Snort mailing list archives

No External Hits/Proxy Server Required?


From: Tim Rohrer <snort () metbymail com>
Date: Sun, 19 Oct 2003 06:45:45 -0700

Good Morning Folks,

I have a group of questions that likely stems from a misunderstanding of a simple requirement on my part. I am running SNORT with ACID on a small home network. I am interested in intrusion detection as I run a mail server and am giving consideration to installation of my own web server. I am also interested in monitoring internal traffic and will try to set up blocking of certain types of sites (for the kids). Most everything seems to work except that I do not get hits from external sites unless they specifically connect to my mail server. I have a cable modem and a Linksys router/firewall but I do not have a dedicated machine running as a firewall [wife would kill me if I got *another* computer : ) ]. Because I did not see any hits when I went to a porn site, I created a generic rule [alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Just a test"; classtype:misc-activity;)] to alert on any traffic as a test. The only traffic that seems to trigger this is traffic bound for the mail server. Am I missing the obvious about how SNORT should work? Do I have to set up a proxy server in order for SNORT to monitor traffic there? (I sort of think "yes", since established web connections would not be broadcast, would they?)

I welcome your thoughts or comments.  Thanks.

Tim
--
Tim Rohrer
tgrohrer () metbymail com
http://www.metbymail.com
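The situation described in the post, as an added example that is not part of the original thread: a small Python model of which frames actually reach the NIC of a host running Snort on a switched LAN (only frames addressed to that host's MAC, plus broadcasts) versus on a hub or a switch mirror/SPAN port (everything), with the poster's test rule matched against the frames the sensor can see. The addresses, MAC addresses, ports and frames are constructed for the illustration; the rule is written with `classtype`, which is the keyword Snort accepts, and a `sid` so it is a complete rule. The header parser handles only the subset of Snort rule-header syntax needed here ($VAR expansion, `!` negation, CIDR, `any`, single ports and `lo:hi` ranges).

```python
import ipaddress
import re

# Constructed values (assumptions, not from the thread): a /24 home LAN behind a
# NAT router, with Snort running on the mail server host.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
SENSOR_MAC = "00:11:22:33:44:10"   # NIC of the host running Snort (the mail server)
PC_MAC = "00:11:22:33:44:20"       # a kid's PC on the same switch
ROUTER_MAC = "00:11:22:33:44:01"   # LAN side of the Linksys router
BROADCAST = "ff:ff:ff:ff:ff:ff"

# The poster's test rule, with Snort's spelling of the keyword and a sid/rev added.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"Just a test"; classtype:misc-activity; sid:1000001; rev:1;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')


def parse_header(rule):
    """Split a rule header into action, proto, src, sport, direction, dst, dport."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    action, proto, src, sport, direction, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def resolve(token, vars_=VARS):
    """Expand $VAR references and fold '!' prefixes: '$EXTERNAL_NET' -> (True, '192.168.1.0/24')."""
    neg = False
    while True:
        if token.startswith("!"):
            neg = not neg
            token = token[1:]
        elif token.startswith("$"):
            token = vars_[token[1:]]
        else:
            return neg, token


def addr_matches(token, ip):
    neg, spec = resolve(token)
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != neg


def port_matches(token, port):
    neg, spec = resolve(token)
    if spec == "any":
        hit = True
    elif ":" in spec:                      # Snort range syntax lo:hi, either side optional
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def rule_matches(rule, pkt):
    """Does the rule header match this packet (5-tuple dict)?"""
    h = parse_header(rule)
    if h["proto"] != "any" and h["proto"] != pkt["proto"]:
        return False
    fwd = (addr_matches(h["src"], pkt["src"]) and port_matches(h["sport"], pkt["sport"])
           and addr_matches(h["dst"], pkt["dst"]) and port_matches(h["dport"], pkt["dport"]))
    if h["dir"] == "->" or fwd:
        return fwd
    # '<>' also matches the reverse direction
    return (addr_matches(h["src"], pkt["dst"]) and port_matches(h["sport"], pkt["dport"])
            and addr_matches(h["dst"], pkt["src"]) and port_matches(h["dport"], pkt["sport"]))


# Constructed frames as they would appear on the LAN (post-NAT, so LAN hosts carry private addresses).
FRAMES = [
    {"desc": "SMTP from Internet to the mail server", "proto": "tcp",
     "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 25, "dst_mac": SENSOR_MAC},
    {"desc": "HTTP reply from a web site to a LAN PC", "proto": "tcp",
     "src": "198.51.100.7", "sport": 80, "dst": "192.168.1.20", "dport": 51000, "dst_mac": PC_MAC},
    {"desc": "HTTP request from a LAN PC to a web site", "proto": "tcp",
     "src": "192.168.1.20", "sport": 51000, "dst": "198.51.100.7", "dport": 80, "dst_mac": ROUTER_MAC},
    {"desc": "DHCP broadcast from the router", "proto": "udp",
     "src": "192.168.1.1", "sport": 67, "dst": "255.255.255.255", "dport": 68, "dst_mac": BROADCAST},
]


def frames_delivered(frames, topology):
    """Frames that reach the sensor NIC (promiscuous mode assumed)."""
    if topology == "switch":          # a switch forwards unicast only to the owning port
        return [f for f in frames if f["dst_mac"] in (SENSOR_MAC, BROADCAST)]
    if topology in ("hub", "span"):   # a hub floods; a mirror port copies every frame
        return list(frames)
    raise ValueError("unknown topology: %r" % topology)


def alerts(rule, frames, topology):
    """Descriptions of the delivered frames the rule would alert on."""
    return [f["desc"] for f in frames_delivered(frames, topology) if rule_matches(rule, f)]


if __name__ == "__main__":
    for topo in ("switch", "span"):
        print("%-6s %s" % (topo, alerts(RULE, FRAMES, topo)))
```

On the switch the only external-to-internal frame the sensor ever receives is the one addressed to its own host, which is exactly the "only mail server traffic" symptom; on a hub or mirror port the web reply to the PC shows up too. The quick check on a real sensor is `tcpdump -n -i <iface> not host <sensor-ip>`: if that shows little beyond broadcasts, the NIC is not seeing the rest of the LAN, and no rule will change that. The usual remedies are a hub or a managed switch with a mirror/SPAN port feeding the sensor, or placing the sensor inline so the traffic traverses it (as the gateway, or as a proxy the clients are pointed at).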
