Since the Snort sensor can only alert on what it sees, the placement of the sensor is very important. In many networks, putting the sensor in the wrong spot can cause you to miss an entire network's traffic. Figure 6-1 illustrates this in a simplistic example. If you place the Snort sensor at point A, you will be able to see all traffic between the internal network and the Internet. You will not be able to see the traffic between your DMZ (containing a web server and mail server) and the Internet. In this case, an attack on your web server would go unnoticed.
Figure 6-1. The importance of sensor placement
If you put the sensor at point B, you will see all traffic between the systems in your DMZ and the Internet. In this case, you will not see the traffic between the internal network and the Internet. Please note that this might be desirable. Perhaps you have a sensor dedicated to the DMZ with a tuned set of rules and preprocessors specifically for those servers. You might have another sensor located at point A that watches that traffic that is tuned appropriately.
Locating a sensor at point C will allow you to see all traffic traveling to and from both networks (DMZ and internal) and the Internet. Putting the sensor at point C still leaves a potential blind spot: traffic between the DMZ and the internal network will not be watched.
As you can see, connecting your sensor ...