Hey @Gabbar,
for the record, I am attaching the config I have used. For the testing, I used the 2 above-mentioned rules and ran Suricata in offline mode (reading the PCAP directly).
So it looks something like:
sudo suricata -c ~/suricata-tlsbypass.yaml -S ~/suricata-two-all.rules -vvv -r ~/pcap/shmu-tls.pcap
Also, you mentioned you are seeing TLS traffic - the bypass will not filter all TLS traffic, it will only filter out the encrypted part (Application Data and probably Encrypted Alerts too), so TLS handshakes are still present. After the initial handshake is done, Suricata sets bypass on the given TLS flow. It might also happen that if the flow is inactive for some time, it is timed out. Then, if new encrypted data come, Suricata inspects the traffic too. The timeout settings can also be found in the config. But I guess seeing the TLS traffic after the flow has been timed out is not your case.
suricata-tlsbypass.yaml (71.5 KB)
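For reference, the suricata.yaml settings that govern the behaviour described in the post above, as an added example. This is not the contents of the attached suricata-tlsbypass.yaml; the timeout values are illustrative assumptions and should be compared with your own file.

```yaml
# Added example: illustrative fragment, not the poster's attached config.
app-layer:
  protocols:
    tls:
      enabled: yes
      # default: keep tracking the session, stop raw content inspection
      # bypass:  stop processing the flow once the handshake is complete
      # full:    keep inspecting the encrypted records as normal
      encryption-handling: bypass

# Timeouts are in seconds (values here are assumptions for illustration).
# Once a flow is timed out and removed, later packets on the same 5-tuple
# start a new flow that is inspected again until bypass is re-applied.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
  tcp:
    new: 60
    established: 600
    closed: 60
    # How long an idle bypassed TCP flow is kept before it is timed out
    bypassed: 100
```

With this in place, the TLS handshake is still parsed and logged; only the records after it are skipped for the lifetime of the flow entry.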