@bmeeks said in Suricata 6.0.3_4 Package Update Release Notes (currently for DEVEL only):
The idea for enabling this option would be to not burden the signature analysis/compare engine with needlessly testing packets the OS is probably going to discard anyway and never forward.
I understand, but now I'm concerned about the following use case:
If a specially crafted payload is sent in order to avoid the engine, this option will help to evade Suricata.
Are you sure the packets will be dropped by the OS? I mean, I understood the performance gain, but is there any reason for concern about security?
I don't want to trade security for some performance gain.
Just asking your opinion here, nothing else.
You are way overthinking this ... 🙂. The default forever in the package has been to "not drop invalid" (the checkbox was essentially "not checked" because it did not exist), so just leave it unchecked if you are concerned. I simply added the ability for more control over how the application is configured. And don't forget that the overwhelmingly vast majority of all traffic passing through your firewall is encrypted, so Suricata is not inspecting most payloads anyway since it can't peer into encrypted data.
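For readers managing Suricata outside the pfSense package: the checkbox discussed above corresponds, as far as I can tell, to the `drop-invalid` key of the `stream` section in suricata.yaml. The fragment below is an added illustration, not text from the thread or from the pfSense package (which generates its own suricata.yaml); the mapping of the checkbox to this key is my assumption, and the other stream values shown are ordinary defaults included only for context.

```yaml
# Added example, not from the thread. Assumes the pfSense "drop invalid"
# checkbox maps to stream.drop-invalid; verify against the generated
# /usr/local/etc/suricata/suricata_<iface>/suricata.yaml on your box.
stream:
  memcap: 64mb
  checksum-validation: yes   # packets with bad checksums are not inspected either
  inline: auto               # inline (IPS) mode is required for any drop to take effect
  # Behaviour the thread describes as the package's long-standing default:
  # stream-invalid packets are neither dropped nor handed to the detection engine.
  drop-invalid: no
  # Alternative the new checkbox enables: stream-invalid packets are dropped
  # by Suricata itself instead of being passed on for the host OS to discard.
  # drop-invalid: yes
```

Whichever value is chosen, the practical check is the same: confirm the setting in the generated configuration rather than assuming the GUI state, and note that `drop-invalid` only has an effect when the interface runs in inline mode.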