Tested-by: Stefan Schantl
> If a stream cannot be identified or if suricata has decided that it
> cannot do anything useful any more (e.g. TLS sessions after the
> handshake), we will allow suricata to bypass any following packets in
> that flow
> 
> Signed-off-by: Michael Tremer
> ---
>  config/suricata/suricata.yaml | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml > b/config/suricata/suricata.yaml
> index f02b93d76..6f37671c8 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -389,11 +389,19 @@ app-layer:
>        # will be disabled by default, but enabled if rules require > it.
>        ja3-fingerprints: auto
>   
> -      # Completely stop processing TLS/SSL session after the > handshake
> -      # completed. If bypass is enabled this will also trigger flow
> -      # bypass. If disabled (the default), TLS/SSL session is still
> -      # tracked for Heartbleed and other anomalies.
> -      #no-reassemble: yes
> +      # What to do when the encrypted communications start:
> +      # - default: keep tracking TLS session, check for protocol > anomalies,
> +      #            inspect tls_* keywords. Disables inspection of > unmodified
> +      #            'content' signatures.
> +      # - bypass:  stop processing this flow as much as possible. No > further
> +      #            TLS parsing and inspection. Offload flow bypass > to kernel
> +      #            or hardware if possible.
> +      # - full:    keep tracking and inspection as normal. > Unmodified content
> +      #            keyword signatures are inspected as well.
> +      #
> +      # For best performance, select 'bypass'.
> +      #
> +      encryption-handling: bypass
>      dcerpc:
>        enabled: yes
>      ftp: 
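Review bot: `encryption-handling: bypass` is a detection-coverage trade-off that the new comment block only describes from the performance side; the removed comment said the default keeps tracking TLS sessions "for Heartbleed and other anomalies", and with bypass nothing in the flow is inspected after the handshake, so TLS anomaly alerts and tls_* rules that match on later records will no longer fire. The comment block also arrives with the upstream wrap artifacts (`> anomalies,`, `> unmodified`, `> further`) which are presumably mail-client rewrapping rather than file content, but worth a glance before merging. I would add one line above the setting making the trade-off explicit for this deployment: `# NOTE: 'bypass' stops all inspection of a TLS flow after the handshake (no post-handshake anomaly or tls_* detection); choose 'default' if that coverage matters more than throughput.`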
> @@ -810,6 +818,7 @@ stream:
>    prealloc-sessions: 4096
>    checksum-validation: yes      # reject wrong csums
>    inline: auto                  # auto will use inline mode in IPS > mode, yes or no set it statically
> +  bypass: yes                   # Bypass packets when > stream.reassembly.depth is reached.
>    reassembly:
>      memcap: 256mb
>      depth: 1mb                  # reassemble 1mb into a stream
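Review bot: `bypass: yes` under `stream:` is broader than the commit message describes: it is tied to the unchanged `depth: 1mb` context line, so any stream whose reassembled data passes 1mb is bypassed for the rest of the flow, cleartext protocols included, not only TLS sessions after the handshake. Since `inline: auto` in the same hunk means this can run in IPS mode, bypassed packets are then forwarded without inspection, which is presumably intended but should be stated. I would extend the inline comment to `# Bypass packets when stream.reassembly.depth is reached (applies to cleartext flows too; raise reassembly.depth if large transfers must stay inspected).` and mention the cleartext effect in the commit message.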