Outbound traffic

alert tcp any any -> any any (content:!"User-Agent"; http_header; sid:1000198;)

How do I make my rule match on outbound only?

Hello JF, welcome to the Suricata forum! ^^

If I understood your question correctly, you want to make sure that your rule is matching on outbound traffic. If that is the case, I believe something along these lines should work:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[your rule signature message]"; flow:established,to_server; [rest of the rule])

The key elements here are the flow:established,to_server keyword and the rule direction $HOME_NET any -> $EXTERNAL_NET any. Depending on your objectives, the established portion is optional; you have better elements to judge that part.

Hope that helps answering your question!

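Putting the two posts together, here is the asker's User-Agent rule with the direction and flow keywords from the reply applied. This is an added example, not a rule from either post; the msg text, classtype and rev value are assumptions, and $HOME_NET / $EXTERNAL_NET are expected to be defined under vars in suricata.yaml.

```suricata
# Constructed example: the original rule, restricted to client->server traffic
# that leaves $HOME_NET. flow:established,to_server keeps it to requests on an
# established TCP session, so server responses and half-open scans are not matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound HTTP request without User-Agent header"; flow:established,to_server; content:!"User-Agent"; http_header; classtype:policy-violation; sid:1000198; rev:1;)

# Same detection written with the sticky-buffer syntax (Suricata 5 and later):
# the app-layer protocol replaces tcp and http.header must precede the content match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound HTTP request without User-Agent header (sticky buffer)"; flow:established,to_server; http.header; content:!"User-Agent"; classtype:policy-violation; sid:1000199; rev:1;)
```

Load the file with suricata -T -S outbound-ua.rules -c /etc/suricata/suricata.yaml to syntax-check it before enabling it; the two sids are placeholders and must not collide with rules already in your ruleset.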