Earlier IDSs were only involved in monitoring activity and analyzing log files. Today's reactive IDSs can respond to an attack in one of four ways:
Terminate the session by performing a Transmission Control Protocol (TCP) reset
Block or shun the traffic
Create session log files
To terminate an attack session, the IDS sends TCP packets with the reset bit set to both the source address of the attack and destination address of the target. To block offending traffic, the IDS instructs another managed device such as a firewall or router to add an entry to the relevant access control list to deny incoming traffic from the offending source address. Session log files can also capture the data transmitted from the source address of the attack. Finally, the IDS can block the attacker's access to the relevant realm or domain.
A router, switch, or firewall that is instructed by a sensor to perform blocking is called a managed device.