Understanding of "user defined" rules

Started by JasMan, June 07, 2020, 01:51:49 PM


I've different VLANs in my LAN and Suricata is enabled in IPS mode on the physical interface on which all VLANs mapped to.

When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic, of course. Due to the high CPU utilization, the bandwidth of the copy job is much lower than without IDS/IPS enabled.

So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.

My question is: should the traffic bypass IDS/IPS completely when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and does the pass rule only override any alert/block rules that may match? The documentation of Suricata is not understandable for me on this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to meet my requirement?

Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
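For reference, here is what the two per-direction pass rules described in the post look like in Suricata rule syntax, next to a single bidirectional rule that uses the bypass keyword from the linked "ignoring traffic" page. This is an added example, not rules from the original post or from the Suricata or OPNsense projects; the host addresses, the SIDs and the rule file name are assumptions.

```suricata
# Added example, not from the original post: host addresses, SIDs and the
# file name (custom-bypass.rules) are assumed. Load the file as a custom
# rule set and pick sid values that do not collide with installed rule sets.

# Variant 1: plain pass rules, one per direction, as described in the post.
# A packet that matches a pass rule is not evaluated against any further
# alert/drop rules, but it has still been captured, decoded and handed to the
# engine, so it still costs CPU.
pass ip 192.168.10.20 any -> 192.168.20.30 any (msg:"SMB copy host1 -> host2, skip rules"; sid:9000001; rev:1;)
pass ip 192.168.20.30 any -> 192.168.10.20 any (msg:"SMB copy host2 -> host1, skip rules"; sid:9000002; rev:1;)

# Variant 2: one bidirectional rule with the bypass keyword, limited to SMB.
# bypass tells Suricata to stop stream tracking and inspection for the whole
# flow once the rule matches, and, where the capture method supports it, to
# drop the flow at the capture layer before it reaches the engine at all.
# Pinning the rule to TCP port 445 keeps the exemption as narrow as possible.
pass tcp 192.168.10.20 any <> 192.168.20.30 445 (msg:"SMB copy host1 <-> host2, bypass flow"; flow:established; bypass; sid:9000003; rev:1;)
```

Before loading the file, `suricata -T -S custom-bypass.rules` (test mode, loading only that file) reports any syntax error. Whether the bypass is honoured at the capture layer or only inside the engine depends on the capture method in use; on a platform where only engine-level bypass is available, the packets are still received and decoded but skip stream reassembly and detection, which is normally the expensive part for a bulk SMB transfer.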