4.11. Bypass Keyword
Suricata has a bypass keyword that can be used in signatures to exclude traffic from further evaluation.
The bypass keyword is useful in cases where a large flow is expected (e.g. Netflix, Spotify, YouTube).
The bypass keyword is considered a post-match keyword.
Example: bypass a flow on matching HTTP traffic.
alert http any any -> any any (content:"suricata-ids.org"; \
    http_host; bypass; sid:10001; rev:1;)
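Because a bypassed flow is excluded from further evaluation, it helps to review which rules in a ruleset use the keyword. The following is an added example, not part of the Suricata documentation: it parses rule text and lists every active rule carrying bypass as an option, with its sid and content matches. The function names and the sample rules other than sid 10001 are constructed for illustration.

```python
import re

# Constructed sample ruleset: sid 10001 is the page's rule, the others are made up.
SAMPLE_RULES = r'''
alert http any any -> any any (content:"suricata-ids.org"; \
    http_host; bypass; sid:10001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed: bypass without content"; bypass; sid:10002; rev:1;)
alert http any any -> any any (msg:"constructed: bypass; inside a string"; content:"bypass\;"; sid:10003; rev:1;)
# alert http any any -> any any (bypass; sid:10004;)
'''

def join_continuations(text):
    """Join lines that end in a backslash (multi-line rules)."""
    return re.sub(r'\\\s*\n\s*', '', text)

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):   # keep escaped pairs such as \; or \"
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return [o for o in opts if o]

def audit_bypass(text):
    """Return one finding per non-commented rule that has bypass as an option."""
    findings = []
    for line in join_continuations(text).splitlines():
        m = re.match(r'^[^#(][^(]*\((.*)\)\s*$', line.strip())
        if not m:
            continue
        opts = split_options(m.group(1))
        if 'bypass' not in [o.split(':', 1)[0].strip() for o in opts]:
            continue
        sid = next((o.split(':', 1)[1].strip() for o in opts if o.startswith('sid:')), None)
        contents = [o.split(':', 1)[1].strip() for o in opts if o.startswith('content:')]
        # no_content is a review heuristic only: the rule matches without any content keyword.
        findings.append({'sid': sid, 'contents': contents, 'no_content': not contents})
    return findings
```

On the sample, audit_bypass(SAMPLE_RULES) reports sids 10001 and 10002 and marks 10002 as having no content match; the word "bypass" inside a quoted string and the commented-out rule are not reported.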