[Snort-users] Concerning Cisco SPAN ports and Snort

Jarrod Manzer JManzer at ...641...
Mon Oct 23 20:17:28 EDT 2000


What would be the proper HOME_NET val if you're running off a SPAN port from a
Cisco device?

The layout is as such...

An OpenBSD 2.7 system with fxp2 directly connected to a 6509 SPAN port. The
IP for fxp2 is 0.0.0.0 with a netmask of 0xffffff00.

My thinking is that it should be var HOME_NET 0.0.0.0/32. Would this be
correct? There should be no traffic directed to the IDS itself, but I want
to examine all traffic on the link as a normal IDS would.


