Support #3225

Bypass feature

Added by Dan Collins 10 days ago. Updated about 13 hours ago.

Status:
New
Priority:
Low
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Outreachy

Description

I want to set up a bypass rule for any traffic going out from my local network.

Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)

Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.

My ultimate goal is performance. Any help or suggestions are appreciated.

History

#1

Updated by Andreas Herz 9 days ago

  • Assignee set to Dan Collins
  • Target version set to Support

If you're looking into performance you might use a BPF filter for that scenario:

https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html

Or go even further and use XDP bypass:

https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst

#2

Updated by Dan Collins about 13 hours ago

Dan Collins wrote:

I want to set up a bypass rule for any traffic going out from my local network.

Would this work? (This is just an example)
alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)
And is bypass better for performance than...
pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)

Do I understand correctly the bypass feature will turn any TCP rule into a bypass rule by adding 'bypass' to the argument? I cannot find any rule examples of the bypass feature anywhere.

My ultimate goal is performance. Any help or suggestions are appreciated.

I do not have the luxury of using BPF or XDP because I am just using the Suricata package in OPNsense.

Another question: do the default action-order rules still apply, where pass and drop are done before the alert bypass is done?

#3

Updated by Dan Collins about 13 hours ago

And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter?

#4

Updated by Dan Collins about 13 hours ago

Dan Collins wrote:

And by the way, I have tested the above rules and they do work. But now I have concerns that the drop rule is happening before the bypass because of the action-order. If using bypass, shouldn't the alert action be first, or doesn't that matter with bypass?
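The action-order question raised in the posts above, worked through as an added example that is not from the thread and not Suricata's own code: a small parser for rule lines like the two quoted in the description, a duplicate-sid check, and a resolver that applies Suricata's default action-order (pass, drop, reject, alert) to the set of rules matching one packet. Assumptions: the suricata.yaml action-order defaults are unchanged, and the third (drop) rule is constructed for the demonstration.

```python
"""Parse Suricata rule lines and resolve the default action-order.
Added example, not Suricata code. Assumes the suricata.yaml default
action-order (pass, drop, reject, alert) is unchanged."""
import re
from collections import Counter

ACTION_ORDER = ["pass", "drop", "reject", "alert"]  # assumption: suricata.yaml defaults

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# one option: keyword plus optional ":value"; the value may be a quoted string containing ';'
OPT_RE = re.compile(r'\s*([\w.\-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

SAMPLE_RULES = [  # constructed: the two rules from the thread plus a drop rule
    'alert tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP out bypass"; bypass; sid:9900001; rev:1;)',
    'pass tcp $EXTERNAL_NET [0:1023] -> $HOME_NET any (msg:"TCP Ports"; sid:9900001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed drop rule"; sid:9900002; rev:1;)',
]

def parse_rule(line):
    """Split a rule into header fields and an options dict; flag-style keywords
    such as 'bypass' (no value) are stored as True."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line!r}")
    rule = m.groupdict()
    if rule["action"] not in ACTION_ORDER:
        raise ValueError(f"unknown action {rule['action']!r}")
    rule["opts"] = {k: (v.strip('"') if v else True)
                    for k, v in OPT_RE.findall(rule.pop("opts"))}
    rule["sid"] = int(rule["opts"]["sid"])
    rule["bypass"] = rule["opts"].get("bypass") is True
    return rule

def duplicate_sids(rules):
    """sids used by more than one rule; Suricata will not load a duplicate sid."""
    return sorted(s for s, n in Counter(r["sid"] for r in rules).items() if n > 1)

def effective_action(matching):
    """Of the rules that all match one packet, return the winning rule: the one
    whose action comes first in ACTION_ORDER (pass beats drop beats alert)."""
    return min(matching, key=lambda r: ACTION_ORDER.index(r["action"]))

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    print("duplicate sids:", duplicate_sids(rules))           # [9900001]
    win = effective_action([rules[0], rules[2]])              # alert+bypass vs drop
    print(win["action"], "wins; winner is a bypass rule:", win["bypass"])  # drop False
```

The resolver only decides which action the packet receives; whether the flow is still bypassed when a higher-priority drop rule also matches is the open question in the thread and is not settled by this simulation.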
