Bypass - does this only work with TCP?


I’m trying to disable checking of traffic in a flow for UDP traffic.

Looking at the documentation:

this talks about TCP sessions, I assume that this does not work for UDP as when I have configured this for UDP flows, it doesn’t seem to work.

Also I found:

From everything I could find, ‘bypass’ in a rule can only be used in an alert and only with TCP. Is that not correct?
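For reference, here is what a UDP rule using the bypass keyword looks like. This is an added example, not the poster's rule set and not code from the Suricata project; the port, message and sid are placeholders chosen for illustration.

```suricata
# Added example (constructed for this thread): once a packet on a UDP flow matches,
# "bypass" tells Suricata to stop inspecting the rest of that flow.
# The sid is a placeholder; pick one in your own local range.
alert udp any any -> any 53 (msg:"bypass remaining packets of this DNS flow"; bypass; sid:1000001; rev:1;)
```

To see whether the flow is actually being bypassed when running against a pcap, the flow_bypassed counters in Suricata's stats output are the quickest check: if they stay at zero while the rule alerts on UDP, inspection is still happening on that flow.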

This should also work for UDP…

How are you trying to bypass?
Do you have a pcap to reproduce?

This is really a bug

Fix could be bypass: really bypass udp flow from first packet by catenacyber · Pull Request #11182 · OISF/suricata · GitHub

@GB_GB Can we use your pcap as a public test?

This seems to be a serious problem (68.9 KB)

Please use this, it contains the rules, suricata.yaml and pcap.

Thanks, used in bypass: adds a test with a UDP flow by catenacyber · Pull Request #1870 · OISF/suricata-verify · GitHub