Support #3225
Bypass feature
Status: Closed
Description
I want to setup a bypass rule for any traffic going out from my local network.
Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)
Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.
My ultimate goal is performance. Any help or suggestions are appreciated.
Updated by Andreas Herz about 5 years ago
- Assignee set to Dan Collins
- Target version set to Support
If you're looking into performance you might use BPF filter for that scenario:
https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html
Or go even further and use XDP bypass:
https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst
Updated by Dan Collins about 5 years ago
Dan Collins wrote:
I want to setup a bypass rule for any traffic going out from my local network.
Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)
Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.
My ultimate goal is performance. Any help or suggestions are appreciated.
I do not have the luxury to use BPF or XDP because I am just using the Suricata package in OPNsense.
Another question is: do the default action-order rules still apply, where pass and drop are done before the alert bypass is done?
Updated by Dan Collins about 5 years ago
And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter?
Updated by Dan Collins about 5 years ago
Dan Collins wrote:
And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter with bypass?
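As an added illustration of the action-order question raised above (this is example code written for this page, not Suricata code and not from anyone in the thread): a small Python model that parses the two rules posted in the description, classifies their direction relative to $HOME_NET, and picks the rule Suricata would apply when several rules match the same packet. It assumes the default action-order from suricata.yaml (pass, drop, reject, alert) and that $EXTERNAL_NET is !$HOME_NET; the drop rule with sid 9900002 is constructed for the demo. Action-order is decided by the rule's action, so a matching pass rule is applied before a matching alert rule whether or not the alert rule carries bypass; only reordering action-order in suricata.yaml changes that. The model does not reproduce the detection engine or what the bypass keyword does at capture level.

```python
import re
from dataclasses import dataclass, field

# Default action-order from suricata.yaml: of several matching rules, a pass
# rule is applied before drop, drop before reject, reject before alert.
DEFAULT_ACTION_ORDER = ("pass", "drop", "reject", "alert")

# The two rules posted in the description (both carry sid 9900001), plus one
# constructed drop rule so the model has a third action to choose between.
POSTED_RULES = [
    'alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)',
    'pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)',
]
CONSTRUCTED_DROP_RULE = 'drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed drop"; sid:9900002; rev:1;)'

# Header: action proto src sport dir dst dport, then the option body in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # keyword:value options (msg, sid, rev)
    flags: set = field(default_factory=set)      # bare keywords such as bypass

    @property
    def sid(self) -> int:
        return int(self.options["sid"])


def _split_options(opts: str):
    """Split the option body on ';' that are not inside double quotes."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    options, flags = {}, set()
    for item in _split_options(m.group("opts")):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
        else:
            flags.add(item)
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), options, flags)


def flow_direction(rule: Rule) -> str:
    """Classify the rule relative to $HOME_NET (assumes $EXTERNAL_NET is !$HOME_NET)."""
    if rule.direction == "<>":
        return "bidirectional"
    if rule.src == "$HOME_NET" and rule.dst != "$HOME_NET":
        return "outbound"
    if rule.dst == "$HOME_NET" and rule.src != "$HOME_NET":
        return "inbound"
    return "unknown"


def duplicate_sids(rules) -> set:
    """Suricata identifies a rule by gid:sid, so two rules with one sid collide."""
    seen, dups = set(), set()
    for r in rules:
        if r.sid in seen:
            dups.add(r.sid)
        seen.add(r.sid)
    return dups


def winning_rule(matching, order=DEFAULT_ACTION_ORDER) -> Rule:
    """Of several rules matching the same packet, apply the one whose action
    comes first in action-order. The bypass flag plays no part in this."""
    return min(matching, key=lambda r: order.index(r.action))


def lint(rules):
    findings = []
    for sid in sorted(duplicate_sids(rules)):
        findings.append(f"duplicate sid {sid}: Suricata identifies rules by gid:sid, so these collide")
    for r in rules:
        # Heuristic: a msg that says "out" on a rule that only matches traffic
        # toward $HOME_NET is probably written with the direction reversed.
        if "out" in r.options.get("msg", "").lower() and flow_direction(r) == "inbound":
            findings.append(f"sid {r.sid}: msg says out but rule direction is inbound")
    return findings


if __name__ == "__main__":
    rules = [parse_rule(r) for r in POSTED_RULES + [CONSTRUCTED_DROP_RULE]]
    for finding in lint(rules):
        print("lint:", finding)
    print("winner (default order):", winning_rule(rules[:2]).action)
    print("winner (alert first):", winning_rule(rules[:2], ("alert", "pass", "drop", "reject")).action)
```

With the default order the pass rule is the one applied when both posted rules match, so the alert rule with bypass never fires on that traffic; putting alert first in action-order in suricata.yaml reverses that for every rule set, not just this pair.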
Updated by Andreas Herz almost 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs