Alert tuning advice - threshold or bpf?

[RollingMoses]

I am reviewing false positives and have started researching ways to tune out the noise and I'm looking for recommendations. As an example, we have traffic between specific hosts communicating over a specific port that are firing the Suricata sid 2023207. This is expected behavior. I would like to suppress this alert for that sid, but only for that destination port involved. Doesn't look like thresholds track by port, correct? If so, I could work on a bpf nids: filter, but in that case, it looks like it would tune out ALL alerts that apply to that filter, which isn't my goal. Looking for some advice to meet in the middle between the two options.

[TOoSmOotH]

Threshold is what I would use.

[abs0248]

I think BPF is more suitable for tuning the packet capturing load on the sensor so the Heavy/Burst/Elephant-Flow (long standing flow) not overwhelming the sniffing NICs.Trusted flow like Backup-over-LAN , DB-Replication can benefit from BFP.
Some tip to make the sensor cope better with heady loads :
While the SO use the modern AF_PACKET for load-sharing and better flow handling , it is still struggling the same way as the old PF_RING on commodity hardware (i had 15% packet loss on ZEEK when traffic reach 800Mbps on 4 Server-Class NICs) .i find out it is much better to suppress the trusted flow on the SPAN source (Network switch) via Flow-Based SPAN (if your device support it) .So you can suppress those flows on the sources and those flows never hits the NICs.