Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work

akira008 (akira008) December 8, 2022, 2:15am #1

Hi, All
I wanna to allow only “https://sts.amazonaws.com or .amazonaws.com” only otherwise traffic as tcp/http i will be dropped them all.
I’ve written suricata rules set as following

pass tls [10.122.xxx.64/27,10.122.xxx.128/27] any → $EXTERNAL_NET 443 (tls.sni; dotprefix; content:“.amazonaws.com”; nocase; endswith; msg:“TLS Allowlisted access to sts.amazonaws.com”; flow:to_server, established; sid:1; rev:1;)

drop tcp [10.122.xxx.64/27,10.122.xxx.128/27] any → $EXTERNAL_NET any (msg:“Not matching any TLS allowlisted FQDNs”; flow:to_server, established; sid:2; rev:1;)

Pls, recommended me with Thanks.

Philippe_Antoine (Philippe Antoine) December 11, 2022, 8:52pm #2

With dotprefix you may not need the leading dot in the content, right ?

Another point : I am not sure this logic works because you may drop the tcp syn packet to 443 before you know the tls sni