[Snort-users] Concerning Cisco SPAN ports and Snort

Martin Roesch roesch at ...421...
Tue Oct 24 18:28:17 EDT 2000


Run Snort with the network address of the network being monitored.  If you go
for 0.0.0.0/32, that's equivalent to "any", which means that all
directionality in the Snort rules will be dropped.

     -Marty

Jarrod Manzer wrote:
> 
> What would be the proper HOME_NET val if you're running off a SPAN port from a
> Cisco device?
> 
> The layout is as such...
> 
> An OpenBSD 2.7 system with fxp2 directly connected to a 6509 SPAN port. The
> IP for fxp2 is 0.0.0.0 with a netmask of 0xffffff00.
> 
> My thinking is that it should be var HOME_NET 0.0.0.0/32. Would this be
> correct? There should be no traffic directed to the IDS itself, but I want
> to examine all traffic on the link as a normal IDS would.

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
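
Added example (not part of the original message and not Snort's own code): a simplified Python model of rule-header matching that shows the effect described in the reply. The rule, the 192.0.2.0/24 monitored network and the sample packets are constructed; HOME_NET set to `any` stands in for the 0.0.0.0/32 case, which the reply says is equivalent.

```python
import ipaddress

# Constructed rule header in Snort's "src -> dst" form.
RULE = "alert tcp any any -> $HOME_NET 80"

def parse_header(rule, variables):
    """Split a rule header and substitute $VARS (simplified model)."""
    _action, _proto, src, sport, _arrow, dst, dport = rule.split()

    def resolve(tok):
        return variables[tok[1:]] if tok.startswith("$") else tok

    return resolve(src), sport, resolve(dst), dport

def ip_ok(spec, ip):
    # "any" matches every address; otherwise test network membership.
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def fires(rule, home_net, pkt):
    src, sport, dst, dport = parse_header(rule, {"HOME_NET": home_net})
    return (ip_ok(src, pkt["src"]) and port_ok(sport, pkt["sport"])
            and ip_ok(dst, pkt["dst"]) and port_ok(dport, pkt["dport"]))

# Constructed traffic as seen on the SPAN port. 192.0.2.0/24 is the
# monitored network (assumption); 198.51.100.7 is an outside host.
PACKETS = {
    "inbound to local web server":
        {"src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80},
    "outbound to remote web server":
        {"src": "192.0.2.25", "sport": 40001, "dst": "198.51.100.7", "dport": 80},
}

def alerts(home_net):
    """Names of the sample packets on which RULE fires for this HOME_NET."""
    return sorted(n for n, p in PACKETS.items() if fires(RULE, home_net, p))

if __name__ == "__main__":
    for value in ("192.0.2.0/24", "any"):
        print(f"HOME_NET={value}: {alerts(value)}")
```

With HOME_NET set to the monitored network the rule fires only on traffic toward local hosts; with `any` it also fires on local clients browsing outside servers, so the rule's direction no longer distinguishes the two.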
