Hi all,
I want to allow only “https://sts.amazonaws.com or .amazonaws.com”; all other traffic, such as TCP/HTTP, I will drop.
I’ve written the following Suricata rule set:
pass tls [10.122.xxx.64/27,10.122.xxx.128/27] any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; msg:"TLS Allowlisted access to sts.amazonaws.com"; flow:to_server, established; sid:1; rev:1;)
drop tcp [10.122.xxx.64/27,10.122.xxx.128/27] any -> $EXTERNAL_NET any (msg:"Not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
Please give me your recommendations. Thanks.
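
The `tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith;` match in sid:1 above, as an added example that is not part of the original post: a Python model of the string comparison only, showing which SNI values reach the pass rule and which fall through to sid:2. The function names and sample SNI values are constructed; Suricata's rule ordering, flow state and TLS parsing are not modeled.

```python
# Added illustration: string-level model of the tls.sni match in sid:1.
# Assumption: only the buffer comparison is modeled, not the Suricata engine.

ALLOWED_SUFFIX = ".amazonaws.com"  # content value taken from sid:1


def dotprefix(buf: str) -> str:
    """Model of the dotprefix transform: prepend '.' to the buffer."""
    return "." + buf


def sni_matches(sni, content=ALLOWED_SUFFIX):
    """True when dotprefix + content + nocase + endswith would match."""
    if sni is None:
        # No SNI extension in the ClientHello: the tls.sni buffer is
        # absent, so the pass rule cannot match.
        return False
    buf = dotprefix(sni)
    # nocase: case-insensitive compare; endswith: content ends the buffer.
    return buf.lower().endswith(content.lower())


def verdict(sni):
    """Rule the flow would hit under this simplified model."""
    return "pass sid:1" if sni_matches(sni) else "drop sid:2"


# Constructed sample SNI values (not taken from real traffic).
SAMPLES = [
    "sts.amazonaws.com",            # the intended destination
    "amazonaws.com",                # bare domain matches thanks to dotprefix
    "STS.AmazonAWS.com",            # nocase
    "s3.eu-west-1.amazonaws.com",   # any other subdomain is allowed too
    "notamazonaws.com",             # lookalike: no '.' before the suffix
    "amazonaws.com.example.net",    # suffix is not at the end of the buffer
    "sts.amazonaws.com.",           # trailing dot defeats endswith
    None,                           # ClientHello without SNI
]

if __name__ == "__main__":
    for sni in SAMPLES:
        print(f"{str(sni):32} -> {verdict(sni)}")
```

The model shows that the pass rule admits every name under `amazonaws.com`, not only `sts.amazonaws.com`; restricting it to that one host would mean matching the full name in `content` instead of the suffix.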