Create rule to allow ntp from specific URL

axjoshi · November 27, 2023, 8:55pm

Please include the following information with your help request:

Suricata version AWS network firewall

Operating system and/or Linux distribution - AWS network firewall

How you installed Suricata (from source, packages, something else). - AWS network firewall

Hello Suricata experts,
Is there a way to allow only port UDP 123(NTP) from certain domain eg time.aws.com ? Currently I am using this rule - pass ntp $HOME_NET any → $EXTERNAL_NET 123 (sid:4001; rev:1;) but wanted to tie it down to specific URL

Andreas_Herz · December 12, 2023, 8:46pm

The only way I could think of is creating a dedicated variable that you fill with the IPs of the domains, since there is no ntp keyword to match on domain names. This would be something you could do with HTTP, TLS etc.

Topic		Replies	Views
AWS Network Firewall Stateful (Suricata) rules not working - Pass TLS only Help rules	5	856	August 16, 2023
Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work	1	486	December 11, 2022
Suricata allow domain URI Help rules	1	751	September 12, 2023
Pass tcp traffic based on dns instead of ip address Rules	4	2229	April 4, 2022
How to allow speedtest.net or any other speedtest link on Suricata Help	3	123	December 15, 2023

Create rule to allow ntp from specific URL

Related Topics