there is a sort of IDS called "static". such IDS don't catch anomalies actually, but watching flow's normality so all other (than normal) traffic assumed to be anomalous.
check out SANS reading room...
- Re: deep packet inspection Daniel Carneiro
- Re: deep packet inspection Cedric Berger
- Re: deep packet inspection Laurent Cheylus
- Re: deep packet inspection Ed White
- Firewall in VLAN Traffic Jorge Severino Diaz
- Re: deep packet inspection Cedric Berger
- Re: deep packet inspection Ed White
- Re: deep packet inspection Cedric Berger
- Re[2]: deep packet inspection Max Laier
- Re: deep packet inspection Damien Miller
- Re[2]: deep packet inspection Alexey E. Suslikov
- Re[2]: deep packet inspection Alexey E. Suslikov
- Re: deep packet inspection Daniel Carneiro
