OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: Understanding of "user defined" rules (Read 2032 times)
JasMan (Full Member, Posts: 175, Karma: 9)
« on: June 07, 2020, 01:51:49 pm »
Hey,
I have different VLANs in my LAN, and Suricata is enabled in IPS mode on the physical interface to which all VLANs are mapped.
When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic, of course. Due to the high CPU utilization, the bandwidth of the copy job is much lower than without IDS/IPS enabled.
So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.
My question is: should the traffic bypass IDS/IPS completely when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and the pass rule only overwrites any alert/block rules that may match? The documentation of Suricata is not understandable for me on this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to perform my requirement?
Thanks.
Jas
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose