Sort Runs - what do I do with it


randy82103
12-19-2003, 01:36 PM
I just got Snort running and now I don't know what the best use for it is, but I will give my scenario and see if anyone has advice.

I am using satellite internet, with a DHCP hub at the source; from there we hook up a Cisco 3600 with DHCP and NAT. Besides users from this router, there is another router hooked up, also using DHCP and NAT. (I know, but logistically it is a practical method.)

What will give me the greatest monitoring control, plugging into the middle router?

Thanks

randy82103
12-21-2003, 06:08 AM
One bump because I had spelled Snort wrong in the subject.

terets
12-21-2003, 09:45 PM
Your best place to put the Snort sensor is on the external hub. It should allow you to have the greatest ability to see what type of intrusions you have.

A logistical feature that I use with Snort is to place the Snort sensor on my firewall (I use iptables).

If your second router is a place of concern, put an additional sensor there as well.

Keep in mind this is only with hubs, not switches. If you're using Cisco switches, you'll need to set up a port mirror so that you can see all traffic flowing into your internal networks.

Here is a link that basically gives you some info on what it does and such. Be sure to Google, as there are a TON of ways to set up an IDS to optimize the ability to view what is going on within your network.

http://www.linuxfocus.org/English/May2003/article292.shtml
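
Added example, not part of the original thread: a way to check the hub-versus-switch caveat from the reply above by classifying `tcpdump -nn -t` output captured on the sensor. The sample captures, addresses, threshold and function names are constructed for illustration.

```python
import ipaddress
import re

# Matches IPv4 lines from `tcpdump -nn -t`: "IP src[.port] > dst[.port]: ..."
PKT = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def classify(lines, sensor_ip, local_net):
    """Count packets as own / flooded (broadcast, multicast) / foreign unicast."""
    sensor = ipaddress.ip_address(sensor_ip)
    net = ipaddress.ip_network(local_net)
    counts = {"own": 0, "flooded": 0, "foreign": 0}
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue  # ARP, IPv6 and anything else is not parsed here
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if sensor in (src, dst):
            counts["own"] += 1
        elif dst.is_multicast or dst in (net.broadcast_address, LIMITED_BROADCAST):
            counts["flooded"] += 1  # every switch port receives these anyway
        else:
            counts["foreign"] += 1  # unicast between two other hosts
    return counts

def sensor_sees_others(counts, min_foreign=3):
    # A switch may flood a few unknown-unicast frames, so require more than one.
    return counts["foreign"] >= min_foreign

# Constructed sample captures; the sensor is assumed to be 192.168.1.50.
ON_HUB = """\
IP 192.168.1.20.40112 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
IP 198.51.100.7.80 > 192.168.1.20.40112: Flags [S.], seq 9, ack 2, win 65535, length 0
IP 192.168.1.31.53122 > 203.0.113.9.53: 4242+ A? example.com. (29)
IP 192.168.1.50.22 > 192.168.1.20.50100: Flags [P.], seq 1:37, ack 1, win 501, length 36
IP 192.168.1.31.138 > 192.168.1.255.138: UDP, length 201
""".splitlines()
ON_SWITCH = """\
IP 192.168.1.50.22 > 192.168.1.20.50100: Flags [P.], seq 1:37, ack 1, win 501, length 36
IP 192.168.1.31.138 > 192.168.1.255.138: UDP, length 201
IP 192.168.1.1 > 224.0.0.1: igmp query v2
IP 192.168.1.20.40112 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("hub", ON_HUB), ("switch", ON_SWITCH)):
        c = classify(cap, "192.168.1.50", "192.168.1.0/24")
        print(name, c, "sees other hosts:", sensor_sees_others(c))
```

If the capture on the sensor shows almost nothing but its own traffic plus broadcast and multicast, the port is switched and not mirrored, and Snort on that port will miss traffic between other hosts.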