Bypass - does this only work with TCP?

GB_GB · May 23, 2024, 8:28pm

Hi

I’m trying to disable checking of traffic in a flow for UDP traffic.

Looking at the documentation;

this talks about TCP sessions, I assume that this does not work for UDP as when I have configured this for UDP flows, it doesn’t seem to work.

many thanks

Also I found;

From everything I could find about ‘bypass’ in a rule was it can only be used in an alert and only with TCP. Is that not correct?

Philippe_Antoine · May 28, 2024, 8:05pm

This should also work for UDP…

How are you trying to bypass ?
Do you have a pcap to reproduce ?

Philippe_Antoine · May 30, 2024, 7:56am

Philippe_Antoine · May 30, 2024, 7:59am

This is really a bug

@GB_GB Can we use your pcap as a public test ?

710425820 · May 30, 2024, 8:43am

This seems to be a serious problem

GB_GB · May 30, 2024, 10:09am

Please use this, it contains the rules, suricata.yaml and pcap.

thank you

Philippe_Antoine · May 30, 2024, 12:49pm

Topic		Replies	Views
Bypassing encrypted traffic does not seem to work Help	8	1740	December 10, 2021
DNS UDP bypass rule not working, advise please Help rules	5	38	November 5, 2024
Encrypted TLS bypass dependency on stream.bypass Developers suricata	10	780	August 30, 2023
Do pass action allows all payload going through same TCP stream? Help	4	514	June 9, 2023
Suricata in IPS mode dropping tcp traffic Help ips	16	2236	April 24, 2024