With CU189 we now have a cool graph that shows scanned, bypassed and whitelisted rates. What determines if a packet gets bypassed (not scanned)?
Hi Tim,
Just to clarify, nothing’s actually changed with how the IPS works—it’s just that now you can see it happening in the cool new graph.
The IPS bypasses certain traffic automatically, especially when it’s not worth the system resources. A great example is encrypted traffic. Scanning the payload of encrypted packets is pointless since the contents can’t be inspected, so Suricata bypasses these after the initial handshake. However, it still checks things like where the packet is coming from and going to.
Hope that helps clarify things!
Cheers,
A G
Understood. I knew nothing changed about how the IPS works. But I wanted clarification on what traffic is skipped now that it’s more obvious that that is occurring.
So is outgoing traffic scanned? I’m not clear on if outgoing traffic is encrypted before or after the IPS. I assume nearly all inbound traffic is already encrypted, so doesn’t get scanned?
It would be nice to have documentation on exactly what gets scanned and what doesn’t.
I believe it’s mainly encrypted traffic, but more can be defined by the signatures themselves.
The Suricata documentation mentions that “bypass” can be done at the signature level, so it depends on the IPS rules you have enabled.
Yes, outgoing traffic is also scanned, but the encrypted packets or packets deemed not worth scanning by the IPS rules are not. Also, traffic is encrypted before IPS scanning.
Thanks,
A G
If encrypted traffic is not scanned, what is? It seems that nearly everything now is encrypted. This kind of sounds like web proxy logging, where almost nothing is logged because almost everything is encrypted. It makes me wonder what is the actual value of an IPS that only scans unencrypted traffic.
Hi Tim,
The IPS (Suricata) can’t inspect the contents of encrypted packets, but it can still monitor the behaviour of encrypted traffic, which is just as important.
This is where IPS differs from traditional antivirus scanning, which focuses on inspecting the contents of files or packets. Suricata, on the other hand, looks at how traffic behaves, even if it’s encrypted. It checks metadata like IP addresses, ports, and the flow of connections to spot suspicious behaviour—such as unusual connections, traffic to known malicious IPs, or odd protocol usage etc.
So, while it’s not reading the content, it’s still monitoring the traffic patterns, which is crucial for catching threats.
Hope that helps!
Cheers,
A G
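To make the two points in this thread concrete (a flow is bypassed once its TLS handshake is complete, or when a signature says so, yet source and destination address and port are still checked on every packet), here is a small flow-level model. This is an added example written for this thread, not IPFire or Suricata code; it does not reproduce Suricata's internals. The addresses, the blocklist entry, the content signature and the packet sequence are all constructed sample data.

```python
"""Flow-level model of the IPS bypass behaviour discussed in this thread.

Added example, not IPFire or Suricata code. It models two of the points
made above: a flow is bypassed once its TLS handshake completes (ciphertext
payload is not worth scanning), or when a signature says so, but source and
destination addresses and ports are still checked on every packet.
All addresses, rules and packets below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed IP/port rule: applies to every packet, bypassed flows included.
BLOCKED_DST_IPS = {"203.0.113.9"}
# Constructed content signature: only meaningful on cleartext payload.
PAYLOAD_SIGNATURES = {b"/etc/passwd": "LFI probe"}
# Constructed signature-level bypass (the idea behind Suricata's "bypass"
# rule keyword): flows to this host/port are not worth scanning once matched.
BYPASS_RULES = {("198.51.100.7", 873)}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    tls_handshake_done: bool = False  # True on the record that ends the handshake


@dataclass
class FlowState:
    bypassed: bool = False


class Ips:
    def __init__(self):
        self.flows = {}                      # (src, dst, dport) -> FlowState
        self.stats = {"scanned": 0, "bypassed": 0}
        self.alerts = []

    def handle(self, pkt):
        flow = self.flows.setdefault((pkt.src, pkt.dst, pkt.dport), FlowState())

        # Header checks are cheap and run for every packet, bypassed or not.
        if pkt.dst in BLOCKED_DST_IPS:
            self.alerts.append(f"blocked destination {pkt.dst}")
            return "alert"

        # A bypassed flow skips payload inspection entirely.
        if flow.bypassed:
            self.stats["bypassed"] += 1
            return "bypassed"

        # Otherwise inspect the payload against content signatures.
        self.stats["scanned"] += 1
        for needle, name in PAYLOAD_SIGNATURES.items():
            if needle in pkt.payload:
                self.alerts.append(name)
                return "alert"

        # Decide whether the rest of this flow is still worth scanning.
        if pkt.tls_handshake_done or (pkt.dst, pkt.dport) in BYPASS_RULES:
            flow.bypassed = True
        return "scanned"


def run_sample():
    """Replay a constructed packet sequence; returns (verdicts, stats, alerts)."""
    client, web, backup = "192.0.2.10", "198.51.100.5", "198.51.100.7"
    packets = [
        Packet(client, web, 80, b"GET /etc/passwd HTTP/1.1"),     # cleartext, matches signature
        Packet(client, web, 443, b"\x16\x03\x01 ClientHello"),     # handshake, still scanned
        Packet(client, web, 443, b"\x16\x03\x03 Finished", True),  # last handshake record
        Packet(client, web, 443, b"\x17\x03\x03 ciphertext"),      # bypassed from here on
        Packet(client, web, 443, b"\x17\x03\x03 /etc/passwd"),     # not scanned, even if it matched
        Packet(client, "203.0.113.9", 443, b"\x16\x03\x01 ClientHello"),  # header check still fires
        Packet(client, backup, 873, b"rsync data"),                # signature-level bypass
        Packet(client, backup, 873, b"more rsync data"),
    ]
    ips = Ips()
    verdicts = [ips.handle(p) for p in packets]
    return verdicts, ips.stats, ips.alerts


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Running it prints the per-packet verdicts, the scanned/bypassed counters (the kind of ratio the CU189 graph plots) and the alerts. The fifth packet is the instructive one: its ciphertext happens to contain a signature string, but because the flow was bypassed after the handshake it is never inspected, while the sixth packet still raises an alert purely on its destination address.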
Adam, this is very useful information, and if it’s not already, it should be in the IPFire manual in the IPS section.
Thanks Tim,
You’re an active member of the IPFire community, feel free to edit the documentation yourself.
Just follow the documentation guidelines and the syntax reference and click on the big Edit Page button at the bottom of the wiki.
Thanks,
A G
I had that thought, but wondered if there was an issue with “plagiarism” by copy/pasting someone else’s knowledge. I will just reference this thread and that should cover it.
Personally, I think that if people are happy to provide knowledge in public, then it’s ok to document in public also.
To be fair most of this is already documented on the Suricata User Guide anyway.
Please don’t reference the thread. Just literally copy and paste if it is suitable - or just write everything down in your own words.
The forum is a dynamic place. It ages; threads might be removed because people ask us to close accounts and what not. The wiki is a much more stable resource - which is why we have it in the first place - and so it should not reference the forum too much.
This is not really plagiarism as I am sure people are very happy if their information is being taken to as many people as possible. However, don’t copy from other copyrighted sources.
I am sure we can do better and describe this all in one sentence instead of a whole book.
I updated the user manual. Specifically, under the “How does it work?” heading near the top.
I agree. I’ve added a simple sentence to the IPS wiki, for now. (Original link) before @bloater99’s recent edit
But I might work on the IPS wiki in general to update some other things. Like, it references:
However, the Location Block is working in front of the IPS
Which I believe is no longer the case. Also, I think that IP Blocklists now work behind the IPS, so that might need to be updated too.
This is correct. I am still undecided where it should live…