In Suricata IDS mode, is it possible to block/drop/pass good traffic so it will not be seen in Kibana?

Newbie to Suricata here.

In Suricata IDS mode, is it possible to block/drop/pass good traffic so it will not be seen in Kibana?

drop ip any any <> any any (msg:"pass traffic for test"; sid:123;)
drop ip xxx any <> xxx any (msg:"pass traffic for test"; sid:123;)

This syntax did not work. I was still seeing traffic from that IP address. Please help.

I also tried several commands such as suppress, not, pass.

Hi,

As far as I know it is not possible, it can only be in IPS mode.

Hi MYK,

I haven't used Kibana myself, so I'm not sure, but could some of the options in ignoring traffic be useful for you, perhaps? There are a few possibilities there, from filtering, to adding pass or suppress rules, to bypassing traffic… 9.7. Ignoring Traffic — Suricata 7.0.0-dev documentation

Welcome to our forum and let us know if you found something that works for you!

I’m guessing trying to filter on Elastic ingest is too heavy?

Are you ingesting the drops.json separately? Or everything in 1 eve json output?

If you drop any any in IPS mode I assume you would get nothing through the wire and everything in eve drops output.

Ah, re-read what suricatalfon said, yes you cannot drop in IDS mode.

You could write alerts to a separate json file and ingest only that. Or filter with logstash/filebeat to only send alerts from your eve output.

OK, thanks guys. I've tried several commands such as drop, pass, suppress, bypass with no luck in IDS mode. Seems like the only command that works is "Alerts ip any any <> any any (msg:"pass traffic for test"; sid:123;)". Pretty much what I'm trying to figure out is how to ignore traffic so it won't show in Kibana. As of right now we're just seeing a lot of good traffic and we're trying to ignore that traffic within Suricata. For example, we're seeing Nessus scanning traffic. We would like to ignore the Nessus scanner IP addresses.

Hi Ju. Thank you, but I have visited that site and tried those BPF commands, but unfortunately they did not work. Not sure if BPF works in IDS mode. Our monitoring system is configured for IDS mode only.


Any system behind a tap or SPAN port cannot affect traffic flow, as the system(s) receive a copy of traffic that's already been transmitted.

You can configure Suricata to ignore traffic from specific IP addresses or CIDR blocks through BPF and/or by setting up the rule variables HOME_NET and EXTERNAL_NET.

@jufajardini posted a link with examples recently …
see In Suricata IDS mode. is it possible to block/drop/pass good traffic so it will not be seen in kibana? - #3 by jufajardini


Thanks Jeff. These are the commands that I've tried with no luck:

drop ip any any <> any any (msg:"pass traffic for test"; sid:123;)
drop ip xxx any <> xxx any (msg:"pass traffic for test"; sid:123;)
Pass HOME_NET any <> External Net (msg:"pass traffic for test"; sid:123;)
supress any any <> any any (msg:"pass traffic for test"; contains "google.com"; sid:123;)

Can you give me an example of how to "ignore" traffic like DNS or IP? Any help would be appreciated. Thank you.

Again, you won't be able to drop traffic using Suricata in IDS mode. You won't be able to drop traffic behind a network tap, SPAN port, or similar.

Here's a BPF filter to ignore UDP traffic sent to the default DNS port: udp dst port not 53. You can add this to the end of the Suricata command line.

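The two "ignore" mechanisms pointed to above (a BPF capture filter and pass rules) generated for a list of scanner addresses, as an added example that is not code from the thread or the Suricata project; the scanner addresses are constructed placeholders from documentation ranges, and the sid base is an arbitrary local-rule number.

```python
# Added example: build a BPF capture filter and Suricata pass rules that
# ignore a list of scanner hosts/CIDRs (e.g. Nessus scanners) in IDS mode.
import ipaddress


def parse_networks(addrs):
    """Validate addresses/CIDRs and return unique ip_network objects in input order.
    A malformed entry raises ValueError rather than silently producing a bad filter."""
    nets = []
    for a in addrs:
        net = ipaddress.ip_network(a.strip(), strict=False)
        if net not in nets:
            nets.append(net)
    return nets


def _bpf_term(net):
    # Single host -> "host A.B.C.D", otherwise "net A.B.C.0/24" (libpcap CIDR syntax).
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def bpf_exclude(addrs, udp_ports=()):
    """Capture filter for the end of the Suricata command line, e.g.
    suricata -i eth0 'not (host 192.0.2.10 or udp port 53)'.
    Excluded packets never reach Suricata, so no alert, flow or dns
    records for them are written to eve.json (and thus nothing in Kibana)."""
    terms = [_bpf_term(n) for n in parse_networks(addrs)]
    terms += [f"udp port {p}" for p in udp_ports]
    return "not (" + " or ".join(terms) + ")" if terms else ""


def pass_rules(addrs, base_sid=9000000):
    """One pass rule per network, for a local .rules file loaded with -S or rule-files.
    Pass works in IDS mode, but it only skips detection: matching packets raise no
    alerts, while flow/dns/http eve records for them are still logged."""
    rules = []
    for i, net in enumerate(parse_networks(addrs)):
        addr = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
        rules.append(f'pass ip {addr} any <> any any '
                     f'(msg:"pass scanner {addr}"; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    # Constructed sample input: two scanner hosts and one scanner subnet.
    scanners = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]
    print(bpf_exclude(scanners, udp_ports=(53,)))
    print("\n".join(pass_rules(scanners)))
```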