How can an IDS run on a port? Does it serve as an intermediary between the attacker (connection) and a process? If it runs on some random port "as a process", how can it then "see" all the other connections made to other ports?
An IDS system doesn't really run on just a port; it runs on a whole server, usually in front of all your computers, before the switch or router.
So it would look like this
WAN Connection --> Snort --> Router/Server ---> Switch
or something similar to that.
Snort or any other IDS listens on all ports and monitors all traffic for the rules you specify it to watch for.
So in other words, all the traffic must pass through one box which has the IDS system on it before the internet traffic is branched off to the other computers, in order for the IDS to be used effectively.
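To make the "listens on all ports" point concrete, here is a small added example (my own illustration, not code from the original post and not Snort's code). A network IDS never binds a socket to a port; it receives a copy of every frame on the wire and decodes the Ethernet/IPv4/TCP headers itself, so the destination port is just a field it reads before applying rules. The frames below are constructed test data with zeroed checksums, and the rule format is a deliberately simplified stand-in for Snort's `alert tcp any any -> any <port> (content:...)` syntax.

```python
"""Toy frame decoder plus Snort-style rule matcher (added example, not from the post).

It shows why a network IDS sees every port: it parses raw frames rather than
listening on a socket. All frames here are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for testing (checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType=IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))  # IHL=5, proto=6 (TCP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode just enough of Ethernet/IPv4/TCP to recover the 5-tuple and payload."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None                                      # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length
    if frame[14 + 9] != 6:
        return None                                      # not TCP
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4            # TCP header length
    return Packet(src, dst, sport, dport, frame[tcp_off + data_off:])


@dataclass
class Rule:
    sid: int
    msg: str
    dport: Optional[int]      # None means "any", like Snort's port wildcard
    content: bytes            # byte pattern that must appear in the payload


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return rule.content in pkt.payload


def inspect(frames: List[bytes], rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Run every rule over every frame; return (sid, msg, dport) for each hit."""
    alerts = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue                                     # non-IPv4/TCP frames are skipped
        for rule in rules:
            if matches(rule, pkt):
                alerts.append((rule.sid, rule.msg, pkt.dport))
    return alerts


# Constructed rules: one port-agnostic, one pinned to a port.
RULES = [
    Rule(1000001, "HTTP GET seen", None, b"GET /"),
    Rule(1000002, "Cleartext FTP login", 21, b"USER "),
]

# Constructed traffic: the same HTTP request on 80 and 8080, an FTP login,
# an SSH banner that matches nothing, and an ARP frame the decoder ignores.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40002, 8080, b"GET /admin HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 40003, 21, b"USER anonymous\r\n"),
    build_frame("10.0.0.5", "10.0.0.22", 40004, 22, b"SSH-2.0-OpenSSH\r\n"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 40,           # ARP, not IPv4
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FRAMES, RULES):
        print(alert)
```

Because the matcher reads the port out of the TCP header it has just decoded, the same `GET /` rule fires on port 80 and on port 8080 without the monitor having opened either port; that is the sense in which the IDS "listens on all ports". In a real deployment the frames come from libpcap on a span/mirror port or an inline bridge, as in the diagram above, rather than from a constructed list.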