alert tcp any any -> any any (content:!"User-Agent"; http_header; sid:1000198;)
How do I make my rule match on outbound only?
Hello JF, welcome to Suricata forum! ^^
If I understood your question correctly, you want to make sure that your rule is matching on outbound traffic. If that is the case, I believe something along these lines should work:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[your rule signature message]"; flow:established,to_server; [rest of the rule]
The key elements here are the flow:established,to_server and the rule direction $HOME_NET any -> $EXTERNAL_NET any. Depending on your objectives the established portion is optional; you have better elements to judge that part.
Hope that helps answering your question!
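As an added illustration that is not part of either post in this thread: a small Python model of what the suggested rule header direction and flow keywords filter, combined with the original negated User-Agent content match, run over constructed HTTP request records. The HOME_NET ranges, the EXTERNAL_NET = "not HOME_NET" convention, the HttpRequest record and every sample request are assumptions made for this example (they follow the suricata.yaml defaults but are not taken from the thread); this is a model of the matching logic, not Suricata's engine.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network definitions (not from the thread); they follow the
# suricata.yaml defaults, where EXTERNAL_NET is "!$HOME_NET".
HOME_NET = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


@dataclass
class HttpRequest:
    """One constructed HTTP request as seen after TCP flow tracking (assumed shape)."""
    src_ip: str
    dst_ip: str
    established: bool   # three-way handshake seen: flow:established
    to_server: bool     # packet goes client -> server: flow:to_server
    raw_headers: str    # the http_header buffer (request headers as sent)


def direction_ok(req: HttpRequest) -> bool:
    """Rule header '$HOME_NET any -> $EXTERNAL_NET any': src inside, dst outside."""
    return in_home_net(req.src_ip) and not in_home_net(req.dst_ip)


def flow_ok(req: HttpRequest, require_established: bool = True) -> bool:
    """'flow:established,to_server', or just 'flow:to_server' if established is dropped."""
    if not req.to_server:
        return False
    return req.established or not require_established


def user_agent_absent(req: HttpRequest) -> bool:
    """'content:!"User-Agent"; http_header': negated, case-sensitive substring match.

    Without 'nocase', a header spelled 'user-agent:' does not contain the
    literal "User-Agent", so the negated match still fires on it.
    """
    return "User-Agent" not in req.raw_headers


def rule_matches(req: HttpRequest, require_established: bool = True) -> bool:
    return (direction_ok(req)
            and flow_ok(req, require_established)
            and user_agent_absent(req))


# Constructed sample traffic (not a real capture).
SAMPLES = {
    "outbound_no_ua": HttpRequest("192.168.1.10", "93.184.216.34", True, True,
                                  "Host: example.com\r\nAccept: */*\r\n\r\n"),
    "outbound_with_ua": HttpRequest("192.168.1.10", "93.184.216.34", True, True,
                                    "Host: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"),
    "inbound_no_ua": HttpRequest("93.184.216.34", "192.168.1.10", True, True,
                                 "Host: intranet\r\nAccept: */*\r\n\r\n"),
    "internal_no_ua": HttpRequest("192.168.1.10", "10.0.0.5", True, True,
                                  "Host: intranet\r\nAccept: */*\r\n\r\n"),
    "outbound_midstream_no_ua": HttpRequest("192.168.1.10", "93.184.216.34", False, True,
                                            "Host: example.com\r\nAccept: */*\r\n\r\n"),
    "outbound_lowercase_ua": HttpRequest("192.168.1.10", "93.184.216.34", True, True,
                                         "Host: example.com\r\nuser-agent: x\r\n\r\n"),
}


def evaluate(samples=SAMPLES, require_established: bool = True) -> dict:
    """Return {sample name: whether the modelled rule would alert}."""
    return {name: rule_matches(req, require_established)
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:28s} {'ALERT' if hit else '-'}")
```

Two things the samples bring out: the "internal_no_ua" request is dropped purely by the header direction, because its destination is inside HOME_NET and so is not in $EXTERNAL_NET, and the "outbound_midstream_no_ua" request only alerts once `established` is dropped from the flow keyword, which is the trade-off the answer refers to. The lowercase header sample shows why `nocase` is worth considering on a negated content match.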