Suricata allow domain URI

Jenny · September 11, 2023, 5:51pm

Hello Suricata community, I want to only allow domain url path.
for example:
example.com/something-good-1
example.com/something-good-2
example.com/something-bad

From these I just want to allow traffic from all URLS which are:
example.com/something-good-*

But not from:
example.com/something-bad

pass http $HOME_NET any → $EXTERNAL_NET 443 (msg: “Allowed HTTPS domain”; flow: established,to_server; content: “example.com”; http_uri; pcre: “/something .* /UR” ; sid:1; rev:1;)
pass tls $HOME_NET any → $EXTERNAL_NET any (tls.sni; content:“exampl.com”; msg:“matching TLS allowlisted FQDNs”; flow:to_server, established; sid:2; rev:1;)

The above rule isnt working as expected.

IDSTower · September 12, 2023, 9:32am

The above two rules won’t work for several reasons:

the first rule matches http protocol over port 443, which normally run tls.
the second rule will allow traffic to the FQDN, but it has no way of allowing/denying a specific URL since the content of a TLS session can’t be inspected (encryption)

And the above rules will be affected by other factors including if you have a default deny rule that won’t allow initial TCP packets to pass (SYN, ACK…etc)

In general, if the website works over TLS there is no way to implement allow/deny URI capabilities unless to decrypt the TLS sessions using a proxy…etc

Topic		Replies	Views
AWS Network Firewall Stateful (Suricata) rules not working - Pass TLS only Help rules	5	1418	August 16, 2023
Understanding tls.sni rules Rules	4	3352	December 20, 2022
How to allow HTTPs but block all other protocol Help rules , suricata	2	248	August 2, 2024
Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work	1	573	December 11, 2022
How to allow speedtest.net or any other speedtest link on Suricata Help	3	172	December 15, 2023

Suricata allow domain URI

Related Topics