We are using AWS Network Firewall, which provides a place to write Suricata rules.
What I want to do is to allow TLS or HTTPS on port 443 and block all other protocols.
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".google.com"; nocase; endswith; ssl_state:client_hello; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1;)
For example, when we visit www.google.com, this connection is recognised as HTTPS, the Suricata engine checks its SNI and decides to pass the connection. (works as expected)
When we visit www.microsoft.com, this connection is recognised as HTTPS, the Suricata engine checks its SNI and decides to drop the connection. (works as expected)
However, if we just run nc 1.2.3.4 443 and send messages, the firewall will not drop it, because Suricata does not know what protocol it uses.
In the previous situation, I only want to allow access to google.com, but block access to 1.2.3.4. Here 1.2.3.4 is some random IP address that is not in our domain list.
Our original motivation is to make sure our server can only access websites in our domain list.
Is that possible in Suricata?
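As an added example (not part of the original post and not taken from AWS documentation), here is the same allowlist extended with a rule for the raw-nc case. The two tls rules above only fire once Suricata has detected TLS on the flow, so a plain TCP client that never sends a ClientHello is invisible to them. Suricata's app-layer-protocol keyword matches on the protocol the engine detected for the flow, so a drop rule for TCP traffic to port 443 whose application layer is not TLS covers that gap. Assumptions: the AWS Network Firewall stateful engine accepts these keywords (it runs Suricata, but verify in a test rule group), a negated app-layer-protocol match also fires once detection has failed on the flow, and the sid values and the .google.com domain are placeholders.

```suricata
# Added example rule set, not from the original post.
# Assumes a Suricata 5+ engine (AWS Network Firewall stateful rule group)
# that supports tls.sni, dotprefix, endswith and app-layer-protocol.

# 1. Allow TLS whose SNI ends with an allowlisted domain. dotprefix turns
#    ".google.com" into a match for google.com and any subdomain, but not
#    for notgoogle.com.
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".google.com"; nocase; endswith; msg:"allowlisted TLS SNI"; flow:to_server, established; sid:1000001; rev:1;)

# 2. Drop every other TLS session (a ClientHello whose SNI did not match rule 1,
#    or a ClientHello with no SNI at all).
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS SNI not allowlisted"; flow:to_server, established; sid:1000002; rev:1;)

# 3. Drop traffic to 443 that is not TLS at all. A raw client such as
#    "nc 1.2.3.4 443" never triggers the tls rules above because no TLS is
#    detected, so match on the detected application layer instead. This
#    also catches cleartext HTTP or any other protocol sent to 443.
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (app-layer-protocol:!tls; msg:"non-TLS traffic on 443"; flow:to_server, established; sid:1000003; rev:1;)

# 4. Block egress to every other TCP port outright; only 443 is in scope
#    for this policy.
drop tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"TCP egress to non-443 port"; flow:to_server, established; sid:1000004; rev:1;)
```

Two points to check when deploying this. With Suricata's default action order (also the default in AWS Network Firewall), pass rules are evaluated before drop rules regardless of where they appear in the file, and a pass match marks the whole flow, so rule 1 still wins over rules 2 and 3 for allowlisted sessions; if the rule group uses strict order, keep the pass rule first. Rule 4 only covers TCP, so UDP traffic such as DNS is untouched and needs its own allow or drop rules depending on the policy.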