[PATCH 4/9] suricata: Enable bypassing unhandled streams

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 4/9] suricata: Enable bypassing unhandled streams
Date: Mon, 18 Oct 2021 10:10:17 +0000	[thread overview]
Message-ID: <20211018101022.15448-4-michael.tremer@ipfire.org> (raw)
In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 2197 bytes --]

If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/suricata/suricata.yaml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index f02b93d76..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -389,11 +389,19 @@ app-layer:
       # will be disabled by default, but enabled if rules require it.
       ja3-fingerprints: auto
 
-      # Completely stop processing TLS/SSL session after the handshake
-      # completed. If bypass is enabled this will also trigger flow
-      # bypass. If disabled (the default), TLS/SSL session is still
-      # tracked for Heartbleed and other anomalies.
-      #no-reassemble: yes
+      # What to do when the encrypted communications start:
+      # - default: keep tracking TLS session, check for protocol anomalies,
+      #            inspect tls_* keywords. Disables inspection of unmodified
+      #            'content' signatures.
+      # - bypass:  stop processing this flow as much as possible. No further
+      #            TLS parsing and inspection. Offload flow bypass to kernel
+      #            or hardware if possible.
+      # - full:    keep tracking and inspection as normal. Unmodified content
+      #            keyword signatures are inspected as well.
+      #
+      # For best performance, select 'bypass'.
+      #
+      encryption-handling: bypass
     dcerpc:
       enabled: yes
     ftp:
@@ -810,6 +818,7 @@ stream:
   prealloc-sessions: 4096
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
     depth: 1mb                  # reassemble 1mb into a stream
-- 
2.20.1

next prev parent reply	other threads:[~2021-10-18 10:10 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-18 10:10 [PATCH 1/9] suricata: Set most significant bit as repeat marker Michael Tremer
2021-10-18 10:10 ` [PATCH 2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK Michael Tremer
2021-10-18 20:42   ` Peter Müller
2021-10-19  4:02   ` Stefan Schantl
2021-10-18 10:10 ` [PATCH 3/9] suricata: Define bypass mark Michael Tremer
2021-10-18 20:43   ` Peter Müller
2021-10-19  4:03   ` Stefan Schantl
2021-10-18 10:10 ` Michael Tremer [this message]
2021-10-19  4:03   ` [PATCH 4/9] suricata: Enable bypassing unhandled streams Stefan Schantl
2021-10-18 10:10 ` [PATCH 5/9] suricata: Always append rules instead of inserting them Michael Tremer
2021-10-19  4:03   ` Stefan Schantl
2021-10-18 10:10 ` [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set Michael Tremer
2021-10-19  4:04   ` Stefan Schantl
2021-10-18 10:10 ` [PATCH 7/9] suricata: Store bypass flag in connmark and restore Michael Tremer
2021-10-19  4:04   ` Stefan Schantl
2021-10-18 10:10 ` [PATCH 8/9] suricata: Introduce IPSBYPASS chain Michael Tremer
2021-10-19  4:04   ` Stefan Schantl
2021-10-18 10:10 ` [PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK Michael Tremer
2021-10-19  4:05   ` Stefan Schantl
2021-10-18 20:42 ` [PATCH 1/9] suricata: Set most significant bit as repeat marker Peter Müller
2021-10-19  4:02 ` Stefan Schantl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211018101022.15448-4-michael.tremer@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox