Suricata running in AWS

Hi all,
I have configured VPC traffic mirroring in my AWS account; it uses an NLB as the target with Suricata instances behind it. It receives the VLAN traffic of interest from the hosts being monitored; however, it also captures its own traffic, which is going into the eve log, which we don’t want. Is it possible to create a dummy interface for Suricata to listen on and forward UDP 4789 to the dummy interface? Or something similar?

I posted something about this before but seems to have gotten lost.

Many thanks
Darrin

You might want to create a separate interface and mirror onto it and have Suricata sniff the mirror interface only.
You might also just negate/exclude the shipping traffic specifically -
https://suricata.readthedocs.io/en/suricata-6.0.3/performance/ignoring-traffic.html
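As an added example (not from this thread), here is a suricata.yaml fragment showing both options from the reply above: a dedicated VXLAN interface, and a BPF filter that keeps only the mirror stream. It assumes the mirror stream arrives on eth0, the mirror session uses VNI 100, and cluster-id 99 is free; all three are placeholders.

```yaml
# Added example, not from the thread. Assumed values: eth0 receives the
# mirror stream from the NLB, the mirror session's VNI is 100, cluster-id 99.
#
# Option 1: dedicated VXLAN interface. Create it first (as root):
#   ip link add vxlan0 type vxlan id 100 dev eth0 dstport 4789
#   ip link set vxlan0 up
# The kernel decapsulates the UDP/4789 stream onto vxlan0, so Suricata sees
# only the mirrored packets; the sensor's own SSH, log-shipping and update
# sessions stay on eth0 and never reach the capture or the eve log.
af-packet:
  - interface: vxlan0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    checksum-checks: no   # mirrored copies may carry offload-only checksums

# Option 2: keep capturing on eth0 and let Suricata decode VXLAN itself,
# but restrict the capture to the mirror stream with a BPF filter. Anything
# the sensor sends or receives on other ports is dropped before decoding.
#af-packet:
#  - interface: eth0
#    cluster-id: 99
#    cluster-type: cluster_flow
#    bpf-filter: "udp dst port 4789"
#    checksum-checks: no

# Only needed for option 2: Suricata's own VXLAN decoder on the mirror port.
decoder:
  vxlan:
    enabled: true
    ports: 4789
```

Use one option only: with option 1 the kernel already stripped the VXLAN header, so the decoder setting is harmless but unused.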

Thanks, I have been able to create a vxlan0 interface and have Suricata watch there.