[Request] Ignore Ports When Nothings Listening #19142

Open
hbednar opened this issue Jan 27, 2023 · 6 comments
@hbednar
Contributor

hbednar commented Jan 27, 2023

I get a lot of events each day just from mass scans, which makes it hard to filter out the more useful events.
Would it be possible to ignore any scan on ports that are not in use to decrease the number of events.
As an example, i don't use telnet so every time that port 23 gets scanned can this be ignored, thanks.

@MikhailKasimov
Collaborator

Hello!

USER_IGNORELIST variable is the way here: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L124-L125

Description: Location of file with ignore event rules. Example under misc/ignore_events.txt

Syntax of /misc/ignore_events.txt:

image

> i don't use telnet so every time that port 23 gets scanned can this be ignored, thanks.

Hence, your case is *;*;23;*.

@MikhailKasimov
Collaborator

Fixing the misorder: c7ab71c

image

Correct syntax for your case: *;*;*;23

@hbednar
Contributor Author

hbednar commented Feb 1, 2023

Thanks for your comment, but is there any way to automate this, as I am getting a lot of events (around 5k to 10k each day) and the ports are generally mixed; see example below.

Also looking at the example you gave, this will ignore both ingoing and outgoing connections.

Screenshot

@MikhailKasimov
Collaborator

> Thanks for your comment, but is there any way to automate this, as I am getting a lot of events (around 5k to 10k each day) and the ports are generally mixed; see example below.

Not sure on having automation "out-of-box" here. Please, provide also trail and info columns output here: perhaps, some other way could be applicable here.

> Also looking at the example you gave, this will ignore both ingoing and outgoing connections.

Yes, because fields src_ip and dst_ip are *, which means any.

> Screenshot

I can see 23 (telnet) on the picture. Is it before applying the *;*;*;23 option or after?

@MikhailKasimov MikhailKasimov reopened this Feb 1, 2023
@hbednar
Contributor Author

hbednar commented Feb 2, 2023

> Not sure on having automation "out-of-box" here. Please, provide also trail and info columns output here: perhaps, some other way could be applicable here.

Giving people the option to enable this would make sense, as devices on an internal network are a lot less noisy.

> Yes, because fields src_ip and dst_ip are *, which means any.
> I can see 23 (telnet) on the picture. Is it before applying the *;*;*;23 option or after?

So there is currently no option to specify incoming and outgoing connections separately.

Is this what you are looking for:

Screenshot

@MikhailKasimov
Collaborator

MikhailKasimov commented Feb 2, 2023

Hello!

> Not sure on having automation "out-of-box" here. Please, provide also trail and info columns output here: perhaps, some other way could be applicable here.

> Giving people the option to enable this would make sense, as devices on an internal network are a lot less noisy.

Thanks for the updated screenshot. It helps to propose to you the IGNORE_EVENTS_REGEX variable to apply:

https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L127-L128

Your case would be: IGNORE_EVENTS_REGEX mass scanner|known attacker

> Yes, because fields src_ip and dst_ip are *, which means any.
> I can see 23 (telnet) on the picture. Is it before applying the *;*;*;23 option or after?

> So there is currently no option to specify incoming and outgoing connections separately.

Why not? Use two strings. E.g.:

*;*;192.168.1.1;23 <-- ignoring all incoming connections on port 23 to IP 192.168.1.1
192.168.1.1;*;*;23 <-- ignoring all outgoing connections on port 23 from IP 192.168.1.1

Netmasks/ranges are not supported, as far as I remember. So 192.168.1.0/24;*;*;23 <-- ignoring all outgoing connections on port 23 from all IPs from subnet 192.168.1.0/24 and 192.168.1.1-15;*;*;23<-- ignoring all outgoing connections on port 23 from all IPs of range 192.168.1.1-192.168.1.15 won't work. Perhaps, adding support of netmasks/ranges is reasonable here... What do you think, @stamparm ?

> Is this what you are looking for:

> Screenshot

Yes, it helps. Thank you!
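As an added example (written for this thread, not maltrail's own code), here is a small Python re-implementation of the two filters discussed above: the USER_IGNORELIST rule format src_ip;src_port;dst_ip;dst_port with * wildcards, including the inbound/outbound pair of rules from the comment, and an IGNORE_EVENTS_REGEX check. It assumes the field order used in the comment above, that the regex is tested against the trail and info columns, and that inline # comments are accepted (this parser's convention). The CIDR and last-octet-range matching is the hypothetical extension the comment asks about; maltrail itself does not support it. The sample events are constructed, not real sensor output.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    trail: str
    info: str


Rule = Tuple[str, str, str, str]  # src_ip;src_port;dst_ip;dst_port (order as in the thread)


def parse_ignore_rules(text: str) -> List[Rule]:
    """Parse ignore rules; '*' or an empty field means 'any'. '#' starts a comment (this parser's convention)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() or "*" for p in line.split(";")]
        if len(parts) != 4:
            raise ValueError("expected src_ip;src_port;dst_ip;dst_port, got %r" % line)
        rules.append((parts[0], parts[1], parts[2], parts[3]))
    return rules


def ip_matches(pattern: str, ip: str) -> bool:
    """Exact IP or '*'. CIDR ('192.168.1.0/24') and last-octet ranges ('192.168.1.1-15')
    are a hypothetical extension (IPv4 only for ranges), not maltrail behaviour."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if "-" in pattern:
        base, last = pattern.split("-", 1)
        prefix, lo = base.rsplit(".", 1)
        ip_prefix, octet = ip.rsplit(".", 1)
        return ip_prefix == prefix and int(lo) <= int(octet) <= int(last)
    return pattern == ip


def port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or pattern == str(port)


def ignored_by_rules(event: Event, rules: List[Rule]) -> bool:
    """True if any rule matches all four fields of the event."""
    return any(
        ip_matches(s_ip, event.src_ip) and port_matches(s_port, event.src_port)
        and ip_matches(d_ip, event.dst_ip) and port_matches(d_port, event.dst_port)
        for s_ip, s_port, d_ip, d_port in rules
    )


def ignored_by_regex(event: Event, regex: str) -> bool:
    # Assumption: the regex is applied case-insensitively to the trail and info columns.
    return (re.search(regex, event.trail, re.I) is not None
            or re.search(regex, event.info, re.I) is not None)


def apply_filters(events: List[Event], rules: List[Rule], regex: str) -> List[Event]:
    """Return only the events that neither the ignore list nor the regex suppresses."""
    return [e for e in events if not ignored_by_rules(e, rules) and not ignored_by_regex(e, regex)]


IGNORE_RULES = parse_ignore_rules("""
# src_ip;src_port;dst_ip;dst_port
*;*;192.168.1.1;23        # inbound telnet to 192.168.1.1 (from the comment above)
192.168.1.1;*;*;23        # outbound telnet from 192.168.1.1 (from the comment above)
192.168.1.0/24;*;*;445    # CIDR form: hypothetical extension, rejected by maltrail itself
""")

IGNORE_REGEX = "mass scanner|known attacker"

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    Event("203.0.113.5", 44321, "192.168.1.1", 23, "203.0.113.5", "mass scanner"),
    Event("192.168.1.1", 52000, "198.51.100.7", 23, "198.51.100.7", "known attacker"),
    Event("203.0.113.9", 44000, "192.168.1.1", 22, "203.0.113.9", "mass scanner"),
    Event("192.168.1.20", 50000, "198.51.100.8", 445, "198.51.100.8", "malware"),
    Event("192.168.1.20", 50001, "198.51.100.9", 443, "198.51.100.9", "malware"),
]

if __name__ == "__main__":
    for event in apply_filters(SAMPLE_EVENTS, IGNORE_RULES, IGNORE_REGEX):
        print("kept:", event)
```

Of the five constructed events only the last survives: the first two hit the inbound and outbound port-23 rules, the third is dropped by the regex on its info column even though port 22 matches no rule, and the fourth is dropped by the CIDR rule that only this extension understands.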
