I am thinking about deploying an IP audit machine to check on trends/
abnormal traffic behavior on our network. I want to get a feel for how
it works and what I can learn from the information it gathers. My
questions are:

1. If you were only going to set up one machine, and you wanted to be
able to spot potentially dangerous activity, where would you put it?
In your LAN or DMZ?

2. Is running SNORT on the same machine a good idea as well? The
reason I ask is SNORT normally ends up making me climb up trees I don't
need to climb. If I can get a good pulse of what the network should do
and does, I think I will have more time to get other things done and
not climb so many trees.

Thanks for any advice you can give,