Suricata (Dport 80/443)

Hey All, I have been tuning for a while and need some assistance, I feel like I am chasing my tail.

I have port 80 and 443 opened to the public web, this is HA Proxy that reverse proxies to backend servers. The issue I am having is I am getting scanned, hit and attempted failed logins to my web servers/backend services.

I see that if I setup a WAN interface in Suricata and enable all rules, a bunch of alerts are generating, as I would expect, aside from getting bunch of random ports that are hit and alerted, I don’t need this noise, BUT I do get Dport 80 and 443 that get hit also. What I am wondering if there is a way to apply rules on the WAN interface that target port 80 or 443, and block anything that matches a suspicious rule.

I do see Tom shows his production suricata instance, but does not go into detail. I see ports 80 and 443 are the only ones listed that are his web servers and alerts are only shown for these ports which I am assuming he is also blocking.

Here’s the video, takes you to the timestamp:

I am wondering how I can do the same, eliminate the noise on already blocked ports since I am not allowing them through the firewall these are dropped by default, such as 22, 25, etc. and only block attempted attacks on ports 80 and 443.

I have never tried but there might be a way to pass that parameter over to Suricata via some of the advances menus