I have reconfigured logstash to send to our own Elasticsearch on port 19200. Suricata and P0f are picking this traffic up and logging it (a lot of it). How can I get Suricata and P0f (and TPOT in general) to ignore certain traffic based on src ip or port or dst ip or port? I want to still allow the traffic but not have it sent to Elasticsearch.
I should also mention that the DNS lookups to my chosen resolvers are being logged as well.
| Time | type | dest_ip | dest_port |
|---|---|---|---|
| November 29th 2018, 10:10:44.326 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.843 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.394 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:43.332 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:28.065 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:10.231 | Suricata | 8.8.8.8 | 53 |
| November 29th 2018, 10:10:09.999 | Suricata | 8.8.8.8 | 53 |
etc (thousands)
I saw the issue posted here which almost asks what I'm looking for but not quite.
Basic support information
What T-Pot version are you currently using? 18
Are you running on a Intel NUC or a VM? Hardware
How long has your installation been running? 14 hours since last reboot
Did you install any upgrades or packages? no
Did you modify any scripts? yes - logstash's elasticsearch hosts
Have you turned persistence on/off? no
How much RAM is available (login via ssh and run htop)? 58GB Free
How much stress are the CPUs under (login via ssh and run htop)? Load is 2.7
How much swap space is being used (login via ssh and run htop)? 0
How much free disk space is available (login via ssh and run sudo df -h)? 803GB available
What is the current container status (login via ssh and run sudo dps.sh)?
```
# dps.sh
========| System |========
Date: Thu Nov 29 18:07:37 UTC 2018
Uptime: 18:07:37 up 14:39, 1 user, load average: 3.02, 2.86, 2.82
CPU temp:
NAME                 STATUS                 PORTS
ciscoasa             Up 14 hours
conpot_guardian_ast  Up 14 hours            0.0.0.0:10001->10001/tcp
conpot_iec104        Up 14 hours            0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp
conpot_ipmi          Up 14 hours            0.0.0.0:623->623/tcp
conpot_kamstrup_382  Up 14 hours            0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie               Up 14 hours            0.0.0.0:22-23->22-23/tcp
cyberchef            Up 14 hours (healthy)  127.0.0.1:64299->8000/tcp
dionaea              Up 14 hours
elasticpot           Up 14 hours            0.0.0.0:9200->9200/tcp
elasticsearch        Up 14 hours (healthy)  127.0.0.1:64298->9200/tcp
ewsposter            Up 14 hours
glutton              Up 14 hours
head                 Up 14 hours (healthy)  127.0.0.1:64302->9100/tcp
heralding            Up 14 hours            0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
kibana               Up 14 hours (healthy)  127.0.0.1:64296->5601/tcp
logstash             Up 14 hours (healthy)
mailoney             Up 14 hours            0.0.0.0:25->25/tcp
medpot               Up 14 hours            0.0.0.0:2575->2575/tcp
nginx                Up 14 hours
p0f                  Up 14 hours
rdpy                 Up 14 hours            0.0.0.0:3389->3389/tcp
snare                Up 14 hours            0.0.0.0:80->80/tcp
spiderfoot           Up 14 hours (healthy)  127.0.0.1:64303->8080/tcp
suricata             Up 14 hours
tanner               Up 14 hours
tanner_api           Up 14 hours
tanner_phpox         Up 14 hours
tanner_redis         Up 14 hours            6379/tcp
tanner_web           Up 14 hours
```
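Added example, not from the issue or the T-Pot project: a Logstash filter block that drops the sensor events for the honeypot's own housekeeping traffic (the resolver lookups shown in the table above and the log shipping to the external Elasticsearch) before the output stage, so the traffic itself is untouched but never reaches the index. It assumes the field names `type`, `dest_ip` and `dest_port` exactly as the Kibana columns show them for Suricata events, that `dest_port` is indexed as a number, and uses a placeholder for the external Elasticsearch address, which the issue does not give; p0f field names are not on the page and need to be checked in Kibana before the same condition is applied to them.

```conf
filter {
  # Constructed example: suppress the honeypot's outbound DNS lookups to the
  # chosen resolver (8.8.8.8:53 as seen in the issue). Only the shipping of
  # these events is stopped; Suricata still sees and logs them locally.
  if [type] == "Suricata" and [dest_ip] == "8.8.8.8" and [dest_port] == 53 {
    drop { }
  }

  # Constructed example: suppress the Logstash -> external Elasticsearch
  # traffic on port 19200. ES_HOST_PLACEHOLDER stands for that cluster's IP,
  # which the issue does not state; replace it with the real address.
  if [type] == "Suricata" and [dest_ip] == "ES_HOST_PLACEHOLDER" and [dest_port] == 19200 {
    drop { }
  }
}
```

Keep the conditions as narrow as the one above (exact destination host and port, one sensor type) so that an attacker probing the honeypot on port 53 or port 19200 from outside still produces events; filtering at capture time with a BPF expression handed to Suricata or p0f would instead hide that traffic from the sensors entirely.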