Bypassing encrypted traffic does not seem to work

Hi meerkats,

recently I have been trying to completely bypass encrypted traffic. For that, I have found a TLS setting in the app-layer section of the suricata.yaml file to completely bypass the encrypted traffic (app-layer.protocols['tls'].encryption-handling).
I am not sure if I am doing something incorrectly, but the setting does not seem to have an effect in my setup. Actually, with the setting set to full I receive 3 packets fewer than with the bypass value. I have tried it both on af-packet (with retransmission) and with offline reading of a PCAP file, both leading to the same results.
Maybe I have an incorrect understanding of what the setting should do but I think with bypass set, Suricata should offload the encrypted flow as soon as the first TLS packet arrives (offloading with the first Client Hello message). This bypass should be equal to the bypass keyword used in rules.

I am attaching also the suricata.yaml file. I think the behavior can be tested with arbitrary TLS traffic.

Attachment: suricata.yaml (71.5 KB)

I’d also mention that in order to test the bypass functionality I am using the following rules:

alert ip any any -> any any (msg: "Packet!"; flow: to_server; sid: 999; rev:1;)
alert ip any any -> any any (msg: "Packet!"; flow: to_client; sid: 998; rev:1;)

With these rules, I expect to log any packet that got into the Suricata detection module. With these rules, I got the above-mentioned results, meaning an alert was generated for every packet of the PCAP file, even for TLS application data. When I had the same rules but additionally with the bypass rule keyword, then bypassing worked as it should: the number of alerts in fast.log was dramatically reduced.

Thanks,
Lukas

I would like to also add that if I use these rules:

alert ip any any -> any any (msg: "Packet!"; flow: to_server; sid: 999; rev:1;)
alert ip any any -> any any (msg: "Packet!"; flow: to_client; sid: 998; rev:1;)
alert tls any any -> any any (msg: "TLS bypassed!"; flow: to_server; bypass; sid: 997; rev:1;)
alert tls any any -> any any (msg: "TLS bypassed!"; flow: to_client; bypass; sid: 996; rev:1;)

the amount of generated alerts also heavily decreases. The last two rules should only match TLS traffic and immediately bypass it after the first packet of the TLS session. I think this is the closest (it still analyzes one TLS packet) to what I imagine the setting app-layer.protocols['tls'].encryption-handling: bypass should do.

I am also attaching a PCAP I am using for the testing.

Attachment: shmu-tls.pcap (1010.7 KB)

What version are you using for the testing?

Ah sorry, I was using a compiled master branch of the Suricata repository. So the version is 7.0.0-dev.

On Sun 28 Nov 2021, 0:23 Andreas Herz via Suricata <suricata@discoursemail.com> wrote:

I took my time and went through the code to solve the problem. I’ve learned that in order to bypass encrypted traffic you also need to set the stream.bypass setting to true. So the bypass setting needs to be enabled in both places of the configuration file.
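To make the finding above concrete, here is an added configuration fragment (not the suricata.yaml attached to the thread, and not from the Suricata project itself) showing the two places that both have to be set. The key names and section layout follow the stock suricata.yaml shipped with Suricata; the surrounding values (detection port, memcap, checksum validation) are ordinary defaults included only so the fragment reads as valid YAML in context.

```yaml
# Added example: the two settings that must both be enabled for
# encrypted-traffic bypass to take effect, per the thread's conclusion.
# Not the suricata.yaml attached above; only the two marked lines matter.

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # default: stop parsing TLS after the handshake, keep inspecting packets
      # bypass:  stop inspecting the flow once the handshake is done
      # full:    keep tracking and inspecting the whole session
      encryption-handling: bypass     # <-- setting 1 of 2

stream:
  memcap: 64mb
  checksum-validation: yes
  # <-- setting 2 of 2. This must be "yes"; as found in the thread,
  # encryption-handling: bypass has no visible effect while it is off.
  bypass: yes
```

To check the effect offline, run the attached PCAP through Suricata twice, once with `encryption-handling: bypass` and once with `full`, using the thread's two `alert ip` rules as the exclusive rule set (`suricata -c suricata.yaml -S rules.rules -r shmu-tls.pcap -l out/`), and compare the line counts of `out/fast.log`. With `stream.bypass: yes` the bypass run should produce noticeably fewer alerts, whereas with `stream.bypass: no` the two counts come out essentially the same, which is the symptom reported at the top of the thread.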

Sounds like something we should check at startup.