Snort is a network-centric product. As an intrusion detection system, it can inspect traffic inline or offline,
and act passively or actively.
Snort mostly relies on a "known bad" or "suspected bad" approach, observing traffic for patterns that correspond to malicious or suspicious activity. When Snort detects such activity, it can alert (passive mode) or block (active mode). The first is an IDS; the second an IPS.