Suricata

Anyone.......

The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action - and the default is for "pass" to come before "alert". Then for example you could skip inspection for the match of that specific rule.

You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both) ? Do you mind sharing the rule?

Peter Manev wrote:

The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action - and the default is for "pass" to come before "alert". Then for example you could skip inspection for the match of that specific rule.

You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both) ? Do you mind sharing the rule?

My question is for the use of bypass in a rule such as this one
alert tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)
Does the action-order apply here?

The action order here is for "alert" , so the defaults in yaml should apply. If you want to maximize the bypass you can use

pass tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)

Peter Manev wrote:

The action order here is for "alert" , so the defaults in yaml should apply. If you want to maximize the bypass you can use
[...]

From everything I could find about 'bypass' in a rule was it can only be used in an alert and only with TCP. Is that not correct?

And if I use pass. what is the advantage to using bypass rather than just a plain pass statement?