We are using AWS Network Firewall and writing Suricata pass rules to allow traffic to domains in our allowlist. We will be blocking all traffic not in our allowlist soon. This process has been working fine so far - we are just writing a Suricata pass rule that matches on the SNI field for all of the domains in our allowlist. However, we still have a big chunk of connections that are missing an SNI field. We need a good way to write Suricata pass rules for these connections that are missing an SNI field. Doing it by IP is not feasible, because it would take thousands of rules to accomplish our task. After doing reverse domain lookups on the destination IPs, though, it looks like our traffic with missing SNI fields is only going to 10 or so domains. Is there a way we can write pass rules to allow traffic to these 10 or so domains even though the connections are missing the SNI field? Thank you in advance.
Hi there,
I’m not sure, but could datasets help you achieve this?
Talks about it:
Documentation: 6.41. Datasets — Suricata 7.0.0-rc2-dev documentation
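One way to put the datasets suggestion into practice, as an added example that is not part of the original thread: a small POSIX shell script that turns a plain-text domain allowlist into the base64-encoded file Suricata expects for a `type string` dataset and prints the pass rule that consults it. The allowlist file name, the dataset name `allowed-sni`, the rule sid and the on-disk paths are assumptions of the example; the page does not say whether AWS Network Firewall accepts a file-backed dataset, so treat that as something to verify rather than as given.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a Suricata
# "type string" dataset from a domain allowlist and emits the pass rule.
# Assumed (not from the page): the allowlist file name, the dataset name
# allowed-sni, sid 1000001, and that the rule file and the .lst file sit on
# the Suricata host's disk. AWS Network Firewall support for file-backed
# datasets is not confirmed by the page.

# Suricata stores string dataset values base64-encoded, one per line.
encode_domain() {
    # printf avoids the trailing newline that echo would encode;
    # tr strips the line wraps some base64 implementations add.
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Convert an allowlist (one domain per line; '#' comments and blank lines
# ignored) into a dataset file. Domains are lower-cased because isset is
# an exact match against the SNI bytes. Prints the number of entries written.
build_dataset() {
    allowlist="$1"
    out="$2"
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        d=$(printf '%s' "$line" \
            | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
            | tr 'A-Z' 'a-z')
        [ -n "$d" ] || continue
        encode_domain "$d" >> "$out"
        printf '\n' >> "$out"
    done < "$allowlist"
    wc -l < "$out" | tr -d ' '
}

# The pass rule that consults the dataset. tls.sni is the client-supplied
# SNI, so a ClientHello with no SNI can never match this rule.
pass_rule() {
    printf 'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dataset:isset,%s,type string,load %s; sid:%s; rev:1;)\n' \
        "$1" "$2" "$3"
}

# Constructed sample allowlist so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/allowlist.txt" <<'EOF'
# constructed sample, not a real allowlist
example.com
WWW.Example.com   # trailing comment is stripped
api.example.org
EOF
build_dataset "$tmp/allowlist.txt" "$tmp/allowed-sni.lst" >/dev/null
cat "$tmp/allowed-sni.lst"
pass_rule allowed-sni /etc/suricata/allowed-sni.lst 1000001
```

The rule is the same SNI match the question already uses, with the domain list moved out of the rule body into a file Suricata loads at start-up. It does nothing for the connections the question is actually about: a ClientHello without SNI has no `tls.sni` buffer to test. The only other name-bearing field Suricata exposes for such a flow is the server certificate subject (the `tls.cert_subject` buffer), and that is only visible when the certificate is sent in the clear, which is TLS 1.2 and earlier, not TLS 1.3.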