Hi,
I’m trying to use the Suricata bypass-mark feature when running in inline NFQ mode.
I’ve configured the bypass mark settings in suricata.yaml:
nfq:
  bypass-mark: 0x1000
  bypass-mask: 0xf000
I have the following bypass rule I use for testing:
pass ip 10.1.10.10 any -> any any (msg:"BYPASS"; sid:1000001; rev:1;)
And I have the following iptables rules:
(nat table)
-A POSTROUTING -m mark --mark 0x1000/0xf000 -j LOG --log-prefix "BYPASS_SET " --log-level 6
(filter table)
-A FORWARD -j NFQUEUE --queue-balance 1000:1003 --queue-bypass --queue-cpu-fanout
And I run suricata in a docker container with:
suricata -q 1000 -q 10001 -q 10002 -q 10003 -c /etc/suricata/suricata.yaml
I’m running a simple curl from 10.1.10.10 to another server, packets being routed via the machine where suricata is running (which is why the NFQUEUE rule is in the FORWARD chain and not INPUT/OUTPUT).
The bypass is working (I’m not triggering later signatures that do trigger without the bypass rule), but I don’t get the LOG message from the POSTROUTING chain, meaning that the packet is not being marked as expected.
What am I doing wrong here?
EDIT: Solved, see my next reply. But still have a follow up question for TLS bypass.
Follow-up question - is this feature (bypass mark) expected to work with TLS bypass as well? Or is it just for bypass signatures? I read the very little documentation on the subject, including the external links, and from my understanding it should work, but it’s not quite clear.
Thank you.
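A small sanity check for this kind of setup, added here as an example and not part of the original post: it reproduces the value/mask comparison that iptables `-m mark --mark VALUE/MASK` performs, verifies that the bypass-mark bits lie inside bypass-mask, and lists any `-q` queue ids that fall outside the NFQUEUE `--queue-balance` range. The values used in the demo lines are copied from the post and assumed to be the live configuration.

```shell
#!/bin/sh
# Config sanity checks for a Suricata NFQ bypass-mark setup (added example).

# Does fwmark $1 satisfy an iptables "-m mark --mark $2/$3" match?
# iptables tests (mark & mask) == (value & mask): bits outside the mask are ignored.
mark_matches() {  # usage: mark_matches <fwmark> <value> <mask>
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# The bypass-mark must lie entirely inside bypass-mask; bits set outside the
# mask are invisible to a mask-restricted match and can never trigger the LOG rule.
mark_within_mask() {  # usage: mark_within_mask <value> <mask>
    [ $(( $1 & ~$2 )) -eq 0 ]
}

# Print every "-q N" queue id that is not inside the --queue-balance LOW:HIGH
# range; with --queue-bypass those queues would simply not carry any traffic.
queues_outside_balance() {  # usage: queues_outside_balance <LOW:HIGH> <q1> [q2 ...]
    range=$1; shift
    low=${range%%:*}; high=${range##*:}
    bad=""
    for q in "$@"; do
        if [ "$q" -lt "$low" ] || [ "$q" -gt "$high" ]; then
            bad="$bad $q"
        fi
    done
    echo "${bad# }"
}

# Demo with the values from the post (assumed to be the running configuration).
if mark_within_mask 0x1000 0xf000; then
    echo "bypass-mark 0x1000 lies within bypass-mask 0xf000"
fi
if mark_matches 0x1000 0x1000 0xf000; then
    echo "a packet marked 0x1000 hits '-m mark --mark 0x1000/0xf000'"
fi
bad=$(queues_outside_balance 1000:1003 1000 10001 10002 10003)
if [ -n "$bad" ]; then
    echo "queue ids not served by --queue-balance 1000:1003: $bad"
fi
```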