Overview architecture of IPS

In the following diagram, although we see that firewall allows the packet to travel further as it matches the rule, IPS checks the TCP data header to see the contents of the packet. The attacker is trying to send a buffer overflow exploit to the server. The packet traverses the firewall as the rule matches perfectly. 

It then reaches the IPS system, which analyzes the contents of the packet:

It then checks the list of associated signatures and finds that this code is a part of buffer overflow-based attacks. IPS then blocks the Packet Content and does not allow it to reach the Server.