[Oisf-users] modding config to make IPS faster

Cooper F. Nelson cnelson at ucsd.edu
Mon Apr 11 15:40:52 UTC 2016

Couple things to try.

1.  Test out the Hyperscan build.  It should work well on the Atom, as
SSE instructions are supported.

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan

2.  Filter out intra-site traffic via a bpf filter.  For example, say
your internal networks were and  Create a
file called 'local.bpf' and add this to it:

not (net and

Then run suricata with the -F flag:

suricata -F /etc/suricata/local.bpf

No changes to the yaml file necessary and the filtering is done in the
kernel so it is highly efficient.


On 4/10/2016 8:35 AM, Chris Boley wrote:
> My objective is to ignore intra site traffic completely while scanning all
> traffic between the wan
> and the local LAN. I'm using a somewhat underpowered server out of
> necessity.

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
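
Added example, not part of the original message: a shell helper that generates the contents of 'local.bpf' for any number of internal networks, dropping only packets whose source and destination are both internal so that WAN-to-LAN traffic still reaches Suricata. The function name build_bpf and the two networks in the usage comment are constructed placeholders, and only IPv4 CIDR notation is assumed.

```shell
#!/bin/sh
# build_bpf is a hypothetical helper, not a Suricata or libpcap tool.
# Usage (placeholder networks, substitute your own):
#   build_bpf 10.0.0.0/8 192.168.0.0/16 > /etc/suricata/local.bpf
#   suricata -F /etc/suricata/local.bpf

build_bpf() {
    # Prints a pcap filter expression on stdout; non-zero status on bad input.
    [ "$#" -ge 1 ] || { echo "usage: build_bpf CIDR [CIDR ...]" >&2; return 2; }
    src=""
    dst=""
    for net in "$@"; do
        # Accept only digits, dots and exactly one slash, so a typo cannot
        # end up in the filter file and change what gets inspected.
        case "$net" in
            *[!0-9./]*|*/*/*|/*|*/) echo "bad network: $net" >&2; return 1 ;;
            */*) ;;
            *) echo "bad network (missing /prefix): $net" >&2; return 1 ;;
        esac
        # Join the per-network terms with "or", one list per direction.
        src="${src:+$src or }src net $net"
        dst="${dst:+$dst or }dst net $net"
    done
    # A packet is excluded only when BOTH ends are internal. A packet with
    # one internal and one external address still matches and is inspected.
    printf 'not ((%s) and (%s))\n' "$src" "$dst"
}
```
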
