Actually it is the "Inpkts" parameter on CatOS that allows it to accept inbound traffic on the SPAN destination. The "learning" is
to disable MAC address learning, since the IDS will spoof the MAC address of the server when it sends a TCP RST back to the client. So disable Mac learning on the switch.