How can I modify a suricata rule for complete URL not just the domain name

tenacious1 · July 25, 2022, 2:43pm

Hi,
I have a suricata rule
alert tls $HOME_NET any → $EXTERNAL_NET 443 (msg:"Outgoing URL https://github.com/navsty091/opencsv "; tls_sni; content:“github.com”; tag:session,600,seconds; classtype:trojan-activity; sid:15000003; rev: 1; priority:3; reference:url,/events/view/3;)

this rule get hit and I get alert whenever I access → github.com, but I don’t want this to be like this.
I want alert to get generated only then, when I will access the complete URL.
this one → https://github.com/navsty091/opencsv
and the rule can be something like this

alert tls $HOME_NET any → $EXTERNAL_NET 443 (msg:"Outgoing URL https://github.com/navsty091/opencsv "; tls_sni; content:"https://github.com/navsty091/opencsv "; tag:session,600,seconds; classtype:trojan-activity; sid:15000003; rev: 1; priority:3; reference:url,/events/view/3;)

if you have any suggestions , please let me know. Thanks.

IDSTower · July 25, 2022, 3:09pm

This is not possible since the path section of the url (after github.com) is encrypted and can’t be read by suricata.

Topic		Replies	Views
Editing Suricata rule to exclude specific string Help rules	3	373	October 25, 2023
Suricata rule to alert on older versions of TLS Rules aws , rules	3	540	March 17, 2023
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	581	February 19, 2021
Suricata allow domain URI Help rules	1	725	September 12, 2023
Modify.conf possibly not working, probably a newbie error?	7	683	January 26, 2023

How can I modify a suricata rule for complete URL not just the domain name

Related Topics