[Oisf-users] Traffic limit

Cooper F. Nelson cnelson at ucsd.edu
Fri May 15 20:24:48 UTC 2015


There are a few ways to filter traffic with suricata.

One, you can set up your monitoring environment to only pass flows you
want to monitor to suricata.

Or, you can monitor everything and then filter either in the linux
kernel via bpf filters or within suricata itself via pass rules.

Details here:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Performance impact on the suricata host is in this order, from least
(zero) to most.

1.  External filtering/policy based routing.
2.  BPF filter on suricata host.
3.  Pass rules on suricata process.

Filtering out "top-talkers", like backup software, streaming video
sites, security scanners, etc. can do wonders to improve the performance
of a sensor.

-Coop

On 5/15/2015 1:07 PM, Alan Wanderley dos Santos wrote:
> My question is about traffic limit. Is there any way to do a rate limit by software? I mean, as I said, the traffic volume is bigger than the VM interface. Is there some kind of workaround for it? Some kind of limitation for network traffic. I am thinking of an environment where the VM engine analyzes 80% of 100 Mbps of traffic and discards the rest. I am afraid that the traffic will kill the engine.
> Sorry for the long introduction and for my bad English. I think it is hard to explain the question without telling details about the project.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
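The two host-side options Coop lists (a BPF filter handed to suricata with -F, and pass rules loaded as a ruleset) both need the same input: the list of "top-talker" hosts and networks to ignore. The script below is an added example, not code from the thread or from the Suricata project; it generates both filters from one list so the two stay in sync. The addresses (192.0.2.10 for a backup server, 10.20.0.0/16 for a scanner subnet) are constructed sample values, and the SID base 1000001 is an assumed local-rule range.

```shell
#!/bin/sh
# Added example (not from the thread): build the two host-side filters the
# post describes from one list of top-talker addresses/networks.
# All addresses here are constructed sample values, not real hosts.

# Print a single BPF expression that excludes every listed host or CIDR.
# Suricata reads the same expression from a file passed with -F.
# With an empty list it prints nothing, so nothing is filtered (a bare
# "not ()" would be rejected by the BPF compiler).
build_bpf_filter() {
    [ "$#" -eq 0 ] && return 0
    expr=""
    for t in "$@"; do
        case "$t" in
            */*) term="net $t" ;;   # CIDR notation -> "net"
            *)   term="host $t" ;;  # single address -> "host"
        esac
        if [ -z "$expr" ]; then
            expr="$term"
        else
            expr="$expr or $term"
        fi
    done
    printf 'not (%s)\n' "$expr"
}

# Print one bidirectional Suricata pass rule per entry.  SIDs start at $1;
# choose a base in your local range so they never collide with a vendor ruleset.
build_pass_rules() {
    sid="$1"; shift
    for t in "$@"; do
        printf 'pass ip %s any <> any any (msg:"ignore top-talker %s"; sid:%d; rev:1;)\n' \
            "$t" "$t" "$sid"
        sid=$((sid + 1))
    done
}

# Sample list: a backup server and the scanner subnet (constructed values).
TOP_TALKERS="192.0.2.10 10.20.0.0/16"

# Usage (paths are assumptions for illustration):
#   build_bpf_filter $TOP_TALKERS > /etc/suricata/ignore.bpf
#   suricata -c /etc/suricata/suricata.yaml -i eth0 -F /etc/suricata/ignore.bpf
#   build_pass_rules 1000001 $TOP_TALKERS > /etc/suricata/rules/ignore.rules
```

The BPF file is the cheaper of the two: matching packets are dropped in the kernel before suricata ever copies them, which is why it sits above pass rules in Coop's ordering. The pass rules cost a full decode and detection pass per flow but need no restart to change, and they can be narrowed later (by port or protocol) where a blanket BPF exclusion would be too coarse.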
