Outbound traffic

Jim_Frank · October 28, 2021, 3:46am

alert tcp any any → any any (content:!“User-Agent”; http_header; sid:1000198;)

How do I make my rule match on outbound only?

jufajardini · October 28, 2021, 9:43am

Hello JF, welcome to Suricata forum! ^^

If I understood your question correctly, you want to make sure that your rule is matching on outbound traffic. If that is the case, I believe something along these lines should work:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[your rule signature message]"; flow:established,to_server; [rest of the rule]

The key elements here are the flow:established,to_server and the rule direction $HOME_NET any -> $EXTERNAL_NET any. Depending on your objectives the established portion is optional, you have better elements to judge that part.

Hope that helps answering your question!

Topic		Replies	Views
Help with custom rule Rules suricata	1	99	March 29, 2024
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	581	February 19, 2021
Excluding Strings from Rule Rules	1	455	October 29, 2021
$HOME_NET in suricata rule ignored? Rules rules , suricata	2	220	December 18, 2023
Rule using http does not matching get request Rules	2	1014	January 18, 2022

Outbound traffic

Related Topics