Create rule to allow ntp from specific URL

axjoshi · November 27, 2023, 8:55pm

Please include the following information with your help request:

Suricata version AWS network firewall

Operating system and/or Linux distribution - AWS network firewall

How you installed Suricata (from source, packages, something else). - AWS network firewall

Hello Suricata experts,
Is there a way to allow only port UDP 123(NTP) from certain domain eg time.aws.com ? Currently I am using this rule - pass ntp $HOME_NET any → $EXTERNAL_NET 123 (sid:4001; rev:1;) but wanted to tie it down to specific URL

Andreas_Herz · December 12, 2023, 8:46pm

The only way I could think of is creating a dedicated variable that you fill with the IPs of the domains, since there is no ntp keyword to match on domain names. This would be something you could do with HTTP, TLS etc.

Topic		Replies	Views
AWS Network Firewall Stateful (Suricata) rules not working - Pass TLS only Help rules	5	1418	August 16, 2023
How to allow HTTPs but block all other protocol Help rules , suricata	2	249	August 2, 2024
Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work	1	573	December 11, 2022
Suricata allow domain URI Help rules	1	1310	September 12, 2023
Pass tcp traffic based on dns instead of ip address Rules	4	2720	April 4, 2022

Create rule to allow ntp from specific URL

Related Topics