I am trying to block youtube.com in my home network.
For that, I am using the rule below:
drop tls any any -> any any (msg:"ssl/tls certificate from youtube.com"; flow:established,to_server; tls.sni; content:"youtube.com"; nocase; endswith; tls.store; sid:128280;)
Blocking works if I test it using
curl -I https://www.youtube.com
But, in browser, if I already had youtube.com opened before enabling above rule, then I can continue using youtube until I reset my browser to default (clear browser data).
What I want is to block ‘youtube.com’ entirely after enabling suricata rule.
Any pointer regarding this would be really helpful.
This is Suricata version 6.0.1 RELEASE
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster