Does Suricata allow wildcards on tls.sni matches?

Nathan_Riches · July 19, 2023, 5:32pm

Is it possible to write a Suricata rule that matches on SNI certain sections of an SNI header using wildcards (*) in the middle of the url? For example, is the following rule valid?

pass tls 10.0.0.0/8 any -> any any (tls.sni; dotprefix; content:".s3.*.amazonaws.com"; nocase; endswith; msg:"Allowlisted tls.sni - pass"; sid:150; rev:1;)

If there is a section of the Suricata docs that talks about this in more detail I have not been able to find it, but would be happy to read it if someone can link it as well. Thanks so much in advance.

satta · July 22, 2023, 2:45pm

You can use, for example, Perl-compatible regular expressions. For instance:

alert tls any any -> any any (tls.sni; content: "suricata.io"; nocase; endswith; pcre:"/w.*\.suricata\.io$/"; msg:"Match on SNI wildcards"; sid:42; rev:1;)

would produce

{
  "timestamp": "2023-07-22T16:39:55.905808+0200",
  "flow_id": 1271632076972008,
  "in_iface": "wlp61s0",
  "event_type": "alert",
  "src_ip": "192.168.178.25",
  "src_port": 39434,
  "dest_ip": "35.212.0.44",
  "dest_port": 443,
  "proto": "TCP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 42,
    "rev": 1,
    "signature": "Match on SNI wildcards",
    "category": "",
    "severity": 3
  },
  "tls": {
    "sni": "www.suricata.io",
    "version": "TLS 1.3",
    "ja3": {},
    "ja3s": {}
  },
  "app_proto": "tls",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 789,
    "bytes_toclient": 305,
    "start": "2023-07-22T16:39:55.630760+0200"
  }
}
{
  "timestamp": "2023-07-22T16:39:56.111549+0200",
  "flow_id": 1271632076972008,
  "in_iface": "wlp61s0",
  "event_type": "tls",
  "src_ip": "192.168.178.25",
  "src_port": 39434,
  "dest_ip": "35.212.0.44",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "sni": "www.suricata.io",
    "version": "TLS 1.3",
    "ja3": {},
    "ja3s": {}
  }
}

You can easily adjust that to use your pass strategy and patterns.

What happens here is that you specify to match on the tls.sni sticky buffer. Then, you use the exact-matching content keyword to limit evaluation of further keywords to events in which the SNI already ends in suricata.io. Then, you can use the (more expensive) pcre keyword to specify a regular expression that can match more complex patterns. I think that approach generalizes well to your AWS domain structure.

satta · July 22, 2023, 2:47pm

If there is a section of the Suricata docs that talks about this in more detail I have not been able to find it, but would be happy to read it if someone can link it as well. Thanks so much in advance.

Here’s the part of the documentation that deals with regular expressions:
https://docs.suricata.io/en/7.0.0/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions

Topic		Replies	Views
How to write Effective Suricata rule to match multiple tls SNI (Whitelisting)? Rules aws , community , rules , suricon , suricata	1	1006	July 5, 2023
Understanding tls.sni rules Rules	4	2685	December 20, 2022
How can I modify a suricata rule for complete URL not just the domain name Rules community , rules , suricata	1	1305	July 25, 2022
Editing Suricata rule to exclude specific string Help rules	3	405	October 25, 2023
Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work	1	491	December 11, 2022

Does Suricata allow wildcards on tls.sni matches?

Related Topics