[Oisf-users] Using "pass" to ignore research data traffic

Victor Julien lists at inliniac.net
Tue Jan 15 11:56:32 UTC 2013

On 01/15/2013 12:29 PM, Victor Julien wrote:
> On 01/15/2013 11:42 AM, Chris Wakelin wrote:
>> On 15/01/13 09:45, Victor Julien wrote:
>>>> On 01/08/2013 04:39 PM, Chris Wakelin wrote:
>>>>>> Hi,
>>>>>> I've got a problem with our Meteorology Department doing large data
>>>>>> transfers and clobbering Suricata. Suricata is running out-of-band on a
>>>>>> mirrored port, and I'm using PF_RING with DNA and libzero which,
>>>>>> unfortunately, doesn't support BPF filters (and I couldn't get hardware
>>>>>> filters to work last time I tried, plus they'd stop me counting the
>>>>>> traffic which I'd still like to do).
>>>>>> I've tried using a couple of rules to "pass" the traffic as quickly as
>>>>>> possible:
>>>>>> pass ip [,] any -> $HOME_NET any (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)
>>>>>> pass ip $HOME_NET any -> [,] any (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
>>>>>> but it doesn't seem to make any difference. According to Suricata
>>>>>> kernel_drop stats, 3 of my 8 queues are currently dropping packets.
>>>> I would expect this to work. Are you not seeing any difference or just
>>>> not a big enough difference?
>> Difficult to say, it seems to make no clear difference. Running Suricata
>> without rules, though, doesn't see any drops. I'm wondering whether the
>> rule precedence is working properly? Does having other "ip" rules make a
>> difference?
> Tracing the code it would appear that the pass rules have no performance
> benefit. Opened #718.

Care to try the attached patch?


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-an-IP-only-pass-rule-matches-set-the-no-inspect-f.patch
Type: application/mbox
Size: 3819 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130115/1b5d68b9/attachment.mbox>
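Added example, not part of the list thread or of the Suricata project: a small Python parser for stats.log-style counter lines that reports which capture threads show kernel_drops, so the "3 of my 8 queues are dropping" check can be repeated before and after a rule or patch change. The thread names (RxPFR1..8) and counter values are constructed; the layout follows Suricata's stats.log "Counter | TM Name | Value" columns.

```python
# Constructed stats.log excerpt (not real data): eight PF_RING capture
# threads, three of them with non-zero kernel_drops.
SAMPLE_STATS = """\
Counter                   | TM Name | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1  | 4821004
capture.kernel_drops      | RxPFR1  | 0
capture.kernel_packets    | RxPFR2  | 5120331
capture.kernel_drops      | RxPFR2  | 18322
capture.kernel_packets    | RxPFR3  | 4703199
capture.kernel_drops      | RxPFR3  | 0
capture.kernel_packets    | RxPFR4  | 4988720
capture.kernel_drops      | RxPFR4  | 0
capture.kernel_packets    | RxPFR5  | 5301847
capture.kernel_drops      | RxPFR5  | 40917
capture.kernel_packets    | RxPFR6  | 4650012
capture.kernel_drops      | RxPFR6  | 0
capture.kernel_packets    | RxPFR7  | 5211090
capture.kernel_drops      | RxPFR7  | 2206
capture.kernel_packets    | RxPFR8  | 4779563
capture.kernel_drops      | RxPFR8  | 0
"""


def parse_stats(text):
    """Return {thread: {counter: int}} from 'Counter | TM Name | Value' lines.

    Header and separator lines are skipped because their third column
    is not an integer.
    """
    stats = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        counter, thread, value = parts
        stats.setdefault(thread, {})[counter] = int(value)
    return stats


def dropping_threads(stats):
    """Map each thread with kernel_drops > 0 to (drops, drop_ratio)."""
    result = {}
    for thread, counters in stats.items():
        drops = counters.get("capture.kernel_drops", 0)
        packets = counters.get("capture.kernel_packets", 0)
        if drops > 0:
            result[thread] = (drops, drops / (packets + drops))
    return result


def drop_summary(text):
    """Return (threads_dropping, threads_total), e.g. (3, 8)."""
    stats = parse_stats(text)
    return len(dropping_threads(stats)), len(stats)
```

Point the script at the live stats.log and rerun it after loading the pass rules; if the pass rules take effect, the dropping-thread count and ratios should fall.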
