A
A NIDS monitors network traffic for attack signatures and anomalies and generates alerts. It is deployed out-of-band (via a TAP or SPAN port), so it is passive and can't block traffic.
NIDS: passive monitoring, generates alerts. NIPS: inline, blocks traffic. Snort and Suricata are popular open-source NIDS tools. Signature-based NIDS misses zero-days; anomaly-based NIDS has a high false-positive rate.