Stream bypass documentation note

For the Suricata docs:

There is a comment:

bypass can lead to missing important traffic. Use with care.

I’d like to understand more about what this means; if the stream has reached its reassembly depth, doesn’t that mean that any new packets wouldn’t be inspected by Suricata anyway?

How would bypassing this traffic cause Suricata to miss traffic?


There are a lot of factors that play a role when parts of a flow are not further investigated. But yes, depending on your setup another option might already result in passing packets. The main idea is that in general you don’t want to look into a huge payload in the middle. Especially elephant flows consume a lot of resources without any good reason, thus you’re mostly interested in the metadata and the first parts of the payload.
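As an added illustration (not part of either post above, and not taken from the Suricata project's own configuration), this is the shape of the two suricata.yaml settings the question is about. The values are assumptions chosen for illustration, not recommended defaults; check the shipped suricata.yaml and the Suricata documentation for the actual defaults on your version.

```yaml
# suricata.yaml fragment (added example; values are illustrative assumptions)
stream:
  memcap: 64mb
  # Per-flow bypass once the flow reaches stream.reassembly.depth.
  #   yes: the flow is marked bypassed after `depth` bytes and its remaining
  #        packets skip inspection entirely, so packet-level rules, app-layer
  #        parsing and per-packet detection no longer see that flow.
  #   no:  stream reassembly stops at `depth`, but the packets still pass
  #        through the engine, so packet-based rules and flow/stats logging
  #        continue to apply to the rest of the flow.
  bypass: no
  reassembly:
    memcap: 256mb
    # Amount of data per stream that is reassembled and inspected;
    # 0 means no limit (every byte of the flow is reassembled).
    depth: 1mb
```

The trade-off the answer describes maps onto these two knobs: `depth` bounds how much of an elephant flow is reassembled, and `bypass: yes` additionally stops spending any inspection on the flow after that point. That saves resources but is also why the documentation warns that bypass can miss traffic: with `bypass: no` the later packets are still visible to packet-level signatures, with `bypass: yes` they are not.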