Ignoring Traffic
================
-In some cases there are reasons to ignore certain traffic. Maybe a
-trusted host or network, or a site. This document lists some
-strategies for ignoring traffic.
+In some cases there are reasons to ignore certain traffic. Certain hosts
+may be trusted, or perhaps a backup stream should be ignored.
+
+This document lists some strategies for ignoring traffic.
capture filters (BPF)
---------------------
If some hosts and or nets need to be ignored, use something like "not
(host IP1 or IP2 or IP3 or net NET/24)".
+Example::
+
+ not host 1.2.3.4
+
+Capture filters are specified on the commandline after all other options::
+
+ suricata -i eth0 -v not host 1.2.3.4
+ suricata -i eno1 -c suricata.yaml tcp or udp
+
+Capture filters can be set per interface in the pcap, af-packet, netmap
+and pf_ring sections. It can also be put in a file::
+
+ echo "not host 1.2.3.4" > capture-filter.bpf
+ suricata -i ens5f0 -F capture-filter.bpf
+
+Using a capture filter limits what traffic Suricata processes. So the
+traffic not seen by Suricata will not be inspected, logged or otherwise
+recorded.
+
pass rules
----------
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
-A big difference with capture filters is that logs such as http.log
+A big difference with capture filters is that logs such as Eve or http.log
are still generated for this traffic.
suppress
projects / thirdparty / suricata.git / commitdiff
