You will need some type of intrusion detection/prevention system. SNORT is one that can help identify rogue traffic based on signatures and rules. For this system to properly work though, it will need to be on a TAP or mirrored port to see all traffic on the network. This will be a challenge in a distributed network. You may need a sensor at each distribution facility to detect traffic that just stays local to that DF.
In the IT trenches? So am I – read my IT-Trenches blog