adds latency; deep packet inspection is CPU-intensiveRight-size hardware, use bypass mechanisms for failure scenarios, offload to dedicated appliances
Evasion techniquesFragmentation, encoding, and encryption can bypass detection rulesReassemble fragments before inspection, normalise encoding, use protocol-aware parsers
Maintenance burdenRules need constant updating, tuning, and review as the network changesAutomate rule updates, schedule regular tuning sessions, use managed rule sets

A common beginner mistake is deploying an IDS with default rules and assuming the network is protected. Default rules generate enormous numbers of alerts, most of which are false positives. Effective IDS deployment requires ongoing tuning — disabling rules that do not apply to your environment, adjusting thresholds, and creating custom rules for your specific assets and threats.

Entry-Level Interview Perspective

Section titled “Entry-Level Interview Perspective”

IDS, IPS, and firewall questions are standard in security interviews because these technologies are fundamental to every organisation’s security posture.

Q1: What is the difference between an IDS and an IPS?

Strong answer: “An IDS passively monitors traffic and generates alerts when it detects malicious activity, but it does not block traffic. It typically sits on a tap or span port. An IPS sits inline in the network path and can actively block or drop malicious traffic in real time. The trade-off is that an IDS has no risk of disrupting legitimate traffic, while an IPS provides stronger protection but can cause outages if rules are misconfigured. Most organisations deploy both — IDS for broad visibility and IPS inline for high-confidence threats.”

Q2: What is the difference between signature-based and anomaly-based detection?

Strong answer: “Signature-based detection compares traffic against a database of known attack patterns and is fast and accurate for known threats but cannot detect novel attacks. Anomaly-based detection builds a baseline of normal behaviour and alerts on deviations, so it can detect unknown attacks and zero-day threats, but it has a higher false positive rate and requires a learning period to establish the baseline. The strongest deployments use both methods together.”

Q3: How does a NIDS differ from a HIDS?

Strong answer: “A Network-based IDS monitors all traffic on a network segment using a tap or span port, giving visibility into what is flowing across the network. A Host-based IDS is installed on individual endpoints and monitors system logs, file integrity, process activity, and registry changes on that specific host. NIDS catches network-level attacks like port scans and exploitation attempts. HIDS catches host-level activity like unauthorised file modifications, privilege escalation, and malware execution. You need both for comprehensive coverage.”

Q4: An IDS is generating too many false positives. How would you address this?

Strong answer: “I would start by reviewing the most frequent alert types and determining which rules are generating noise. Rules that do not apply to our environment — like alerts for Windows attacks on a Linux-only network — should be disabled. For legitimate rules that are too sensitive, I would adjust thresholds and tune the detection parameters. I would also implement alert categorisation and prioritisation so that high-confidence alerts are investigated first. Finally, I would establish a regular tuning schedule rather than treating it as a one-time activity.”

Real-World Security Operations

Section titled “Real-World Security Operations”

IDS, IPS, and firewalls are the foundation of daily SOC operations. Understanding how they fit into the bigger picture is essential for anyone entering a security role.

Day-One SOC Scenarios

Section titled “Day-One SOC Scenarios”

As a new SOC analyst, you will work with these technologies from day one:

  • Alert triage. Your SIEM aggregates alerts from IDS, IPS, firewalls, and EDR. You investigate alerts, determine whether they are true positives or false positives, and escalate confirmed incidents. Most of your initial work will involve IDS alerts.
  • Firewall change requests. Teams request firewall rule changes to allow new services or block specific traffic. You review these requests against security policy before approving.
  • Rule tuning. Based on alert patterns, you propose rule adjustments — disabling irrelevant signatures, adjusting thresholds for noisy rules, and creating custom rules for newly identified threats.
  • Incident investigation. When a confirmed incident occurs, IDS logs, firewall logs, and packet captures become primary evidence. You trace the attack path through these logs to understand what happened.

Australian Context

Section titled “Australian Context”

The ASD Essential Eight specifically addresses network security through multiple controls. “Restrict administrative privileges” and “patch applications” reduce the attack surface that IDS/IPS must protect. “Application control” on endpoints complements host-based detection. The Essential Eight framework expects organisations to implement multiple overlapping controls — exactly the defence-in-depth approach covered on this page.

The ACSC Information Security Manual (ISM) includes specific controls for gateway security (firewalls), intrusion detection, and network monitoring. ISM controls ISM-1028 and ISM-1030 address the requirement for IDS/IPS deployment and monitoring in Australian government environments.

The Security of Critical Infrastructure Act 2018 (SOCI Act) requires critical infrastructure operators to maintain a “Critical Infrastructure Risk Management Program” that includes cybersecurity measures. Effective IDS/IPS deployment and monitoring is a practical requirement for compliance with these obligations.

For career changers targeting Australian SOC analyst roles, hands-on experience with Snort or Suricata and the ability to read and write basic rules is a strong differentiator. Many job descriptions specifically list IDS/IPS experience as a requirement.

Summary and Key Takeaways

Section titled “Summary and Key Takeaways”

IDS, IPS, and firewalls form the layered detection and prevention infrastructure that protects every modern network. Understanding how they work — and how they can be evaded — is essential knowledge for any cybersecurity professional.

  • Firewalls control access by filtering traffic based on rules (IP addresses, ports, protocols). Types range from basic packet filtering to Next-Generation Firewalls with deep packet inspection.
  • IDS detects threats passively by monitoring traffic and generating alerts. It provides visibility without risk of disrupting legitimate traffic.
  • IPS prevents threats actively by sitting inline and blocking malicious traffic in real time. It requires careful tuning to avoid false positive disruptions.
  • Signature-based detection catches known attacks quickly. Anomaly-based detection catches novel attacks but with more false positives. Use both together.
  • Evasion techniques like fragmentation, encoding, and timing manipulation reveal detection gaps. Understanding evasion makes you a better defender by showing you what to tune for.
  • Defence-in-depth is mandatory. No single technology catches everything. Layer perimeter firewalls, NIDS/NIPS, WAFs, host-based detection, and secure coding practices.
  • Australian compliance (ASD Essential Eight, ISM, SOCI Act) expects layered network security with ongoing monitoring and tuning.

Individual results vary. Career timelines, salary outcomes (source: BLS and CyberSeek, as of 2025), and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Section titled “Related”

Frequently Asked Questions

What is an intrusion detection system (IDS)?

An IDS is a security system that monitors network traffic or host activity for signs of malicious behaviour and policy violations. When it detects suspicious activity, it generates alerts for security analysts to investigate. It observes and reports but does not block threats — that is the role of an IPS.

What is the main difference between IDS and IPS?

An IDS passively monitors and alerts on suspicious traffic without blocking it. An IPS sits inline in the traffic path and can actively drop or block malicious packets in real time. IDS is safer to deploy because it cannot disrupt legitimate traffic, while IPS provides stronger protection but risks blocking legitimate traffic if misconfigured.

What is the difference between NIDS and HIDS?

NIDS (Network-based IDS) monitors traffic flowing across a network segment using a tap or span port. HIDS (Host-based IDS) is installed on individual endpoints and monitors system logs, file changes, and process activity on that specific host. NIDS provides network-wide visibility while HIDS provides deep host-level insight. Both are needed for comprehensive detection.

What is signature-based detection?

Signature-based detection compares network traffic or system activity against a database of known attack patterns called signatures or rules. It is fast and accurate for known threats with a low false positive rate, but it cannot detect zero-day attacks or novel techniques that have no matching signature in the database.

What is anomaly-based detection?

Anomaly-based detection builds a model of normal network or system behaviour during a training period, then alerts when it observes activity that deviates significantly from that baseline. It can detect unknown and zero-day attacks, but it typically has a higher false positive rate and requires careful tuning of the baseline.

What is Snort and how is it used?

Snort is an open-source network intrusion detection and prevention system. It analyses network traffic in real time, matching packets against a database of rules to detect attacks like port scans, buffer overflows, and web application attacks. It can run in IDS mode (alerting only) or IPS mode (inline blocking). Snort is widely used in production environments and is a standard tool in cybersecurity education.

What are IDS evasion techniques?

IDS evasion techniques are methods attackers use to avoid triggering detection rules. Common techniques include packet fragmentation (splitting payloads across multiple packets), payload encoding (URL encoding, hex encoding), timing manipulation (slow scans below threshold), protocol-level evasion, and encryption tunnelling. Defenders study these techniques to improve their detection rules.

What is a Next-Generation Firewall (NGFW)?

An NGFW combines traditional stateful firewall capabilities with deep packet inspection, application awareness, integrated IPS, and often threat intelligence feeds. Unlike basic firewalls that only inspect packet headers, NGFWs can identify and control specific applications regardless of port, inspect encrypted traffic, and block threats inline. Examples include Palo Alto, Fortinet FortiGate, and Check Point.

How do I practise IDS and firewall skills safely?

Set up a home lab with virtual machines running Snort or Suricata on a monitoring system and target machines to generate traffic. Use Security Onion, which bundles Suricata, Zeek, and other tools into a ready-to-use platform. Practise writing Snort rules, configuring iptables, and analysing alerts. TryHackMe and Hack The Box also offer IDS-focused labs and challenges.

Why do SOC analysts need to understand evasion techniques?

Understanding evasion techniques helps SOC analysts tune their detection systems to catch sophisticated attacks, not just basic script-kiddie scans. If you know that attackers use fragmentation to evade signature matching, you can ensure your IDS reassembles fragments before inspection. If you know that slow scans bypass threshold rules, you can adjust your thresholds. Every evasion technique learned reveals a detection gap to fix.

Related sections

Scanning Networks

Understanding port scanning and Nmap — the reconnaissance activity that IDS systems are designed to detect.

Explore Incident Response

What happens after IDS alerts confirm a security incident — containment, eradication, and recovery.

Explore Sniffing

Network traffic analysis and packet capture — the fundamentals that underpin how NIDS operates.

Explore

More resources

Snort Official Documentation

The definitive reference for Snort — rule syntax, configuration, preprocessors, and deployment modes from the Cisco Talos team.

Visit Suricata Documentation

Complete documentation for Suricata — the high-performance, multi-threaded IDS/IPS engine with protocol-aware detection.

Visit ACSC Essential Eight Maturity Model

The Australian Signals Directorate's Essential Eight framework — the baseline security controls expected in Australian organisations.

Visit

Technical content verified in March 2026 against Snort 3, Suricata 7, CompTIA Security+ SY0-701 exam objectives, CEH v13 syllabus, NIST SP 800-94 (Guide to IDS and IPS), and ACSC ISM controls.