Filter unwanted traffic types at the NIC?


Is there a way within AlienVault to filter unwanted traffic types ingested by the sniffing ports, such as Wireshark's capture filter?

I have video and voice traffic on my network that I don't need bogging down the resources of my AV USM AIO.  I would like to be able to set a capture filter on each NIC that removes these types from being processed.  I understand how to create SPAN (Cisco) ports, but multiple monitored devices access both the video feeds (don't care to monitor) as well as data (want to monitor), so I'd like to filter this traffic at the NIC.

    Due to the way that the capture buffers work (af-packet) there is currently no way to filter the inbound promiscuous data before it is sent to the buffer for Suricata to process. Changing this would significantly affect the efficiency of the capture buffer which we are using.

    Suricata already has some fairly robust stream analysis, allowing it to selectively ignore streams which it finds irrelevant (the RTP stream on your phone traffic will be one of these, as there is no useful data for Suricata there). This said, AlienVault (and the vast majority of VoIP providers) recommends separating this traffic into a restricted VLAN to keep it separate from other network traffic for management as well as security purposes. This has the side effect of simplifying separation of this traffic, since it could be removed from the SPAN traffic by removing the entire VLAN.


  • kcoe,

      Understood.  Mostly concerned about video traffic, as that is the bulk of the traffic on that network.  It is segregated as much as possible into its own VLAN, but there are still Windows machines, that assist in processing and displaying the video, that I'm concerned about sniffing.  I am currently sniffing this traffic and I notice that the amount of data processed by this interface is significantly greater than other interfaces on the system that are sniffing normal data.  My assumption is that this interface is processing the video traffic.
      Do you know of a list of irrelevant streams ignored by Suricata, or at least AlienVault, that I can reference?

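Added example (not part of the thread above, and not AlienVault or Suricata code): a small script to test the assumption in the last comment, i.e. that the video VLAN accounts for the bulk of bytes on the sniffing interface. It tallies frame bytes per 802.1Q VLAN and per protocol from `tcpdump -e -nn -q` output captured on the SPAN-facing NIC. The sample lines below are constructed in the shape of that output; the exact field layout varies between tcpdump versions, so the regular expressions are the part to adjust if your capture looks different. Once the dominant VLAN is known, it is the candidate to drop from the SPAN source, as the answer suggests.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -e -nn -q -i eth1` output on a
# SPAN feed carrying a video VLAN (20), a data VLAN (10) and some untagged ARP.
SAMPLE = """\
10:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 1418: vlan 20, p 0, ethertype IPv4 (0x0800), 10.20.0.5.5004 > 10.20.0.9.5004: UDP, length 1372
10:00:00.000050 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 1418: vlan 20, p 0, ethertype IPv4 (0x0800), 10.20.0.5.5004 > 10.20.0.9.5004: UDP, length 1372
10:00:00.000120 00:11:22:33:44:56 > 66:77:88:99:aa:bc, ethertype 802.1Q (0x8100), length 1418: vlan 20, p 0, ethertype IPv4 (0x0800), 10.20.0.6.5004 > 10.20.0.9.5006: UDP, length 1372
10:00:00.000300 00:aa:bb:cc:dd:01 > 00:aa:bb:cc:dd:02, ethertype 802.1Q (0x8100), length 74: vlan 10, p 0, ethertype IPv4 (0x0800), 10.10.0.15.49152 > 10.10.0.2.445: tcp 20
10:00:00.000410 00:aa:bb:cc:dd:02 > 00:aa:bb:cc:dd:01, ethertype 802.1Q (0x8100), length 1514: vlan 10, p 0, ethertype IPv4 (0x0800), 10.10.0.2.445 > 10.10.0.15.49152: tcp 1460
10:00:00.000500 00:aa:bb:cc:dd:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.0.1 tell 10.10.0.15, length 46
"""

# Frame length is the "length N:" that precedes the colon, not the
# payload "length N" that UDP lines end with.
FRAME_LEN_RE = re.compile(r"\blength (\d+):")
VLAN_RE = re.compile(r"\bvlan (\d+),")
# Matches every "ethertype NAME (0x...)"; the last one is the inner
# ethertype when an 802.1Q tag is present.
ETHERTYPE_RE = re.compile(r"ethertype (\S+) \(0x")
TRANSPORT_RE = re.compile(r":\s+(tcp|udp|icmp)\b", re.IGNORECASE)


def parse_line(line):
    """Return (vlan, proto, frame_bytes) for one tcpdump -e line, or None."""
    m = FRAME_LEN_RE.search(line)
    if not m:
        return None
    frame_len = int(m.group(1))
    vm = VLAN_RE.search(line)
    vlan = vm.group(1) if vm else "untagged"
    ethertypes = ETHERTYPE_RE.findall(line)
    proto = ethertypes[-1].lower() if ethertypes else "unknown"
    if proto in ("ipv4", "ipv6"):
        # Refine IP frames to their transport protocol where tcpdump shows it.
        pm = TRANSPORT_RE.search(line[m.end():])
        if pm:
            proto = pm.group(1).lower()
    return vlan, proto, frame_len


def summarize(text):
    """Tally frames and bytes per VLAN and per protocol over a capture dump."""
    by_vlan = defaultdict(int)
    by_proto = defaultdict(int)
    total = 0
    frames = 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        vlan, proto, n = parsed
        by_vlan[vlan] += n
        by_proto[proto] += n
        total += n
        frames += 1
    return {"frames": frames, "total_bytes": total,
            "by_vlan": dict(by_vlan), "by_proto": dict(by_proto)}


def dominant(bucket):
    """Return (key, percent_of_bucket) for the heaviest entry."""
    total = sum(bucket.values())
    key = max(bucket, key=bucket.get)
    return key, round(100.0 * bucket[key] / total, 1)


if __name__ == "__main__":
    # Feed real data with: tcpdump -e -nn -q -c 10000 -i eth1 | python3 vlan_tally.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    summary = summarize(text)
    for name in ("by_vlan", "by_proto"):
        print(name)
        for key, n in sorted(summary[name].items(), key=lambda kv: -kv[1]):
            print(f"  {key:>10}: {n:>10} bytes ({100.0 * n / summary['total_bytes']:.1f}%)")
    print("dominant VLAN:", dominant(summary["by_vlan"]))
```

Pipe a bounded capture into it (`-c 10000`) rather than a live stream, so the measurement has a defined window; compare the result across the sniffing interfaces to see whether the heavy one is heavy because of the video VLAN or because of something else.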