On Tue, 10 Oct 2006 10:38:58 -0500 (CDT) eric at austinconventioncenter.com wrote:

> Here is the scenario: Our network is utilized by guest users all
> the time, sometimes into the thousands. We see guests from all over
> with a variety of OSs & hardware, all of which, we have no control
> or say in that matter.
>
> I am looking for something that I can run in promiscuous mode
> and/or on a span port that will sniff for viri and then alert/log
> when it sees a virus.

I was faced with the same situation and I have gone a completely different route.

Every day, one of my customers has 'guests' in the various board rooms and meeting rooms. There is always somebody with viruses, spyware and then they call me to help them or to fix their laptops.

What I did is: change the network!

The firewall/gateway inside interface has 2 separate IP addresses in different classes:

* The company employees are in 10.0.0.0/16
* The visitors are in the 172.20.0.0/16

All employees' computers must have a registered MAC address. It's some work, but that's the only way to go, and yes it can scale to thousands of users. The DHCP servers will serve them an IP address in the 10.0/16 address space.

All computers with a non-registered MAC address will get an IP in the 172.20/16 address space. Their default gateway is the secondary IP address of the gateway.

I have VLANs and maxport in place on the switches to control how many people can connect to a physical port and what they can do on the network.

The only thing the non-registered users can access is the Internet, they cannot access any of the internal resources [including printers], and cannot infect or attack any of the internal network. If they want to print, they can supply us with a PDF file, and reception will print it for them [tried having an HP printer in one of the board rooms, but too many people did not have the correct driver.]

If you still want to run an antivirus at the layer 2 level, Cisco has ASA boxes that will do some antivirus. They do not have a full listing of all the viruses, but a select few hundred, the more recent/prevalent ones.

Hope this helps.

--
Thanks
http://www.sqlhacks.com
The SQL knowledge base
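
An added example, not part of the original message: a Python check that audits DHCP leases and flow records against the address plan described in the reply (registered MACs in 10.0.0.0/16, all others in 172.20.0.0/16, no visitor traffic into the employee range). The record formats, function names, MAC addresses and sample data are constructed assumptions.

```python
import ipaddress

# Address plan taken from the message; everything else below is constructed.
EMPLOYEE_NET = ipaddress.ip_network("10.0.0.0/16")
VISITOR_NET = ipaddress.ip_network("172.20.0.0/16")

def normalize_mac(mac):
    """Canonicalise aa-bb-.., aabb.ccdd.eeff and AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_leases(leases, registered):
    """Return (mac, ip, reason) for every lease that deviates from the plan."""
    known = {normalize_mac(m) for m in registered}
    findings = []
    for mac, ip in leases:
        mac, addr = normalize_mac(mac), ipaddress.ip_address(ip)
        if addr in EMPLOYEE_NET and mac not in known:
            findings.append((mac, ip, "unregistered MAC in employee range"))
        elif addr in VISITOR_NET and mac in known:
            findings.append((mac, ip, "registered MAC in visitor range"))
        elif addr not in EMPLOYEE_NET and addr not in VISITOR_NET:
            findings.append((mac, ip, "lease outside both ranges"))
    return findings

def audit_flows(flows):
    """Return (src, dst) flows that go from the visitor range to the employee range."""
    return [(s, d) for s, d in flows
            if ipaddress.ip_address(s) in VISITOR_NET
            and ipaddress.ip_address(d) in EMPLOYEE_NET]

# Constructed sample data (not from the message).
REGISTERED = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
LEASES = [
    ("0011.2233.4455", "10.0.1.20"),      # registered, employee range: ok
    ("00:AA:BB:CC:DD:01", "172.20.3.7"),  # guest, visitor range: ok
    ("00:aa:bb:cc:dd:02", "10.0.9.9"),    # guest in employee range
    ("00:11:22:33:44:66", "172.20.0.5"),  # registered laptop on visitor side
]
FLOWS = [("172.20.3.7", "203.0.113.10"), ("172.20.3.7", "10.0.0.10")]

if __name__ == "__main__":
    for finding in audit_leases(LEASES, REGISTERED):
        print("LEASE", *finding)
    for src, dst in audit_flows(FLOWS):
        print("FLOW ", src, "->", dst)
```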