[Oisf-users] Using "pass" to ignore research data traffic

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Jan 15 12:26:54 UTC 2013


On 15/01/13 11:56, Victor Julien wrote:
> On 01/15/2013 12:29 PM, Victor Julien wrote:
>> On 01/15/2013 11:42 AM, Chris Wakelin wrote:
>>> On 15/01/13 09:45, Victor Julien wrote:
>>>>> On 01/08/2013 04:39 PM, Chris Wakelin wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've got a problem with our Meteorology Department doing large data
>>>>>>> transfers and clobbering Suricata. Suricata is running out-of-band on a
>>>>>>> mirrored port, and I'm using PF_RING with DNA and libzero which,
>>>>>>> unfortunately, doesn't support BPF filters (and I couldn't get hardware
>>>>>>> filters to work last time I tried, plus they'd stop me counting the
>>>>>>> traffic which I'd still like to do).
>>>>>>>
>>>>>>> I've tried using a couple of rules to "pass" the traffic as quickly as
>>>>>>> possible:
>>>>>>>
>>>>>>> pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)
>>>>>>> pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)
>>>>>>>
>>>>>>> but it doesn't seem to make any difference. According to Suricata
>>>>>>> kernel_drop stats, 3 of my 8 queues are currently dropping packets.
>>>>>
>>>>> I would expect this to work. Are you not seeing any difference or just
>>>>> not a big enough difference?
>>> Difficult to say, it seems to make no clear difference. Running Suricata
>>> without rules, though, doesn't see any drops. I'm wondering whether the
>>> rule precedence is working properly? Does having other "ip" rules make a
>>> difference?
>>>
>>
>> Tracing the code it would appear that the pass rules have no performance
>> benefit. Opened #718.
>>
> 
> Care to try the attached patch?
> 
> Cheers,
> Victor
> 

That's made a huge difference! I'd just resorted to using PF_RING via
libpcap (where the BPF filters may work) which seemed to be doing a bit
better. Putting in your patch and going back to direct PF_RING is
dropping almost no packets at 1.2Gb/s.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
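The pass rules quoted in the thread, and Chris's question about whether other "ip" rules interfere with rule precedence, can be sanity-checked with a small matcher. What follows is an added example written for this page; it is not Suricata's code and not anything posted in the thread. It parses Suricata-style rule lines, evaluates a constructed packet against them and applies the default action order from suricata.yaml (pass, then drop, reject, alert), so a matching pass rule wins over a matching alert rule no matter where each sits in the rule file. The $HOME_NET value, the extra alert rule, the bidirectional "<>" variant and the packets are all constructed for the example. One caveat the thread itself makes clear: a correct pass verdict says nothing about cost. Before Victor's patch for #718 the engine reached the right verdict and still did the work, so a matching-level check like this one has to be read alongside the kernel_drop counters.

```python
"""Toy Suricata rule matcher showing 'pass' precedence (added example, not Suricata code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Default Suricata action order (suricata.yaml "action-order"): pass beats drop,
# drop beats reject, reject beats alert, regardless of order in the rule file.
ACTION_ORDER = ["pass", "drop", "reject", "alert"]

# Constructed variable table; the real $HOME_NET is an assumption here.
VARIABLES = {"$HOME_NET": "[10.0.0.0/8,192.168.0.0/16]"}

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    sid: int
    msg: str


def parse_rule(line: str) -> Rule:
    """Parse one single-line rule; only msg and sid are pulled from the options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    if m["action"] not in ACTION_ORDER:
        raise ValueError(f"unknown action {m['action']!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], int(opts["sid"]), opts.get("msg", ""))


def addr_matches(spec: str, ip) -> bool:
    """any, $VAR, !spec, [a,b,...] (one level, no nested brackets), CIDR or host."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(VARIABLES[spec], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(part.strip(), ip) for part in spec[1:-1].split(","))
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """any, !spec, [a,b,...], lo:hi ranges (open-ended allowed) or a single port."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(part.strip(), port) for part in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _one_way(rule: Rule, src, sport: int, dst, dport: int) -> bool:
    return (addr_matches(rule.src, src) and port_matches(rule.sport, sport)
            and addr_matches(rule.dst, dst) and port_matches(rule.dport, dport))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """'ip' matches every protocol; '<>' rules match in either direction."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if _one_way(rule, src, pkt.sport, dst, pkt.dport):
        return True
    return rule.direction == "<>" and _one_way(rule, dst, pkt.dport, src, pkt.sport)


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return (winning action per ACTION_ORDER, sids of every rule that matched)."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if not hits:
        return "none", []
    winner = min(hits, key=lambda r: ACTION_ORDER.index(r.action))
    return winner.action, [r.sid for r in hits]


# Constructed ruleset: the two pass rules from the thread (one per line) plus an
# alert rule that also matches all inbound traffic, placed after them on purpose.
RULESET = [
    'pass ip [193.62.216.0/24,130.246.191.0/24] any -> $HOME_NET any (msg:"RDG pass research data traffic inbound"; sid:379000998; rev:1;)',
    'pass ip $HOME_NET any -> [193.62.216.0/24,130.246.191.0/24] any (msg:"RDG pass research data traffic outbound"; sid:379000997; rev:1;)',
    'alert ip any any -> $HOME_NET any (msg:"constructed catch-all inbound"; sid:1000001; rev:1;)',
]
RULES = [parse_rule(r) for r in RULESET]

# Constructed single bidirectional rule covering both directions at once.
BIDIR_RULE = parse_rule('pass ip $HOME_NET any <> [193.62.216.0/24,130.246.191.0/24] any (msg:"constructed bidirectional pass"; sid:1000002; rev:1;)')

if __name__ == "__main__":
    for pkt in (Packet("193.62.216.10", 40000, "10.1.2.3", 22, "tcp"),
                Packet("8.8.8.8", 53, "10.1.2.3", 33000, "udp"),
                Packet("10.1.2.3", 22, "130.246.191.7", 40000, "tcp")):
        print(pkt.src, "->", pkt.dst, verdict(RULES, pkt), "bidir:", rule_matches(BIDIR_RULE, pkt))
```

The research-data packet matches both the pass rule and the catch-all alert rule, and the verdict is still "pass" because the action order is evaluated across all matching rules, not by rule-file position; the unrelated packet from 8.8.8.8 only hits the alert rule. The "<>" rule shows one way to express both of Chris's rules as a single line, which is real Suricata syntax for bidirectional matching.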
