Project

General

Profile

Actions

Support #3251

closed

Bypass question

Added by Dan Collins about 5 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Low
Affected Versions:
Label:

Description

When using bypass in an alert rule, do the default action-order rules still apply where pass and drop are done before the alert bypass is done? or does bypass override other actions. I could not find an answer to this in any documentation.

Should I change the action-order so alerts come before drop. I only use my one custom rule where drop drops anything not passed in a pass or bypass rule.
What I am seeing now is the bypass rule and the drop rule in the log for the same packet.

Actions #1

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
  • Target version set to Support
Actions #2

Updated by Dan Collins about 5 years ago

Anyone.......

Actions #3

Updated by Peter Manev about 5 years ago

The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action - and the default is for "pass" to come before "alert". Then for example you could skip inspection for the match of that specific rule.

You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both) ? Do you mind sharing the rule?

Actions #4

Updated by Dan Collins about 5 years ago

Peter Manev wrote:

The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action - and the default is for "pass" to come before "alert". Then for example you could skip inspection for the match of that specific rule.

You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both) ? Do you mind sharing the rule?

My question is for the use of bypass in a rule such as this one
alert tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)
Does the action-order apply here?

Actions #5

Updated by Peter Manev about 5 years ago

The action order here is for "alert" , so the defaults in yaml should apply. If you want to maximize the bypass you can use

pass tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)

Actions #6

Updated by Dan Collins about 5 years ago

Peter Manev wrote:

The action order here is for "alert" , so the defaults in yaml should apply. If you want to maximize the bypass you can use
[...]

From everything I could find about 'bypass' in a rule was it can only be used in an alert and only with TCP. Is that not correct?

Actions #7

Updated by Dan Collins about 5 years ago

And if I use pass. what is the advantage to using bypass rather than just a plain pass statement?

Actions #8

Updated by Andreas Herz over 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions

Also available in: Atom PDF