Snort set up acting as an IDS
cheyenne1212: Where exactly do you have your Snort box? If you have it plugged into your router and your router has a built-in switch, it won't do you much good. Your IDS will need to be able to inspect ALL traffic going to and from the router.

In order to do this, you will need a hub. A hub will broadcast all traffic to all ports letting you inspect all traffic going to and from the router. The switch will only allow you to inspect traffic going to a specific MAC.

Here is how it'd have to be set up... I think*

modem to router
router to hub (so you can repeat all traffic to all ports)
hub to hosts

If you really want the extra bandwidth on your LAN you can do...

modem to router
router to hub
hub to switch but plug the IDS into the hub too
switch to hosts

You don't want your IDS on a switch, as it won't be able to inspect all the traffic (unless you have a programmable switch which you can make act like a hub) or... unless you are using something like ettercap which will flood your switch's ARP/MAC table, in turn making it act like a hub.

I think*** I might be wrong and it's getting late and I'm not thinking clearly... so can someone please confirm this?
At least... that's the way I've always understood it... but I'm still learning just like the rest of you.
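
A way to check the placement question raised above, as an added example that is not part of the original post: it classifies the Ethernet headers printed by `tcpdump -e -n` on the sensor's interface to show whether the sensor sees unicast traffic between other hosts. The function names, MAC addresses and capture lines are constructed for illustration.

```python
import re

# Link-level header as printed by `tcpdump -e -n`: "<src MAC> > <dst MAC>,"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(rf"({MAC}) > ({MAC}),", re.I)

def is_group_address(mac):
    # Broadcast/multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def visibility_report(lines, sensor_mac):
    """Count frames by what they say about the sensor's vantage point."""
    sensor_mac = sensor_mac.lower()
    report = {"own": 0, "flooded": 0, "foreign_unicast": 0, "unparsed": 0}
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            report["unparsed"] += 1
            continue
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group_address(dst):
            report["flooded"] += 1          # every switch port gets these
        elif sensor_mac in (src, dst):
            report["own"] += 1              # the sensor's own conversations
        else:
            report["foreign_unicast"] += 1  # only visible on a hub or mirror port
    # A switch can briefly flood unicast for a MAC it has not learned yet,
    # so judge by a sustained count rather than a single stray frame.
    report["sees_other_hosts"] = report["foreign_unicast"] > 0
    return report

# Constructed sample captures (all addresses are made up for illustration).
SENSOR_MAC = "02:00:00:00:00:05"
HUB_CAPTURE = [
    "12:00:00.000001 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51514 > 192.0.2.80.80: Flags [S]",
    "12:00:00.000900 02:00:00:00:00:01 > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 192.0.2.80.80 > 192.168.1.10.51514: Flags [S.]",
    "12:00:01.000000 02:00:00:00:00:0b > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.11",
    "12:00:02.000000 02:00:00:00:00:05 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 192.168.1.5 > 192.168.1.1: ICMP echo request",
]
SWITCH_CAPTURE = [
    "12:00:01.000000 02:00:00:00:00:0b > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.11",
    "12:00:02.000000 02:00:00:00:00:05 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 192.168.1.5 > 192.168.1.1: ICMP echo request",
    "12:00:02.000400 02:00:00:00:00:01 > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.5: ICMP echo reply",
]

if __name__ == "__main__":
    for name, cap in (("hub", HUB_CAPTURE), ("switch", SWITCH_CAPTURE)):
        print(name, visibility_report(cap, SENSOR_MAC))
```

If `foreign_unicast` stays at zero while other hosts are busy, the sensor is only seeing its own and flooded traffic, which is the switch-port situation described in the post.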