Hi,
I have a Suricata rule:
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Outgoing URL https://github.com/navsty091/opencsv "; tls_sni; content:"github.com"; tag:session,600,seconds; classtype:trojan-activity; sid:15000003; rev: 1; priority:3; reference:url,/events/view/3;)
This rule gets hit and I get an alert whenever I access github.com, but I don’t want it to be like this.
I want the alert to be generated only when I access the complete URL.
This one: https://github.com/navsty091/opencsv
And the rule can be something like this:
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Outgoing URL https://github.com/navsty091/opencsv "; tls_sni; content:"https://github.com/navsty091/opencsv "; tag:session,600,seconds; classtype:trojan-activity; sid:15000003; rev: 1; priority:3; reference:url,/events/view/3;)
If you have any suggestions, please let me know. Thanks.