Create rule to allow ntp from specific URL

Please include the following information with your help request:

  • Suricata version AWS network firewall
  • Operating system and/or Linux distribution - AWS network firewall
  • How you installed Suricata (from source, packages, something else). - AWS network firewall

Hello Suricata experts,
Is there a way to allow only port UDP 123(NTP) from certain domain eg ? Currently I am using this rule - pass ntp $HOME_NET any → $EXTERNAL_NET 123 (sid:4001; rev:1;) but wanted to tie it down to specific URL

The only way I could think of is creating a dedicated variable that you fill with the IPs of the domains, since there is no ntp keyword to match on domain names. This would be something you could do with HTTP, TLS etc.