I’m looking at Arkime and see a particular IP that has been appearing all the time. This is obviously a false positive, and I would like to exclude it from further scanning.
I selected all and then added a tag: “exclude scanning,” which didn’t help at all. I can still see the same IP address when I search for it.
Do you know exactly what needs to be done to exclude IPs from further scanning?
Adding a tag in Arkime will not exclude the IP from future capture. Tags only label existing sessions, so the IP will continue to appear if the sensor still sees that traffic.
For Arkime, the exclusion needs to be done on the capture side, for example:
[default]
# capture-side BPF: the sensor never creates sessions for this host
bpf = not host 1.2.3.4
or, for IP/CIDR lists:
[packet-drop-ips]
# single IP or CIDR per line, value must be "drop"
1.2.3.4=drop
10.10.10.0/24=drop
This only affects new traffic. Existing Arkime sessions will remain searchable until they expire or are deleted by retention.
Since this is in the Suricata context, I would also check whether Suricata itself is alerting on that IP. If the issue is only Arkime visibility/noise, Arkime-side filtering is enough. If Suricata is generating false-positive alerts, it is usually better to tune Suricata using rule suppression/thresholding or rule tuning, rather than completely excluding the IP from inspection. A Suricata BPF filter can exclude traffic too, but that means Suricata will no longer inspect that traffic, so it should be used carefully.
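To make the difference between tagging and capture-side dropping concrete, here is an added example (not Arkime's code and not from the answer above). It reads a constructed config.ini fragment in the same shape as the snippets above, lists the networks flagged in `[packet-drop-ips]`, and reports which constructed flows would still be captured. It assumes a packet is dropped when either its source or its destination matches a listed entry; confirm that against the Arkime settings documentation for your version. The `drop_list_to_bpf` helper builds the equivalent `bpf=` expression for the same list, which is useful if you prefer the single-setting route.

```python
"""
Which flows survive an Arkime [packet-drop-ips] list?

Added example, not Arkime's own code. Assumption: a packet is dropped when
its source OR destination address falls in a listed IP/CIDR (check the
Arkime settings docs for the exact semantics of your release).
"""
import ipaddress
from typing import List, Tuple

# Constructed config.ini fragment (not a real deployment).
SAMPLE_CONFIG = """
[default]
bpf = not host 1.2.3.4

[packet-drop-ips]
1.2.3.4=drop
10.10.10.0/24=drop
"""

Flow = Tuple[str, str]  # (src, dst)


def parse_drop_list(config_text: str) -> List[ipaddress._BaseNetwork]:
    """Return the IPs/CIDRs whose value is 'drop' in [packet-drop-ips].

    Bare IPs become /32 (or /128) networks so one matcher covers both.
    Lines are split on the first '=' only, so IPv6 keys with ':' survive.
    """
    nets = []
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "packet-drop-ips" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.lower() != "drop":
            continue
        nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def is_dropped(src: str, dst: str, nets) -> bool:
    """Assumed semantics: drop when either endpoint is inside a listed network."""
    for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        # 'in' is False across IPv4/IPv6 versions, so mixed lists are safe.
        if any(addr in n for n in nets):
            return True
    return False


def surviving_flows(flows: List[Flow], nets) -> List[Flow]:
    """Flows Arkime would still turn into sessions after the change."""
    return [f for f in flows if not is_dropped(f[0], f[1], nets)]


def drop_list_to_bpf(nets) -> str:
    """Equivalent capture-side BPF for the same list (the bpf= alternative)."""
    terms = []
    for n in nets:
        if n.num_addresses == 1:
            terms.append(f"host {n.network_address}")
        else:
            terms.append(f"net {n.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")" if terms else ""


# Constructed sample flows, not captured data.
SAMPLE_FLOWS: List[Flow] = [
    ("1.2.3.4", "192.0.2.10"),       # noisy host as source
    ("192.0.2.10", "1.2.3.4"),       # noisy host as destination
    ("10.10.10.77", "192.0.2.20"),   # inside the dropped /24
    ("192.0.2.20", "198.51.100.5"),  # unrelated, must survive
]

if __name__ == "__main__":
    nets = parse_drop_list(SAMPLE_CONFIG)
    print("drop list:", [str(n) for n in nets])
    print("bpf equivalent:", drop_list_to_bpf(nets))
    for flow in SAMPLE_FLOWS:
        print(flow, "dropped" if is_dropped(flow[0], flow[1], nets) else "captured")
```

Note that nothing here consults tags: the decision is made per packet before a session exists, which is why tagging sessions in the viewer has no effect on what shows up next.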