How can an IDS run on a port? Does it serve as an intermediary between the attacker (connection) and a process? If it runs on some random port "as a process", how can it then "see" all the other connections made to other ports?
An IDS system doesn't really run on just a port; it runs on a whole server, usually in front of all your computers before the switch or router.
So it would look like this:
WAN Connection --> Snort --> Router/Server ---> Switch
or something similar to that.
Snort or any other IDS listens on all ports and monitors all traffic for the rules you specify it to watch for.
So in other words, all the traffic must pass through one box which has the IDS system on it, before the internet traffic is branched off to the other computers, in order for the IDS to be used effectively.
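
The replies above describe an IDS that watches all traffic passing through it rather than accepting connections on one port. As an added illustration (not part of the original thread), this sketch decodes whole frames the way a sniffer would and applies content rules whatever the destination port; the rule names, addresses and sample frames are constructed for the demo, and the rules are not Snort syntax.

```python
import struct

# Hypothetical content rules for this demo (not Snort rule syntax).
RULES = {"passwd-path": b"/etc/passwd", "cmd-exe": b"cmd.exe"}

def build_frame(src_port, dst_port, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at 0)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp + payload

def inspect(frame):
    """Decode one raw frame; return (dst_port, matched rule names) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 6:
        return None                                   # bad header or not TCP
    tcp_off = 14 + ihl
    end = min(len(frame), 14 + struct.unpack("!H", frame[16:18])[0])
    if end < tcp_off + 20:
        return None                                   # truncated TCP header
    dst_port = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:end]           # drop link-layer padding
    return dst_port, sorted(n for n, pat in RULES.items() if pat in payload)

def scan(frames):
    """Return (dst_port, hits) for every frame that matched a rule."""
    results = [inspect(f) for f in frames]
    return [r for r in results if r and r[1]]

# Constructed sample traffic to three different destination ports.
SAMPLE_FRAMES = [
    build_frame(40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_frame(40001, 8080, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_frame(40002, 2222, b"run cmd.exe /c dir"),
]

if __name__ == "__main__":
    for port, hits in scan(SAMPLE_FRAMES):
        print(f"alert dst_port={port} rules={hits}")
```

On a live sensor the frames would come from a capture interface instead of `SAMPLE_FRAMES`; the inspection step is the same and never binds to any of the ports it reports on.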