Block websites having ssl cached in browser

suraj · September 14, 2021, 8:54am

Hi there,
I am trying to block youtube.com in my home network.
For that, I am using below rule:

drop tls any any -> any any (msg:"ssl/tls certicate from youtube.com"; flow:established,to_server; tls.sni; content:"youtube.com"; nocase; endswith; tls.store; sid:128280;)

Blocking works if I test it using curl -I https://www.youtube.com
But, in browser, if I already had youtube.com opened before enabling above rule, then I can continue using youtube until I reset my browser to default (clear browser data).
What I want is to block ‘youtube.com’ entirely after enabling suricata rule.
Any pointer regarding same will be really helpful.

Edit:
Version Info:

This is Suricata version 6.0.1 RELEASE

Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster

Thanks,

lex · September 17, 2021, 8:22pm

Have you tried blocking DNS request? Based on your description it’s suitable for your intent.

prateek.s · June 13, 2023, 6:17am

But by using this rule we can just able to block youtube.com website.
If we have to block youtube application completely then what should we can do?
Thanks in advance!!

Topic		Replies	Views
Suricata RuleSet Help suricata	3	225	February 28, 2024
Suricata 5.0.1 and TLS 1.3 issue Rules	1	1105	September 19, 2020
Understanding tls.sni rules Rules	4	2648	December 20, 2022
Deep Packet Inspection For Apps Help	3	1128	July 25, 2020
Suricata rule to block dns query type 64 (svcb) Rules	1	859	December 27, 2022

Block websites having ssl cached in browser

Related Topics