Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are designed to protect an organization from ongoing cyber threats.  However, not all of these systems work in the same way or have the same objectives.  Important distinctions between types of systems include:

  • Intrusion detection system (IDS) vs. intrusion prevention system (IPS)
  • Host-based vs. network-based systems
  • Signature-based vs. anomaly-based detection

Understanding the distinctions between these categories of intrusion prevention systems is important when evaluating different options and selecting the right fit for an organization.

Also consider a service like Clearnetwork’s 24/7 Managed SOC Service, which is a fully managed service with no software or hardware to manage with the security benefits of an IDS + more for a surprisingly affordable price. Another option is our Managed CrowdStrike EDR service, which brings you Gartner-leading CrowdStrike EDR managed by our US-based team of experts who respond to threats all for an affordable cost.

Intrusion Detection Systems (IDS) vs. Intrusion Prevention Systems (IPS)

The terms IDS and IPS describe the difference in how each technology responds to a detected threat.  Any IPS is also an IDS, but the reverse is not typically true.

An IDS, as the name suggests, is designed to detect an intrusion on the network.  This means that, if a potential cyberattack is detected, the system will raise an alert.  The system itself does nothing to try to prevent the attack, leaving that responsibility to a human analyst or other technology.

An IPS, on the other hand, actively works to prevent an attack from succeeding.  If an intrusion is detected, the IPS responds according to predefined rules.  Responses may include blocking incoming network traffic, killing a malicious process, quarantining a file, etc.

If an IPS is better at protecting the network against threats, why do IDS solutions still exist?  IPS has the advantage of a faster response to detected threats, but an IPS may also incorrectly identify a threat and take action against a legitimate user, process, connection, etc.  

IPS tools can also be more complex to install.  Because an IPS must be able to control packet flow, it is deployed inline, as a separate appliance, on a firewall, or on a network router, so that all network traffic passes through it.

Although it is the older technology, an IDS can be faster and easier to connect than an IPS.  IDS tools do not need to sit inline and intercept packets, so they can be connected anywhere on the network where they can receive copies of the traffic (for example from a tap or mirror port).  An IDS provides no active response, but it leaves the security team in control of how incident response proceeds and does not require as much tuning to be effective.

Host-Based vs. Network-Based Intrusion Detection/Prevention Systems

Intrusion detection and prevention systems can also be classified by what they protect.  IDS and IPS tools can be host-based, network-based, or both.

A host-based IDS or IPS protects a particular endpoint.  It may monitor the network traffic entering and leaving the device, processes running on the system, modifications to files, etc.

A network-based solution monitors traffic on the network as a whole.  These typically include a packet sniffer that collects packets from a network tap or by capturing wireless traffic.  The traffic is then analyzed for signs of malicious content and compared against the profiles of common attack types (such as scanning or a Distributed Denial of Service attack).

Signature-Based vs. Anomaly-Based Detection

IDS and IPS solutions identify potential threats based upon built-in rules and profiles.  These rules generally will be based upon signatures or anomalies.

A signature-based algorithm compares network activity against known attacks.  After a piece of malware or other malicious content has been identified and analyzed, unique features are extracted from it to create a fingerprint of that particular attack.  

Signature-based detection systems compare all traffic, files, activity, etc. to a database of signatures.  If a match is found, the IDS or IPS knows that the content is part of an attack.

Anomaly-based detection systems take a different approach to identifying malicious content.  Instead of fingerprinting known attacks, they build a model of “normal” behavior for a particular system.  Once that model is built, the tool looks for anything that does not match it (an anomaly).  If the model is well-trained, any anomalies should be attacks.

In practice, many Intrusion Detection and Prevention Systems combine signature and anomaly detection.  Anomaly-based detection can potentially catch zero-day threats, but it can suffer from high false positive rates because it alerts on anything anomalous.  Security teams could receive alerts from benign activities such as setting up a new web server or installing new software on a machine.

Signature-based detection strategies have very low false positive detection rates but can only detect known attacks.  Deploying solutions that adopt both strategies combines to make a more robust solution with better threat detection than with either approach in isolation.
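
To make the two strategies concrete, here is an added example in Python (not code from the original article) that runs a constructed set of web-server access-log events through both a signature matcher and a simple per-source request-rate baseline.  The fingerprint patterns, IP addresses and paths are constructed for illustration and are not taken from any real IDS rule set.  It shows the trade-off described above: the signature pass catches only the one request that matches a known pattern, while the anomaly pass flags both a noisy unknown scanner and a newly deployed, perfectly benign server that simply behaves differently from the baseline.

```python
"""Signature-based vs anomaly-based detection over constructed web-server
access-log events. Added example, not code from the original article."""
import math
import re
from collections import Counter

# Known-attack fingerprints, the way a signature database works. These are
# constructed illustration patterns, not rules taken from any real IDS.
SIGNATURES = {
    "sqli-comment": re.compile(r"'\s*(--|#)"),
    "sqli-union": re.compile(r"(?i)union\s+select"),
    "path-traversal": re.compile(r"\.\./"),
}


def _repeat(ip, path, n):
    return [(ip, path) for _ in range(n)]


# Constructed (source_ip, request_path) events for a "known good" training window.
BASELINE_WINDOW = (_repeat("10.0.0.5", "/index.html", 40)
                   + _repeat("10.0.0.6", "/about", 35)
                   + _repeat("10.0.0.8", "/api/status", 45))

# Constructed events for the window being monitored.
OBSERVED_WINDOW = (_repeat("10.0.0.5", "/index.html", 38)
                   + [("10.0.0.7", "/login?user=admin'--")]              # one known-bad request
                   + [("10.0.0.11", f"/probe/{i}") for i in range(200)]  # unknown, noisy scanner
                   + _repeat("10.0.0.20", "/healthz", 120))              # new server, benign


def signature_scan(events):
    """Return (ip, path, rule_name) for every event that matches a fingerprint."""
    hits = []
    for ip, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, path, name))
                break
    return hits


def build_baseline(events):
    """Model 'normal' as the mean and standard deviation of requests per source."""
    values = list(Counter(ip for ip, _ in events).values())
    mean = sum(values) / len(values)
    variance = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, math.sqrt(variance)


def anomaly_scan(events, baseline, k=3.0):
    """Flag sources whose request count exceeds mean + k * std of the baseline."""
    mean, std = baseline
    threshold = mean + k * std
    counts = Counter(ip for ip, _ in events)
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


def run():
    baseline = build_baseline(BASELINE_WINDOW)
    return {
        "signature": signature_scan(OBSERVED_WINDOW),        # exact, but only known attacks
        "anomaly": anomaly_scan(OBSERVED_WINDOW, baseline),  # catches the scanner and the new server
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(f"{kind}: {hits}")
```

The anomaly pass reports 10.0.0.20 alongside the scanner even though it is only a new health-check endpoint; retraining the baseline after the server is added, or adjusting `k`, is the tuning work the text says anomaly-based tools demand.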

The Best Intrusion Detection and Prevention System

Organizations can select from a variety of reasonably-priced and powerful IDS and IPS solutions that fit a variety of needs, from startups on a tight budget to global enterprises.  Some will be standalone solutions and others will be features added to other security products.

Our guide to selecting the best solution consists of:

  • Important Factors in Choosing an IDS or IPS Solution
  • Leading IDS and IPS Solutions
  • Comparing IDS and IPS Solutions

Important Factors in Choosing an IDS or IPS Solution

IDS or IPS?  Host-based or network-based?  Standalone or integrated?  The choice of what to use should be based upon an organization’s unique needs and resources.  Budget, staffing, IT environment, risk tolerance, and business strategies all play a role in determining what solution provides a good fit. 

It is also important to keep in mind that intrusion prevention system options are not always an “either/or” choice.  Achieving comprehensive threat detection and prevention may require deploying both a host-based and a network-based Intrusion Detection and Prevention System or running multiple network-level IDS systems side-by-side to take advantage of their different strengths.

Another important consideration is the organization’s ability to cope with the output of the solution.  IDS systems can be very inexpensive because they push the burden of responding to alerts off to the human talent on the security team.  

IPS solutions can absorb some of that burden because many types of alerts can simply be automatically handled by the tool.  However, IT security teams will still need to investigate and reverse potential false positives and investigate anomaly alerts that did not result in automated actions.  

Some solutions will be highly specialized for particular purposes such as wireless networks.  Other tools will be cloud-based and attempt to encompass enterprise-level environments consisting of multiple networks, cloud resources, etc.  The ‘right’ IDS or IPS will be the one that fits your IT and security needs right now and in the near future.

In a practical sense, many tools combine the features of both IDS and IPS with some calling themselves IDPS (IDS and IPS) solutions or Next Generation IPS (NGIPS) tools.  As the tools become more complex, we also must consider whether our organization needs outside experts to install and configure these devices properly for our environment.

Leading IDS and IPS Solutions (Unranked)

  • AIDE
  • BluVector Cortex
  • Check Point Quantum IPS
  • Cisco NGIPS
  • Fail2Ban
  • Fidelis Network
  • Hillstone Networks
  • Kismet
  • NSFOCUS
  • OpenWIPS-NG
  • OSSEC
  • Palo Alto Networks
  • Sagan
  • Samhain
  • Security Onion 
  • Semperis 
  • Snort
  • SolarWinds Security Event Manager (SEM) IDS/IPS
  • Suricata
  • Trellix (McAfee + FireEye)
  • Trend Micro
  • Vectra Cognito
  • Zeek (AKA: Bro)
  • Zscaler Cloud IPS

AIDE

The Advanced Intrusion Detection Environment (AIDE) is an open-source host-based intrusion detection system (HIDS) for Unix, Linux, and Mac OS.  This specialized tool focuses on the very important niche of checking file integrity, but does not offer any broader malware or attack detection.

Pros

  • Open source
  • Runs on MacOS and *nix systems
  • Verifies the integrity of files
  • Can target specific directories for monitoring or exclude certain files
  • Integrates with other tools

Cons

  • Needs to be obtained from commercial vendor (such as Red Hat) or through a consultant for support
  • Less frequent updates
  • Very specific niche (file integrity) does not detect many types of attacks
  • Only protects the device upon which it is installed
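
As an added illustration of what a file-integrity HIDS such as AIDE does (this is example code written for this article, not AIDE's own implementation), the following Python builds a baseline of SHA-256 digests, sizes and permission bits for a directory tree, supports an exclusion list for noisy paths such as logs, and reports files that were added, removed or changed on a later scan.  The directory contents and file names are constructed in a temporary directory for the demo.

```python
"""File-integrity monitoring in the style of a HIDS such as AIDE. Added
example for this article, not AIDE's own code."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, exclude=()):
    """Map each regular file under root (relative POSIX path) to (sha256, size, mode bits).

    Relative paths starting with any prefix in `exclude` are skipped, which is how
    noisy, expected-to-change locations such as log directories are left out."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in exclude):
            continue
        st = path.stat()
        baseline[rel] = (hash_file(path), st.st_size, st.st_mode & 0o777)
    return baseline


def compare(old, new):
    """Return (added, removed, changed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed scenario in a temporary directory: baseline, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "log").mkdir()
        (root / "bin" / "service").write_bytes(b"original binary")
        (root / "app.conf").write_text("PermitRootLogin no\n")
        (root / "log" / "app.log").write_text("routine noise\n")
        exclude = ("log/",)
        baseline = build_baseline(root, exclude)

        # Simulated changes after the baseline was taken.
        (root / "bin" / "service").write_bytes(b"replaced binary")  # same size, new content
        (root / "app.conf").unlink()                                 # deleted
        (root / "bin" / "extra").write_bytes(b"unexpected file")      # added
        (root / "log" / "app.log").write_text("more noise\n")        # excluded, not reported

        return compare(baseline, build_baseline(root, exclude))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

The replaced binary keeps its original size, so a size-only check would miss it; the digest is what catches it.  In a real deployment the baseline must be written somewhere the monitored host cannot modify (AIDE keeps a separate database file for this), because a baseline stored beside the files it protects can be rewritten by whoever changed those files.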

BluVector Cortex

Formerly known as Cortex and now owned by Comcast, BluVector’s advanced threat detection solution uses artificial intelligence (AI) to complement an existing security stack.  The AI detects fileless malware and zero-day threats and is designed to become more powerful the longer it sits in the environment.

Pros

  • On premise
  • Collects logs
  • Builds off of trusted Suricata and Zeek technology
  • Integrates with other tools
  • Open platform – data is easily available
  • Takes in data from multiple intel feeds and sandboxes
  • Proprietary machine learning algorithm adds to capabilities
  • Broad MITRE ATT&CK coverage, does not use signature technology
  • Built-in tuning assistant to reduce false positives easily

Cons

  • Requires local resources, not built to support the cloud
  • No published license costs makes it difficult to compare with other solutions

Check Point Quantum IPS

Check Point embeds their Quantum IPS into their next generation firewall (NGFW) solutions to scan packets passing through the device.  This device can replace a variety of other devices (firewalls, VPNs, etc.) and provides both IDS and IPS functionality.

Pros

  • Up to 15 Gbps integrated IPS performance
  • Detailed and customizable reports
  • Vulnerability detection for HTTP, POP, IMAP, SMTP, and more
  • Policies can be configured by vendor, product, protocol, file type, and threat year
  • Updates every two hours via a security gateway
  • Built-in antivirus, anti-bot and sandboxing
  • Blocks DNS tunneling, signature-less attacks, known CVEs.
  • Uses both signature and anomaly detection

Cons

  • Sold as hardware (secure gateway) only 
  • No support for off-site (cloud, remote) resources that are not rerouted through the gateway
  • Internal network traffic must be routed through the gateway for protection

Cisco NGIPS

Cisco markets their Secure IPS product as a next generation intrusion prevention system (NGIPS) with over 35,000 built-in IPS rules and broad capabilities for detecting and blocking anomalous traffic.  Secure IPS can be integrated with other Cisco devices or deployed as a stand-alone IPS.

Pros

  • Can deploy as hardware or in a virtual machine
  • Detect fileless threats
  • Embedded DNS, IP and URL security intelligence
  • Threat analysis and scoring
  • File sandboxing
  • Integrates Snort 3.0
  • Uses signature and anomaly detection

Cons

  • Some customers complain that the interface could be more user-friendly
  • SSL decrypt requires a lot of memory and CPU power
  • Pricing varies depending upon type of product, number of licensed years, and level of support.
  • More expensive solution

Fail2Ban

Fail2Ban is an open-source host-based IPS designed to detect and respond to suspicious or malicious IP addresses based upon monitoring of log files.  Analysts can combine “filters” (detection rules) with automated remediation actions to form a “jail”.

Pros

  • Open source and available for free
  • Runs on *nix and MacOS systems
  • Log file analysis to identify suspicious events (such as repeated failed login attempts)
  • Automatic blocking of suspicious/malicious IP addresses
  • Effective against brute force and denial of service (DoS) attacks
  • Blocked IP tables can be fed to firewalls and other security devices

Cons

  • Focuses on repeated malicious actions from a single IP address (can miss DDoS attacks)
  • Too tight a policy can ban legitimate users
  • No paid support available
  • No user-friendly GUI
  • Only blocks IP addresses, does not detect or block other types of attacks
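
The following Python is an added example (not Fail2Ban's own code) of the filter-plus-jail model described above, and also of the IDS-versus-IPS distinction from the start of the article: the same detection logic either bans the source (IPS behaviour) or only raises an alert (IDS behaviour) depending on `mode`.  The sshd log lines and IP addresses are constructed; the regex filter and the `maxretry`, `findtime` and `bantime` settings mirror the concepts Fail2Ban uses, but the `Jail` class and parameter names are this example's own.

```python
"""Fail2Ban-style filter + jail over constructed sshd log lines. Added example
for this article, not Fail2Ban's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Filter": a regex with a named host group, in the spirit of a Fail2Ban filter.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)"
)

# Constructed log lines (not from a real system). 198.51.100.7 hammers root;
# 192.0.2.10 is a legitimate user who mistypes a password now and then.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1000]: Failed password for root from 198.51.100.7 port 4000 ssh2
Mar 10 12:00:03 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Mar 10 12:00:05 host sshd[1002]: Accepted password for alice from 192.0.2.10 port 5000 ssh2
Mar 10 12:00:06 host sshd[1003]: Failed password for root from 198.51.100.7 port 4002 ssh2
Mar 10 12:00:08 host sshd[1004]: Failed password for bob from 192.0.2.10 port 5001 ssh2
Mar 10 12:00:09 host sshd[1005]: Failed password for root from 198.51.100.7 port 4003 ssh2
Mar 10 12:00:10 host sshd[1006]: Failed password for root from 198.51.100.7 port 4004 ssh2
Mar 10 12:20:00 host sshd[1007]: Failed password for bob from 192.0.2.10 port 5002 ssh2
Mar 10 12:20:01 host sshd[1008]: Failed password for bob from 192.0.2.10 port 5003 ssh2
"""


class Jail:
    """Counts filter matches per host inside a sliding findtime window and bans
    (mode="block", IPS behaviour) or only alerts (mode="alert", IDS behaviour)."""

    def __init__(self, filter_re, maxretry=3, findtime=600, bantime=3600, mode="block"):
        self.filter_re = filter_re
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.mode = mode
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.banned = {}                     # host -> ban expiry time
        self.actions = []                    # (action, host, time) audit trail

    def _expire_bans(self, now):
        for host, until in list(self.banned.items()):
            if until <= now:
                del self.banned[host]
                self.actions.append(("unban", host, now))

    def feed(self, line):
        """Process one log line; return the decision, or None if the filter does not match."""
        match = self.filter_re.match(line)
        if not match:
            return None
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # here because only the differences between timestamps matter.
        now = datetime.strptime(match.group("ts"), "%b %d %H:%M:%S")
        host = match.group("host")
        self._expire_bans(now)
        if host in self.banned:
            return "already-banned"
        recent = self.failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:
            recent.popleft()             # drop failures older than findtime
        if len(recent) < self.maxretry:
            return "counted"
        recent.clear()
        if self.mode == "block":
            self.banned[host] = now + self.bantime
            self.actions.append(("ban", host, now))
            return "ban"
        self.actions.append(("alert", host, now))
        return "alert"


def run_jail(log_text, **settings):
    """Feed every line through a fresh Jail; return it plus the non-None decisions."""
    jail = Jail(FAILED_LOGIN, **settings)
    decisions = [jail.feed(line) for line in log_text.splitlines()]
    return jail, [d for d in decisions if d is not None]


if __name__ == "__main__":
    jail, decisions = run_jail(SAMPLE_LOG)
    print(decisions)
    print("banned:", sorted(jail.banned))
```

With the defaults only the brute-forcing address is banned: bob's two failures at 12:20 fall outside the 10-minute window that held his earlier one.  Running the same log with `findtime=3600` bans bob's address as well, which is the "too tight a policy can ban legitimate users" problem from the cons list, and `mode="alert"` turns the same logic into a pure IDS that records the event and blocks nothing.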

Fidelis Network

Fidelis Cybersecurity’s Network IPS product analyzes network traffic to calculate the risk of all assets and communication in the network.  The tool integrates with other Fidelis tools that protect other assets such as endpoints, cloud applications, and containers.

Pros

  • Uses the MITRE ATT&CK knowledge base to identify and respond to threats
  • Can decrypt and analyze encrypted network traffic
  • Supports cloud and local network
  • Tracks shadow IT deployments
  • Integrates with other security solutions
  • Part of an extended detection and response (XDR) solution
  • Offers sandboxing capabilities
  • Identifies account takeover, insider threat and hacker activity
  • Built-in OCR scanner to scan image and PDF attachments for emails
  • 24/7 global phone and web support
  • 15-day free trial

Cons

  • Complex configuration requirements
  • More expensive solution

Hillstone Networks

Hillstone Networks offers high-speed dedicated appliances for network IPS and next generation firewalls.  Hillstone IPS hardware has been installed at over 20,000 customers since 2006, and the company offers a range of appliances to meet a flexible range of needs.

Pros

  • 13,000 signatures built-in, custom signatures, and anomaly detection 
  • Sandboxing capabilities for investigation
  • Detection capabilities from layer 3 to layer 7
  • Application aware
  • Options for anti-spam and URL-blocking
  • Cloud-based management of distributed devices

Cons

  • Appliance-only offerings
  • Appliances will need to be upgraded to accommodate growth
  • More expensive solution

Kismet

Kismet’s open-source solution sniffs wireless traffic and can act as a wardriving tool or a wireless IDS.  Kismet works with most Wi-Fi cards, Bluetooth devices and other hardware.

Pros

  • Open-source free solution 
  • Wireless network and device specialist
  • Supports Linux, OSX, and Windows 10 (limited)
  • Exposes unauthorized access points
  • Extended plugin support for web user interface and functionality enhancements

Cons

  • Can be slow to search networks
  • Limited Windows support
  • Limited customer support
  • Niche offering with limited capabilities to detect or block other attacks

NSFOCUS

The Santa Clara and Beijing-based NSFOCUS provides a next generation IPS solution with a throughput of up to 20 Gbps.

Pros

  • Response options include: block, pass-through, alert, quarantine, and capture
  • Secures against webshell, XSS, SQL injection and malicious URLs
  • 9,000+ threat signatures and advanced anomaly detection
  • Categories for IPS policies and complex password policies
  • Traffic analysis, bandwidth management and Netflow data on inbound and outbound traffic
  • Protects against a variety of distributed DoS (DDoS) attacks
  • Can integrate with threat feeds

Cons

  • Does not inspect SSL packets
  • Not many reviews available
  • Deployed mostly in Asia

OpenWIPS-NG

OpenWIPS-NG is an open-source wireless intrusion prevention system that can detect and block wireless network intrusions based upon a sensor.  The sensor forwards information to a server with an analysis engine that detects intrusion patterns to issue alerts or to take actions.

Pros

  • Highly flexible and free tool
  • Especially focused on wireless networks
  • Lightweight command-line interface

Cons

  • Runs only on Linux
  • Each installation only supports one sensor
  • Not beginner friendly or suitable for enterprise scale needs

OSSEC

OSSEC stands for open-source host-based security (despite the lack of an H in the acronym).  OSSEC and the more robust OSSEC+ protect hosts by analyzing system files for signs of malicious activity.  A commercial version has been released by Atomicorp.

Pros

  • Open source and free
  • Windows registry monitoring
  • MacOS privilege escalation detection
  • Monitors log file checksums to detect tampering
  • Widely used – over 500,000 annual downloads

Cons

  • Limited Windows support
  • Steep learning curve
  • Protection focused on system files and does not protect against other types of attack

Palo Alto Networks

Palo Alto Networks offers an IPS for large businesses looking for support that comes with a commercial solution.  Their network IPS starts at $9,509.50 and can be deployed as hardware, software (virtual machines or containers), as a cloud service, or integrated into next generation firewalls.

Pros

  • Constantly updated threat protection profiles
  • Blocks harmful sites
  • Multiple defensive layers combining signature and anomaly analysis
  • Blocks malformed packets, TCP reassembly, IP defragmentation, and C2 attacks
  • Can deploy Snort and Suricata rules
  • Cloud-native option
  • Integrates vulnerability protection, anti-malware, and anti-spyware detection
  • Can scan encrypted traffic

Cons

  • More expensive option
  • Lack of visibility into file analysis details
  • Users complain that some configurations have overly complex implementation steps
  • Some users complain about the level of support

Sagan

Sagan is a host-based open-source IPS that focuses on log analysis.  An unusual aspect of the software is that, while it can only be installed on Unix, Linux, or MacOS, it can accept log data from Windows or from network IDS tools such as Snort.  Sagan also integrates with firewalls to block IP addresses of detected external attackers.

Pros

  • Open source and free
  • Compatible with Snort, Snorby, BASE, and more.
  • Can ingest log files from Windows, Zeek and Suricata
  • Multiple third-party integrations
  • Lightweight, high performance, multi-threaded architecture
  • Real time log analysis
  • IP locator feature that shows the geographical location of an IP address

Cons

  • Difficult to install and properly configure
  • Steep learning curve (many features)

Samhain

Samhain Design Labs of Germany produces this free, host-based IDS, which can run on many hosts and feed a central monitoring repository.  Samhain is notable because it uses steganography to hide its presence on a host, which makes it likely that attackers will not be able to disable its monitoring.

Pros

  • Free
  • Runs on MacOS, Unix, and Linux systems
  • Looks for rootkit viruses, rogue user access rights, hidden processes
  • Checks log integrity
  • Lightweight and can obscure its presence to prevent disabling by attackers

Cons

  • Does not automatically block or remediate attacks
  • Outdated interface, difficult to use
  • Smaller community than more popular open-source tools
  • Open source free version does not come with support
  • Not available for Windows

Security Onion

Security Onion is a Linux IDS that can monitor both the host and the network.  The open-source solution incorporates aspects of Snort, Suricata, Zeek, and other popular open-source security tools behind a Kibana visualization dashboard.

Pros

  • Open-source Linux distribution
  • Integrates a number of popular IDS tools
  • Examines host log files and network traffic
  • Can perform live network traffic analysis and store packets to a file
  • Uses both signature and anomaly analysis

Cons

  • Many overlapping standalone tools
  • No action automation
  • Some interfaces are not user-friendly

Snort

Snort is probably the most well-known and popular IPS in existence.  Its extremely large fan base has led to its rule format being accepted as a widely-used standard, and many other IDS and IPS tools are built to be compatible with it.

Pros

  • Open source and free
  • Installs on Linux, Unix, or MacOS, but will support Windows analysis
  • Large library of pre-built detection rules
  • Sniffer, packet logger, intrusion detection
  • Both signature and anomaly analysis
  • Deep visibility into network traffic
  • Supported by Cisco
  • Base rules can be downloaded, advanced access to new rules available for a fee

Cons

  • Unstable updates
  • Reliant upon community support
  • Highly complex with a steep learning curve

SolarWinds SEM 

SolarWinds Security Event Manager (SEM) is a paid IPS and log analysis tool built off of Snort and designed for enterprise environments.  It is available as a subscription service for $2,525 and up, and lifetime licenses are available starting at $4,485.

Pros

  • Runs on Windows
  • Supports Windows, MacOS, Unix and Linux log files
  • Collects and analyzes network and host data
  • Integrates with Snort for network analysis
  • Over 700 built-in rules for event correlation
  • File integrity monitoring
  • User-friendly interface
  • Compliance reporting and forensic analysis functions
  • Alerts can be managed as rules with customizable response options
  • Can perform as a Security Intrusion and Event Management (SIEM) solution

Cons

  • Feature dense and takes time to navigate and install
  • A paid upgrade to a free tool (See: Snort) 
  • Requires some manual updates and upgrades can be difficult

Suricata

Suricata is designed to be an alternative to Snort.  It is compatible with Snort file formats, rules, etc. and is also a free option.  It includes features not available in Snort, such as network traffic analysis at the application level (which enables detection of malicious content spread over multiple packets).  Zeek’s creator also offers an appliance that combines Suricata and Zeek features.

Pros

  • Open source and free
  • Data collection at application layer
  • Can monitor multiple protocols such as TLS, HTTP, and SSL
  • Deep network traffic visibility
  • Integration with a number of third-party tools
  • Lua scripting support
  • User-friendly interface
  • Parallel processing with GPU support
  • Uses both signature and anomaly analysis

Cons

  • Smaller support community
  • Built-in scripting can be difficult to use
  • Processor-heavy

Trellix Network Security (McAfee + FireEye)

The details regarding the Trellix network security product may change in the near future since the company’s extended detection and response (XDR) platform is being created based upon McAfee’s Network Security Platform (NSP) and FireEye’s network security products.  A series of mergers of the companies, the brands, and the technologies took place in July 2021, but the original products can still be found on the individual company websites.

Pros

  • Protection against bots, Distributed Denial of Service (DDoS), ransomware, and many other attacks
  • Blocks harmful sites and downloads
  • Protects cloud and on-prem devices
  • FireEye’s IPS was deployed as part of the network security and forensics solution
  • FireEye’s technology focused on anomaly detection, McAfee focused on signature detection
  • Run on physical or virtual appliances
  • Sandboxing capabilities
  • Detect and block malware, phishing, exploits, command and control (C2) callbacks, and botnets.

Cons

  • False positives for harmful site detection
  • Negatively impacts network performance
  • Pricing will be confusing until older products discontinued

Trend Micro (IPS) 

Trend Micro’s IPS solution is available as a physical or a virtual appliance to be deployed inline on local networks, private clouds, or public clouds.

Pros

  • Incorporates Trend Micro’s antivirus signatures as well as machine learning.
  • Sandbox capability for investigation
  • Deploys with rules and security policies to block current and previous threats
  • Uses deep packet inspection, malware analysis, URL reputation, and threat reputation
  • Applies both signature and anomaly analysis
  • Scans inbound, outbound, and lateral traffic

Cons

  • Does not yet integrate with other IPS or Trend Micro products (DBI, IWSVA, etc.)
  • Automatic application of rules can disrupt business processes
  • More expensive option

Vectra Cognito

Vectra’s Cognito IPS platform applies AI to analyze traffic from public cloud sources, Software-as-a-Service (SaaS) applications, user identity information, networks, and EDR to detect and block malicious attacks.

Pros

  • Delivers results in the well-known Zeek format
  • Integrates with a variety of security tools
  • Will pull data from a variety of endpoints 
  • Offers strong cloud and container (Kerberos) support
  • Primarily uses anomaly detection

Cons

  • More expensive option
  • Does not have flexible geographic location for processing data
  • Uses a proprietary logging format
  • Can generate many false positives if misconfigured or not tuned well

Zeek (AKA: Bro)

Zeek, formerly known as Bro, is an extremely powerful network-focused IDS.  Zeek’s built-in scripting support enables a great deal of customization and customized automated responses to identified threats.  Zeek’s creator offers pre-packaged physical or virtual Zeek appliances as Corelight with user-friendly GUIs, scripts, and extra support.

Pros

  • Open source Zeek is available at no cost
  • Runs on MacOS and *nix systems
  • Deep visibility into network traffic
  • Integrated traffic logging
  • Tasks enable customized automation
  • Monitor SNMP traffic and track FTP, DNS, and HTTP activity
  • Runs analysis at the application layer for broader analysis
  • Applies both signature and anomaly detection

Cons

  • Steep learning curve, requires deep SIEM and IDS knowledge
  • Open source free version does not come with support
  • Not available for Windows

Zscaler Cloud IPS

Zscaler’s IPS solution captures all traffic, whether the user is working on-site or remotely and connecting to local data or cloud SaaS resources.

Pros

  • Supports all types of resources: local data, cloud data, SaaS apps
  • Scalable metered solution that grows or shrinks as needed
  • Can decrypt SSL traffic
  • Unlimited capacity
  • No hardware to buy or software to manage
  • Security teams can dig into IPS alerts and access the Zscaler threat library for more details.
  • Supports iOS, macOS, Android, Windows, some Linux.
  • Supports mobile devices

Cons

  • Offered only as a SaaS license
  • May not support all OS
  • Can add latency to network performance
  • Global installation and custom app alignment can be difficult and time consuming

Comparing IDS and IPS Options

Not every Intrusion Detection and Prevention System is created equal.  With many different types of systems (IDS vs. IPS, host-based (HIDS) vs. network-based (NIDS), signature vs. anomaly detection), it is important to understand the purpose that a particular system is designed to fulfill and how it does its job.

| Product | IDS/IPS and Host/Network | Supported Platforms | Detection | Price |
|---|---|---|---|---|
| AIDE | IDS, Host | Unix, Linux, and Mac OS | File integrity check (only) | Free* |
| BluVector | IDS, Network | Not specified | Broad threat detection | Not available |
| Check Point Quantum IPS | IDS, IPS, Network | Appliance | Broad threat detection | $1,500+ / year |
| Cisco NGIPS | IPS, Network | Appliance, VMware | Broad threat detection | $1,280+ / year |
| Fail2Ban | IDS, IPS, Host | Unix, Linux, and Mac OS | Detects potentially malicious IP addresses | Free |
| Fidelis Network | IDS, IPS, Network | Not specified | Broad threat detection | $78,000+ / year based on GB bandwidth and days of storage |
| Hillstone Networks | IDS, IPS, Network | Appliance | Broad threat detection | Perpetual license based on users and functionality |
| Kismet | IDS, Network | Linux, OSX, Windows 10 (limited) | Wireless IDS only | Free |
| NSFOCUS | IDS, IPS, Network | Not specified | Broad threat detection | Not available |
| OpenWIPS-NG | IDS, IPS, Network | Linux | Wireless networks | Free |
| OSSEC | IDS, IPS, Host | Unix, Linux, MacOS, Windows | System file monitoring | Free* |
| Palo Alto Networks | IDS, IPS, Network | Appliance, Container, VM | Broad threat detection | $9,509.50+ |
| Sagan | IDS, IPS, Host | Unix, Linux, MacOS | Log file analysis, IP blocking | Free |
| Samhain | IDS, Host | Linux, Unix, MacOS | File integrity checking, log file analysis, rootkit detection | Free |
| Security Onion | IDS, Network, Host | Linux only | Broad threat detection | Free* |
| Snort | IDS, IPS, Network | Linux, Unix, MacOS | Broad threat detection | Free, $399+ for rules subscription |
| SolarWinds SEM | IDS, IPS, Network, Host | Windows, Linux, Unix, MacOS | Broad threat detection | $2,525+ |
| Suricata | IDS, IPS, Network | Windows, Linux, Unix, MacOS | Broad threat detection | Free |
| Trellix (McAfee + FireEye) | IDS, IPS, Network | Appliance or software | Broad threat detection | $10,995+ |
| Trend Micro | IDS, IPS, Network | Appliance or software | Broad threat detection | Not available |
| Vectra Cognito | IDS, IPS, Network, Cloud | Appliance or software | Broad threat detection | $10,000+, based on IP addresses |
| Zeek (AKA: Bro) | IDS, Network | Windows, Linux, Unix, MacOS | Broad threat detection | Free* |
| Zscaler Cloud IPS | IDS, IPS, Network, Cloud | Windows, MacOS, some Linux, Android, iOS | Broad threat detection | Offers different levels: Business, Transformation, ELA |

*Support or preloaded appliances available from 3rd party vendors for a fee