Hi
I’m trying to understand the behaviour of bypass when using rules on native Linux compared to when on Suricata in Corelight using the Napatech card.
I’ll explain the scenario:
I have 2 rules:
- match good traffic and set bypass
- alert
So when a new UDP (good) flow occurs, I then set this to bypass.
In the suricata.yaml I have the UDP bypass set to 900s (the default is 100).
As long as the flow is not idle for >900 seconds I never see any alerts. I’m assuming that whenever a packet for this bypassed flow comes into Suricata the cache timeout for that flow is refreshed.
If I send a flow that doesn’t match the good signature, it’s not bypassed and as such is alerted on.
This works without issue.
On Suricata on Corelight I believe that this uses capture bypass, so once the flow is bypassed Suricata will never see this and as such will never be able to refresh the cache.
From: Suricata bypass feature
In capture bypass, when Suricata decides to bypass it calls a function provided by the capture method to declare the bypass in the capture. For NFQ this is a simple mark that will be used by the ruleset. For AF_PACKET this will be a call to add an element in an eBPF hash table stored in kernel.
If the call to capture bypass is successful, then we set a short timeout on the flow to let time of already queued packets to get out of suricata without creating a new entry and once timeout is reached we remove the flow from the table and log the entry.
So does this mean that for capture bypass the timeout is hard-set on the capture method and doesn’t refresh like it does for local bypass, as Suricata will then never see it?
E.g. if using capture bypass and a flow is bypassed, then I need to know how long that flow is going to live for before it is removed from the hardware capture (e.g. Napatech), as Suricata will never see it again.
Many thanks
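For readers following the question, this is an added configuration example (not from the original post, and not the Suricata project's shipped suricata.yaml) showing where the two behaviours being compared are configured. The `flow-timeouts` values are Suricata's documented defaults except `udp.bypassed`, which is set to the poster's 900 s instead of the default 100; the `napatech` stream list and the eBPF file path are assumptions to be checked against the reference suricata.yaml for the Suricata version in use.

```yaml
# Added example, not the poster's or Suricata's own config.
# Capture bypass is enabled per capture method. On a Napatech card the flow is
# offloaded to hardware, so Suricata stops receiving its packets and the
# flow-table 'bypassed' timer below cannot be refreshed by new traffic.
napatech:
  streams: ["0-3"]          # constructed stream list, adjust to your card
  auto-config: yes
  hardware-bypass: yes      # capture (hardware) bypass for flows Suricata marks as bypassed

# AF_PACKET equivalent: an eBPF program keeps the bypass table in kernel.
# af-packet:
#   - interface: eth0
#     ebpf-filter-file: /usr/libexec/suricata/ebpf/bypass_filter.bpf   # path assumed
#     bypass: yes

# Local bypass: the flow stays in Suricata's own flow table and 'bypassed'
# is how long an idle bypassed flow is kept before it is removed and logged.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 900           # the poster's value; the shipped default is 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
```

The two rules the post describes would look like `pass udp $HOME_NET any -> any 53 (msg:"good traffic, bypass"; bypass; sid:1000001; rev:1;)` and `alert udp any any -> any any (msg:"UDP flow seen"; sid:1000002; rev:1;)` (constructed sids and port; the port is an assumption). With the default `action-order`, pass rules are evaluated before alert rules, so a flow matching the first rule is bypassed and never reaches the second; any other UDP flow alerts.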