you can filter out unwanted rules or traffic at various layers
the first one is obviously to disable rules (suricata-update then writes them commented out into the generated suricata.rules)
suricata-update disable-source ...
suricata-update

vi /etc/suricata/disable.conf
# ET INFO User-Agent (python-requests) Inbound to Webserver
1:2017515
suricata-update
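to see what the disable.conf entry above actually does to a rule set, here is an added python re-implementation of the matching step (my own illustration, not suricata-update's code). it takes the page's `1:2017515` gid:sid entry, a bare sid, and a `re:` pattern (bare sid and `re:` are documented suricata-update syntax not shown above), and comments out the matching rules the way suricata-update does in its output file. the rule lines other than the python-requests one are made up for the example.

```python
import re

# Constructed rule lines in Suricata rule syntax; only the first msg/sid is
# taken from the page, the other two rules are invented for this example.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; sid:2017515; rev:4;)
alert dns $HOME_NET any -> any any (msg:"CONSTRUCTED dns example"; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED tcp example"; gid:1; sid:9000002; rev:1;)
"""

# Constructed disable.conf: the page's gid:sid entry plus a re: pattern
# (re: is documented suricata-update syntax, assumed here, not on the page).
DISABLE_CONF = """\
# ET INFO User-Agent (python-requests) Inbound to Webserver
1:2017515
re:CONSTRUCTED tcp
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")


def parse_disable_conf(text):
    """Return (set of (gid, sid) tuples, list of compiled re: patterns)."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        elif ":" in line:                        # gid:sid form, as on the page
            gid, sid = line.split(":", 1)
            ids.add((int(gid), int(sid)))
        else:                                    # bare sid implies gid 1
            ids.add((1, int(line)))
    return ids, patterns


def rule_id(rule):
    """Extract (gid, sid) from a rule line; gid defaults to 1 when absent."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_disable_conf(rules_text, disable_text):
    """Return the rule lines with every matching rule commented out ('# ' prefix)."""
    ids, patterns = parse_disable_conf(disable_text)
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)                     # pass comments/blank lines through
            continue
        hit = rule_id(line) in ids or any(p.search(line) for p in patterns)
        out.append("# " + line if hit else line)
    return out


def disabled_sids(rules_text, disable_text):
    """Sorted sids that ended up commented out, for a quick sanity check."""
    return sorted(rule_id(l[2:])[1]
                  for l in apply_disable_conf(rules_text, disable_text)
                  if l.startswith("# alert"))


if __name__ == "__main__":
    print("\n".join(apply_disable_conf(SAMPLE_RULES, DISABLE_CONF)))
    print("disabled:", disabled_sids(SAMPLE_RULES, DISABLE_CONF))
```

the point to check after a real `suricata-update` run is the same one this prints: grep the generated suricata.rules for `sid:2017515` and make sure the line now starts with `# `.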
the second one (my favorite one) is to tackle it at the log collector, e.g. fluent-bit here, using its stream processor
e.g. in case you want to get rid of the flow records for dns (dest port 53)
cd /etc/fluent-bit/
vi custom_streams.conf
[STREAM_TASK]
Name flow_no_dns
Exec CREATE STREAM flowfix WITH (tag='source.flowfix') AS SELECT * from STREAM:tail.0 WHERE NOT dest_port = 53;
vi fluent-bit.conf
[SERVICE]
streams_file custom_streams.conf
vi flb_suricata.conf
[FILTER]
name ...
match source.flowfix
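one caveat with the stream task above: `SELECT * ... WHERE NOT dest_port = 53` is applied to every record coming out of tail.0, so it drops dns events and, worse, alerts on port-53 traffic as well, not only the flow records. the added python below (my own illustration, not fluent-bit code) replays the page's predicate and a narrower one over a few constructed eve.json lines and counts the alerts each one loses. the narrower predicate corresponds to something like `WHERE NOT (event_type = 'flow' AND dest_port = 53)`, which is an assumption about the stream-processor grammar that I have not verified; the records, addresses and signature id usage are made up for the example.

```python
import json

# Constructed EVE JSON lines (not a real eve.json). Field names follow
# Suricata's EVE format; addresses and values are invented.
SAMPLE_EVE_LINES = """\
{"event_type":"flow","proto":"UDP","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53}
{"event_type":"dns","proto":"UDP","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"dns":{"type":"query","rrname":"example.com"}}
{"event_type":"alert","proto":"UDP","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"alert":{"signature_id":2017515}}
{"event_type":"flow","proto":"TCP","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443}
"""


def parse_eve(text):
    """One JSON object per non-empty line, as the tail input would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def keep_as_written(rec):
    """Mirrors the page's task: WHERE NOT dest_port = 53.
    Drops every record to port 53, whatever its event_type."""
    return rec.get("dest_port") != 53


def keep_flow_only(rec):
    """Narrower predicate (assumed SQL: WHERE NOT (event_type = 'flow' AND dest_port = 53)).
    Only flow records to port 53 are dropped; dns and alert records survive."""
    return not (rec.get("event_type") == "flow" and rec.get("dest_port") == 53)


def run_stream(predicate, text):
    """Return the event_types that survive the predicate, in input order."""
    return [r["event_type"] for r in parse_eve(text) if predicate(r)]


def dropped_alerts(predicate, text):
    """How many alert records the predicate would silently discard."""
    return sum(1 for r in parse_eve(text)
               if r.get("event_type") == "alert" and not predicate(r))


if __name__ == "__main__":
    for name, pred in (("as written", keep_as_written), ("flow only", keep_flow_only)):
        print(f"{name:10s} keeps {run_stream(pred, SAMPLE_EVE_LINES)}, "
              f"drops {dropped_alerts(pred, SAMPLE_EVE_LINES)} alert(s)")
```

this does not model how fluent-bit treats records that have no dest_port at all (stats, for instance), so test that on your own version before relying on the stream. also remember that the original tail records keep flowing under their own tag, so your outputs should match source.flowfix only, otherwise you ship both copies.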
one could also consider a grep or expect wrapper around the log stream
the third one is to make up a tcpdump-style (BPF) filter and have suricata apply it at capture time
since that is TCP you need to skip the replies as well, which actually makes the filter even easier: with no src/dst qualifier, host and port match both directions
vi /etc/suricata/capture-filter.bpf
not (host x.x.x.x and ip and tcp and port xxxx)
enable it in the init script (-F points suricata at the bpf file)
cp -pi /etc/init.d/suricata /etc/init.d/suricata.dist
chmod -x /etc/init.d/suricata.dist
vi /etc/init.d/suricata
SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D -vvv $USER_SWITCH -F /etc/suricata/capture-filter.bpf"
systemctl daemon-reload
systemctl restart suricata
well, and there is also brute force of course: just block the unwanted traffic by means of a firewall
https://docs.suricata.io/en/latest/performance/ignoring-traffic.html
https://biot.com/capstats/bpf.html