LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-10-2006, 10:39 AM   #1
egarnel
LQ Newbie
antivirus sniffer for networks


I manage a large network that has a lot of temporary users from all over. Does anyone know if there is an anti-virus solution that can sniff network traffic and alert when suspicious traffic passes? It would have to be able to monitor in promiscuous mode. An inline solution is not an option.

Thanks
 
Old 10-11-2006, 02:54 AM   #2
amsunaakage
LQ Newbie
The only way I know is to make a server-client network; if you will use Linux, go ahead.
As for me, I am still learning Linux, so I never worked on Linux as a server,
but I worked on Windows Server 2003, and Kerio WinRoute Firewall is good, a lot easier than ISA.
It shows you users' activity and you can do anything you want,
and I also used SoftPerfect Bandwidth Manager; it is so good and works well, so that you can control users who suck the bandwidth.


But if you will work with Linux I can't help you with that because I am still a newbie.
 
Old 10-11-2006, 04:45 AM   #3
Sertys
Member
It's just a matter of how much traffic you deal with. I suppose you can write a netfilter handler which puts connection (yes, conntrack) data to userspace, which thereby can be handled by any AV scanner (clamd, for example). But beware, you have to be watching tons of simultaneous data streams on the fly, which requires lots of computing power. If you've got like 50 users, a normal decent machine would be able to handle the task, but if it's a matter of 200 Mbit/s flowing around the interfaces, just forget it. The shit about connection scanning is you have to reassemble the connection before being able to scan anything. It's true decent AV scanning is about codestamping and Bayesian/heuristics, but AV scanners are not built to work on TCP streams yet. A single dirty hack is to set all stream data into a socket and open it as a filehandle, but that would be TOO SLOW.
A simple answer to the question of yours is: NO, there's just no solution which you can apt-get install networkavscanner and let it work.

P.S. Promiscuous mode is not the right thing here; the data should actually FLOW through the so-called AV scanner. Promiscuous will do the trick if your network is built out of hubs entirely.
 
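The point Sertys makes above (the stream has to be reassembled before anything can be scanned, and a scanner that looks at single packets will miss a payload split across segments) is shown below as an added example. It is not code from any of the posts or from ClamAV. The EICAR string is the standard AV test string and the `zINSTREAM` framing is the real protocol clamd speaks on its socket, but everything else (the frame parser, `FlowReassembler`, the `scan_stream` stand-in that only matches EICAR, `build_frame` and the constructed sample frames) is mine, and nothing here opens a socket, so it runs offline.

```python
"""Reassemble sniffed TCP streams before scanning (added example, not from the thread).

Frames arrive the way a promiscuous capture hands them over: raw Ethernet/IPv4/TCP,
possibly out of order or retransmitted. Each direction of a flow is reassembled by
sequence number and only the reassembled bytes go to the scanner. scan_stream() is a
stand-in for clamd that matches the EICAR test string; clamd_instream_frames() builds
the INSTREAM framing clamd expects but is never sent anywhere, so this runs offline.
"""
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# Standard EICAR test string: every AV engine detects it, and it is harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_frame(frame):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return (ip[12:16], sport, ip[16:20], dport), seq, payload


class FlowReassembler:
    """Per-direction TCP reassembly keyed on (src, sport, dst, dport)."""

    def __init__(self):
        self.segments = defaultdict(dict)  # flow_key -> {seq: payload}

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None or not parsed[2]:
            return
        key, seq, payload = parsed
        self.segments[key].setdefault(seq, payload)  # pure retransmit: keep the first copy

    def stream(self, key):
        """Contiguous bytes from the lowest seq; stops at the first hole (32-bit wrap ignored)."""
        out, expected = bytearray(), None
        for seq in sorted(self.segments[key]):
            data = self.segments[key][seq]
            expected = seq if expected is None else expected
            if seq > expected:
                break  # missing segment: scanning across a hole would give false negatives
            skip = expected - seq  # partial overlap with data already accepted
            if skip < len(data):
                out += data[skip:]
                expected = seq + len(data)
        return bytes(out)


def scan_stream(data):
    """Stand-in for handing the stream to clamd: True if the EICAR signature is present."""
    return EICAR in data


def clamd_instream_frames(data, chunk=4096):
    """Bytes clamd's INSTREAM command wants on its socket: 'zINSTREAM\\0', then
    big-endian 4-byte length + chunk pairs, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out += struct.pack("!I", len(part)) + part
    return bytes(out + struct.pack("!I", 0))


def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed sample frame for the demo; checksums are zero (not checked above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + tcp


def demo():
    """EICAR split over three segments, delivered out of order with one retransmit.
    Returns (reassembled bytes, hit on the reassembled stream, hit on any single segment)."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    parts = [EICAR[:20], EICAR[20:45], EICAR[45:]]
    seq0 = 1000
    frames = [
        build_frame(src, 40000, dst, 80, seq0 + 20, parts[1]),  # arrives before its predecessor
        build_frame(src, 40000, dst, 80, seq0, parts[0]),
        build_frame(src, 40000, dst, 80, seq0 + 20, parts[1]),  # retransmission
        build_frame(src, 40000, dst, 80, seq0 + 45, parts[2]),
    ]
    r = FlowReassembler()
    for f in frames:
        r.feed(f)
    data = r.stream((src, 40000, dst, 80))
    return data, scan_stream(data), any(scan_stream(p) for p in parts)


if __name__ == "__main__":
    data, whole, per_segment = demo()
    print(len(data), "bytes reassembled; detected on stream:", whole, "; on any single segment:", per_segment)
```

The per-segment result is the reason packet-level matching is not enough: no single segment contains the signature, only the reassembled stream does. The reassembler also stops at the first hole rather than skipping it, since bytes scanned across a gap can hide a signature the same way. On a switched network the machine running this still needs a mirror/SPAN port or a tap to see the traffic at all, which is what the P.S. above is getting at; promiscuous mode on a switch port only shows you your own conversations.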