I have been using Snort for a little more than a year now and would like to upgrade things to better protect my expanding network. I currently have a range of public IP addresses running two servers on two separate IP addresses in my range.
I am running Snort on one of the servers. Both servers are connected to the modem's bridge, with currently no router in between, and should be seeing all network traffic. I have a router on a third IP that is the gateway to the "home" network and would like to protect this too. I have been reading up on the HOME_NET variable and IP range definitions, and it looks like if I specify the range with the CIDR mask, Snort should be monitoring the entire network range.
When I attempt to test this feature by running either a port scan or nikto against my servers, it will alert against the machine (IP) that is running Snort, but not the other IPs in the range.
I currently have HOME_NET set to my range (base network IP/mask) and EXTERNAL_NET set to !HOME_NET. Should Snort be picking up the IP range, and if so, what am I getting wrong in the configuration?