8.14. Bypass Keyword
Suricata has a bypass keyword that can be used in signatures to exclude
traffic from further evaluation.
The bypass keyword is useful in cases where a large flow is expected
(e.g. Netflix, Spotify, YouTube).
The bypass keyword is considered a post-match keyword.
Note
bypass cannot be used in firewall mode, not even with Threat Detection
rules, as this could lead to bypassing the firewall altogether.
8.14.1. bypass
Bypass a flow when HTTP traffic matches the rule.
alert http any any -> any any (http.host; content:"suricata.io"; bypass; sid:10001; rev:1;)
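Because a bypassed flow is excluded from further evaluation and bypass is not permitted in firewall mode, a ruleset audit can list every enabled rule that uses bypass as a keyword rather than as text inside a content match. The following is an added example, not part of the Suricata documentation; it assumes one rule per line, `split_options` and `find_bypass_rules` are hypothetical helper names, and every sample rule except the first is constructed.

```python
# Constructed sample ruleset; only the first rule is the page's own example.
SAMPLE_RULES = r'''
alert http any any -> any any (http.host; content:"suricata.io"; bypass; sid:10001; rev:1;)
alert http any any -> any any (msg:"word in content only"; http.uri; content:"/bypass\;x"; sid:10002; rev:1;)
# alert tls any any -> any any (tls.sni; content:"example.com"; bypass; sid:10003; rev:1;)
alert tls any any -> any any (tls.sni; content:"example.org"; sid:10004; rev:1;)
'''


def split_options(body):
    """Split a rule's option body on ';', skipping quoted or escaped ';'."""
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escape pairs such as \; intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:        # end of one option
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    return opts


def find_bypass_rules(text):
    """Return (line_number, sid) for each enabled rule using bypass as a keyword."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#") or "(" not in line or ")" not in line:
            continue                            # blank, commented out, or not a rule
        opts = split_options(line[line.index("(") + 1:line.rindex(")")])
        # Map option name -> value ("" for value-less keywords like bypass).
        parsed = dict((o.split(":", 1) + [""])[:2] for o in opts)
        parsed = {k.strip(): v.strip() for k, v in parsed.items()}
        if "bypass" in parsed:
            hits.append((lineno, parsed.get("sid")))
    return hits


if __name__ == "__main__":
    for lineno, sid in find_bypass_rules(SAMPLE_RULES):
        print(f"line {lineno}: sid {sid} bypasses matching flows")
```

Each hit is a rule whose match conditions should be reviewed for how narrowly they scope the traffic that stops being inspected.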