Hello,
Is it possible with suricata-update modify.conf/disable.conf to disable all ET/ETPRO rules with the following content: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN
More specific source is $EXTERNAL_NET and msg starts with “ET SCAN” or “ETPRO SCAN” .
Or maybe better to change $EXTERNAL_NET to $HOME_NET as source to keep track on internal scanning?
I think excluding "ET SCAN" rule hits on a particular network span port/interface is not possible?
Reason is it is filling up the pcap directory where I save pcap files from alerts, because like everyone else we are port scanned around the clock 24/7 a lot.
Any help appreciated!
Cheers,
Andre
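As an added illustration (not part of the original post and not suricata-update's own code), the script below applies the kind of regex a `re:` line in disable.conf would carry to a few constructed sample rules: it keeps only rules whose source is `$EXTERNAL_NET` and whose msg starts with "ET SCAN" or "ETPRO SCAN", and shows the alternative the post raises, rewriting the source of those same rules to `$HOME_NET`. The sample rules and their sids are constructed placeholders, not real ET signatures; that suricata-update's disable.conf accepts `re:<pattern>` matched against the full rule text is taken as known, while the exact modify.conf syntax for a pattern plus a from/to pair is an assumption noted in the comments, so check the generated rules file after running suricata-update.

```python
import re

# Constructed sample rules for illustration only; the sids are placeholders, not real ET sids.
SAMPLE_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Example web scanner"; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO SCAN Example port sweep"; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Example outbound scan"; sid:9000003; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Example request"; sid:9000004; rev:1;)',
]

# Pattern as it would follow the "re:" prefix in disable.conf: action, protocol,
# source must be $EXTERNAL_NET, then any ports/destination, then a msg starting with
# "ET SCAN" or "ETPRO SCAN".
SCAN_FROM_EXTERNAL = r'^alert \S+ \$EXTERNAL_NET \S+ -> \S+ \S+ \(msg:"ET(PRO)? SCAN'


def matches(rule, pattern=SCAN_FROM_EXTERNAL):
    """True if the rule text matches the disable/modify pattern."""
    return re.search(pattern, rule) is not None


def disabled_sids(rules, pattern=SCAN_FROM_EXTERNAL):
    """Sids that a disable.conf line 're:<pattern>' would switch off."""
    return [int(re.search(r'sid:(\d+);', r).group(1)) for r in rules if matches(r, pattern)]


def modify_source(rules, pattern=SCAN_FROM_EXTERNAL):
    """Equivalent of a modify.conf entry that swaps the source of matching rules
    from $EXTERNAL_NET to $HOME_NET (assumed syntax: re:<pattern> "<from>" "<to>").
    Only the source variable (first occurrence) is rewritten; other rules are untouched."""
    rewritten = []
    for r in rules:
        if matches(r, pattern):
            r = r.replace('$EXTERNAL_NET', '$HOME_NET', 1)
        rewritten.append(r)
    return rewritten


def config_lines(pattern=SCAN_FROM_EXTERNAL):
    """The lines this logic corresponds to; the modify.conf form is an assumption."""
    return {
        'disable.conf': 're:' + pattern,
        'modify.conf': 're:' + pattern + ' "\\$EXTERNAL_NET" "$HOME_NET"',
    }


if __name__ == '__main__':
    print('would disable:', disabled_sids(SAMPLE_RULES))
    for line in modify_source(SAMPLE_RULES):
        print(line)
    for name, line in config_lines().items():
        print(name, '->', line)
```

Note that the third sample rule (source already `$HOME_NET`) is neither disabled nor rewritten, and the `ET WEB_SERVER` rule is left alone even though it also comes from `$EXTERNAL_NET`; rewriting the source to `$HOME_NET` means the remaining SCAN rules only fire for flows whose source falls inside `$HOME_NET`, which is what keeping track of internal scanning would need.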