An intrusion detection system (IDS) inspects packets against rule sets in much the same way a firewall does. Unlike a firewall, however, an IDS does not drop packets that violate its filtering rules; it generally takes an informational approach. Some common IDS responses to security violations include:
IDSs that take a more aggressive approach, such as shutting down the network connection or automatically generating an updated rule set, cross the line into intrusion prevention systems (IPS). That said, the boundaries between IDS, IPS, and firewall are shades of gray, and the functionality of all three is often bundled into the same appliance.
IDSs can also be classified by where they are deployed. The two main types are host-based (HIDS) and network-based (NIDS).
HIDSs reside on a single host and inspect only traffic bound for that host. NIDSs capture traffic across an entire network segment and identify threats traversing the network. Filtering rules for an IDS can be either signature-based or anomaly-based. Signature-based IDSs rely on a database of known attack signatures, which must be updated periodically. Anomaly-based IDSs compare current traffic to a known baseline and signal an incident when traffic exceeds typical parameters.
A problem facing all forms of IDS is avoiding false positives and false negatives. A false positive is an alert on traffic that is in fact benign. A false negative is a failure to identify traffic that is in fact a threat. An IDS is probably best placed behind one or more firewalls, which cuts down the volume of traffic that must be analyzed and reduces the number of false positives.
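The following is an added example, not code from the original article. It models the two detection modes described above (signature-based matching against a rule database and anomaly-based comparison against a per-source baseline) over a constructed window of packet records, in informational mode only, and then scores the signature pass against constructed ground truth to show one false positive and one false negative. All addresses, payloads, signatures and baseline counts are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str          # source address (constructed)
    payload: bytes    # application-layer bytes (constructed)

# Signature database (constructed for this example; real rule sets are far richer).
SIGNATURES = {
    "path-traversal": b"../../",
    "html-script-tag": b"<script>",
}

def signature_alerts(packets):
    """Informational IDS pass: report (index, rule) for every payload that
    matches a known signature. Nothing is dropped; the stream is untouched."""
    return [(i, name) for i, p in enumerate(packets)
            for name, pat in SIGNATURES.items() if pat in p.payload]

def anomaly_alerts(packets, baseline, factor=3):
    """Report sources whose packet count exceeds `factor` times their baseline.
    `baseline` maps a source to its typical count for this window (constructed)."""
    counts = Counter(p.src for p in packets)
    return sorted((src, n) for src, n in counts.items()
                  if n > factor * baseline.get(src, 1))

def false_positives_and_negatives(flagged, truly_malicious):
    """Compare flagged packet indices with ground truth.
    Returns (false_positives, false_negatives) as sorted index lists."""
    flagged, truly_malicious = set(flagged), set(truly_malicious)
    return sorted(flagged - truly_malicious), sorted(truly_malicious - flagged)

# Constructed traffic window: 0 and 1 are benign; 2 is a benign file-sync path
# that happens to contain "../../" (false positive); 3 matches a signature;
# 4 is a novel attack absent from the signature DB (false negative);
# 5-9 are a burst from one host that only the anomaly pass can notice.
PACKETS = [
    Packet("10.0.0.5", b"GET /index.html"),
    Packet("10.0.0.6", b"GET /about"),
    Packet("10.0.0.5", b"SYNC ../../shared/report.pdf"),
    Packet("10.0.0.7", b"GET /<script>alert(1)</script>"),
    Packet("10.0.0.8", b"GET /admin?cmd=NOVEL"),
] + [Packet("10.0.0.9", b"GET /login") for _ in range(5)]
BASELINE = {"10.0.0.5": 2, "10.0.0.6": 1, "10.0.0.7": 1, "10.0.0.8": 1, "10.0.0.9": 1}
TRULY_MALICIOUS = {3, 4}

def run():
    """Run both passes and score the signature pass against ground truth."""
    sig = signature_alerts(PACKETS)
    fp, fn = false_positives_and_negatives([i for i, _ in sig], TRULY_MALICIOUS)
    return {"signature": sig, "anomaly": anomaly_alerts(PACKETS, BASELINE),
            "false_positives": fp, "false_negatives": fn}
```

Updating the signature database would remove the false negative but not the false positive; tightening the anomaly threshold trades one kind of error for the other, which is the balance the paragraph above describes.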