Hey Respected Members,
I want to block all traffic belonging to the HTTP stream, i.e. port 80 traffic, but I want to allow some websites using HTTP. So I created 2 signature rules for my requirement, but they do not fulfil it, and I am not able to understand what I am missing.
Thank you in advance.
The sites I want to allow have .gov.in in their URL, and also .nic.in.
pass tcp any any -> any 80 (msg:"Website Traffic "; flow:established,to_server; pcre:"/.(.gov.in|.nic.in)./"; http_header; sid:9050000; rev:1;)
drop tcp any any -> any 80 (msg:"Block Port 80 traffic"; threshold: type limit, track by_dst,count 1, seconds 60000; flow:established,to_server; sid:9050001; rev:1;)
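
Added example, not part of the original post: a Python check of what the pcre in the pass rule matches, using Python's `re` as a stand-in for PCRE and assuming the pattern is evaluated over the full request header text. `STRICT_HOST`, the helper names and the request headers are constructed for illustration; the stricter pattern is a hypothetical alternative, not a rule from the post.

```python
import re

# Pattern exactly as posted in the pass rule: unescaped dots, no anchoring.
POSTED = re.compile(r".(.gov.in|.nic.in).")

# Hypothetical stricter pattern (assumption, not from the post): literal dots,
# at least one label before gov.in / nic.in, anchored to the whole Host value.
STRICT_HOST = re.compile(r"^(?:[a-z0-9-]+\.)+(?:gov|nic)\.in(?::\d+)?$", re.I)


def host_of(headers):
    """Return the value of the Host header from a raw header block, or ''."""
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""


def posted_allows(headers):
    """True if the posted pattern matches anywhere in the header block."""
    return POSTED.search(headers) is not None


def strict_allows(headers):
    """True only if the Host value itself ends in .gov.in or .nic.in."""
    return STRICT_HOST.match(host_of(headers)) is not None


# Constructed request headers (not captured traffic).
SAMPLES = [
    "Host: www.india.gov.in\r\nUser-Agent: test\r\n",
    "Host: services.nic.in:80\r\nUser-Agent: test\r\n",
    "Host: example.com\r\nReferer: http://www.india.gov.in/page\r\n",
    "Host: mygov-in.example\r\nUser-Agent: test\r\n",
    "Host: example.com\r\nUser-Agent: test\r\n",
]


def compare(samples):
    """Return (host, posted_result, strict_result) for each header block."""
    return [(host_of(s), posted_allows(s), strict_allows(s)) for s in samples]


if __name__ == "__main__":
    for host, posted, strict in compare(SAMPLES):
        print(f"{host:28} posted={posted!s:5} strict={strict}")
```

The third and fourth samples are the ones to look at: the posted pattern accepts a request whose Host is outside the allowlist because another header mentions a `.gov.in` URL, and accepts a Host where the unescaped dots match arbitrary characters.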