How to write Effective Suricata rule to match multiple tls SNI (Whitelisting)?

Hi Folks,

I’m using Suricata in IPS mode on GCP behind a Network Load Balancer. This solution is working for me as an egress filtering solution. I have written the Suricata rules below for whitelisting: basically, they match the SNI and pass it, and if no pass rule matches the SNI, the packet is rejected.

pass tcp any any -> any any (msg:"Allow Outbound Requests by SNI"; flow:established; app-layer-protocol:tls; tls.sni; content:".amazon.com"; nocase; sid:101; rev:1;)
pass tcp any any -> any any (msg:"Allow Outbound Requests by SNI"; flow:established; app-layer-protocol:tls; tls.sni; content:".youtube.com"; nocase; sid:102; rev:1;)
pass tcp any any -> any any (msg:"Allow Outbound Requests by SNI"; flow:established; app-layer-protocol:tls; tls.sni; content:".example.com"; nocase; sid:103; rev:1;)
reject tcp any any -> any any (msg:"TCP:Blocked Alert"; flow:established; sid:100009; rev:1;)

The rules are written to match 3 SNIs and they are working: they only allow these 3 FQDNs, and the rest of the domains get rejected. However, I have more than 200 SNIs to whitelist. Do I need to write 200 pass rules to match the individual SNIs, or is there a more effective way? Will it create any performance issues if we write them like this?

Is there an effective way or workaround for matching multiple SNIs, or can we write one single Suricata rule to match all the allowed SNIs?

I might be mistaken but I think this might be a use case for datasets.

https://docs.suricata.io/en/latest/rules/datasets.html

@IDSTower might have some additional insights as well.

Hope that helps,

JT

2 Likes
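As an added example, not code from either post: a small Python helper that writes the base64-encoded "type string" dataset file Suricata loads and emits one pass rule using dataset:isset on tls.sni in place of one pass rule per domain. The dataset name allowed-sni, the file path and the sample hostnames are my own assumptions.

```python
import base64

# Constructed sample allow-list. A Suricata string dataset matches the whole
# tls.sni buffer byte-for-byte, so suffix patterns such as ".amazon.com"
# (as used in the content: rules in the question) cannot be expressed here;
# every permitted FQDN has to be listed explicitly.
ALLOWED_SNI = [
    "www.amazon.com",
    "www.youtube.com",
    "www.example.com",
]


def encode_dataset(fqdns):
    """Render a 'type string' dataset file: one base64-encoded value per line."""
    return "".join(base64.b64encode(h.encode()).decode() + "\n" for h in fqdns)


def decode_dataset(text):
    """Inverse of encode_dataset, to check what Suricata would actually load."""
    return [base64.b64decode(l).decode() for l in text.splitlines() if l.strip()]


def build_rules(dataset_path, pass_sid=101, reject_sid=100009):
    """One dataset-backed pass rule plus the catch-all reject from the question.
    The dataset name 'allowed-sni' and the file path are assumptions."""
    pass_rule = (
        'pass tls any any -> any any (msg:"Allow outbound by SNI dataset"; '
        'flow:established,to_server; tls.sni; '
        f'dataset:isset,allowed-sni,type string,load {dataset_path}; '
        f'sid:{pass_sid}; rev:1;)'
    )
    reject_rule = (
        'reject tcp any any -> any any (msg:"TCP:Blocked Alert"; '
        f'flow:established; sid:{reject_sid}; rev:1;)'
    )
    return [pass_rule, reject_rule]


def would_pass(sni, fqdns):
    """Mirror the dataset semantics: exact match only, no substring or suffix."""
    return sni in set(fqdns)


if __name__ == "__main__":
    path = "/etc/suricata/allowed-sni.lst"  # assumed location
    with open("allowed-sni.lst", "w") as f:
        f.write(encode_dataset(ALLOWED_SNI))
    for rule in build_rules(path):
        print(rule)
    for sni in ("www.amazon.com", "mail.amazon.com"):
        print(sni, "-> pass" if would_pass(sni, ALLOWED_SNI) else "-> reject")
```

Because the lookup is an exact match of the full SNI, a host such as mail.amazon.com is rejected unless it is added to the list; the dataset file can be regenerated and reloaded without touching the rule itself.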