Recently I have been trying to completely bypass encrypted traffic. For that, I have found a TLS setting in the app-layer section of the suricata.yaml file to completely bypass the encrypted traffic (
I am not sure if I am doing something incorrectly, but the setting does not seem to have an effect in my setup. Actually, with the setting set to full I receive 3 packets less compared to the bypass value. I have tried it both on af-packet (with retransmission) and with offline reading of a PCAP file, both leading to the same results.
Maybe I have an incorrect understanding of what the setting should do, but I think that with bypass set, Suricata should offload the encrypted flow as soon as the first TLS packet arrives (offloading with the first Client Hello message). This bypass should be equal to the bypass keyword used in rules.
I am also attaching the suricata.yaml file. I think the behavior can be tested with arbitrary TLS traffic.
I would also mention that, in order to test the bypass functionality, I am using the following rules:
alert ip any any -> any any (msg: "Packet!"; flow: to_server; sid: 999; rev:1;)
alert ip any any -> any any (msg: "Packet!"; flow: to_client; sid: 998; rev:1;)
With these rules, I expect to log any packet that got into the Suricata detection module. With these rules, I got the above-mentioned results, meaning an alert was generated for every packet of the PCAP file, even for TLS application data. When I had the same rules but additionally with the bypass rule keyword, bypassing worked as it should: the number of alerts in fast.log was dramatically reduced.
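For readers comparing their own configuration against the setup described above, here is an added suricata.yaml fragment (it is not the poster's attached file) showing Suricata's TLS `encryption-handling` option with the three values the post compares, next to the stream engine's own `bypass` switch. The comments paraphrase the explanations shipped in the default suricata.yaml; the statement that app-layer bypass is only acted on when `stream.bypass` is enabled is my understanding of the documentation and is marked as an assumption to verify against your Suricata version.

```yaml
# Added example fragment, not the configuration attached to the post.
stream:
  # Assumption (verify for your version): a bypass requested by the TLS
  # parser is only carried out by the stream engine when this is enabled,
  # so encryption-handling: bypass is expected to have no visible effect
  # while this stays at "no".
  bypass: yes

app-layer:
  protocols:
    tls:
      enabled: yes
      # What to do once the TLS session becomes encrypted:
      # - default: keep tracking the TLS session and inspecting tls_*
      #            keywords; plain content matches on the encrypted
      #            records are not run
      # - bypass:  stop processing the flow as far as possible, with no
      #            further TLS parsing or inspection; hand the flow to
      #            kernel or hardware bypass where available
      # - full:    keep tracking and inspecting everything, including
      #            plain content matches on the encrypted records
      encryption-handling: bypass
```

Two checks are worth doing before comparing alert counts: confirm the value Suricata actually loaded with `suricata --dump-config` (filtering the output for `encryption-handling` and `stream.bypass`), since a YAML indentation slip silently leaves the default in place; and, with the two catch-all rules from the post, expect the sid 999 and 998 alerts for a given flow to stop once that flow has been bypassed, because bypassed packets no longer reach the detection engine, whereas with `full` every packet of the flow keeps producing an alert.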