Does Suricata allow wildcards on tls.sni matches?

1

Is it possible to write a Suricata rule that matches on SNI certain sections of an SNI header using wildcards (*) in the middle of the url? For example, is the following rule valid?

pass tls 10.0.0.0/8 any -> any any (tls.sni; dotprefix; content:".s3.*.amazonaws.com"; nocase; endswith; msg:"Allowlisted tls.sni - pass"; sid:150; rev:1;)

If there is a section of the Suricata docs that talks about this in more detail I have not been able to find it, but would be happy to read it if someone can link it as well. Thanks so much in advance.

2

You can use, for example, Perl-compatible regular expressions. For instance:

alert tls any any -> any any (tls.sni; content: "suricata.io"; nocase; endswith; pcre:"/w.*\.suricata\.io$/"; msg:"Match on SNI wildcards"; sid:42; rev:1;)

would produce

{
  "timestamp": "2023-07-22T16:39:55.905808+0200",
  "flow_id": 1271632076972008,
  "in_iface": "wlp61s0",
  "event_type": "alert",
  "src_ip": "192.168.178.25",
  "src_port": 39434,
  "dest_ip": "35.212.0.44",
  "dest_port": 443,
  "proto": "TCP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 42,
    "rev": 1,
    "signature": "Match on SNI wildcards",
    "category": "",
    "severity": 3
  },
  "tls": {
    "sni": "www.suricata.io",
    "version": "TLS 1.3",
    "ja3": {},
    "ja3s": {}
  },
  "app_proto": "tls",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 789,
    "bytes_toclient": 305,
    "start": "2023-07-22T16:39:55.630760+0200"
  }
}
{
  "timestamp": "2023-07-22T16:39:56.111549+0200",
  "flow_id": 1271632076972008,
  "in_iface": "wlp61s0",
  "event_type": "tls",
  "src_ip": "192.168.178.25",
  "src_port": 39434,
  "dest_ip": "35.212.0.44",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "sni": "www.suricata.io",
    "version": "TLS 1.3",
    "ja3": {},
    "ja3s": {}
  }
}

You can easily adjust that to use your pass strategy and patterns.

What happens here is that you specify to match on the tls.sni sticky buffer. Then, you use the exact-matching content keyword to limit evaluation of further keywords to events in which the SNI already ends in suricata.io. Then, you can use the (more expensive) pcre keyword to specify a regular expression that can match more complex patterns. I think that approach generalizes well to your AWS domain structure.

3

If there is a section of the Suricata docs that talks about this in more detail I have not been able to find it, but would be happy to read it if someone can link it as well. Thanks so much in advance.

Here’s the part of the documentation that deals with regular expressions:
https://docs.suricata.io/en/7.0.0/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions