[Oisf-users] Using "pass" to ignore research data traffic

Victor Julien lists at inliniac.net
Tue Jan 15 11:29:32 UTC 2013


On 01/15/2013 11:42 AM, Chris Wakelin wrote:
> On 15/01/13 09:45, Victor Julien wrote:
>> On 01/08/2013 04:39 PM, Chris Wakelin wrote:
>>> Hi,
>>>
>>> I've got a problem with our Meteorology Department doing large data
>>> transfers and clobbering Suricata. Suricata is running out-of-band on a
>>> mirrored port, and I'm using PF_RING with DNA and libzero which,
>>> unfortunately, doesn't support BPF filters (and I couldn't get hardware
>>> filters to work last time I tried, plus they'd stop me counting the
>>> traffic which I'd still like to do).
>>>
>>> I've tried using a couple of rules to "pass" the traffic as quickly as
>>> possible:
>>>
>>> pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any
>>> (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)
>>> pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any
>>> (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
>>>
>>> but it doesn't seem to make any difference. According to Suricata
>>> kernel_drop stats, 3 of my 8 queues are currently dropping packets.
>>
>> I would expect this to work. Are you not seeing any difference or just
>> not a big enough difference?
> Difficult to say, it seems to make no clear difference. Running Suricata
> without rules, though, doesn't see any drops. I'm wondering whether the
> rule precedence is working properly? Does having other "ip" rules make a
> difference?
>

Tracing the code it would appear that the pass rules have no performance
benefit. Opened #718.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
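The thread's evidence for the problem is the per-queue kernel_drop counters in Suricata's stats.log. The script below is an added example, not code from the thread or from the Suricata project: it parses the most recent stats.log dump, pairs each capture thread's `capture.kernel_drops` with its `capture.kernel_packets`, and lists the queues that are dropping, which is the check an operator would run before and after adding pass rules to see whether they change anything. The embedded stats.log text is a constructed sample with assumed thread names (real names depend on the capture setup); it mirrors the situation described in the thread, three of eight queues dropping.

```python
"""Summarise per-thread kernel drop counters from a Suricata stats.log dump."""
import re
from collections import defaultdict

# Constructed sample stats.log dump (not from the thread): eight PF_RING
# receive threads, three of which report kernel drops. Thread names and
# counter values are assumptions for the example.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/15/2013 -- 11:00:00 (uptime: 0d, 01h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFRdna0@0               | 1200000
capture.kernel_drops      | RxPFRdna0@0               | 0
capture.kernel_packets    | RxPFRdna0@1               | 1180000
capture.kernel_drops      | RxPFRdna0@1               | 47200
capture.kernel_packets    | RxPFRdna0@2               | 1210000
capture.kernel_drops      | RxPFRdna0@2               | 0
capture.kernel_packets    | RxPFRdna0@3               | 1190000
capture.kernel_drops      | RxPFRdna0@3               | 119
capture.kernel_packets    | RxPFRdna0@4               | 1205000
capture.kernel_drops      | RxPFRdna0@4               | 0
capture.kernel_packets    | RxPFRdna0@5               | 1195000
capture.kernel_drops      | RxPFRdna0@5               | 0
capture.kernel_packets    | RxPFRdna0@6               | 1215000
capture.kernel_drops      | RxPFRdna0@6               | 60750
capture.kernel_packets    | RxPFRdna0@7               | 1200000
capture.kernel_drops      | RxPFRdna0@7               | 0
"""

# One counter row: "<counter name> | <thread name> | <integer value>"
COUNTER_RE = re.compile(
    r"^(?P<name>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$"
)


def parse_last_dump(text):
    """Return {thread: {counter: value}} for the most recent dump in a stats.log.

    stats.log appends a complete table at every interval, so only the rows
    following the last 'Counter | TM Name | Value' header are used.
    """
    lines = text.splitlines()
    headers = [i for i, line in enumerate(lines) if line.startswith("Counter")]
    start = headers[-1] + 1 if headers else 0
    stats = defaultdict(dict)
    for line in lines[start:]:
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("thread")][m.group("name")] = int(m.group("value"))
    return dict(stats)


def dropping_queues(stats, min_ratio=0.0):
    """List (thread, drops, ratio) for threads whose kernel_drops / kernel_packets
    ratio exceeds min_ratio, worst queue first.

    The ratio is a rough per-queue loss indicator; a small min_ratio filters
    out queues that dropped only a handful of packets.
    """
    out = []
    for thread, counters in stats.items():
        packets = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        if drops == 0:
            continue
        ratio = drops / packets if packets else float("inf")
        if ratio > min_ratio:
            out.append((thread, drops, ratio))
    return sorted(out, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    stats = parse_last_dump(SAMPLE_STATS_LOG)
    bad = dropping_queues(stats)
    print(f"{len(bad)} of {len(stats)} queues are dropping packets:")
    for thread, drops, ratio in bad:
        print(f"  {thread}: {drops} drops ({ratio:.2%} of received)")
```

Run it against a real stats.log by replacing `SAMPLE_STATS_LOG` with the file contents; comparing the output from a run with the pass rules loaded against one without them gives a concrete answer to the "no clear difference" question in the thread.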