[Snort-users] Concerning Cisco SPAN ports and Snort

Martin Roesch roesch at ...421...
Tue Oct 24 18:28:17 EDT 2000

Run Snort with the network address of the network being monitored.  If you go
for, that's equivalent to "any", which means that all
directionality in the Snort rules will be dropped.


Jarrod Manzer wrote:
> What would be the proper HOME_NET val if your running off a SPAN port from a
> cisco device?
> The layout is as such...
> An OpenBSD 2.7 system with fxp2 directly connected to a 6509 SPAN port. The
> IP for fxp2 is with a netmask of 0xffffff00.
> My thinking is that it should be var HOME_NET Would this be
> correct? There should be no traffic directed to the IDS itself, but I want
> to examine all traffic on the link as a normal IDS would.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list