[Oisf-users] Using "pass" to ignore research data traffic
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Jan 8 15:39:10 UTC 2013
Hi,
I've got a problem with our Meteorology Department doing large data
transfers and clobbering Suricata. Suricata is running out-of-band on a
mirrored port, and I'm using PF_RING with DNA and libzero which,
unfortunately, doesn't support BPF filters (and I couldn't get hardware
filters to work last time I tried, plus they'd stop me counting the
traffic which I'd still like to do).
I've tried using a couple of rules to "pass" the traffic as quickly as
possible:
pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)
pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
but it doesn't seem to make any difference. According to Suricata
kernel_drop stats, 3 of my 8 queues are currently dropping packets.
Is there a better way to deal with this?
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
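The "3 of my 8 queues are dropping" observation comes from reading capture.kernel_drops per capture thread out of Suricata's stats.log. The following script is an added example, not code from the post or from the Suricata project: it parses the classic "Counter | TM Name | Value" layout of stats.log (an assumption about the file format; newer releases can also emit the same counters as JSON in eve.json), keeps the most recent snapshot for each thread, and reports which capture threads are dropping and at what ratio. The thread names, packet counts and the drops-to-delivered ratio are constructed for the example.

```python
"""Summarise capture.kernel_drops per capture thread from a Suricata stats.log."""
import re
from collections import defaultdict

# One counter line in the classic stats.log table layout (assumed format):
#   capture.kernel_drops      | RxPFReth22                | 24000
STATS_LINE = re.compile(
    r"^(?P<counter>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$"
)


def parse_stats(text):
    """Return {thread: {counter: value}}, keeping the LAST value seen per pair.

    stats.log is appended to on every stats interval, so one file holds a
    series of snapshots; the newest one answers "is it dropping right now".
    """
    stats = defaultdict(dict)
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if not m:
            continue  # Date:, header and separator lines carry no counters
        stats[m["thread"]][m["counter"]] = int(m["value"])
    return dict(stats)


def drop_report(stats):
    """List (thread, packets, drops, ratio) for every thread with capture counters."""
    rows = []
    for thread, counters in sorted(stats.items()):
        if "capture.kernel_packets" not in counters:
            continue  # not a capture thread (e.g. Detect/FlowManager counters)
        packets = counters["capture.kernel_packets"]
        drops = counters.get("capture.kernel_drops", 0)
        # Ratio of dropped to delivered packets; a health signal only (assumption:
        # whether kernel_packets already includes drops depends on the capture method).
        ratio = drops / packets if packets else 0.0
        rows.append((thread, packets, drops, ratio))
    return rows


def dropping_threads(stats, min_ratio=0.0):
    """Names of capture threads whose drop counter is non-zero and above min_ratio."""
    return [row[0] for row in drop_report(stats) if row[2] > 0 and row[3] >= min_ratio]


def _snapshot(date, rows):
    """Render one stats.log snapshot (constructed sample data in the assumed layout)."""
    out = ["-" * 60, f"Date: {date}", "-" * 60,
           f"{'Counter':<26}| {'TM Name':<26}| Value", "-" * 60]
    for thread, packets, drops in rows:
        out.append(f"{'capture.kernel_packets':<26}| {thread:<26}| {packets}")
        out.append(f"{'capture.kernel_drops':<26}| {thread:<26}| {drops}")
    return "\n".join(out)


# Constructed sample: 8 PF_RING capture threads over two stats intervals.
# RxPFReth25 only starts dropping in the second snapshot, which is the one that counts.
_FIRST = [("RxPFReth21", 500000, 0), ("RxPFReth22", 600000, 12000),
          ("RxPFReth23", 500000, 0), ("RxPFReth24", 500000, 0),
          ("RxPFReth25", 500000, 0), ("RxPFReth26", 500000, 0),
          ("RxPFReth27", 450000, 45000), ("RxPFReth28", 500000, 0)]
_LATEST = [("RxPFReth21", 1000000, 0), ("RxPFReth22", 1200000, 24000),
           ("RxPFReth23", 1000000, 0), ("RxPFReth24", 1000000, 0),
           ("RxPFReth25", 1000000, 5000), ("RxPFReth26", 1000000, 0),
           ("RxPFReth27", 900000, 90000), ("RxPFReth28", 1000000, 0)]
SAMPLE_STATS_LOG = (_snapshot("1/8/2013 -- 15:30:00", _FIRST) + "\n"
                    + _snapshot("1/8/2013 -- 15:39:00", _LATEST) + "\n")


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS_LOG)
    for thread, packets, drops, ratio in drop_report(stats):
        flag = "DROPPING" if drops else "ok"
        print(f"{thread:<12} packets={packets:>9} drops={drops:>7} ({ratio:.2%}) {flag}")
    print("dropping threads:", dropping_threads(stats))
```

Point it at a real file with `parse_stats(open("/var/log/suricata/stats.log").read())`; the `min_ratio` argument lets you ignore threads that drop a negligible share, so that a cron check only pages on sustained loss.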