Please suggest how to write an allowlist of URL domains (https); I tried to test it but it doesn't work

Hi all,
I want to allow only "https://sts.amazonaws.com" (or ".amazonaws.com"); otherwise, all other TCP/HTTP traffic should be dropped.
I've written the following Suricata rule set:

# Allow TLS to *.amazonaws.com (dotprefix prepends a "." to the SNI buffer before the match)
pass tls [10.122.xxx.64/27,10.122.xxx.128/27] any -> $EXTERNAL_NET 443 (msg:"TLS Allowlisted access to sts.amazonaws.com"; flow:to_server,established; tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; sid:1; rev:1;)

# Drop everything else from these subnets towards $EXTERNAL_NET
drop tcp [10.122.xxx.64/27,10.122.xxx.128/27] any -> $EXTERNAL_NET any (msg:"Not matching any TLS allowlisted FQDNs"; flow:to_server,established; sid:2; rev:1;)

Please advise. Thanks.

With dotprefix you may not need the leading dot in the content, right?

Another point: I am not sure this logic works, because you may drop the TCP SYN packet to 443 before you know the TLS SNI.
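As an added example (not code from this thread and not Suricata's own code), here is a small Python model of how `tls.sni; dotprefix; content:"..."; nocase; endswith;` evaluates, run over a handful of constructed SNI values. The dotprefix transform prepends a "." to the buffer, so `.sts.amazonaws.com` is what the content match sees; the model compares the pattern with and without its leading dot to show what each one lets through. The sample SNIs, including the look-alike `evilamazonaws.com`, are made up for the illustration.

```python
# Model of Suricata's tls.sni + dotprefix + content + nocase + endswith evaluation.
# Added example; the SNI values below are constructed, not taken from a capture.

def dotprefix(buf: str) -> str:
    """The dotprefix transform: prepend '.' to the sticky buffer (sts.amazonaws.com -> .sts.amazonaws.com)."""
    return "." + buf


def sni_matches(sni: str, pattern: str, nocase: bool = True) -> bool:
    """Model of `tls.sni; dotprefix; content:PATTERN; nocase; endswith;`."""
    buf = dotprefix(sni)
    if nocase:
        buf, pattern = buf.lower(), pattern.lower()
    return buf.endswith(pattern)


# Constructed SNIs: legitimate AWS hosts, case variants, and look-alikes an attacker could register.
SAMPLE_SNIS = [
    "sts.amazonaws.com",
    "ec2.us-east-1.amazonaws.com",
    "STS.AMAZONAWS.COM",
    "amazonaws.com",
    "evilamazonaws.com",                # shares the suffix but is not under amazonaws.com
    "amazonaws.com.attacker.example",   # allowlisted name used as a subdomain elsewhere
    "example.org",
]


def evaluate(pattern: str) -> dict:
    """Return {sni: would_pass} for the pass rule's content pattern."""
    return {sni: sni_matches(sni, pattern) for sni in SAMPLE_SNIS}


def unintended_passes(pattern: str, zone: str = "amazonaws.com") -> list:
    """SNIs the pattern lets through that are not the zone apex or a name under it."""
    def in_zone(sni: str) -> bool:
        s = sni.lower()
        return s == zone or s.endswith("." + zone)
    return [sni for sni, ok in evaluate(pattern).items() if ok and not in_zone(sni)]


if __name__ == "__main__":
    for pat in (".amazonaws.com", "amazonaws.com"):
        print(f'content:"{pat}"; endswith;')
        for sni, ok in evaluate(pat).items():
            print(f"  {'pass' if ok else 'drop'}  {sni}")
        print("  unintended passes:", unintended_passes(pat) or "none")
```

The model covers only the content match itself; it says nothing about the point in the flow at which each rule is evaluated, which is the second concern raised above.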