If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f02b93d76..6f37671c8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -389,11 +389,19 @@ app-layer: # will be disabled by default, but enabled if rules require it. ja3-fingerprints: auto
- # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + encryption-handling: bypass dcerpc: enabled: yes ftp: @@ -810,6 +818,7 @@ stream: prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb depth: 1mb # reassemble 1mb into a stream