You need to Span/Mirror the traffic from your distribution switch(es) to an ethernet card appropriate for the size of traffic you see, 0-100mbps 100mbps ethernet, 100-1000 gigabit. And then run Snort with all of the plugins to look for malicious traffic.

There aren't really network "virus" scanners so much as there are IDS detection programs which will detect the traffic signatures of the 'worm/malware' spreading software and alert you. As viruses are generally local host problems but the 'spreading' of them you CAN detect.

HTH.

-Drew

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of eric at austinconventioncenter.com
Sent: Tuesday, October 10, 2006 11:39 AM
To: centos at centos.org
Subject: [CentOS] antivirus sniffer/scanner for networks

Is anyone aware of a package that can detect viri on the network & possibly alert when there are?

Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, all of which, we have no control or say in that matter.

I am looking for something that I can run in promiscuous mode and/or on a span port that will sniff for viri and then alert/log when it sees a virus. We can then track down the culprits' ip/mac and shut off the switch port he/she is connected to and then visit with the guest to help them clean their machine.

Given the nature of our network and our guests' needs, an inline solution is not an option. Although, I recall that squid supports WCCP, I'm not sure that it would do what I am requesting. I also looked at snort+libclamav, but the info was inconclusive.

We are a CentOS shop and I have a spare dual xeon box that I can use for the task.

Thanks,
Eric
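An added example, not part of the thread: one way to turn the alerts from a Snort sensor on the span port into the list of guest hosts to track down, by flagging sources whose alerts fan out to several distinct destinations. It assumes Snort writes its one-line "fast" alert format; the function names, the `min_targets` threshold and the sample alerts are constructed for illustration.

```python
import re
from collections import defaultdict

# One-line Snort "fast" alert layout:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# Constructed sample alerts: local-range SIDs, made-up messages and addresses.
SAMPLE_ALERTS = """\
10/10-11:39:01.100001  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.20.3.17:1045 -> 10.20.8.4:1434
10/10-11:39:01.100450  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.20.3.17:1045 -> 10.20.8.5:1434
10/10-11:39:01.101200  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.20.3.17:1045 -> 10.20.9.77:1434
10/10-11:39:02.000310  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.20.3.17:1045 -> 10.20.8.4:1434
10/10-11:39:02.500000  [**] [1:1000002:1] LOCAL large ICMP packet [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.20.5.9 -> 10.20.1.1
10/10-11:39:03.040000  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.20.3.17:1045 -> 10.20.11.2:1434
this line is truncated or not an alert
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def suspect_hosts(log_text, min_targets=3):
    """Map source IP -> alert count, distinct targets and SIDs, keeping only
    sources that alerted against at least min_targets different destinations
    (spreading behaviour, as opposed to a single noisy connection)."""
    stats = defaultdict(lambda: {"alerts": 0, "targets": set(), "sids": set()})
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank, truncated or non-alert lines
        entry = stats[alert["src"]]
        entry["alerts"] += 1
        entry["targets"].add(alert["dst"])
        entry["sids"].add(int(alert["sid"]))
    return {
        src: {"alerts": e["alerts"], "targets": len(e["targets"]), "sids": sorted(e["sids"])}
        for src, e in stats.items() if len(e["targets"]) >= min_targets
    }

if __name__ == "__main__":
    for src, info in suspect_hosts(SAMPLE_ALERTS).items():
        print(src, info)
```

The source addresses it returns are the ones to look up in the DHCP leases and switch MAC tables to find the port to shut off.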