I think an IDS, analytics is worth it, but if your system is sufficiently large then you may want to route such items through a Gigamon virtual device to be handled by other tools plugged into it.
The real question will be, if you do this, do you have a large enough SIEM to parse all the possible events and correlate them over all your networks? If your intent is to analyze traffic to determine what is false and what is not, then what is the tool you will be using to do this, and how does it fit into your network to give the best response time? If your response is too slow, then an event will have passed you by. Active Response is critical, but having the data to do so is more so.
If you do not have a tool, then design to what you desire, and then pick a tool that will work to your specifications.
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
ok thanks again