Bypass-mark/bypass-mask not working in NFQ mode

Ok, so I realized that I needed the bypass keyword in the signature definition, i.e.:
pass ip 10.1.10.10 any -> any any (msg:"BYPASS"; bypass; sid:1000001; rev:1;)

So this brings me to the follow-up question - TLS bypass does not seem to work.
I’ve followed the advice on this thread: Bypassing encrypted traffic does not seem to work - Help - Suricata
And enabled stream.bypass and set app-layer.tls.encrypt-handling to bypass, but still no mark.
I even tried a super explicit signature:
alert tls 10.1.10.10 any -> any any (msg:"TLS_BYPASS"; bypass; nfq_set_mark:0x1000/0xf000; sid:1000001; rev:1;)
And I do get the alert, but not the mark, which now makes me question my sanity.
BTW, forgot to mention, I’m running Suricata 6.0.1.