How do intrusion detection systems work?
Intrusion detection systems are used to detect anomalies with the aim of catching hackers before they do real damage to your network. They can be either network- or host-based. A host-based intrusion detection system is installed on the client computer, while a network-based intrusion detection system resides on the network.
intrusion detection systems work by either looking for signatures of known attacks or deviations of normal activity. These deviations or anomalies are pushed up the stack and examined at the protocol and application layer. They can effectively detect things such as Xmas tree scans, DNS poisonings, and other malformed packets.
A good network based intrusion detection systems is SNORT. It is free and will run on Linux and Windows computers. One simple way to set it up is to span a port, and allow that port to capture all traffic that traverses that node of the network. Install SNORT on your OS of choice and connect it to that portion of the network with a "receive only" network cable. Once you configure your rules set, you will be ready to go!