From cd1545acab3b0cb4238402547cde3bc496fa398e Mon Sep 17 00:00:00 2001
From: Lukas Sismis <lukas.sismis@gmail.com>
Date: Thu, 19 Sep 2024 10:47:15 +0200
Subject: [PATCH] bypass: verify bypass behavior

Ticket: 6788
---
 tests/bypass-depth-disabled/README.md  |  13 +++++++++++++
 tests/bypass-depth-disabled/input.pcap | Bin 0 -> 6722 bytes
 tests/bypass-depth-disabled/test.yaml  |  18 ++++++++++++++++++
 tests/bypass-depth-enabled/README.md   |  13 +++++++++++++
 tests/bypass-depth-enabled/test.yaml   |  20 ++++++++++++++++++++
 tests/bypass-ssh-enabled/README.md     |  14 ++++++++++++++
 tests/bypass-ssh-enabled/input.pcap    | Bin 0 -> 9592 bytes
 tests/bypass-ssh-enabled/test.yaml     |  18 ++++++++++++++++++
 tests/bypass-tls-disabled/README.md    |  13 +++++++++++++
 tests/bypass-tls-disabled/test.yaml    |  20 ++++++++++++++++++++
 tests/bypass-tls-enabled/README.md     |  14 ++++++++++++++
 tests/bypass-tls-enabled/test.yaml     |  20 ++++++++++++++++++++
 12 files changed, 163 insertions(+)
 create mode 100644 tests/bypass-depth-disabled/README.md
 create mode 100644 tests/bypass-depth-disabled/input.pcap
 create mode 100644 tests/bypass-depth-disabled/test.yaml
 create mode 100644 tests/bypass-depth-enabled/README.md
 create mode 100644 tests/bypass-depth-enabled/test.yaml
 create mode 100644 tests/bypass-ssh-enabled/README.md
 create mode 100644 tests/bypass-ssh-enabled/input.pcap
 create mode 100644 tests/bypass-ssh-enabled/test.yaml
 create mode 100644 tests/bypass-tls-disabled/README.md
 create mode 100644 tests/bypass-tls-disabled/test.yaml
 create mode 100644 tests/bypass-tls-enabled/README.md
 create mode 100644 tests/bypass-tls-enabled/test.yaml

diff --git a/tests/bypass-depth-disabled/README.md b/tests/bypass-depth-disabled/README.md
new file mode 100644
index 000000000..3d4977267
--- /dev/null
+++ b/tests/bypass-depth-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed even with minimal reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-disabled/input.pcap b/tests/bypass-depth-disabled/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..2791053c45411ea488101f3f5c627df430987e0a
GIT binary patch
literal 6722
zc-n=T1yEFd+s4nbbnXHY%Mv0=cP`xxBAp_LODiA^(x9|-hct+EONf9-iAYH(9n#WB
zeGBtG^L_d{&v$12b7Ic<UDtKbIrq%oJJM103JpL9{@E@s0RV*BL)ip05plSHGU`|v
z_<h3$<N!bvb}R`<V%~i3i+bQ{C3{2FX<cmtuI|W2D=E3)0su7h%W-rxY+Q_JN6)M4
zATSu~ifr(&WB|A#i#Gj3hN>rf_f<V~M$rSaiT|5?wf-SHqsY=IlJwume6W*i&pm&5
z4n)yi{2(CR3ntV>(En1eh$Qj2fGdjN`ZuB#?AJ9h{;xy|6w&y1q8|^+DS(4|o(=%O
zXn-H8<RZqG9dx9-gGAw5&v@HQx#&ivZiKK1mrd_2>3EmNQe3%EivPD<#6(vvSgQZ1
zm<!5D{U5o!{>jCXhzp2;f$Q}r5zI*pxgs*w|CNZ!1!DM}NQO#v4-Ej+z+g=QHfY5L
zjyHtJ7IDX!nH=Qcvf?9#EzQ8TA*>}E56~$d?P?xZ-@H{2uTHwkLpgV1x^+2q!cwHO
zs`sw_;~P5w<p|>vgnAEAR8R*V0BQq3%>by8D*#lBS~O@lz<wd;@amahCl>)G4oiq)
z$Pobugn<EY(Q;FBQDK60(82hm+K-+()5$z?a<)cVKQwcGM5n1G#YIC-z|G5r;O6Jy
z=I7?-G9)M9xjN<j&*}dU@Xz|cnjj1S>>mkm`G=zU`vax?EOEYFcPWyqva(P4mgmDW
z$K_+NzAA<l$%OxUcUj*%YO3G5$VmqmKat+AU`(y60JSAamUObfOXD1BqT(lo`fBcz
z*7Z{&S21@}Hk9yVa1xhO=a5T57MwY%3pY!pT{a?q98P3P_EDpCL|E;x%EPM}5iW!*
zofGMGHEL*JRMq|{2^i(eQbx5XPkfz<hshy)YW?D8wF4r7kN3{Db{+l6+~{(LYvNKn
zshLs!d%Kn8ZQ#yEvm)bx*i+;U!Ss^nN!#?3`uE=Q{`e>_JJgfG-;cy#uCXw+pSwvQ
zXH|+Rb7Ss9=f|2~9en3Xh(3By7#E*L1%r;4oxSlPFU;=Ht$;0+=j!bk#0P*rK(eT-
zFSW#O=?A*cGAJm|-+MD;QZUQD4LFotdOrd&dAavYg51BNi?aa##PwMxPZyGT#ME5&
z!!d6nV}@*xU?^}E5e)?RrLaiGYQPn><$I)hk}W{>`t9>iaH90=L-vd!pLMF_q*+ir
zR;5c(PM=O!J$O_Dq3krmEDJ5%Yf8V*$)C5KrOvFToH>iQP>p3E{1K73U6nWNS|C2k
zQ~q<+Rg+Qs=KAz2boUKD*v=823wH~I60Hi?=dlHu`*P__8MU-R&s8RL!vC~Nqr`u0
zJEzx8qWg~~QQudEbU=Nc=6`&iURT8CR9v6|MQHdNu>^K@P1N`+kpe}`{GE7ZRvvQY
zPtwmV0J3XIqm9L9$9-w*H<mQ5d$+CNQraT6jntq0>n0~l^ykPneNqvq^UA%}Y~Dxo
z9{RpAxMFhfqRHW&s&i5l3Iw_W(p5zD-eY2aAF}dxUWzEq5}lfnWN)S>X#d6Alhzo+
z)`qJbpVM#wdz5eczvVC`hF&+Wkl))3(t+01j{UlQYW<$$|A>bLvoyiJlp*_+S`}&6
zt^DI|4#!|ih+!eMRS=Md9-Axi(R5tE8YO1^H*q7_`E?O9e=njPJIX-XbrJ9WE>4b;
zrRP|RBY@t(VAB9%u%OS&-!F;Yg}q78`e>KbFZ324t(*2*xG)13h=2mu>rY{*4>9qT
zFeUPj)M+Sj?W@#8Pyb68Dp$HAZ~rUA%!+1oU?mJOV8eK`!QD)x)n(v4LV}1Vqv~?9
z@OFsvRJmB+19I%r1-Xp<V3oHD`v*Z%3LI<%&1r~p@Y|5OZG!a_=pA;Fs0)&nqjbM0
zE1DC`U8`XmYl4|MU;Q2R5wzIS9)GK`dn)iKO7q<8{bBMpf^V1+#&(oE<4$`nTYU+%
zp_#!TyV6QZK6|r6%<L1jX|YquH4hlY{TA1AtKj|a2Lg9i46yAJ`)l%|4_I@0zV0+)
zlXHCC?N%YAJ3Uu_{jM@lu+8(GwP?CmVnGl3LxhH-lfJXSxM4}D&+9l>^9o`22ya6;
zox2GMy@BiyUqIsno)?H)3`<57gK3iccu$%PXz~Gv2!;@WAdI;MJS|g~M!C`D0N^VY
zLL6>}v-{?N#D3+$BAb8xr`4(9;A&_%S<e`Ezyyi&ubQKlCjZedyft0~PPPTfXZ*_<
ztRJvt9^(cDlrWYXY~FTQ+X!^TtMDOFr#S2F;7yW+m<NLbn)6q0lJsX$*_4kK_b@pb
z4=7W&4975i(l(4qATr_E8KvbczOPjKrU~!CQnY|Mey{R8**6E#V+anTzOD<{kxh57
zf+Tz$DpgvjYQ*nQ9c^lJlHGEs@9UpmvrRIg%F)qubX?bWFLHZ)fU4<fD5n|vf_&2p
zi`>BzX%^CYhHsA1Sr(ViSBo2szh+K6L6h|Idz`R`wi6b<<>MS0XPhYe@)E-`(<z{<
z+s+Pu1=E20CwkS4^MF*B0<j~aao2|4Y!?(l>$bsZ#tNSu`q4YLGw%~olk>5(uH}xA
z71L|h?TaP9F3T~}B|Zo19w{&uwz^0q8zx!}e9R!Mno(lWFrI)X(Go;jLQj{!*&TrB
zm}8ljB5e#Q$lQ4$kJk>@ns+#NCHqy`d&l^#*mG&OA5{uf#!_24yaG?Z|4d9G-0)Ll
zQa>aO&5Lxtv;30t5dPzgI**S^{)rRLmuJ7s&jna_dnyt($%(f_v_iBIQ^DxOY2{JA
z_7v}UXZYJ-{N;PG;~kcL#U@OmDmxIl+&Y2}v9BIRwmFV;rIq(?=gf0#$dfmr*ZbeI
zNTm*3ms=k1Z{1XtANAyv^?Z<xochQ?-HpC7WF5FWcThah&v=&*&iOK7YclQUW1;HR
zjDfPP_s6ddT_igC>s>s6$m(}8W8$p^Vg9Q#PHdPP-mhJ}ViVHK=Vz)<zdg{s3z-(<
zS)|v~;#SA6uwqJ&gLtOApoI<l{vym3wRYuum8(*RfOYhJoGeZQ;tlaY&Vj8;L6^64
z*<dNgN%!IBST4t%uGxncQu05D)?`0jl$kE3&~6*%D2e+!(uBnSQ1w-5&okZ7%k(S4
zJEoy&m6h&k9wdltFZW%t9KAG1LfCmB-8em#8yt%S0bf#HhTB~_A@JPpW+AXDrefnc
z>A5JPPCeJkIG%0<O4&&N%H*=U_a>fFhH=7yxA4Fm1!<O>?7oB{UJtk2i9ztH5ypmT
zk9L(=1*clN!)_SFfO7OESth*|z5TH97Pq}6qpN*!Aff7%=LN-nexgaLc&)@B#ff-C
zxCP;Doob$Wm0lhPA(;R=%u;T4vq#Z)3t+uT+qC6lOVvk|m>+IIv09T9Rxbudo)ym?
zk66Kqs)@$^w+(1?4f%L2){1%rTVUuv?UeiP7BgU+W{f=RG(Q6Gh05y9#~Yc&(0a^#
zj(P0b=pbR!)c&;Dd06$c_!q0mj>vgwAFFns=93e+*l_^N_BM?wlLe;kz;j)^bx-4u
zcYE*^oThF&a_bAa5oY0kAmySMqexxM#!6_%si?d6upO7}!NF$3G+yCSg+ciPlBu7!
zejO@nED*>jl{}zw{nmNhTwaVf?8n>BTbSO6>~?%83K}T9CB!#F?!LvfXX!CT(4S_a
zJ@+xk?d{U2j8#>XH0NqNO};W^=bU|}?RFr%`UUcx)VJ@SriqD()5OETp84burl5N%
z9WrDrhWFB7YXLs26;&!4CVFj#-iE3ZX=sZ9;PYg~#rq1>&QB&MkO?+RRj{R7Y!~q<
zdj@t*orcnZ1Y&iH==!W1>8rPsxrVD}i!J5|CM~MD7g|L3F66TtHvJ@I6<?uOL~yoL
zgVpFT6P!+Cds!sDfYim9i5xS-nEX2N0>I_Qq-R!5chm|Ay1I4;zRi>B>$|((8!0`W
z+*U69)IP?>xL0;jpnEzwU1D_VtuCb4paDj>$})O+1vHA826lwo1rf4jYF4odz6>k?
zKX=Aorn;qKL{|2yzSxtM?O-XNt)uof--{z=D;rbm3axE#hMVpCvz4<K3hmq-{r3%A
zB+_2>lk~}jDtK3WOPXv?^+wSLhj81g1iMyhGQMT*-bnOay0r&mJG*U5_@h8;!t}#4
zS#UF`!G)3Y33pd-H`Yi~&@XnDfqCR)lcCTm+><$iPpi!#K`EOpNvb<9+aS9wso5q+
zvM@Yai;j8oM&?RZzK)$ny~Wwf;aFC(RULyFPfPfhOs!z?&s;INuLu^Jy4VA!tx3I@
z$b=m})eRc3->J8&wo5c+c{KEl6X!eU+SHlq2P?&U!ZPbPc!p=>lWYBZL+C@yItrA`
z>zS<J?gN~bO9-u}GRX9@sxpx#O*Cczsp#~s0_L%ySu>htIg{~SXuxb;A(lqAd%<X>
z&}Gh0hFGMw6Fa~BqFD-ys;zh28oCVOh3Z5znT}X?{;U?8l2anJuB8%sn~sLP<mET`
zFhQ4R+5MMeXgUQ`s;SL1!L;W6ovwO6K@RS+uM8`UlZZUGIoTxYhii8zbRCA`Ygg24
zwQtD8w?@iYwcu|uVm>-wJf=t*$Km$-y!VnMFw5p(fSK!z{!1#2L49hRet@VQtvR|4
z_hUU6JEl#7e8goz4Prj2Sje3YNxO@$KOH}83hYZb-fwlTFaUqkX~T(vTCbRS4birw
z3_u>*KZIaK^OJ}+uw69G9=qSP5T!foUG#jlC&rB6tx2BWFZD8DcMsm#9n*hAzWy+y
z-o_1iaFHd2?3VSLgK>@7KDqS>kGq^VARSwD@XPom20+Z@J)4>O0;+1&&VMP9I<8{H
z>78Ts8Z!f#hH%QOD61&QTX>Rf!0F@}J}yX>h*{$D^~>f(4lWDs&(~<gNKcZ-tYVbB
z)Rh%PttB1%WzKQ2va>QkeV`=WhdB}ZyAXt#U8LCOY-QOXu&p17QAE~mCc#;JgAdd4
z*j=srhoTSMD=~y<7GbQKLm>{T{1QAutkGnpW^vhT(*?4_+J>@+qy}0Yf@agF-_L_G
z_C~(9EWA^w=|SuFOn%_6Cfb-psQhRn)lNTb%h2kmNLtQ5x1&gjeN3vkTi|XAwP`}N
z-sFa!JZFh;)YQ@^d(u^>XUM7-ZPU{HCN#qj^u)xGq0dKB!#>edh<s$VQOf9L=Vl!k
zhr3X1B&|VN-A&CSxEu)(9F@Udzvy38Ja_r5qL9;Vc)%Iv!rQ3az0NY7=JlMB19Kv+
zbSu5RdpF}ovc;p>Oo6~)Srh7riqv5~J-tTZjY}H7wYUdg_8Q7@`gqgWj0+Vq6OEUs
zDa0bTm}Q2m-}pv9BEe<vI{+2U-uH$r;0y9@SV~eJk8)YZN?U)9z}j8i;KWSFOL3!r
z@CK%a!5H__trlse)vd;L#)ENI3r!BxN$$8^@@#FpbV>^&PWF3MnozOp+jwY{PV-wM
zQMUm;dChNHb_>}M>*oTDZH){v%SWMG1l_uxY@UyW(2_16n-t*@n9v_c*w2Oz0crW`
zVw@c6=hVrRM@KbZdGsDnQNeZVs>t&=UbT3?wA!O&&t{Uf6f>EXt3nPk`)F!BQyMHm
zFD__?p-<o;$|~=M^1{Cry(m1S?xj=Q7hm9y@k`avLiD|;GS|vgjZ~JSD+(vsNhn8y
zgD+;-D#}{3>XcY1h^h!rx-7DkEXpu=n@e1#ozp|+>d`89Gd{M{?M}-*ZC1{nI}9g0
zCAxJvOj8;wZa71Khf7C7hj@^Nt`H!?@abv5_7e81i@~?ec>>8vDzn|{ml!c%s=54O
z5GjAaYhU!`7Xnu)dhWKPhv+08Ra}FXVAfWUFw^G6YGzZ5kb^ehIC5gzx7Wv@#-o>>
zBfx{{P5<PnzDsbp{^a+iJ+2i60b6q{nlav5O$l6gpL?L;0Y@%ZW>E6?i88i1^2W07
z7RxbTnkZv)-mu<x8;|}KFlf~tx%H+3L_)o=ke@X4B=0eqj>L1`?83@?`)H7gu6(Gm
zm+2?+bH<%AIlJj~V`eVl>IEH3b0EsI7B0^SD-Mfoig!Ne%!HPOHq6+RANsE(=V6-&
z<5o*n`R?5s-R{+R2!7wt{zk>U7pbymG2xmnf|KPtC6eZ#0woaZp4YjjS;ahWF-t`d
zY8x418nynNBkJ?+*)nsSbHAEPy!Q$R;i@>qSGV`py2g^wtOkxb@|`F_QfGnsk8H(E
zyu?!n?I@$D+GWwtWYpnGb=BF(91N0>PIn{g{m_HJ*V!f`mx%JqG+}ZQ{pp8+9yiFc
zB=u{jW8r%PJ%XYsC-Oz`TxR#sY=4bI_lgv%S*BBCXkJh9_(Jjn-;DvYZvjCuqMEYX
zxpywDf{nYL)fyDrJFk6pY7KBi9xrf}N@o~$>-5-t?K{9Op@_7KE|Gk15h#HEENAqn
zvD^`E-Y%2=xk=df#-J`*Wu2>n%gPZn#}j|XUr=UjR^>Ru|H1+1kpIK@S#%FPg{U?T
zX7LnzBB_19uWd0-GB?+Gc|I0qd{Bw-f5}t^zf+~LDStz)-y_dfwHDHy_tZOz+Thh!
zAG{-Owaj9LX&M`1{QNAUQv!yW(gS$nj--uR9yuh>dw)E0JpNcAD}9ac#*>K;)!Sit
zuL94<Vgzu8<b<*loupeWyhDRb=hU9Rs2W95tk(@05jdAo?xpC3V&N^)^4ELkc?7<Y
z7(3IcT!n!~3x&EA1;b~GP41D<nCjE%IKR8ky;g&<3scba3@9s`c%rPvR|GmZqjF;M
zD;c;UE<~GDNHzG2EBhgNn8qs6q=L0tnvyW{(#D$R>I`v5nC&~^LeQ3ZfEK^%<pl+e
zi1zovPl=LbO8T68QW?BIY$qPyZuDhF*KzVFa2lK`@aF!kuJt32r2*GQK$JsYVH>h#
z4d<<meVL23B$T+3@}<WUM_|*kdV!1~`lHz~%Q2WIkDTvwdUl=Hd;|>Impd(Ga8&B|
zu3(V$v-+rmk_ej(VUTvx`)ZX-kFR%Y+UgidhB#!WbTUtfy0-J0_4Lsqy+N5QAMjy=
z#hdo%)aJp&O1AGL+TZQ)y_@3C1KevJC0+RLK9ziqq_8w36S&i&0MTL3`oO&Oi5dhC
z64zPns5HJ{7f<D=+xQN7iFKcux`Ko*T#33kP+N#=R^u$UlAW||nwN2J-qu(q{$^B|
z@FNQBAPXBh=+ycBL#|^Fk0B}l@(&kiL<DbL=H8cQF$-rQ(&P^+OqFdRh4;QnP0HWU
z8|RjQj@UZ{Zafkq&B9*^e$s2mB~o)VlUnLO294kmDNla`?Fba!CvEyTrX>N#oG~qO
zPNcv#+O?T+V~LhY%k}U%;bS7*mJIE+otij(NR<)pHbM)Q_wn}UyKRMTLA6*we)J<V
zi^ueFcypJ}!0m{ii%tb<<McyMDHbKhvDP0C6u*)$U6U&U4djbt28KscP6x~4))^US
z4+UXXX?}Noc2lZUsv}xEbIG_r(FFA~+!wfn%74k-(`+{_+N=*MEg1>W*YF`USUe!K
zcxzL+ef*I(Sm6<5@8^&P@rOe_V8baEW1!tP=dA7KG&xd$4Bb|4;ZvK4ZdJFyY!B>n
z?d5uJy?{?Ij;wFc{76JWR^aR>&Qss7xYMH}MNf3^e-Uh2a|)rnwHbIdo7u_u*HJpj
z^+c-t_t}iw()DZx`d_2;>scLE=D$w=F0RK+oqvp(v{BS$KL~jLuhTyi(Evp-_#06L
zc6m)K{VS0I9k`JAop=Kb28bCxITT)O?<9)kKJLh$xVs5qxDr}H2??OU0)G=?`p-Wx
TpZ+Mu^3@$0=m5~^2>|~CE6FG>

literal 0
Hc-jL100001

diff --git a/tests/bypass-depth-disabled/test.yaml b/tests/bypass-depth-disabled/test.yaml
new file mode 100644
index 000000000..b2d87263e
--- /dev/null
+++ b/tests/bypass-depth-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-depth-enabled/README.md b/tests/bypass-depth-enabled/README.md
new file mode 100644
index 000000000..b052a679a
--- /dev/null
+++ b/tests/bypass-depth-enabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that traffic is bypassed after reaching the reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-enabled/test.yaml b/tests/bypass-depth-enabled/test.yaml
new file mode 100644
index 000000000..619d18728
--- /dev/null
+++ b/tests/bypass-depth-enabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 11
+      flow_bypassed.local_bytes: 6126
diff --git a/tests/bypass-ssh-enabled/README.md b/tests/bypass-ssh-enabled/README.md
new file mode 100644
index 000000000..e2f28ad63
--- /dev/null
+++ b/tests/bypass-ssh-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the SSH traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://www.cloudshark.org/captures/9b72eb8febf9
+File: ssh-server-client.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-ssh-enabled/input.pcap b/tests/bypass-ssh-enabled/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d89f3d136dafa2f07a58ee62f5baca3910ef6608
GIT binary patch
literal 9592
zc-o~{2{ct**xvWL=8H?>iXs#;%RFYt6uK0WGG8Ra%~bi!^HBO!M2SdLh9+f-k`k3P
z5S1Z9iKJw#_|G{$EpGQe>tBCot;1gTob^1<`@HXd_ui+i;d&kx;K0(gumAuC`X9*>
zZ@X}T4Ol~CYvgzMn&Z*t&M#&HTLCaa-sT+parYt~3qO0*0F=OH0N##Z79pSuBaf9=
zpp#ctrIS}vVBF^`?d;~}k8}2?I0JwOm>7tJnZ%Apf<Z{;{(>YPBAF{gCBY&jvwuO7
z43RJj0iX#MZwOwbT>m%8T_D8(JzZen&xA>!8}q{)@Yv$C*2CaVSb~tF1OQkZeK`Oy
zR)gsZEC^*0aS?0NEQ~c(2jjqafaixf*+YB)!V`AlA_zTuvK;HK9f~e-hV_W9GgP{S
zA-q8nfgtoTX{j_|EY@lOOu*v(hc1mxbBL}oDqVvx9*Ia0vQ+|L#|~p@1sOSM{e1zh
ze$w(X3Q8<6aAOYuP|V2vhe%BZVMJs+4UsbtFq`eSMPPXuH8pDFpw9pVgT?y~WKRYW
z1lf)XSs6hl5ZFeJA=&q)=T7CGp1(}g^xDK=J)tGvUIYDX=eEz?eIHrclkDy7<LoQ#
z;qMnjktQE<^>p_2AWH{$I?GEzufQs{Pot_3MO5sfQW3nQ;$0m8e-Ozl{$}{|8S)6?
zVhjlIl=csBUQ8b+27{(z1ERu~O2w@u6>)IZO`XXB@(QZbu7Uni@K8-*X{ey2{QFn<
z1s7MT&2HoXWU%z63#_7(6;;JXM1>8Nim4?Plo9}3fAhJx{(m&VD*9HVst`j|Sg%x}
z{ktxV$N;R2j7k%ar;oGiVuF5;q}7y{KY>*QuEG586J31M4`f2!rJ7JPaBYwX98W$5
zFQ1%)q8Q)~jooQQw2MI;iO7vAqTr=Dq`(WnA6jv~e!k>o|EVsR^_v`O1V51o?$C%}
z3W~sNWdsxhRIFb#+ujTu1&P2;<;GYf1{6Zw8@{QrFqxa?VXR4W8d!xSB763;$fbF&
zF&R4;Ce<;sVSn^+WZ4Dj|NFfE+Zp?}bM0?u$=}xZ|EHS9YB9h98e7n+;VldjNDco(
zRl|j3k4>IX*3RC)f&g*D>jk{0VS;YLGIS0c7Fa;_U_q-UwrpBJYNB9eO>FXn80sMO
zSh-B3Cb*ddp}&~_HWCX9%^Yv?*L&Vmyx-`O64@p2Tmoysl<e^&5X)LusIlsdu%#)}
z;Z#Lj_m_0O8!hVk{Bn{kKHnU<Rkrsj`S@7g+d2?;GuXu;yz#r4-f*GH=l!e;dv1Ma
zsQ5gly8p-Sq}&T-xuTq*+XRP9#N91N2kf=(fzZl4*E{r?Z;X`%tY4nq$D?!cmuRbF
z40*3e*ZI;60hb9Ip*X9WoOTIDN=Al{2VTj-^mZohYoIsNBjWl{g?}9kWt5+4yw5o(
zMP!esJ0lj8KgyVY?B;{L<9=pV%{`Kjr_y)v64la8LO-Q@4X%E%k(fD0Pgw1rx;we#
zvgcCVuou|nxpOSVqIJ|wNbanta#u(8kc=cji_1_y;x3+E2ywSF<INt!skA``(<tR{
z1uw){@SH9F&-M=Izj#&qsaRXzj7!X4yTC_X=e>if(@U+0+&(6r&9DmZDpVDchzd(8
z74u6f#61C^>@M#c3@a0Lo>l)$>f|%nZ`0c4QT=F4B=?iLP-H<!scibF$yDxj>HGF?
z3xddB&tk9SY3HQQyi?OT+><lF2dh}yfT}_YQ9)X%LPvW^#hft!YGj^Oskl_){^YZU
z^bZ$Yw<MUG2{!)<Iv9afd0gz1;P4~v)=8PN1{1z>$*b(!b=qtqnkx5~@r3LP=@3Y?
zV1`vhwxFtzMpSI4QW3tS!ZIF!>fJ|lAJ`w|)y;izB%SvZ|9jJUz8B(xOoZuT`#`d?
z7VB(&sFLj6Rfm`vx5kLn=1diQWIVrX>t(0d)9;VlHYvg?p1;JRbahF9boH8*vraM+
z_5<qbxWTdIHFl;C3k;#LA+3m18Dx-%!l@!!tT7^6ToJU7ic%3=>*w!)li8O48}-T;
zRD~EsVKohfb&yZ7D-|xp;D9?cFW{RR3%g4aK5H<1PojbK6v7I8-~!{&X);3Fat!av
z<$w+YpGKg$(K{M@A#Gq=qsBG<BC|cGr;XPy@JCYe={x<t<rq~R-h9Q5F?pa|-7q_P
zccmdisaU*blST18r;5C7eaB6Sl*Y!9&2-|{T=HS5kH@!~hseHjEWZ6VruYI!lYq74
zA)vsYo)yfld`0YoP;g|HEw>QcgO>jE4NR?hU)Dbg9gt^<7vR1><s`kwc&b0*nG2nk
z%gMMv<&uDMifQP8>XCeRUghe_52R3wvnhVETj(7!hAcUfOm(>`k3D`eFSk%88Lf7{
z!!%l0hOV*zqvOb#zWu?B#d){zM*^<0$1AEVxm|H@KO9iY((&rV9hDIHCybv-(CKmP
zd<{FFNpMpklMiCTi-8F(GS?wFePKSKyP{5FKNYt1A24{9&FF`7%e{B`h9YzQ<dsrh
z+lD4-1Fw0Fciw@A>}xIuvt=a@u`YCoS|;eNm2@-mIH?&OMkkmzarDBd^oYn&H{M5f
z{Go<Ca`pFC7d4)&QFp!kuw(6`7jZU%cYj&DXpwHMOAcUWT{T;%!27vJt(yEQdPq6L
z_XqiE+PuDX|Lj^R_r|Z74H%p8^R=;7qhW974_QgJBz?~`*w;4U(tg?qTX$`g`+SzS
zzpTWKu+<B`fd?L&<GWkVJ<+ZvL=R1u&3qTuF?r_i@k6buYplAyqqsG3P2NHwzBKr|
z`GV6`cg_Z%M9YhfX&I0S9E<e<S6${Y9595c!;sd>rYcE?tZWxoR-N=!r0R%lf#Fam
z_^-+^pyCwUBUKk??X&EwZLJfyYc)!yy4P&lS{l(@&~J0+b&X1I%jy$nJozg^Z^aF`
zgzY$+{DOZ<T)z3HK+(u8*)JTJ@QmI2jLqZ%C49zv4Y5l3^VbIsxaIMz?y_!a>L+@~
z_r8+rZf2q=pLMJ+ufy+_sbEiHXVL#z->sX+#QiiV?0ZT?uC11+;5EVL*H-EK8)d%R
zFmmQfxWmVbKh_Rq%sI>iC*2&?_E6|1O-^kTUE7X7-dC8Sye8(>uwT1Ql*HQET-ow%
zB;`BqZ$1mnk(>j}hjQ0#m{WY{csl2Prqk(^r^EnHj<(F5Pb+`%9+`i#QSB6~h>CJ^
z&*Y8z?$><_%jWV_Hg0*hS=kp<C2>e!C|c>N%-tndJA)7)Jj?2pdmPy!9NK|g7U^L}
zse0H`7@0(1**e(09P8f~s916c))5+5&!AHb;oXY$dwncDT5px7wfFiDi%1}}H`9)m
zCygF>L1QmksCyU`Xr1<SdX`XYpndu=^+?0HHEz*)+v|@x9h%}~HFm0K-YViQa@IRP
z=coNt%n1j+HOJSHl66yYR&9COQhoOmVdnP@^k`k39?9M<s_Z?p#ckn&I<Z`T&hjXj
zMpi_z5^Ikn1A-Mr6N|_um%j>tsm-{`&eu+SChQf@Jm=n)Sb1mMq?4!Hma%<y($Q|@
z;J4Scx39i#E-aS6>c}UzNjBH@cr(oGAi#jOhHpmvGg;~17A~@fEDkzfb&;~6=b7Xq
zhN+l!N5b_(-YBZxovt18&1Thj%qz*KUt5z?XLfo1`2$Ib!l5Cjy0+=<Tyq~nFQqf?
zh)!S?oSVMN;emYk5obXAxTT1wh^10tg{UBMbVWfYhMyGYoJB87Oc>De!iacTzS2us
z9E4{>BH%~+y_V-iI)niv!(&=lp^{7pmLp9pB7W2&5P-?RH`7y-h3h6?4#!_SxIZoP
zl47CrcE(VRhb+UBN-@%H1$|N$*V5Iav<_HhpSjP*E;er6Q@AC3uix$WB4Wk5J)PFC
zUJZ8y?ulS3vg4Lk3bJHCzH&%4q2^5qam<LyF&jwTE+}t_gFOK7CT-Nr%~s~K*zmZu
zvS8-(4qImaJ}r{x)SUMv9$BrOW-0h5^qtfGj<%29E~sy8JaTRB&iU)p7o~!jF}rxe
zKEf*cUowE*kb>Q`RG2X+BPv{|RAeA3h#ZN%&|ds%u)f-%5@3|LcO=Z@SJa%g%A29<
z1N<A?dl^bHyz-l`;|h{sChqsBS!G5tah)m?yCAk|D65J6Jj=8COPLXbK;sZvSl*H>
z2$l~`EFwO!5o+ODt(DI?(*xH=^>TGsFm{DDp6BDNmeb>VEcPo&RKrD2k?fOwf`Yrr
zStm`2p=0E8(`;yo^0Dvlay}f^I#647lCs$mInx|qLF=z7h<|ZZ{#8S2vY{**^!|?O
zD1`NqgAJ_{s?s_W{D(#4Fj#X20JcxOrutsV9-}{HOISqtiN0S1Jh?szs2sI5FS7S3
z*irjUsP6W;W@p9Ex1v*q0@$Q`!ZyOpg(hsvt6-&{W|FLkpGT<t%!b&<AU}6j9|FLY
ziGRzT?u4wW{O+DU3;yRZ;xgGe3TZ*Vbk={qw<_O#{*z}5%w+D*hF0}zNR0YaF^)lO
z(Avf!^bgdnj%_1&3hnzkn<C!cePQ^@)v4K{TJb}Z35JrRYOg2W=N}j|4%uM!GBH5n
z?!cJN&>+_+lgn4dA={^X6{q(bm72jS-iEQEbt`pRrvzOYL<NyUDE|ro?YrHNEN1QI
zQ8u)?#v|Tcq4Eye1L!J1bxr6iTV4UJC2VM`2pfVGLKBOKCqz{MU~4|23{)@zyN|z`
zk7e%k+YmSXsj`X?iyz-hkBMzMD#%}Gl&D}89-=?Iwlbp%?{)EnE6gnV7Bw##h$FgG
zjwnFv-=Q<us0MTzIeyD7K&R(1>vm7;nmc3SBiP6KU1|+=Gx_*bJ8>m%3vqKRx@Sp&
z*QZ|*B5ohVPKXt*Q4k=0h#fkY9Jxa+u^v`&<^vnrSAI=Ig*TN7e?$e5ee_%cbgD9l
zB4rBhk%*C19PjCIe8OF1vmZwOIf<GjcEs6IDrdh#=<y^1>+Qaf<ym?n#*Q{yI1sEv
znpi~E+dE^SGv-&!$-Z<K&F4EV2y?}3ic~V+7?wv-Z=aa$B2)Nv;&{vS)L|wm6Lz$Y
zpoRFcjmnRBvWFZI@}r3j>VrGo^g73d9p_y`_%Obc;B;-O=(mP@E|xYs@q9P#<0*S_
zKHFEDvfm?jL`T2>5WcT!s@DZ!4nU2OfW(-vGDbNf#13^>*2Kf{0N7vlZF$(+mbeQ<
zSeNo-i<jot+VfcHsoZcM3DdlM?U~(Or39EsKAIh^<~b3jU@9ifC8iRH$-sRw{MXhQ
zd{s`H1U{?HS$x-UG2KNOEy=Dl^{E>F2gBml0le#uTBdT=*XM`eiiEP{?O^5;1?*_O
zTbpJVfcmW*1*&;U&+p!y24NLNV$d?BLu(iI9~P0F@(S8(UTyftxP3<R^WKOaov>@+
z4Hl==h!eu{;S-sfQmVw>TnfuovDLiqw+&y>J>BzdANNl+?z=E^$7LK^Wpg3^U83@j
z0<n)lmA&)b{8AJrAuMtT7A=Y`NEF6YQH(7`Q3gff5z$H{F^6<u;xKb5t>xdp=j?qd
zw$FH?ZNk8~C5=T(`BlE9jE>o<JrAy1S&Fos$f;+Kf|;Xov1nDW3W*}{&nWbSp(+p>
zlLX*I+7rd?Z!IeD!<W7$lG+N3e9tRv4T?zrNPaXJvHo0D=(y<t_s-s)Jhy-I;sY<u
zVb>;qhMC7pQJJ|B<^U?@f+gmiegN!kt?8nW;>i2+-z;1|$96ke#v{FnvbT)2LBFqM
zZtVK5wcd8gOnK~9T@!C&JRca8HHkchnTPIS(dti^)_F=#7-H{)>W``W_sWqDVa1iB
zW=;>mGNg$`WM_JQ7J#}e3vI6*CBq_pPuf_sCiuOw76e4TKlzG%T~Ns@8rYY@QRQ*_
z)TQy<J6<P^a_a7FR83TbndM)j`nMYK&!5V_PKX`aVY7^$J_kVc&%p`@sXk+T&QwB*
z(*(bHk?))+{(f`swlrV+^1NFv*>{N7&gzyOye`LQKQTY4cOX~-W={Qx%FKf>A6UsO
zk6&Ug=m(&pL+C9B7yr$yOT@u@^{sPFx&nB5D-VgLAYl9Se9XJslh3roFRSP@o01df
zRjv02ndQa6%nm<LGpCQZeVEE^Xzwn+1v)vN>;Ao(WI|X~{d8!VGeEEmXkroB&I$Gb
zaA4?C2Yscr#`||JFFG|6oJM^xee84U1-YlU)IT>We>|Zd_b)Fd@>HWHvqRrTiNW>x
zlO`}TW`PdPKVHN?3YC9bAogU)zsihp0B*eII#~5wTmVbyE9P96a>MqJ$}C?CQPP5*
z`G$syGRE>9C{GPkJBw>><19|#z8$w?k1Nca+Cq=Ee<#v9mB|M#F*8GF1$ku(_T6WP
z_F^F$Vq&4-TTIfzI=w)(p9+<!9A)0K?~k(XC0UKjxyAXM`8T)5=AmpRL3r}HmGDj<
z%7d|7Nzs2==Xqfz)}8cd>l`1VB%De~<&qNps{lMq;rexL&4%+W^CP#;Hyl<@IdOIL
z<f}?1Jt9-q!COD%(~>ltVJ5#`dbFC^isbnqRi2Y!HmGLAyA7AujNM06)oT#dVN|NS
zmQ-hUKx<~Ym7#*rATzeK>fz*I*cX{EUBhbx?<A2dcG;Df=;)fu<n4i(tY%QZk?<o-
z=T<T)0ECH;rLvd2T(#v4sso0I1Hpefpa7tq^1GD|9A{!c!!km!f@ol25Uj1svHY!3
nv5XO{K$=*55SHe0EFo9aQ?3BwS1y%b7zi(gM1cJAUc&kx0{r@(

literal 0
Hc-jL100001

diff --git a/tests/bypass-ssh-enabled/test.yaml b/tests/bypass-ssh-enabled/test.yaml
new file mode 100644
index 000000000..29a4a715a
--- /dev/null
+++ b/tests/bypass-ssh-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=bypass
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 45
+      flow_bypassed.local_bytes: 3972
diff --git a/tests/bypass-tls-disabled/README.md b/tests/bypass-tls-disabled/README.md
new file mode 100644
index 000000000..7dfb0901f
--- /dev/null
+++ b/tests/bypass-tls-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed with disabled bypass settings
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-disabled/test.yaml b/tests/bypass-tls-disabled/test.yaml
new file mode 100644
index 000000000..09236fa18
--- /dev/null
+++ b/tests/bypass-tls-disabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-tls-enabled/README.md b/tests/bypass-tls-enabled/README.md
new file mode 100644
index 000000000..79f3461c5
--- /dev/null
+++ b/tests/bypass-tls-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-enabled/test.yaml b/tests/bypass-tls-enabled/test.yaml
new file mode 100644
index 000000000..bcfbbe06c
--- /dev/null
+++ b/tests/bypass-tls-enabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=bypass
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 4
+      flow_bypassed.local_bytes: 275
-- 
2.47.2