Feature #6701

open

Auto-bypass optimization

Added by Jamie Lavigne 3 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

In a high-load IPS environment, the stream reassembly memory becomes challenging to manage because a large number of flows each exceeding the reassembly depth necessarily requires a lot of memory. However, for many common rules, I believe it should be possible to substantially alleviate the memory usage by avoiding reassembly when the reassembled stream is not needed for detection or logging. Consider the following rule:

pass tcp any any -> any 443 (msg:"Allow all to 443"; sid:1)

This rule should be possible to evaluate without the reassembled stream bytes, but Suricata today will still reassemble them. It's possible to disable that using the "bypass" keyword, but that places the burden on rule authors to optimize rules.

This request is for an "auto bypass" feature that would auto-enable the bypass option on rules when it is determined to be safe (does not change the ruleset behavior). This seems like it should be possible at rule loading time or even by a standalone rule preprocessor. The benefit of this type of feature would be a substantial memory savings for many common IPS/firewall rulesets.
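As an illustration of the "standalone rule preprocessor" idea, here is an added example (not Suricata's code, and not part of this request): it parses one rule line, and appends `bypass;` only to `pass` rules whose options contain no keyword that depends on payload, reassembled stream, app-layer or cross-rule state. The keyword set and prefixes are a conservative assumption made for the example, not a list taken from Suricata's sources; whether the rewrite is truly behaviour-preserving still has to be judged against the engine's bypass semantics and the rest of the ruleset.

```python
import re

# Option keywords whose evaluation depends on payload, reassembled stream,
# app-layer state or cross-rule state. If a rule uses any of these, adding
# "bypass" could change what the ruleset matches or logs, so the rule is
# left untouched. Assumed, conservative list for this example only.
STREAM_DEPENDENT = {
    "content", "pcre", "byte_test", "byte_jump", "byte_extract", "dsize",
    "isdataat", "stream_size", "urilen", "flowbits", "flowint", "xbits",
    "filestore", "filemagic", "tag", "threshold", "detection_filter",
    "app-layer-event", "app-layer-protocol",
}
# Sticky-buffer and legacy app-layer keywords start with one of these.
STREAM_DEPENDENT_PREFIXES = ("http", "tls", "dns", "ssh", "smb", "ja3", "file", "dcerpc")

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^()]+?)\s*\((?P<options>.*)\)\s*$")


def parse_options(options):
    """Split the option block into (keyword, value) pairs, keeping any ';'
    that appears inside a quoted value. Simplification: backslash escapes
    inside quotes are not handled."""
    pairs, buf, in_quote = [], "", False
    for ch in options + ";":          # trailing ';' flushes the final option
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                key, _, value = buf.strip().partition(":")
                pairs.append((key.strip(), value.strip() or None))
            buf = ""
        else:
            buf += ch
    return pairs


def needs_stream(pairs):
    """True if any option keyword is in the stream-dependent set or prefixes."""
    return any(k in STREAM_DEPENDENT or k.startswith(STREAM_DEPENDENT_PREFIXES)
               for k, _ in pairs)


def auto_bypass(rule):
    """Return the rule with 'bypass;' appended when that is judged safe: the
    action is 'pass' and no option depends on payload or stream state.
    Anything else, including rules this parser cannot read, is returned as-is."""
    m = RULE_RE.match(rule.strip())
    if not m or m.group("action") != "pass":
        return rule
    pairs = parse_options(m.group("options"))
    if needs_stream(pairs) or any(k == "bypass" for k, _ in pairs):
        return rule
    rebuilt = " ".join(f"{k}:{v};" if v else f"{k};" for k, v in pairs + [("bypass", None)])
    return f'{m.group("action")} {m.group("header")} ({rebuilt})'
```

Feeding the rule from the description through `auto_bypass` yields the same rule with `bypass;` as its last option; a `pass` rule carrying `content:` or an `http.*` buffer, or any `alert`/`drop` rule, comes back unchanged.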
