Pakon/Surikata traffic whitelisting

blackdot · January 5, 2020, 1:49pm

Hello,
can you please help me with configuring Suricata (collection for pakon) to whitelist/ignore some traffic?
I have Zabbix monitoring system running in my network and it generates a lot of connection to many hosts. After few days, pakon.db grow to much and fill /tmp completely. And GUI interface became unusable as there is to much data…

Best way will be to ignore tcp ports 10050 and 10051 and do not include them in traffic inspection.

Any hints?

Thank you

mgulick · June 29, 2020, 1:46am

I was just wondering the same thing. I have a tor relay on my network which generates a lot of traffic (around 100 entries/min from pakon-show). I was able to filter this host out by editing /etc/suricata-pakon/suricata.yaml:

af-packet:
  -interface: default
    ...
    bpf-filter: not host 192.168.1.12

blackdot · June 29, 2020, 1:47pm

Thx @mgulick
bpf-filter: not portrange 10050-10051 did a trick!