Hi,
We’re currently investigating using Suricata (actually AWS Network Firewall, which uses Suricata under the hood) to block our users from pushing data to random GitHub repos.
Since everything on GitHub is unfortunately under their main domain - github.com - we need to do TLS inspection and work with the http.uri and http.method to filter this traffic.
I had come up with the necessary rules to block this, but due to HTTP session reuse, the traffic is not re-inspected when there’s a change of HTTP method.
Git first does an HTTP GET to get the current status of the remote repo, and then an HTTP POST to push the data out.
We have established default drop on all traffic, so we only have pass rules.
pass http 192.168.0.0/24 any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content: "POST"; http.host; content: "github.com"; http.uri; content: "/myorg/"; nocase; startswith; alert; msg:"AllowedOrgPOST"; sid:1; rev:1;)
pass http 192.168.0.0/24 any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content: "POST"; http.host; content: "github.com"; http.uri; content: "_myorg/"; http.uri; pcre:"/[0-9a-z\-]+_myorg/iR"; alert; msg:"AllowedPersonalOrgPOST"; sid:3; rev:1;)
pass http 192.168.0.0/24 any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content: "GET"; http.host; content: "github.com"; alert; msg:"AllowedGitHubGET"; sid:5; rev:1;)
When testing with curl, things behave as I would expect (no session reuse) - POST’ing only works to the allowed URIs. Unfortunately with session reuse this is thwarted.
Is there some flag / something that I could do to enable filtering?
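Replaying the three posted pass rules over one keep-alive connection makes the effect the post describes visible. Every git push over smart HTTP starts with a GET on .../info/refs?service=git-receive-pack, which matches sid:5 (any GET to github.com); once a non-IP-only pass rule has matched, Suricata marks the flow as passed and stops inspecting it, so the POST to .../git-receive-pack that follows on the same connection is never evaluated against sid:1 or sid:3. The script below is an added example, not code from the original post, Suricata or AWS Network Firewall: it encodes the rules as Python predicates (sid:3 is approximated as a regex anchored at the start of the URI, an assumption about its intent since the posted pcre uses the R modifier), replays a constructed push sequence once per transaction and once with flow-level pass semantics, and the flow-level mode is a model of the engine behaviour rather than a real Suricata run.

```python
"""Toy replay of the posted pass rules over one keep-alive HTTP connection.

Added example (not code from the original post or from Suricata/AWS). It
encodes sid:1, sid:3 and sid:5 as Python predicates and replays a constructed
git-push exchange, once evaluating every transaction independently and once
with flow-level pass semantics, where the first matching pass rule marks the
whole flow as passed and later transactions on it are not inspected. The
flow-level mode is a model of the engine behaviour, not a Suricata run.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One HTTP request on the connection (method, Host header, URI)."""
    method: str
    host: str
    uri: str


# sid:1 -- POST to github.com with a URI starting with /myorg/ (nocase).
# Like the posted content match, the host check is a substring match.
def allowed_org_post(tx: Tx) -> bool:
    return (tx.method == "POST" and "github.com" in tx.host
            and tx.uri.lower().startswith("/myorg/"))


# sid:3 -- POST to github.com under a personal org named <user>_myorg.
# Assumption: modelled as a regex anchored at the start of the URI; the
# posted rule uses content + pcre/R and may not be anchored the same way.
PERSONAL_ORG = re.compile(r"^/[0-9a-z\-]+_myorg/", re.IGNORECASE)


def allowed_personal_org_post(tx: Tx) -> bool:
    return (tx.method == "POST" and "github.com" in tx.host
            and PERSONAL_ORG.search(tx.uri) is not None)


# sid:5 -- any GET to github.com, which git needs before every push.
def allowed_github_get(tx: Tx) -> bool:
    return tx.method == "GET" and "github.com" in tx.host


PASS_RULES = [
    ("AllowedOrgPOST", allowed_org_post),
    ("AllowedPersonalOrgPOST", allowed_personal_org_post),
    ("AllowedGitHubGET", allowed_github_get),
]


def first_pass_match(tx: Tx):
    """Name of the first pass rule matching tx, or None (default drop)."""
    for name, pred in PASS_RULES:
        if pred(tx):
            return name
    return None


def evaluate(flow, flow_level_pass: bool):
    """Return a list of (verdict, reason) for each transaction in the flow."""
    verdicts = []
    flow_passed = False
    for tx in flow:
        if flow_level_pass and flow_passed:
            # Model of Suricata marking the flow as passed: no further
            # rule evaluation for the rest of the connection.
            verdicts.append(("pass", "flow already passed, not inspected"))
            continue
        name = first_pass_match(tx)
        if name is None:
            verdicts.append(("drop", "default drop"))
        else:
            verdicts.append(("pass", name))
            flow_passed = True
    return verdicts


# Constructed traffic: git's smart-HTTP push is a GET on info/refs followed
# by a POST to git-receive-pack, here sent on one persistent connection.
HOST = "github.com"
ALLOWED_PUSH = [
    Tx("GET", HOST, "/myorg/app.git/info/refs?service=git-receive-pack"),
    Tx("POST", HOST, "/myorg/app.git/git-receive-pack"),
]
EXFIL_PUSH = [
    Tx("GET", HOST, "/someone-else/dump.git/info/refs?service=git-receive-pack"),
    Tx("POST", HOST, "/someone-else/dump.git/git-receive-pack"),
]


def verdicts_only(flow, flow_level_pass: bool):
    """Just the pass/drop verdicts, for comparing the two evaluation modes."""
    return [v for v, _ in evaluate(flow, flow_level_pass)]


if __name__ == "__main__":
    for label, flow in (("allowed push", ALLOWED_PUSH), ("exfil push", EXFIL_PUSH)):
        print(label, "per-transaction:", verdicts_only(flow, False))
        print(label, "flow-level pass:", verdicts_only(flow, True))
```

Per transaction, the exfil POST is dropped; with the flow already passed by the preceding GET, it goes through, which is the curl-versus-git difference the post reports (curl opens a fresh connection per request, git reuses one). Two details worth checking in the real rules as well: `content:"github.com"` on http.host is a substring match, so it also passes hosts that merely contain that string, and any pass rule that is as broad as sid:5 will pass the whole connection for everything that follows it.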