suricata // tuning

BPF

Since this is TCP you also need to skip the replies; host and port match either endpoint, so a single clause covers both directions and the filter rule gets even simpler.

vi /etc/suricata/capture-filter.bpf

not (host 10.200.1.5 and ip and tcp and port 8480)
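Added example, not part of the original notes: a small Python model of how the predicate above classifies packets, showing that one direction-less host/port clause excludes both the requests to 10.200.1.5:8480 and the replies coming back from it, while everything else on that host or that port is still inspected. The sample packets are constructed, not captured.

```python
# Model of:  not (host 10.200.1.5 and ip and tcp and port 8480)
# to illustrate why a single 'host ... and port ...' clause drops both
# directions of a TCP conversation. Not a BPF compiler; see the usage note.
from dataclasses import dataclass

EXCLUDED_HOST = "10.200.1.5"   # values from the capture-filter.bpf above
EXCLUDED_PORT = 8480


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0


def bpf_matches(pkt, host=EXCLUDED_HOST, port=EXCLUDED_PORT):
    """True when 'host H and ip and tcp and port P' matches the packet.
    'host' and 'port' carry no direction: either endpoint qualifies."""
    is_ip = ":" not in pkt.src      # 'ip' means IPv4; an IPv4 host literal
    return (host in (pkt.src, pkt.dst)  # already implies it, so it is redundant here
            and is_ip
            and pkt.proto == "tcp"
            and port in (pkt.sport, pkt.dport))


def suricata_sees(pkt):
    """The file wraps the clause in 'not (...)', so Suricata inspects a
    packet exactly when the inner clause does NOT match."""
    return not bpf_matches(pkt)


# Constructed sample traffic (not from a real capture).
SAMPLE = [
    Packet("10.0.0.9", "10.200.1.5", "tcp", 51234, 8480),   # request -> skipped
    Packet("10.200.1.5", "10.0.0.9", "tcp", 8480, 51234),   # reply   -> skipped
    Packet("10.0.0.9", "10.200.1.5", "tcp", 51235, 22),     # SSH to same host -> kept
    Packet("10.0.0.9", "10.200.1.7", "tcp", 51236, 8480),   # same port, other host -> kept
    Packet("10.0.0.9", "10.200.1.5", "udp", 51237, 8480),   # UDP, not tcp -> kept
]


def inspected(packets=SAMPLE):
    """Packets that still reach the Suricata engine under this filter."""
    return [p for p in packets if suricata_sees(p)]
```

The model only mirrors the semantics; before restarting Suricata, compile the real file with tcpdump -d -F /etc/suricata/capture-filter.bpf to catch syntax errors.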

enable

cp -pi /etc/init.d/suricata /etc/init.d/suricata.dist
chmod -x /etc/init.d/suricata.dist
vi /etc/init.d/suricata

SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D -vvv $USER_SWITCH -F /etc/suricata/capture-filter.bpf"

systemctl daemon-reload
systemctl restart suricata

nftables

resources

https://docs.suricata.io/en/latest/performance/ignoring-traffic.html

https://biot.com/capstats/bpf.html


Copyright © 2024 Pierre-Philipp Braun