Hello Suricata community, I want to allow only a domain URL path.
From these I just want to allow traffic from all URLs which are:
But not from:
pass http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Allowed HTTPS domain"; flow:established,to_server; content:"example.com"; http_uri; pcre:"/something .* /UR"; sid:1; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"exampl.com"; msg:"matching TLS allowlisted FQDNs"; flow:to_server,established; sid:2; rev:1;)
The above rule isn't working as expected.
The above two rules won’t work for several reasons:
- the first rule matches the http protocol over port 443, which normally runs TLS.
- the second rule will allow traffic to the FQDN, but it has no way of allowing/denying a specific URL since the content of a TLS session can't be inspected (encryption).
And the above rules will be affected by other factors, including whether you have a default deny rule that won't allow the initial TCP packets (SYN, ACK, etc.) to pass.
In general, if the website works over TLS there is no way to implement allow/deny URI capabilities unless you decrypt the TLS sessions using a proxy, etc.
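One way to put the points above into rules, as an added example rather than the asker's or the responder's own rules: allowlist HTTPS by TLS SNI, keep the deny scoped to the tls app-layer so the TCP handshake can complete, and do URI matching only on plaintext HTTP. The sids, the /something path and port 80 are assumptions; $HOME_NET, $EXTERNAL_NET and example.com come from the thread.

```suricata
# Constructed example ruleset. Suricata's default action order is
# pass, drop, reject, alert, so a matching pass rule marks the flow as
# passed before the catch-all drop rules below are considered.

# 1. Allow TLS whose SNI is example.com or any subdomain of it.
#    dotprefix rewrites the buffer "sub.example.com" to ".sub.example.com",
#    so endswith on ".example.com" covers the apex and subdomains without
#    also matching "notexample.com".
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Allowlisted TLS SNI example.com"; flow:to_server,established; tls.sni; dotprefix; content:".example.com"; endswith; sid:1000001; rev:1;)

# 2. Drop every other TLS session from $HOME_NET. The deny is written
#    against the tls app-layer, not bare tcp: a "drop tcp" default deny
#    would kill the SYN/ACK and the ClientHello carrying the SNI would
#    never be seen, so rule 1 could never match.
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Dropped TLS to non-allowlisted SNI"; flow:to_server,established; sid:1000002; rev:1;)

# 3. A URL path can only be allowlisted where the request is readable,
#    i.e. plaintext HTTP. http.host and http.uri are the sticky-buffer
#    form of the older http_header/http_uri modifiers; the assumed
#    policy here is "example.com, paths under /something only".
pass http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowed example.com path /something"; flow:to_server,established; http.host; content:"example.com"; endswith; http.uri; content:"/something"; startswith; sid:1000003; rev:1;)

# 4. Any other plaintext HTTP request is dropped.
drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Dropped non-allowlisted HTTP request"; flow:to_server,established; sid:1000004; rev:1;)
```

Load the file with suricata -T -S this.rules to syntax-check it before deploying; for HTTPS the path after the hostname stays invisible to these rules, exactly as the answer says, unless a decrypting proxy sits in front of Suricata.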