Suricata allow domain URI

Hello Suricata community, I want to allow only a domain URL path.
for example:

From these I just want to allow traffic from all URLs which are:

But not from:

pass http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Allowed HTTPS domain"; flow:established,to_server; content:""; http_uri; pcre:"/something .* /UR"; sid:1; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:""; msg:"matching TLS allowlisted FQDNs"; flow:to_server,established; sid:2; rev:1;)

The above rule isn't working as expected.

The above two rules won’t work for several reasons:

  • the first rule matches the HTTP protocol over port 443, which normally runs TLS.
  • the second rule will allow traffic to the FQDN, but it has no way of allowing/denying a specific URL, since the content of a TLS session can't be inspected (encryption).

And the above rules will be affected by other factors, including whether you have a default deny rule that won't allow the initial TCP packets to pass (SYN, ACK, etc.).

In general, if the website works over TLS there is no way to implement allow/deny URI capabilities unless you decrypt the TLS sessions using a proxy, etc.
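As an added example (constructed for this page, not taken from the thread or from the Suricata project), this is how the distinction in the reply can be expressed in rule syntax: over TLS only the SNI is available to allowlist, while a URI path can only be matched on plaintext HTTP. The FQDN example.com, the path /allowed/ and the sid values are assumed placeholders.

```suricata
# Constructed example: allow example.com and its subdomains over TLS.
# dotprefix turns "www.example.com" into ".www.example.com", so the
# endswith check on ".example.com" matches the apex domain and any
# subdomain without matching look-alikes such as "evilexample.com".
# Only the SNI is visible here; the request path is encrypted and cannot
# be filtered in this rule.
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Allowed TLS FQDN example.com"; flow:established,to_server; tls.sni; dotprefix; content:".example.com"; endswith; sid:1000001; rev:1;)

# Plaintext HTTP (port 80) is the only case where the URI path is
# inspectable: match the Host header and a path prefix together.
pass http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowed HTTP path on example.com"; flow:established,to_server; http.host; dotprefix; content:".example.com"; endswith; http.uri; content:"/allowed/"; startswith; sid:1000002; rev:1;)

# A default deny for everything else; pass rules are evaluated before
# drop rules under Suricata's default action order. As the reply notes,
# how such a rule interacts with the TCP handshake and the packet that
# carries the ClientHello must be verified in the deployment, since the
# SNI is not known until after the handshake has completed.
drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Default deny egress"; sid:1000003; rev:1;)
```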