Deep Packet Inspection For Apps

Is it possible to set up a rule that detects Netflix traffic to allow for blocking on a corporate network (for example)?

At https://suricata.readthedocs.io/en/suricata-4.1.4/rule-management/suricata-update.html#using-other-rulesets you will see that you can use the suricata-update tool to enable the oisf/trafficid ruleset.

There are a number of references to netflix in that ruleset and you may be able to do it that way.

Another option is to use the TLS/SSL keywords as at https://suricata.readthedocs.io/en/suricata-5.0.0/rules/tls-keywords.html to write a rule that does a regex wildcard match for netflix in the Common Name of the certificates.

I have had more luck with controlling access via DNS, rather than via Suricata, for YouTube. Bear in mind that often the actual video content is served by a different DNS name. For example with YouTube, www.youtube.com is the “front end” while videos are served by hostnames containing the string googlevideo. In order to block the video content, you need to block that .googlevideo. hostname.

You might find something similar for netflix.

Thanks - that’s really helpful.

For your last point (DNS), do you mean you set up your DNS server/resolver to not resolve the lookup? I’ve tried with pfBlocker but it doesn’t seem to allow wildcards to generate a list of IPs.

I wrote a custom DNS forwarder that would only forward DNS requests and responses for traffic NOT matching criteria like “googlevideo” being in the DNS request.
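The filtering forwarder described in the post above, as an added example written for this page (it is not the poster's code): it reads the question name out of a raw DNS query, answers locally with REFUSED when the name contains a blocked substring such as googlevideo, and relays everything else to an upstream resolver. The listen and upstream addresses and the extra "netflix" pattern are assumptions.

```python
import socket
import struct

BLOCK_SUBSTRINGS = ("googlevideo", "netflix")  # "googlevideo" as in the post; "netflix" is assumed here

def parse_question(msg: bytes):
    """Return (qname, end_offset) for the first question of a raw DNS message (RFC 1035 wire format)."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while msg[pos]:
        if msg[pos] & 0xC0:  # a compression pointer is not valid in a query's question name
            raise ValueError("compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ".".join(labels).lower(), pos + 5  # skip the root label, QTYPE and QCLASS

def refused_response(query: bytes) -> bytes:
    """Reply carrying the client's ID and question, QR set, RD copied, RCODE=5 (REFUSED), no records."""
    _, end = parse_question(query)
    flags = 0x8000 | (struct.unpack("!H", query[2:4])[0] & 0x0100) | 0x0005
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:end]

def handle(query: bytes):
    """Decision for one query: ('forward', None) or ('refuse', response_bytes). Substring match, not a wildcard IP list."""
    qname, _ = parse_question(query)
    return ("refuse", refused_response(query)) if any(p in qname for p in BLOCK_SUBSTRINGS) else ("forward", None)

def build_query(name: str, ident: int = 0x1234) -> bytes:
    """Constructed A/IN query used as sample input (not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """UDP loop: answer blocked names locally with REFUSED, relay the rest to the upstream resolver (assumed addresses)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # one upstream socket; a demo, not ID-matched per client
    up.settimeout(2)
    while True:
        query, client = sock.recvfrom(4096)
        try:
            kind, resp = handle(query)
            if kind == "forward":
                up.sendto(query, upstream)
                resp = up.recv(4096)
        except (ValueError, IndexError, socket.timeout):
            continue  # malformed or truncated query, or upstream timeout: drop rather than relay
        sock.sendto(resp, client)
```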