
I have not found any examples on using the 'bypass' keyword. Does it work in any rule? Are there performance implications using 'bypass'?

For example, would this bypass all tcp traffic?

alert tcp any any <> any any (msg:"Allow all TCP"; bypass; sid:9900001; rev:1;)
schroeder
dcol

1 Answer


Are there performance implications using 'bypass'?

Since it makes sure that no more packets of the flow get analyzed it has obvious performance advantages. See the article "Suricata bypass feature" for some impressive numbers.

Does it work in any rule?

Since it changes the future behavior of a flow it makes sense only in rules which match parts of a flow, i.e. usually TCP and UDP.

For example, would this bypass all tcp traffic? ...

It likely would but it would not be the best option to bypass all TCP traffic. It might be better (faster) to make Suricata ignore this traffic in the first place. See Ignoring Traffic in the documentation.

Steffen Ullrich
  • I Appreciate the quick response. I am using Suricata IPS in OPNsense. Not sure how to implement capture filters. Is this something I can add to suricata.yaml? – dcol Oct 07 '19 at 17:21
  • Also, I did see the "Suricata bypass feature article" which started me thinking about using it, but it didn't state that it was usable with any TCP rule. My intended rule was to bypass all email ports to a specific servers IP like this 'alert tcp external_NET any -> 1.2.3.4 [25,143,993,465] (msg:"Allow email ports"; bypass; sid:9900001; rev:1;)' and bypass all outbound local traffic like this 'alert tcp 192.168.0.0/16 any -> external_net any (msg:"Allow Local TCP"; bypass; sid:9900002; rev:1;)' – dcol Oct 07 '19 at 17:29
  • 1
    @dcol: *"I am using Suricata IPS in OPNsense. Not sure how to implement capture filters"* - this is a different question and thus should not be asked in a comment. This is not a discussion forum but a strict Q+A site. – Steffen Ullrich Oct 07 '19 at 18:07
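The answer points to pass rules and capture filters as the cheaper alternative to a bypass rule, and dcol's comment asks how that maps onto suricata.yaml. The Python below is an added example, not code from the original posts or from the Suricata project: it takes a bypass-style rule header like the ones in this thread, rewrites it as an equivalent pass rule, and derives the BPF expression that would keep the same traffic out of Suricata entirely (the form that goes into the capture section's bpf-filter setting). It assumes the address groups $HOME_NET and $EXTERNAL_NET resolve as in the constructed ADDRESS_GROUPS table, and it translates only the header fields the thread's rules use (CIDR nets, single hosts, single ports and bracketed port lists); port ranges and port variables are rejected rather than guessed, since BPF has no equivalent for them.

```python
"""Translate Suricata 'bypass' rules into 'pass' rules and BPF capture filters.

Added example for this Q&A thread; not part of Suricata or of the original posts.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for the address-groups section of suricata.yaml.
# A real deployment must take these from its own configuration.
ADDRESS_GROUPS = {
    "HOME_NET": "192.168.0.0/16",
    "EXTERNAL_NET": "!192.168.0.0/16",
}

# The rules discussed in the thread, written with proper $VARIABLE syntax.
RULE_ALL_TCP = 'alert tcp any any <> any any (msg:"Allow all TCP"; bypass; sid:9900001; rev:1;)'
RULE_EMAIL = ('alert tcp $EXTERNAL_NET any -> 1.2.3.4 [25,143,993,465] '
              '(msg:"Allow email ports"; bypass; sid:9900001; rev:1;)')
RULE_LOCAL = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
              '(msg:"Allow Local TCP"; bypass; sid:9900002; rev:1;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and its option string."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    return Rule(**m.groupdict())


def to_pass_rule(rule: Rule) -> str:
    """Same header with the 'pass' action and the 'bypass;' option dropped."""
    options = re.sub(r"\s*\bbypass;", "", rule.options)
    return (f"pass {rule.proto} {rule.src} {rule.sport} {rule.direction} "
            f"{rule.dst} {rule.dport} ({options})")


def _resolve(addr: str) -> str:
    """Expand one $VARIABLE via ADDRESS_GROUPS, folding '!' negations together."""
    negate = addr.startswith("!")
    addr = addr.lstrip("!")
    if addr.startswith("$"):
        name = addr[1:]
        if name not in ADDRESS_GROUPS:
            raise ValueError(f"unknown address group ${name}")
        addr = ADDRESS_GROUPS[name]
        if addr.startswith("!"):
            negate = not negate
            addr = addr[1:]
    return ("!" if negate else "") + addr


def _addr_term(addr: str, role: str):
    """BPF primitive for one address field, or None for 'any'."""
    addr = _resolve(addr)
    if addr == "any":
        return None
    negate = addr.startswith("!")
    addr = addr.lstrip("!")
    term = f"{role} {'net' if '/' in addr else 'host'} {addr}"
    return f"not {term}" if negate else term


def _port_term(ports: str, role: str):
    """BPF primitive(s) for a port or bracketed port list, or None for 'any'."""
    if ports == "any":
        return None
    plist = [p.strip() for p in ports.strip("[]").split(",") if p.strip()]
    for p in plist:
        if ":" in p or "$" in p or p.startswith("!"):
            raise ValueError(f"port spec {p!r} has no direct BPF equivalent")
    terms = [f"{role} port {p}" for p in plist]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def _directed(proto, src, sport, dst, dport) -> str:
    terms = [proto, _addr_term(src, "src"), _port_term(sport, "src"),
             _addr_term(dst, "dst"), _port_term(dport, "dst")]
    return " and ".join(t for t in terms if t)


def to_bpf(rule: Rule) -> str:
    """BPF expression matching exactly the packets the rule header selects."""
    fwd = _directed(rule.proto, rule.src, rule.sport, rule.dst, rule.dport)
    if rule.direction == "->":
        return fwd
    # '<>' means either direction; the mirrored header covers the reply side.
    rev = _directed(rule.proto, rule.dst, rule.dport, rule.src, rule.sport)
    return fwd if fwd == rev else f"({fwd}) or ({rev})"


def capture_filter(rules) -> str:
    """One bpf-filter value that excludes everything the bypass rules targeted."""
    parts = [to_bpf(r) for r in rules]
    body = parts[0] if len(parts) == 1 else " or ".join(f"({p})" for p in parts)
    return f"not ({body})"


if __name__ == "__main__":
    rules = [parse_rule(t) for t in (RULE_EMAIL, RULE_LOCAL)]
    for r in rules:
        print(to_pass_rule(r))
    print("bpf-filter:", capture_filter(rules))
```

The pass-rule form keeps the traffic visible to Suricata long enough to match the header, then skips inspection of the rest of the flow, which is what the bypass rule was trying to achieve; the bpf-filter form never hands the packets to Suricata at all, so anything excluded this way is invisible to every other rule and log as well.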