Hello,
In order to prevent some streams from being analyzed by Suricata, like some known big backup and CIFS/SMB streams, I'm trying to comprehend the difference between bypass and pass.
alert http any any -> any any (content:"suricata-ids.org"; http_host; bypass; sid:10001; rev:1;)
Decodes the traffic and then totally ignores it?
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
Pass seems to pass the packet and the rest of the flow, but logs it to eve.json and such?
will not generate alerts, but Suricata will continue to generate any and all network protocol logs to/from that IP, e.g. DNS / SMB / DCERPC / FTP / TLS / HTTP / Fileinfo etc.
pass ip 1.2.3.4 .....(content:"something"; bypass; sid:123; rev:1;)
will make Suricata not generate any type of logs for that ip.
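A quick way to check which of the two behaviours you actually got is to scan eve.json for the hosts you meant to silence. The script below is an added example, not from the original thread or the Suricata project; the eve lines are constructed, the host addresses are placeholders, and treating a lone "flow" record as acceptable for a bypassed host is an assumption you can change via the tolerated set.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not a real capture). 10.0.0.5 stands for a
# host covered by a plain "pass" rule, 10.0.0.9 for one covered by
# "pass ... bypass". Per the reply above, plain pass only suppresses
# alerts, so protocol logs such as smb/fileinfo keep appearing.
EVE_LINES = [
    '{"event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.20"}',
    '{"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.20"}',
    '{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.20"}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.20"}',
]

# Placeholder addresses of the backup / CIFS hosts you intended to silence.
QUIET_HOSTS = {"10.0.0.5", "10.0.0.9"}

# Assumption: a single closing "flow" record for a bypassed flow is fine;
# anything else means Suricata is still inspecting that traffic.
TOLERATED = {"flow"}


def event_types_by_host(lines):
    """Map each IP to the set of eve event_type values it appears in."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for ip in (ev.get("src_ip"), ev.get("dest_ip")):
            if ip:
                seen[ip].add(ev["event_type"])
    return seen


def leaky_hosts(lines, quiet_hosts, tolerated=TOLERATED):
    """Return {ip: [event types]} for quiet hosts that still produce logs
    beyond the tolerated record types, i.e. hosts whose rule only
    suppressed alerts instead of bypassing the flow."""
    seen = event_types_by_host(lines)
    leaks = {}
    for ip in sorted(quiet_hosts):
        extra = seen.get(ip, set()) - tolerated
        if extra:
            leaks[ip] = sorted(extra)
    return leaks


if __name__ == "__main__":
    for ip, types in leaky_hosts(EVE_LINES, QUIET_HOSTS).items():
        print(f"{ip} still logged: {', '.join(types)}")
```

Run it against a real eve.json by replacing EVE_LINES with the file's lines; a host that shows up only in tolerated record types was effectively bypassed, while one listed with smb, fileinfo or similar is still being decoded.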