Intrusion Detection Systems
What is an Intrusion Detection System (IDS)?
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent. When the IDS looks for these patterns in network traffic via a promiscuous interface it is considered a Network-Based IDS. There are three forms of Host-Based IDS. Of the two main ones, the first examines the logs of the host looking for attack patterns (log-based); the second examines patterns in the network traffic reaching that host (stack-based; this is not done in promiscuous mode like the Network IDS). The third is a solution that combines both the log-based and the stack-based approach.
Network-Based IDS
Network-Based Intrusion Detection Systems (IDS) use raw network packets as the data source. The IDS typically uses a network adapter in promiscuous mode that listens to and analyses all traffic in real time as it travels across the network. A first-level filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This first-level filter helps performance and accuracy by allowing known non-malicious traffic to be filtered out. An example of this would be an event for a suspicious SNMP get that was generated by a known SNMP management station. Using filters, SNMP traffic from this machine could be excluded from the examined traffic. Caution must be taken when using filters, as traffic can be spoofed and misconfigurations can cause more traffic to be filtered than desired. At the attack recognition module, typically one of three methodologies is used for attack signatures: pattern-, frequency-, or anomaly-based detection. Once an attack is detected, a response module provides a variety of options to notify, alert, and take action in regard to the attack at hand.
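As an added illustration (not code from the original page), the following Python sketch follows the pipeline just described: a first-level filter that drops traffic from a known SNMP management station, an attack recognition module with one detector for each of the three methodologies (pattern, frequency, anomaly), and a response module that simply records alerts. The addresses, signature string, baseline and thresholds are all constructed sample values, not real rule content.

```python
"""Minimal network IDS pipeline: filter -> attack recognition -> response.
Added example; all hosts, payloads and thresholds are constructed samples."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set


@dataclass
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    payload: str


# First-level filter: SNMP traffic from a known management station is not
# passed to the attack recognition module. The rule is deliberately narrow
# (source AND protocol AND port) rather than "everything from this host":
# a source address can be spoofed, and an over-broad filter discards more
# traffic than intended.
KNOWN_SNMP_MANAGERS: Set[str] = {"10.0.0.5"}   # constructed sample address


def passes_first_level_filter(pkt: Packet) -> bool:
    """True if the packet should go on to the attack recognition module."""
    is_known_snmp = (pkt.src in KNOWN_SNMP_MANAGERS
                     and pkt.proto == "udp" and pkt.dport == 161)
    return not is_known_snmp


# Methodology 1: pattern-based. A constructed signature string, not a real rule.
PATTERN_SIGNATURES: Dict[str, str] = {"shell-metachar-in-payload": "; /bin/sh"}


def pattern_detect(pkt: Packet) -> List[str]:
    return [name for name, needle in PATTERN_SIGNATURES.items() if needle in pkt.payload]


# Methodology 2: frequency-based. More than `threshold` SNMP gets from one
# source inside a sliding window of `window` seconds raises an alert.
class FrequencyDetector:
    def __init__(self, threshold: int = 3, window: float = 10.0) -> None:
        self.threshold, self.window = threshold, window
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, pkt: Packet) -> List[str]:
        if not (pkt.proto == "udp" and pkt.dport == 161):
            return []
        q = self.seen[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            return [f"snmp-get-flood from {pkt.src}: {len(q)} in {self.window}s"]
        return []


# Methodology 3: anomaly-based. A destination port the source never used
# during the (constructed) baseline period is reported as anomalous.
class AnomalyDetector:
    def __init__(self, baseline: Dict[str, Set[int]]) -> None:
        self.baseline = baseline

    def observe(self, pkt: Packet) -> List[str]:
        usual = self.baseline.get(pkt.src)
        if usual is not None and pkt.dport not in usual:
            return [f"unusual-port {pkt.src} -> {pkt.dst}:{pkt.dport}"]
        return []


def run_ids(packets: List[Packet], freq: FrequencyDetector,
            anom: AnomalyDetector) -> List[str]:
    """Filter, recognise, respond. The response module here only records alerts."""
    alerts: List[str] = []
    for pkt in packets:
        if not passes_first_level_filter(pkt):
            continue
        for finding in pattern_detect(pkt) + freq.observe(pkt) + anom.observe(pkt):
            alerts.append(f"t={pkt.ts:.0f} {finding}")
    return alerts


# Constructed sample traffic.
SAMPLE = [
    Packet(0, "10.0.0.5", "10.0.0.20", "udp", 161, "GET sysDescr"),   # known manager: filtered
    Packet(1, "10.0.0.5", "10.0.0.21", "udp", 161, "GET sysDescr"),   # filtered
    Packet(2, "10.0.0.77", "10.0.0.20", "udp", 161, "GET sysDescr"),  # unknown source
    Packet(3, "10.0.0.77", "10.0.0.21", "udp", 161, "GET sysDescr"),
    Packet(4, "10.0.0.77", "10.0.0.22", "udp", 161, "GET sysDescr"),
    Packet(5, "10.0.0.77", "10.0.0.23", "udp", 161, "GET sysDescr"),  # 4th in 10 s: flood
    Packet(6, "10.0.0.9", "10.0.0.30", "tcp", 80, "GET /index.html"),
    Packet(7, "10.0.0.9", "10.0.0.30", "tcp", 80, "GET /x?a=; /bin/sh"),  # pattern hit
    Packet(8, "10.0.0.9", "10.0.0.30", "tcp", 23, "login"),           # port not in baseline
]
BASELINE = {"10.0.0.9": {80, 443}}   # constructed: ports this host normally uses


def demo() -> List[str]:
    return run_ids(SAMPLE, FrequencyDetector(), AnomalyDetector(BASELINE))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter deliberately keys on source, protocol and port together; keying on the source address alone would let any spoofed packet claiming that address bypass inspection, which is the caution the text raises.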
Host Based IDS
Host-Based Intrusion Detection actually started in the early 1980s, before networks were as prevalent, complex and interconnected as they are today. In the 1980s it was common practice to review audit logs for suspicious and security-relevant activity. Today's host-based IDS still use various audit logs, but they are much more automated, sophisticated, and real-time in their detection and responses. Host-based systems use software that continuously monitors system-specific logs. On Windows NT these include the system, application and security event logs, while on most flavours of Unix they include syslog and OS-specific log files. As soon as there is a change to any of these files, the host-based IDS compares the information with what is configured in the current security policy and then responds to the change accordingly. One method of host-based IDS is to monitor log activity in real time, while other solutions run processes that check the logs periodically for new information and changes. Because the IDS is monitoring these logs continuously or frequently, the detections and responses are considered to be in near real time. Some host-based IDS can also listen to port activity and alert when specific ports are accessed; this allows for some detection of network-type attacks.
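As an added example (not code from the original page), here is a host-based log checker of the periodic kind described above. It remembers how far into each log file it has read, so every run examines only the lines written since the last run, compares them against a small security policy, and tolerates two things a real log produces: a line that is only partly written when the check runs, and a log that has been rotated or truncated. The syslog-style lines, the rule regexes and the file name are constructed samples; the port-access rule assumes some other component on the host writes connection records into the same log.

```python
"""Periodic host-based log checker with offset tracking.
Added example; log lines, rules and paths are constructed samples."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

Alert = Tuple[str, str, str]   # (severity, rule name, offending log line)

# Security policy: constructed sample rules over syslog-style lines.
POLICY = [
    ("failed-root-login", re.compile(r"Failed password for root from (\S+)"), "high"),
    ("su-to-root", re.compile(r"su: .* to root on"), "medium"),
    # port-access rule: assumes a host component logs connections to specific ports
    ("sensitive-port-access", re.compile(r"connection from (\S+) to port (23|513)\b"), "medium"),
]


class LogChecker:
    def __init__(self) -> None:
        self.offsets: Dict[str, int] = {}   # bytes already examined, per log file

    def check(self, path: str) -> List[Alert]:
        start = self.offsets.get(path, 0)
        if os.path.getsize(path) < start:
            start = 0              # file shrank: rotated or truncated, re-read from the top
        with open(path, "rb") as f:
            f.seek(start)
            data = f.read()
        # Only consume complete lines; a trailing partial line is left for the
        # next run so a half-written record is never matched (or missed).
        cut = data.rfind(b"\n")
        if cut < 0:
            return []
        self.offsets[path] = start + cut + 1
        alerts: List[Alert] = []
        for line in data[:cut + 1].decode("utf-8", "replace").splitlines():
            for name, rx, severity in POLICY:
                if rx.search(line):
                    alerts.append((severity, name, line))
        return alerts


def demo() -> Tuple[List[Alert], List[Alert], List[Alert]]:
    """Three successive runs over a constructed auth log, including a partial write."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        checker = LogChecker()
        with open(path, "w") as f:
            f.write("Mar 10 10:00:01 host sshd[1]: Accepted password for alice from 10.0.0.8\n")
            f.write("Mar 10 10:00:05 host sshd[2]: Failed password for root from 10.0.0.77\n")
        first = checker.check(path)
        with open(path, "a") as f:
            f.write("Mar 10 10:01:00 host su: alice to root on /dev/pts/0\n")
            f.write("Mar 10 10:01:30 host portmon: connection from 10.0.0.77 to port 23\n")
            f.write("Mar 10 10:02:00 host sshd[3]: Failed pass")   # partial write in progress
        second = checker.check(path)
        with open(path, "a") as f:
            f.write("word for root from 10.0.0.78\n")                # the rest of that line
        third = checker.check(path)
        return first, second, third


if __name__ == "__main__":
    for run in demo():
        for severity, name, line in run:
            print(f"[{severity}] {name}: {line}")
```

Reading the file in binary and cutting at the last newline is what makes the partial-write case safe: a text-mode `for line in f` loop cannot report its position after an early exit, so the byte offset is computed from the data actually consumed instead.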
Call us for a detailed consultation on what is best suited for your network.
1 800-404-8560