I was astonished when I first read this post from the Internet Storm Center. The post describes a setup of Snort running as a bridge and inspecting the traffic between the corporate network and the border router (fair enough).
Then, the following rule is given as an example of how to catch possible data exfiltration.
alert ip 192.168.1.0/24 any -> any any (msg:"Data Loss from inside the network"; content:"Company X - Confidential"; sid:1000001; rev:1;)
I am not an expert in security and you do not have to trust my words, but I think that deploying a device in front of the border router with this kind of signature is only going to catch the more naive users.
A skilled attacker will encode, encrypt or partition the data and 'act' like a normal user in order to bypass this kind of rule. Therefore, we are just getting a false sense of security.
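To make the evasion concrete, here is a small added example (my own illustration, not code from the ISC post or from Snort) that mimics what the rule's content option actually does, a case-sensitive byte substring test, and runs it against the same constructed document after each of the trivial transformations mentioned above. The document text, the XOR key and the 16-byte segment size are made up for the demonstration.

```python
from __future__ import annotations

import base64
import gzip

# The plaintext string the example rule keys on (content:"Company X - Confidential").
NEEDLE = b"Company X - Confidential"

# Constructed sample document standing in for a leaked file (not real data).
SAMPLE_DOC = (
    b"Company X - Confidential\n"
    b"Q3 pricing sheet\n"
    b"widget A: $10.00\n"
    b"widget B: $12.50\n"
    b"widget C: $15.00\n"
)


def content_match(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Mimic Snort's content option: a case-sensitive byte substring test on the payload."""
    return needle in payload


def split_into_packets(payload: bytes, size: int) -> list[bytes]:
    """Cut a payload into fixed-size chunks, the way TCP segmentation spreads a file over packets."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def xor_bytes(payload: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR with a repeating key. No security value, but the bytes no longer match."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def evasion_results() -> dict[str, bool]:
    """Return, per variant of the same document, whether the content rule would fire on it."""
    results: dict[str, bool] = {}
    # The naive user sends the file as-is: the rule fires.
    results["plaintext"] = content_match(SAMPLE_DOC)
    # Encoding: base64 output cannot even contain the space or the hyphen in the needle.
    results["base64"] = content_match(base64.b64encode(SAMPLE_DOC))
    # Compression: deflate emits Huffman-coded bits, not byte-aligned plaintext.
    results["gzip"] = content_match(gzip.compress(SAMPLE_DOC))
    # "Encryption" (even a toy one): every byte changes, so no substring survives.
    results["xor"] = content_match(xor_bytes(SAMPLE_DOC, b"k3y"))  # assumed key
    # Partitioning: with per-packet inspection and no stream reassembly, the 24-byte needle
    # never sits wholly inside any single 16-byte segment.
    segments = split_into_packets(SAMPLE_DOC, 16)
    results["split_16"] = any(content_match(seg) for seg in segments)
    # Only once the sensor reassembles the stream does the match come back.
    results["split_16_reassembled"] = content_match(b"".join(segments))
    return results


if __name__ == "__main__":
    for variant, fired in evasion_results().items():
        print(f"{variant:22s} rule fires: {fired}")
```

Only the untouched plaintext (and the reassembled stream) trips the rule; a single round of base64, gzip or a throwaway XOR key is enough to walk the same document past it, which is the whole point about who such a signature really catches. Real Snort deployments do reassemble TCP streams, so the split case alone is not an evasion there, but the encoding and encryption cases are.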
I think the only way to detect a skilled attacker is by knowing your network and applying the ideas explained in Richard Bejtlich's book, Extrusion Detection: Security Monitoring for Internal Intrusions.