How Does an IDS Work?
NIDS in general, and Snort specifically, run on devices positioned to monitor as much of the network as possible: generally on or near a gateway device (as in the case of IPCop), or on a monitoring port on a switch (SPAN/mirror ports). The NIDS then puts the device's network card or cards into promiscuous mode, meaning they pass packets up through the network stack whether or not those packets are destined for the machine. This matters because a NIDS is usually monitoring machines other than itself. The NIDS on the host then takes these packets and examines the data payload (and sometimes the headers as well) to see if it notices anything malicious. This may sound like artificial intelligence, as if the NIDS just sits there thinking to itself about packets passing by; it's actually quite a lot simpler than that!
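To make the "have a look at the payload and headers" step concrete, here is an added example (not from IPCop or Snort) that decodes a raw Ethernet/IPv4/TCP frame the way a sniffer in promiscuous mode would receive it and matches it against two constructed signature rules. The rule format, addresses and payloads are all made up for the demonstration; a real NIDS reads frames from the interface rather than from `build_frame`.

```python
import struct

# Constructed signature rules (not Snort's own syntax): each matches on a TCP header
# field (destination port, or None for any port) and on a byte pattern in the payload.
RULES = [
    {"name": "HTTP directory traversal", "dport": 80, "content": b"../../"},
    {"name": "id check returned root", "dport": None, "content": b"uid=0(root)"},
]

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP headers; raise ValueError for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length in bytes
    if ip[9] != 6:                                        # protocol 6 = TCP
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length in bytes
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }

def inspect(frame):
    """Return the names of rules the frame triggers; non-IPv4/TCP frames trigger nothing."""
    try:
        pkt = parse_frame(frame)
    except ValueError:
        return []
    return [r["name"] for r in RULES
            if (r["dport"] is None or r["dport"] == pkt["dport"])
            and r["content"] in pkt["payload"]]

def build_frame(src, dst, sport, dport, payload):
    """Construct a test frame with zeroed MACs and checksums (enough for offline parsing)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    # Constructed sample traffic using TEST-NET addresses (RFC 5737).
    f = build_frame("192.0.2.10", "192.0.2.80", 40000, 80, b"GET /../../etc/passwd HTTP/1.0\r\n")
    print(inspect(f))  # ['HTTP directory traversal']
```

The port-scoped rule shows why header fields matter alongside payload content: the same byte pattern sent to a port the rule does not cover produces no alert.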
Every day, exploits, viruses, worms, spyware, and other malicious software generate network traffic, and this traffic...