[Oisf-users] Using "pass" to ignore research data traffic

[Chris Wakelin]

On 15/01/13 09:45, Victor Julien wrote:
> On 01/08/2013 04:39 PM, Chris Wakelin wrote:
>> Hi,
>>
>> I've got a problem with our Meteorology Department doing large data
>> transfers and clobbering Suricata. Suricata is running out-of-band on a
>> mirrored port, and I'm using PF_RING with DNA and libzero which,
>> unfortunately, doesn't support BPF filters (and I couldn't get hardware
>> filters to work last time I tried, plus they'd stop me counting the
>> traffic which I'd still like to do).
>>
>> I've tried using a couple of rules to "pass" the traffic as quickly as
>> possible:
>>
>> pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any
>> (msg:"RDG pass research data traffic inbound";  sid:379000998; rev:1;)
>> pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any
>> (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
>>
>> but it doesn't seem to make any difference. According to Suricata
>> kernel_drop stats, 3 of my 8 queues are currently dropping packets.
> 
> I would expect this to work. Are you not seeing any difference or just
> not a big enough difference?

Difficult to say, it seems to make no clear difference. Running Suricata
without rules, though, doesn't see any drops. I'm wondering whether the
rule precedence is working properly? Does having other "ip" rules make a
difference?

> 
>> Is there a better way to deal with this?
> 
> BPF or pass-rules are pretty much it I think.
> 

Pass rules are favourite, if I can get them to work. I want to count the
research data traffic, so hardware filters (if I could get them to work)
on the PF_RING interface would not be ideal.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094