Bypass - does this only work with TCP?

GB_GB · May 23, 2024, 8:28pm

Hi

I’m trying to disable checking of traffic in a flow for UDP traffic.

Looking at the documentation;

this talks about TCP sessions, I assume that this does not work for UDP as when I have configured this for UDP flows, it doesn’t seem to work.

many thanks

Also I found;

From everything I could find about ‘bypass’ in a rule was it can only be used in an alert and only with TCP. Is that not correct?

Philippe_Antoine · May 28, 2024, 8:05pm

This should also work for UDP…

How are you trying to bypass ?
Do you have a pcap to reproduce ?

Philippe_Antoine · May 30, 2024, 7:56am

Philippe_Antoine · May 30, 2024, 7:59am

This is really a bug

@GB_GB Can we use your pcap as a public test ?

710425820 · May 30, 2024, 8:43am

This seems to be a serious problem

GB_GB · May 30, 2024, 10:09am

Please use this, it contains the rules, suricata.yaml and pcap.

thank you

Philippe_Antoine · May 30, 2024, 12:49pm

Topic		Replies	Views
Suricata in IPS mode dropping tcp traffic Help ips	16	2130	April 24, 2024
Netflow as input for Suricata Help	4	2671	June 11, 2021
Suricata with netmap works only in one thread? Help ips	3	205	February 20, 2024
Dropping UDP Traffic Using Suricata with XDP Rules ips , xdp	2	161	April 25, 2024
Suricata with BPF to prevent loopbacks Help	0	470	December 2, 2021