What type of filtering do IDSs do?

Multiple Choice

What type of filtering do IDSs do?

Explanation:
Intrusion Detection Systems detect threats by looking at data across a sequence of packets, not just individual packets. This is packet stream analysis: the system reconstructs each connection’s data, reassembling the TCP streams and inspecting the payload over time to spot signatures or unusual patterns that only appear when you consider the broader context of the session. Many attacks are spread across multiple packets or depend on the order of messages, so analyzing the whole stream is essential to catch them.

Stateful Packet Inspection, the idea behind SPI filtering, is a firewall technique that tracks the state of connections and filters packets based on whether they fit an allowed state. While related systems can incorporate this, IDSs focus on content-based detection through stream analysis to identify malicious activity, rather than enforcing stateful rules per se.
