The invention discloses an intrusion detection system that combines software and hardware. The system comprises a network interface card, an FPGA, a ternary content addressable memory (TCAM) and a CPU, and the invention also provides an intrusion detection method based on this system. The FPGA parses the packets of the incoming network traffic and forwards the parsed packets to the TCAM. The TCAM performs primary rule matching on the packet content obtained in step S2; the matching result for any hit rule is returned to the FPGA, packets that hit a rule are distributed by hashing on their source and destination IP addresses, and each such packet is then sent to the CPU for secondary rule matching. Because matching uses the TCAM head and tail table entries, the CPU flow management module does not need to cache every packet of a flow: all packets of a flow are cached only when the head and tail table entries are hit, and otherwise only the current packet is cached. This greatly saves device memory, reduces the overhead of flow reassembly, and improves the overall processing performance of the device.
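A software simulation of the pipeline described above (TCAM head/tail matching, hash distribution by source/destination pair, and a CPU flow manager that caches a whole flow only between a head hit and a tail hit), added here as an illustration and not code from the patent. The rule patterns, IP addresses, packet payloads and two-CPU layout are constructed assumptions.

```python
import hashlib
# Constructed stand-ins for TCAM head/tail table entries and for one CPU-side rule.
TCAM_HEAD = b"BEGIN"      # head entry: marks the start of a flow worth reassembling
TCAM_TAIL = b"END"        # tail entry: marks the end of that flow
CPU_RULE = b"malware"     # secondary rule; its bytes may be split across packets
# Constructed sample traffic: the rule is split across two packets of the first flow.
SAMPLE = [("10.0.0.1", "10.0.0.2", b"BEGIN mal"), ("10.0.0.1", "10.0.0.2", b"ware END"),
          ("10.0.0.3", "10.0.0.4", b"hello"), ("10.0.0.5", "10.0.0.6", b"malware alone")]

def tcam_primary_match(payload: bytes) -> set:
    # Primary matching: which head/tail table entries hit this packet.
    return {n for n, p in (("head", TCAM_HEAD), ("tail", TCAM_TAIL)) if p in payload}

def hash_shunt(src: str, dst: str, n_cpus: int) -> int:
    # Hash distribution keyed on the source/destination pair: one flow, one CPU.
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_cpus

class CpuFlowManager:
    # Secondary matching; a whole flow is cached only between a head hit and a tail hit.
    def __init__(self):
        self.cache, self.alerts = {}, []   # flows being reassembled; (flow, kind) alerts

    def process(self, src, dst, payload, hits):
        key = (src, dst)
        if "head" in hits:
            self.cache[key] = [payload]            # start caching the entire flow
        elif key in self.cache:
            self.cache[key].append(payload)
        else:
            # No head/tail entry hit for this flow: only the current packet is examined.
            if CPU_RULE in payload:
                self.alerts.append((key, "single-packet"))
            return "single-packet"
        if "tail" in hits:
            stream = b"".join(self.cache.pop(key))  # reassemble, then release the cache
            if CPU_RULE in stream:
                self.alerts.append((key, "stream"))
            return "reassembled"
        return "caching"

def run_pipeline(packets, n_cpus=2):
    # Drive packets through the TCAM stage, the hash shunt and the per-CPU flow managers.
    cpus = [CpuFlowManager() for _ in range(n_cpus)]
    for src, dst, payload in packets:
        hits = tcam_primary_match(payload)
        cpus[hash_shunt(src, dst, n_cpus)].process(src, dst, payload, hits)
    alerts = sorted(a for c in cpus for a in c.alerts)
    still_cached = sum(len(v) for c in cpus for v in c.cache.values())
    return alerts, still_cached
```

Running `run_pipeline(SAMPLE)` shows the split rule is only detected once the head-to-tail flow is reassembled, while the flow with no head hit costs no cache memory at all.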