To not log certain traffic (namely ES data to external cluster and DNS traffic)

[landonstewart]

Issues

I have reconfigured logstash to send to our own Elasticsearch on port 19200. Suricata and P0f are picking this traffic up and logging it (a lot of it). How can I get Suricata and P0f (and TPOT in general) to ignore certain traffic based on src ip or port or dst ip or port? I want to still allow the traffic but not have it sent to Elasticsearch.

I should also mention that the DNS lookups to my chosen resolvers are being logged as well.

	Time	type	dest_ip	dest_port
	November 29th 2018, 10:10:44.326	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:43.843	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:43.394	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:43.332	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:28.065	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:10.231	Suricata	8.8.8.8	53
	November 29th 2018, 10:10:09.999	Suricata	8.8.8.8	53
	etc (thousands)

I saw the issue posted here which almost asks what I'm looking for but not quite.

Basic support information

• What T-Pot version are you currently using? 18
• Are you running on a Intel NUC or a VM? Hardware
• How long has your installation been running? 14 hours since last reboot
• Did you install any upgrades or packages? no
• Did you modify any scripts? yes - logstash's elasticsearch hosts
• Have you turned persistence on/off? no
• How much RAM is available (login via ssh and run htop)? 58GB Free
• How much stress are the CPUs under (login via ssh and run htop)? Load is 2.7
• How much swap space is being used (login via ssh and run htop)? 0
• How much free disk space is available (login via ssh and run sudo df -h)? 803GB available
• What is the current container status (login via ssh and run sudo dps.sh)?

  
  # dps.sh 
  ========| System |========
  Date:  Thu Nov 29 18:07:37 UTC 2018
  Uptime:  18:07:37 up 14:39,  1 user,  load average: 3.02, 2.86, 2.82
  CPU temp:                      

NAME STATUS PORTS ciscoasa Up 14 hours
conpot_guardian_ast Up 14 hours 0.0.0.0:10001->10001/tcp conpot_iec104 Up 14 hours 0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp conpot_ipmi Up 14 hours 0.0.0.0:623->623/tcp conpot_kamstrup_382 Up 14 hours 0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp cowrie Up 14 hours 0.0.0.0:22-23->22-23/tcp cyberchef Up 14 hours (healthy) 127.0.0.1:64299->8000/tcp dionaea Up 14 hours
elasticpot Up 14 hours 0.0.0.0:9200->9200/tcp elasticsearch Up 14 hours (healthy) 127.0.0.1:64298->9200/tcp ewsposter Up 14 hours
glutton Up 14 hours
head Up 14 hours (healthy) 127.0.0.1:64302->9100/tcp heralding Up 14 hours 0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp kibana Up 14 hours (healthy) 127.0.0.1:64296->5601/tcp logstash Up 14 hours (healthy)
mailoney Up 14 hours 0.0.0.0:25->25/tcp medpot Up 14 hours 0.0.0.0:2575->2575/tcp nginx Up 14 hours
p0f Up 14 hours
rdpy Up 14 hours 0.0.0.0:3389->3389/tcp snare Up 14 hours 0.0.0.0:80->80/tcp spiderfoot Up 14 hours (healthy) 127.0.0.1:64303->8080/tcp suricata Up 14 hours
tanner Up 14 hours
tanner_api Up 14 hours
tanner_phpox Up 14 hours
tanner_redis Up 14 hours 6379/tcp tanner_web Up 14 hours

[t3chn0m4g3]

You need to replace /etc/suricata/capture-filter.bpf with a volume of your own capture-filter.bpf. AFAIK p0f does not offer this option.

[landonstewart]

Excellent, thank you @t3chn0m4g3.