I'm looking into and odd problem here. It all started when I realized our IDSM was randomly NOT triggering on malicious traffic flowing through a trunked interface. This interface handles all our VLANs but only three of those are filtered on the SPAN session sending traffic to the IDSM.
As a troubleshooting step I set the SPAN session destination to a sniffer and sent some nessus and malicious web traffic over the trunk...some was seen on the sniffer but not all.
What could be the problem here? We have a 6513 with SUP720 and DFC cards, is it possible that some traffic is missed by the SPAN session and sent directly to the ports by the DFC? I haven't found any clues in the IDSM manuals or the IOS guide for our 6513.