In order to prevent some streams from being analyzed by Suricata, like some known big backup and CIFS/SMB streams, I'm trying to understand the difference between bypass and pass.
alert http any any -> any any (content:"suricata-ids.org"; http_host; bypass; sid:10001; rev:1;)
Decodes the traffic and then totally ignores it?
pass ip 126.96.36.199 any <> any any (msg:"pass all traffic from/to 188.8.131.52"; sid:1;)
Pass seems to pass the packet and the rest of the flow, but logs it to eve.json and such?
pass ip 184.108.40.206 .....
will not generate alerts, but Suricata will continue to generate any and all network protocol logs to/from that IP, e.g. DNS / SMB / DCERPC / FTP / TLS / HTTP / Fileinfo etc.
pass ip 220.127.116.11 .....(content:"something"; bypass; sid:123; rev:1;)
will make Suricata not generate any type of log for that IP.
However you might also want to look at conditional protocol logging: 6.33. Config Rules — Suricata 6.0.11 documentation
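As an added example (not part of the original thread and not Suricata's own code), here is a small Python check for confirming the difference from eve.json once the rules are in place: a host covered only by a pass rule should have no alert records but may still have protocol records, while a host covered by pass plus bypass should leave nothing behind apart from whatever Suricata already wrote before the rule matched. The eve.json lines below are constructed sample records, not real output; 10.0.0.5 stands for a host behind a plain pass rule and 10.0.0.7 for an ordinary host that still alerts.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (made up for this example, not real
# Suricata output). 10.0.0.5 stands for a host covered by a plain "pass ip"
# rule: no alert, but dns/tls/flow records are still written. 10.0.0.7 is an
# ordinary host that still alerts and gets its SMB traffic logged.
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"backup.example.internal"}}
{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","tls":{"sni":"backup.example.internal"}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","flow":{"state":"established"}}
{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.21","alert":{"signature_id":2100498}}
{"timestamp":"2023-01-01T10:00:04.000000+0000","event_type":"smb","src_ip":"10.0.0.7","dest_ip":"10.0.0.21","smb":{"command":"SMB2_COMMAND_CREATE"}}
"""


def iter_events(eve_text):
    """Yield one parsed record per non-empty eve.json line, skipping unparsable lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A partial line, e.g. one Suricata is still writing; ignore it.
            continue


def events_for_host(eve_text, ip):
    """Count event types of all records in which ip is src_ip or dest_ip."""
    counts = Counter()
    for ev in iter_events(eve_text):
        if ip in (ev.get("src_ip"), ev.get("dest_ip")):
            counts[ev.get("event_type", "unknown")] += 1
    return dict(counts)


def check_exemption(eve_text, ip, protocol_logs_allowed):
    """Compare a host's log footprint with what its rule should produce.

    protocol_logs_allowed=True : plain "pass" rule, so no alert records but
                                 protocol records (dns, tls, smb, ...) are fine
    protocol_logs_allowed=False: "pass" + "bypass", so no records of any type
    Returns (ok, counts). Records emitted before the rule matched are not
    distinguished here; bypass only takes effect from the match onward.
    """
    counts = events_for_host(eve_text, ip)
    if protocol_logs_allowed:
        ok = counts.get("alert", 0) == 0
    else:
        ok = not counts
    return ok, counts


if __name__ == "__main__":
    # Point this at a real file with open("/var/log/suricata/eve.json").read()
    for host, allowed in (("10.0.0.5", True), ("10.0.0.5", False), ("10.0.0.7", True)):
        ok, counts = check_exemption(SAMPLE_EVE, host, allowed)
        mode = "pass-only" if allowed else "pass+bypass"
        print(host, mode, "OK" if ok else "UNEXPECTED", counts)
```

Run it against the live eve.json after adding the rules; a pass-only host reporting `OK` with a non-empty count is the behaviour described above (no alerts, protocol logs continue), and a pass+bypass host that still shows records means either the rule never matched or those records predate the match.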