[Oisf-users] Traffic limit

Cooper F. Nelson cnelson at ucsd.edu
Fri May 15 20:24:48 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are a few ways to filter traffic with suricata.

One, you can set up your monitoring environment to only pass flows you
want to monitor to suricata.

Or, you can monitor everything and then filter either in the Linux
kernel via BPF filters or within suricata itself via pass rules.

Details here:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Performance impact on the suricata host is in this order, from least
(zero) to most.

1.  External filtering/policy based routing.
2.  BPF filter on suricata host.
3.  Pass rules on suricata process.

Filtering out "top-talkers", like backup software, streaming video
sites, security scanners, etc. can do wonders to improve the performance
of a sensor.

- -Coop

On 5/15/2015 1:07 PM, Alan Wanderley dos Santos wrote:
> My question is about traffic limiting. Is there any way to rate-limit by software? I mean, as I said, the traffic volume is bigger than the VM interface. Is there some kind of workaround for it? Some kind of limitation for network traffic. I am thinking of an environment where the VM engine analyses 80% of 100 Mbps of traffic and discards the rest. I am afraid that the traffic will kill the engine.
> 
> Sorry for the long introduction and for my bad English. I think it is hard to explain the question without giving details about the project.


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVVlYQAAoJEKIFRYQsa8FWd/QIAJPr3BT6CxEvJviYfKjUkJwN
BKOUu/bCNZVuS61A4KtkOaCukrWOKdG+C2Y2f8VH948K1mVVu/iQzXVSSJl4qQG3
SWQja7Seenx4c61aIjquJ4T0msa6wvIAUA1KccJNC/y5SRwDCBNadLOFufKeIzHA
2LTEx+3gw6mSCUp8Mn8IngWQQkUdxNooYh5n9v3S0TEAOr8vegNwae4LLRL8/vIF
i3hQp1oW04HlnSETSQfZNVq1MQ6TkB9V3hGYeymWSlzK74XquKTzPzkHVuzSod+q
HGDb73hTsilH4lsummnVUYdEkB3a2Tlm7Jygd+Xso2Q7Wp3MiicIm/hrJ4pNaIY=
=pQqM
-----END PGP SIGNATURE-----
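Worked example for options 2 and 3 in Coop's list (a BPF filter on the sensor host, and pass rules inside Suricata), added here as an illustration; it is not code from this thread or from the Suricata project. It keeps one list of "top talkers" and turns it into both a BPF exclusion expression and an equivalent set of pass rules, so the two mechanisms stay in sync. The addresses are constructed RFC 5737 documentation ranges, and the sid base (9000000) is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a BPF exclusion
# filter and matching Suricata pass rules from one list of top talkers.
# The hosts/nets below are constructed placeholders, not real deployment data.

# One entry per line: "host <ip>" or "net <cidr>", optionally "port <n>".
TOP_TALKERS='host 192.0.2.10
net 198.51.100.0/24
host 203.0.113.5 port 443'

# Emit a single BPF expression that excludes every entry above.
# Suricata takes it from a file (-F bpf.conf), as a trailing argument, or as
# "bpf-filter:" under the capture interface in suricata.yaml.
build_bpf_exclude() {
    expr=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        kind=$1; target=$2
        if [ "$3" = "port" ]; then
            clause="($kind $target and port $4)"
        else
            clause="$kind $target"
        fi
        if [ -z "$expr" ]; then expr="$clause"; else expr="$expr or $clause"; fi
    done <<EOF
$TOP_TALKERS
EOF
    printf 'not (%s)\n' "$expr"
}

# Emit pass rules for the same list. Argument: first sid to use.
# Pass rules run inside the Suricata process, so the packets are still
# captured and decoded; only detection on them is skipped.
gen_pass_rules() {
    sid=${1:-9000000}
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        kind=$1; target=$2
        if [ "$3" = "port" ]; then
            # BPF "port N" matches TCP and UDP, so emit one pass rule for each.
            for proto in tcp udp; do
                printf 'pass %s %s %s <> any any (msg:"pass top talker %s port %s"; sid:%d; rev:1;)\n' \
                    "$proto" "$target" "$4" "$target" "$4" "$sid"
                sid=$((sid + 1))
            done
        else
            printf 'pass ip %s any <> any any (msg:"pass top talker %s"; sid:%d; rev:1;)\n' \
                "$target" "$target" "$sid"
            sid=$((sid + 1))
        fi
    done <<EOF
$TOP_TALKERS
EOF
}

# Stand-alone: print both artifacts. In practice, redirect the first into
# bpf.conf (suricata -c suricata.yaml -i eth0 -F bpf.conf) and the second
# into a .rules file listed under rule-files: in suricata.yaml.
build_bpf_exclude
gen_pass_rules 9000000
```

The BPF version drops the packets in the kernel before Suricata ever sees them, which is why it sits above pass rules in the cost ranking; the pass-rule version still pays for capture, decoding and flow tracking, but can express things BPF cannot, such as matching on flow state or application-layer fields.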


