From ceed02cc9cb5335975a267ecbcfa6ec40f761cc8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 26 Aug 2023 11:02:01 +0200
Subject: [PATCH] How-To added for suricata bypass feature  (#485)

---
 source/manual/how-tos/ips-bypass.rst | 69 ++++++++++++++++++++++++++++
 source/manual/ips.rst                |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 source/manual/how-tos/ips-bypass.rst

diff --git a/source/manual/how-tos/ips-bypass.rst b/source/manual/how-tos/ips-bypass.rst
new file mode 100644
index 00000000..18f1daca
--- /dev/null
+++ b/source/manual/how-tos/ips-bypass.rst
@@ -0,0 +1,69 @@
+=============================================
+IPS Bypass local traffic from inspection
+=============================================
+
+.. Note:: This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks. With bypass enabled, routing performance is improved significantly between local networks while IPS is used. 
+.. Tip:: If you only have 1 interface selected in Intrusion Detection, you don't have to follow this tutorial. There won't be any performance benefit.
+.. Warning:: Traffic between local networks won't be inspected anymore, so use this with care!
+
+-------------
+Prerequisites
+-------------
+
+- Some features described on this page were added in the latest version. Always keep your system up to date.
+- Intrusion Detection should be **enabled** and **IPS mode** selected. 
+- Only **internal networks** should be selected in **Interfaces** (LAN, OPT1 etc..), **not the WAN interface**.
+
+-----------------
+Create new Rules
+-----------------
+
+To start go to :menuselection:`Services --> Intrusion Detection --> Administration` and select the tab :menuselection:`User defined`.
+
+Select **+** to add a new rule.
+
+- Input the **Source IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
+- Input the **Destination IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
+- Select the **Action** as *Pass*
+- Enable the **Bypass** checkbox
+- Set the **Description** as "Bypass net 10.0.0.0 to 10.0.0.0"
+
+Select **+** or **clone** to create additional new rules.
+
+* Repeat the above steps to create rules between each of the RFC1918 Private IPv4 subnets, ``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``. Don't forget to adjust the description.
+
+.. Note:: The finished ruleset for IPv4 should include the following rules:
+    
+    ==================  ==================  ==========  ==========  ======================================
+    **Source IP**       **Destination IP**  **Action**  **Bypass**  **Description**
+    ==================  ==================  ==========  ==========  ======================================
+    10.0.0.0/8          10.0.0.0/8          Pass            X       Bypass net 10.0.0.0 to 10.0.0.0
+    10.0.0.0/8          172.16.0.0/12       Pass            X       Bypass net 10.0.0.0 to 172.16.0.0
+    10.0.0.0/8          192.168.0.0/16      Pass            X       Bypass net 10.0.0.0 to 192.168.0.0
+    172.16.0.0/12       10.0.0.0/8          Pass            X       Bypass net 172.16.0.0 to 10.0.0.0
+    172.16.0.0/12       172.16.0.0/12       Pass            X       Bypass net 172.16.0.0 to 172.16.0.0
+    172.16.0.0/12       192.168.0.0/16      Pass            X       Bypass net 172.16.0.0 to 192.168.0.0
+    192.168.0.0/16      10.0.0.0/8          Pass            X       Bypass net 192.168.0.0 to 10.0.0.0
+    192.168.0.0/16      172.16.0.0/12       Pass            X       Bypass net 192.168.0.0 to 172.16.0.0
+    192.168.0.0/16      192.168.0.0/16      Pass            X       Bypass net 192.168.0.0 to 192.168.0.0
+    ==================  ==================  ==========  ==========  ======================================
+    
+.. Tip::
+
+    - If you use IPv6 - e.g. with *Track Interface* or *Static IPv6* - create an additional rule. 
+    - You can find your *IPv6 prefix* in :menuselection:`Interfaces --> Overview --> WAN` - e.g ``2001:db8:a:aa00::/56``.
+    - You only have to create 1 rule, because all of the *Track IPv6 Interface - IPv6 Prefix ID* networks - e.g. ``2001:db8:a:aa01::/64``, ``2001:db8:a:aa02::/64`` - are already included in the ``/56`` Prefix.
+    - Please note that this only works if your Prefix is static.
+
+-------------------
+Apply configuration
+-------------------
+
+Apply the configuration by pressing the **Apply** button at the bottom of
+the form.
+
+-------------------
+External Resources
+-------------------
+- https://docs.suricata.io/en/suricata-6.0.0/rules/bypass-keyword.html
+- https://docs.suricata.io/en/suricata-6.0.0/performance/ignoring-traffic.html
diff --git a/source/manual/ips.rst b/source/manual/ips.rst
index c6b9a7e7..a51919be 100644
--- a/source/manual/ips.rst
+++ b/source/manual/ips.rst
@@ -335,3 +335,4 @@ How-tos
 
    how-tos/ips-feodo
    how-tos/ips-sslfingerprint
+   how-tos/ips-bypass