Looking for some help with ignoring the looping traffic (all the beats stuff). I have been able to figure out the CLI for applying the BPF (I think) BUT I am struggling with the logic to filter the port 9200 traffic and which interface to apply it to. As of right now I have 2 x interfaces, one for network comms to the elasticsearch and the other is the sniffer (interface in promisc. mode, connected to a mirror port on my switch).
At the command line I try this:
suricata -i ens19 -v 'not ( host 10.10.20.106 or host 10.10.20.200 or host 10.10.20.201 or host 10.10.20.202 ) and ( port 9200 )' &
I tcpdump and still see port 9200 between only the elasticsearch and 10.10.20.106??? The logic above I THINK should drop (ignore) that I thought?
LOOKING for any help. Thanks.
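Added example, not part of the original post: a small model of BPF `host`/`port` semantics (both match either direction of a packet) run over constructed packet tuples, comparing the expression posted above with the form `not (port 9200 and (host ... or host ...))`. The Elasticsearch node's own address is not given in the post, so `ES_HOST` is a placeholder chosen here.

```python
# Added example (not from the original post): models BPF primitive semantics
# over constructed packet tuples to show which packets each filter admits.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

# Beats hosts taken from the post; ES_HOST is a placeholder (not in the post).
BEATS_HOSTS = {"10.10.20.106", "10.10.20.200", "10.10.20.201", "10.10.20.202"}
ES_HOST = "10.10.20.50"

def host(p, addr):   # BPF 'host X' matches src OR dst
    return addr in (p.src, p.dst)

def port(p, n):      # BPF 'port N' matches sport OR dport
    return n in (p.sport, p.dport)

def any_beats_host(p):
    return any(host(p, h) for h in BEATS_HOSTS)

def posted_filter(p):
    # 'not (host A or ...) and (port 9200)': admits ONLY port 9200 traffic
    # that involves none of the listed hosts; everything else is dropped.
    return (not any_beats_host(p)) and port(p, 9200)

def intended_filter(p):
    # 'not (port 9200 and (host A or ...))': drops the beats<->ES loop
    # and keeps everything else for inspection.
    return not (port(p, 9200) and any_beats_host(p))

def apply(flt, pkts):
    return [p for p in pkts if flt(p)]

# Constructed sample traffic (not captured data)
SAMPLE = [
    Pkt("10.10.20.106", ES_HOST, 51000, 9200),       # beats -> ES (the loop)
    Pkt(ES_HOST, "10.10.20.200", 9200, 51002),       # ES reply to a beats host
    Pkt("192.0.2.10", "198.51.100.5", 44000, 443),   # unrelated TLS, should be inspected
    Pkt("203.0.113.7", "10.10.20.9", 60000, 9200),   # unknown host hitting port 9200
]

if __name__ == "__main__":
    for name, f in (("posted", posted_filter), ("intended", intended_filter)):
        print(name, [(p.src, p.dst, p.dport) for p in apply(f, SAMPLE)])
```

Note that a BPF passed to Suricata only limits what Suricata itself captures; a separate tcpdump on the same interface applies no such filter, so it will keep showing the port 9200 traffic regardless.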