Suricata is a very popular, open-source IPS/IDS security solution that was first introduced in July 2010. As expected, new features are gradually added based upon demand, efficacy and other factors.
One of the most substantial features to be added to the Suricata software is flow bypass which was introduced with release 3.2 (December 2016). The idea is to let Suricata bypass or not process flows (based on 5-tuple) that are not of interest such as encrypted traffic; well-known traffic such as Netflix or YouTube; or any other non-interesting traffic. This is a very valuable Suricata feature, but it is also very CPU intensive and is an ideal candidate for offload to a hardware adapter.
To give you an idea of how taxing this feature is on the CPU (and a good vector for hackers to exploit) read this statement that comes right out of the official Suricata user guide:
“For packets not yet belonging to a flow, Suricata creates a new flow. This is a relatively expensive action. The risk coming with it, is that attackers/hackers can attack the engine system at this part. When they make sure a computer gets a lot of packets with different tuples, the engine has to make a lot of new flows. This way, an attacker could flood the system. To mitigate the engine from being overloaded, this option instructs Suricata to keep a number of flows ready in memory. This way Suricata is less vulnerable to these kind of attacks.” Source: Official Suricata User Guide, release 4.1.0 (page 148)
To learn a better and more efficient way to perform flow bypass with Suricata, please read the tech brief below.