[Oisf-users] Using "pass" to ignore research data traffic

Victor Julien lists at inliniac.net
Tue Jan 15 11:56:32 UTC 2013


On 01/15/2013 12:29 PM, Victor Julien wrote:
> On 01/15/2013 11:42 AM, Chris Wakelin wrote:
>> On 15/01/13 09:45, Victor Julien wrote:
>>>> On 01/08/2013 04:39 PM, Chris Wakelin wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've got a problem with our Meteorology Department doing large data
>>>>>> transfers and clobbering Suricata. Suricata is running out-of-band on a
>>>>>> mirrored port, and I'm using PF_RING with DNA and libzero which,
>>>>>> unfortunately, doesn't support BPF filters (and I couldn't get hardware
>>>>>> filters to work last time I tried, plus they'd stop me counting the
>>>>>> traffic which I'd still like to do).
>>>>>>
>>>>>> I've tried using a couple of rules to "pass" the traffic as quickly as
>>>>>> possible:
>>>>>>
>>>>>> pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any
>>>>>> (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)
>>>>>> pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any
>>>>>> (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
>>>>>>
>>>>>> but it doesn't seem to make any difference. According to Suricata
>>>>>> kernel_drop stats, 3 of my 8 queues are currently dropping packets.
>>>>
>>>> I would expect this to work. Are you not seeing any difference or just
>>>> not a big enough difference?
>> Difficult to say, it seems to make no clear difference. Running Suricata
>> without rules, though, doesn't see any drops. I'm wondering whether the
>> rule precedence is working properly? Does having other "ip" rules make a
>> difference?
>>
> 
> Tracing the code it would appear that the pass rules have no performance
> benefit. Opened #718.
> 

Care to try the attached patch?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-an-IP-only-pass-rule-matches-set-the-no-inspect-f.patch
Type: application/mbox
Size: 3819 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130115/1b5d68b9/attachment.mbox>
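The thread's only measurement of whether the pass rules help is the per-queue kernel_drop counters. The following is an added example (not from the list or the Suricata project) that reads a Suricata stats.log dump and reports which capture threads are dropping, so a before/after comparison of a rule or patch change can be made from the same numbers; the "Counter | TM Name | Value" row layout and the RxPFR thread names are assumptions, and the stats text is constructed.

```python
"""Report per-thread kernel drops from a Suricata stats.log dump.

Assumed layout: one 'Counter | TM Name | Value' row per line, and a
new dump starts at a line beginning with 'Counter'. This is an
assumption about the format, not something the thread confirms.
"""
import re

# Constructed sample: 8 PF_RING receive threads, 3 of them dropping.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 1500000
capture.kernel_drops      | RxPFR1                    | 0
capture.kernel_packets    | RxPFR2                    | 1480000
capture.kernel_drops      | RxPFR2                    | 12000
capture.kernel_packets    | RxPFR3                    | 1510000
capture.kernel_drops      | RxPFR3                    | 0
capture.kernel_packets    | RxPFR4                    | 1495000
capture.kernel_drops      | RxPFR4                    | 0
capture.kernel_packets    | RxPFR5                    | 1602000
capture.kernel_drops      | RxPFR5                    | 48000
capture.kernel_packets    | RxPFR6                    | 1490000
capture.kernel_drops      | RxPFR6                    | 0
capture.kernel_packets    | RxPFR7                    | 1550000
capture.kernel_drops      | RxPFR7                    | 3100
capture.kernel_packets    | RxPFR8                    | 1505000
capture.kernel_drops      | RxPFR8                    | 0
"""

ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {thread: {counter: value}} for the last dump in text."""
    stats = {}
    for line in text.splitlines():
        if line.startswith("Counter"):
            stats = {}  # a new dump begins; discard the previous one
            continue
        m = ROW.match(line)
        if m:
            counter, thread, value = m.groups()
            stats.setdefault(thread, {})[counter] = int(value)
    return stats


def dropping_threads(stats):
    """Map each thread with kernel drops to its drops/packets ratio."""
    out = {}
    for thread, c in stats.items():
        drops = c.get("capture.kernel_drops", 0)
        pkts = c.get("capture.kernel_packets", 0)
        if drops:
            out[thread] = drops / pkts if pkts else float("inf")
    return out
```

Run it on two dumps (before and after a rules change) and compare the returned maps rather than eyeballing the log; a rule change that really reduces inspection cost should shrink both the set of dropping threads and their ratios.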
