[Oisf-users] modding config to make IPS faster
Cooper F. Nelson
cnelson at ucsd.edu
Mon Apr 11 15:40:52 UTC 2016
Couple things to try.
1. Test out the Hyperscan build. It should work well on the Atom, as
SSE instructions are supported.
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
2. Filter out intra-site traffic via a bpf filter. For example, say
your internal networks were 192.168.0.0/24 and 172.16.0.0/24. Create a
file called 'local.bpf' and add this to it:
not (net 192.168.0.0/24 and 172.16.0.0/24)
Then run suricata with the -F flag:
suricata -F /etc/suricata/local.bpf
No changes to the yaml file necessary and the filtering is done in the
kernel so it is highly efficient.
-Coop
On 4/10/2016 8:35 AM, Chris Boley wrote:
> My objective is to ignore intra site traffic completely while scanning all
> traffic between the wan
> and the local LAN. I'm using a somewhat underpowered server out of
> necessity.
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
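To see what the suggested filter actually excludes, here is an added example (not part of Coop's message or of Suricata itself) that re-implements the semantics of the BPF `net` primitive in plain Python and runs a few constructed packets through the post's expression and through a fuller expression that also drops traffic inside a single internal subnet. In BPF, `net 192.168.0.0/24 and 172.16.0.0/24` is parsed as `net 192.168.0.0/24 and net 172.16.0.0/24` (the qualifier carries over), and `net N` is true when either the source or the destination address lies in N. The function names, the `bpf_all_internal` form and the sample addresses are my own; the two internal networks come from the post.

```python
"""Added example: model the BPF filter from the post and compare it with a
filter that also skips traffic inside one internal subnet. Uses only the
standard library; it does not call libpcap. Sample packets are constructed."""
import ipaddress

# The two internal networks used as the example in the post.
INTERNAL_NETS = ["192.168.0.0/24", "172.16.0.0/24"]


def bpf_from_post(nets=INTERNAL_NETS):
    """Post's expression with the inherited 'net' qualifier written out."""
    return "not (" + " and ".join(f"net {n}" for n in nets) + ")"


def bpf_all_internal(nets=INTERNAL_NETS):
    """Hypothetical fuller expression (my own, not from the post): drop a
    packet only when BOTH its source and destination are internal."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    return f"not (({src}) and ({dst}))"


def touches(src, dst, net):
    """BPF primitive 'net N': true if src OR dst is inside N."""
    n = ipaddress.ip_network(net)
    return ipaddress.ip_address(src) in n or ipaddress.ip_address(dst) in n


def in_any(addr, nets):
    """True if a single address lies in any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in nets)


def kept_by_post_filter(src, dst, nets=INTERNAL_NETS):
    """not (net A and net B): dropped only when the packet touches every net,
    i.e. one end in A and the other in B."""
    return not all(touches(src, dst, n) for n in nets)


def kept_by_full_filter(src, dst, nets=INTERNAL_NETS):
    """not ((src net A or src net B) and (dst net A or dst net B)):
    dropped whenever both ends are internal, same subnet or not."""
    return not (in_any(src, nets) and in_any(dst, nets))


# Constructed sample packets (src, dst); WAN addresses use RFC 5737 ranges.
SAMPLE_FLOWS = [
    ("192.168.0.10", "172.16.0.20"),   # between the two internal nets
    ("192.168.0.10", "192.168.0.11"),  # inside one internal net
    ("192.168.0.10", "203.0.113.5"),   # LAN -> WAN
    ("198.51.100.7", "172.16.0.3"),    # WAN -> LAN
]


def compare(flows=SAMPLE_FLOWS, nets=INTERNAL_NETS):
    """Return (src, dst, kept_by_post_filter, kept_by_full_filter) per flow."""
    return [
        (s, d, kept_by_post_filter(s, d, nets), kept_by_full_filter(s, d, nets))
        for s, d in flows
    ]


if __name__ == "__main__":
    print("post  :", bpf_from_post())
    print("full  :", bpf_all_internal())
    for s, d, post, full in compare():
        print(f"{s:>14} -> {d:<14} post={post!s:<5} full={full!s:<5}")
```

Running it shows that the post's expression drops only the packet between the two subnets and still hands the packet inside 192.168.0.0/24 to the engine, while the fuller form drops both and keeps the two WAN flows. Whichever form you put in `local.bpf`, check the compiled program on the host before pointing Suricata at it, for example with `tcpdump -i <iface> -d -F /etc/suricata/local.bpf`, so a typo fails there rather than silently widening or narrowing what the IPS inspects.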