IDS mailing list archives

snort - problems


From: Rishi Pande <rpande () vt edu>
Date: Wed, 6 Aug 2003 10:52:55 -0400

Hello,
I am new to security and IDS in general. After doing some research we
decided to use Snort [with HenWen (Mac OS X GUI)] on our network. I am
currently facing two problems.

1) I was led to believe that Snort can run on one machine and monitor
specific IPs, which I would like to because not all machines on our
subnet are part of our office nor are they serially assigned. However,
Snort is monitoring only the machine that it is installed on. Am I
missing something here or do I need another product?

2) Last night I had a bunch of alerts pop up which said
"ATTACK-RESPONSES id check returned root"; content: "uid=0(root)".
Snort's signature database said this was an indication of an attacker
gaining super user access to the system and that there are no known
false positives. The alert also mentioned that the source for the
attacks was port 80 on IPs belonging to websites I had open (Snort and
SANS). I ran netstat to check if the ports they were connecting to had
established a connection but none of the ports mentioned showed any
connections. I also nmapped the machine and it showed only the expected
ports to be open.

Any help in both regards would be appreciated. Thanks for your time.
                                                                Sincerely,
                                                                Rishi
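An added example, not from the post and not Snort's own code: it emulates the plain substring match behind the quoted content "uid=0(root)" to show that an HTTP response from a web server on port 80 whose page merely contains that string (say, a page documenting the rule) matches exactly like real `id` output would, and it applies a triage label an analyst can use when reviewing such alerts. The payloads are constructed samples and the function names are my own.

```python
# Byte pattern equivalent to the content match quoted in the alert.
# Snort's content keyword is a substring search over the packet payload,
# so it does not know whether the bytes are a web page or shell output.
ROOT_ID_PATTERN = b"uid=0(root)"

# Constructed sample 1: an HTTP response from a web server (source port 80)
# serving a page that documents this very signature, so the HTML body
# contains the literal string.
HTTP_DOC_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>ATTACK-RESPONSES id check returned root</h1>"
    b"<p>This rule fires when the output of id contains uid=0(root).</p>"
    b"</body></html>"
)

# Constructed sample 2: what the id command prints back over an
# interactive shell session, i.e. the case the signature was written for.
SHELL_OUTPUT = b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n$ "


def content_match(payload: bytes) -> bool:
    """Emulate the Snort content keyword: true if the bytes occur anywhere."""
    return ROOT_ID_PATTERN in payload


def is_http_response(payload: bytes) -> bool:
    """Cheap check that the payload starts with an HTTP status line."""
    return payload.startswith(b"HTTP/1.")


def triage(src_port: int, payload: bytes) -> str:
    """Label an alert on this signature for analyst review.

    A hit inside an HTTP response coming from a web server's port 80 is
    usually a page that simply contains the string. The label is a
    review hint only, not a suppression: a listener on port 80 can also
    be an interactive shell, so the packet still deserves a look.
    """
    if not content_match(payload):
        return "no-match"
    if src_port == 80 and is_http_response(payload):
        return "probable-false-positive"
    return "investigate"
```

Both constructed payloads satisfy content_match, which is exactly why browsing Snort or SANS pages about this rule produces the alerts; only the triage step separates them.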



