doc/stream: briefly explain bypass

6 years ago · d5009c5d8c
parent 8aeff8f973
commit d5009c5d8c
2 changed files with 10 additions and 2 deletions
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@ -1194,11 +1194,17 @@ anomalies in streams. See :ref:`host-os-policy`.
    async_oneside: false         # do not enable async stream handling
    inline: no                   # stream inline mode
    drop-invalid: yes            # drop invalid packets
+    bypass: no

-The 'drop-invalid' option can be set to no to avoid blocking packets that are
+The ``drop-invalid`` option can be set to no to avoid blocking packets that are
 seen invalid by the streaming engine. This can be useful to cover some weird cases
 seen in some layer 2 IPS setup.

+The ``bypass`` option activates 'bypass' for a flow/session when either side
+of the session reaches its ``depth``.
+
+.. warning:: ``bypass`` can lead to missing important traffic. Use with care.
+
 **Example 11   Normal/IDS mode**

 Suricata inspects traffic in chunks.
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -1303,7 +1303,9 @@ flow-timeouts:
 #   inline: no                  # stream inline mode
 #   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
 #   max-synack-queued: 5        # Max different SYN/ACKs to queue
-#   bypass: no                  # Bypass packets when stream.depth is reached
+#   bypass: no                  # Bypass packets when stream.depth is reached.
+#                               # Warning: first side to reach this triggers
+#                               # the bypass.
 #
 #   reassembly:
 #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number