I configured the client to sync with the server by putting only the server in /etc/of the client. ntpq shows that the state is INIT which - according to the docs - indicates that "The association has not yet synchronized for the first time". The problem was that the server itself was not able to synchronize with its upstream server. The solution was to change the server configuration like this: re-enabled the Debian pool servers instead of my single hard-coded server.

Having this information can let you know if you need to make some firewall changes or harden the OS on a particular server a bit more. You may see the term IPS for Intrusion Prevention Systems, which takes things one step further, having the IDS adjust the firewall when it discovers something.

If you're interested in monitoring traffic coming in from the Internet, given that most Internet (broadband) connections are less than 10 megabit, you can pick up an old 4-port 10-meg hub on eBay to tap into this link.
You need to either tap into the link you want to monitor using a hub, or you have to do port spanning on your switch. (Most cable/DSL routers have some limited firewall capabilities.) In this case, in order to determine the HOME_NET value (discussed below) you'd have to know the IP address that your router pulled from your ISP's DHCP server. The easiest way to find out what IP address your router pulled is to visit a Web site like that displays your "external" IP address when you visit the site.

BASE uses what's commonly referred to as a LAMP server (Linux, Apache, MySQL, PHP), so we'll need to install those applications as well. Because LAMP servers tend to attract hackers, we'll want to put the Snort box on an internal network, but this requires setting up your Snort box with two NICs.