telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

To not log certain traffic (namely ES data to external cluster and DNS traffic) #266

Closed landonstewart closed 5 years ago

landonstewart commented 5 years ago

Issues

I have reconfigured logstash to send to our own Elasticsearch on port 19200. Suricata and P0f are picking this traffic up and logging it (a lot of it). How can I get Suricata and P0f (and TPOT in general) to ignore certain traffic based on src ip or port or dst ip or port? I want to still allow the traffic but not have it sent to Elasticsearch.

I should also mention that the DNS lookups to my chosen resolvers are being logged as well.

| Time | type | dest_ip | dest_port |
|---|---|---|---|
| November 29th 2018, 10:10:44.326 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.843 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.394 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.332 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:28.065 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:10.231 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:09.999 | Suricata | 8.8.8.8 | 53 |

etc (thousands)

I saw the issue posted here which almost asks what I'm looking for but not quite.

Basic support information

```
NAME                  STATUS                 PORTS
ciscoasa              Up 14 hours
conpot_guardian_ast   Up 14 hours            0.0.0.0:10001->10001/tcp
conpot_iec104         Up 14 hours            0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp
conpot_ipmi           Up 14 hours            0.0.0.0:623->623/tcp
conpot_kamstrup_382   Up 14 hours            0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie                Up 14 hours            0.0.0.0:22-23->22-23/tcp
cyberchef             Up 14 hours (healthy)  127.0.0.1:64299->8000/tcp
dionaea               Up 14 hours
elasticpot            Up 14 hours            0.0.0.0:9200->9200/tcp
elasticsearch         Up 14 hours (healthy)  127.0.0.1:64298->9200/tcp
ewsposter             Up 14 hours
glutton               Up 14 hours
head                  Up 14 hours (healthy)  127.0.0.1:64302->9100/tcp
heralding             Up 14 hours            0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
kibana                Up 14 hours (healthy)  127.0.0.1:64296->5601/tcp
logstash              Up 14 hours (healthy)
mailoney              Up 14 hours            0.0.0.0:25->25/tcp
medpot                Up 14 hours            0.0.0.0:2575->2575/tcp
nginx                 Up 14 hours
p0f                   Up 14 hours
rdpy                  Up 14 hours            0.0.0.0:3389->3389/tcp
snare                 Up 14 hours            0.0.0.0:80->80/tcp
spiderfoot            Up 14 hours (healthy)  127.0.0.1:64303->8080/tcp
suricata              Up 14 hours
tanner                Up 14 hours
tanner_api            Up 14 hours
tanner_phpox          Up 14 hours
tanner_redis          Up 14 hours            6379/tcp
tanner_web            Up 14 hours
```

t3chn0m4g3 commented 5 years ago

You need to replace /etc/suricata/capture-filter.bpf with a volume of your own capture-filter.bpf. AFAIK p0f does not offer this option.
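One way to put the maintainer's answer into practice, as an added example that is not part of the T-Pot project or of this thread: a small POSIX shell script that builds the BPF expression for a custom capture-filter.bpf (excluding only the Logstash-to-Elasticsearch flow on port 19200 and DNS to the sensor's own resolvers), writes it to a file, and prints the `volumes:` line that mounts that file over `/etc/suricata/capture-filter.bpf`. The Elasticsearch address `192.0.2.10`, the host-side file location under `/opt/tpot/etc/`, and the compose file name `tpot.yml` are assumptions; `8.8.8.8` is the resolver from the issue.

```shell
#!/bin/sh
# Added example (not T-Pot project code). Generates a Suricata BPF capture filter
# that keeps all honeypot traffic but excludes the two flows from the issue:
#   (a) Logstash shipping to an external Elasticsearch node on TCP 19200
#   (b) DNS to the resolvers the sensor itself uses
# The file is meant to be bind-mounted over /etc/suricata/capture-filter.bpf.

# build_capture_filter ES_HOST ES_PORT RESOLVER...
# Uses "host X and port N" rather than "dst host/dst port" so that both
# directions of the flow are excluded; filtering only the outbound direction
# leaves Suricata logging the return packets.
build_capture_filter() {
  es_host="$1"; es_port="$2"; shift 2
  filter="not (host $es_host and tcp port $es_port)"
  for r in "$@"; do
    # Scope the DNS exclusion to the sensor's own resolvers. A blanket
    # "not port 53" would also hide DNS activity that honeypot sessions cause.
    filter="$filter and not (host $r and udp port 53)"
  done
  printf '%s\n' "$filter"
}

# write_capture_filter OUTFILE ES_HOST ES_PORT RESOLVER...
# Writes the bare expression (Suricata's -F reads the file as one filter) and
# returns the number of exclusion terms as a quick sanity check.
write_capture_filter() {
  out="$1"; shift
  build_capture_filter "$@" > "$out"
  grep -o 'not (' "$out" | wc -l | tr -d ' '
}

# compose_volume_line HOSTFILE
# Prints the entry to add under the suricata service's "volumes:" list
# (assumed to live in /opt/tpot/etc/tpot.yml); read-only is enough.
compose_volume_line() {
  printf '      - %s:/etc/suricata/capture-filter.bpf:ro\n' "$1"
}

# Usage (192.0.2.10 is a constructed placeholder for the external ES node):
#   write_capture_filter /opt/tpot/etc/capture-filter.bpf 192.0.2.10 19200 8.8.8.8 8.8.4.4
#   compose_volume_line /opt/tpot/etc/capture-filter.bpf
# After restarting the container, the filter can be checked from inside it with
#   suricata -T -c /etc/suricata/suricata.yaml -F /etc/suricata/capture-filter.bpf
```

Keep the exclusions as narrow as the example does: whatever the capture filter drops never reaches Suricata's rule engine, so it is not just absent from Elasticsearch but invisible to alerting as well.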

landonstewart commented 5 years ago

Excellent, thank you @t3chn0m4g3.