[Oisf-users] Using "pass" to ignore research data traffic

Victor Julien lists at inliniac.net
Tue Jan 15 09:45:10 UTC 2013


On 01/08/2013 04:39 PM, Chris Wakelin wrote:
> Hi,
> 
> I've got a problem with our Meteorology Department doing large data
> transfers and clobbering Suricata. Suricata is running out-of-band on a
> mirrored port, and I'm using PF_RING with DNA and libzero which,
> unfortunately, doesn't support BPF filters (and I couldn't get hardware
> filters to work last time I tried, plus they'd stop me counting the
> traffic which I'd still like to do).
> 
> I've tried using a couple of rules to "pass" the traffic as quickly as
> possible:
> 
> pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any
> (msg:"RDG pass research data traffic inbound";  sid:379000998; rev:1;)
> pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any
> (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
> 
> but it doesn't seem to make any difference. According to Suricata
> kernel_drop stats, 3 of my 8 queues are currently dropping packets.

I would expect this to work. Are you not seeing any difference or just
not a big enough difference?

> Is there a better way to deal with this?

BPF or pass-rules are pretty much it I think.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list