Suricata rule bypass and pass keywords

In order to prevent some streams from being analyzed by Suricata, like some known big backup and CIFS/SMB streams, I'm trying to comprehend the difference between bypass and pass.

alert http any any -> any any (content:""; http_host; bypass; sid:10001; rev:1;)
Decodes the traffic and then totally ignores it?

pass ip any <> any any (msg:"pass all traffic from/to"; sid:1;)
Pass seems to pass the packet and the rest of the flow, but logs it to eve.json and such?


pass ip .....

will not generate alerts, but Suricata will continue to generate any and all network protocol logs to/from that IP, e.g. DNS / SMB / DCERPC / FTP / TLS / HTTP / Fileinfo etc.

pass ip ..... (content:"something"; bypass; sid:123; rev:1;)

will make Suricata not generate any type of logs for that IP.

However you might also want to look at conditional protocol logging: 6.33. Config Rules — Suricata 6.0.11 documentation
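A way to verify which of the two behaviours you actually got, as an added example that is not part of the thread above: collect eve.json lines for the host you want to exclude before and after loading the rule, then diff the event types that are still being emitted for it. The two rules in RULES are the pass and pass+bypass forms the answer describes, with an assumed host (10.0.0.5) and assumed sids; the eve records are constructed for the example (only the real eve.json fields event_type, src_ip and dest_ip are used), so the "after bypass" set reflects what the answer claims, not a capture.

```python
"""Check what Suricata still logs for a host after a pass / bypass rule.

Added example, not code from the forum thread or from the Suricata project.
Host, sids and the eve.json records below are assumptions/constructed data.
"""
import json
from collections import Counter

# The two rule forms discussed in the thread, as a .rules fragment.
# 10.0.0.5 and the sids are assumed values for the example.
RULES = r'''
# pass only: no alerts for the host, but protocol/flow logs continue
pass ip 10.0.0.5 any <> any any (msg:"pass backup host"; sid:1000001; rev:1;)
# pass + bypass: stop inspecting the flow once it matches
pass ip 10.0.0.5 any <> any any (msg:"bypass backup host"; bypass; sid:1000002; rev:1;)
'''


def event_types_for_host(eve_lines, host):
    """Count eve.json records (one JSON object per line) that involve `host`.

    Truncated or empty lines, common when tailing a live eve.json, are skipped
    rather than aborting the whole check.
    """
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if host in (rec.get("src_ip"), rec.get("dest_ip")):
            counts[rec.get("event_type", "unknown")] += 1
    return counts


def suppressed_event_types(before, after):
    """Event types seen for the host before the rule change but not after."""
    return sorted(t for t in before if t not in after)


# Constructed sample records (not real captures). Only the fields used above matter.
BEFORE = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP"}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"http","src_ip":"10.0.0.5"',  # truncated line, skipped
]

# What the answer says a plain pass rule leaves: everything except the alert.
AFTER_PASS = [
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP"}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","proto":"TCP"}',
]

# Constructed "after pass + bypass" set: protocol logs for the host gone; the
# unrelated host 10.0.0.9 is untouched. Replace with your own eve.json to check.
AFTER_BYPASS = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","proto":"TCP"}',
]


def report(host, before_lines, after_lines):
    """Return (before_counts, after_counts, suppressed) for a quick before/after diff."""
    before = event_types_for_host(before_lines, host)
    after = event_types_for_host(after_lines, host)
    return before, after, suppressed_event_types(before, after)


if __name__ == "__main__":
    for label, after in (("pass", AFTER_PASS), ("pass + bypass", AFTER_BYPASS)):
        before, after_counts, gone = report("10.0.0.5", BEFORE, after)
        print(f"{label}: still logged {dict(after_counts)}, suppressed {gone}")
```

Run it against real files with `open("eve.before.json")` and `open("eve.after.json")` in place of the constructed lists; a non-empty `after` Counter for the host after the bypass rule tells you a log type is still reaching eve.json for that host.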