Hey guys!
I'm new to Suricata, but I want to implement it into my infra.
I have an nginx reverse proxy and a lot of domains with SSL termination.
I also have a captcha server; if a domain gets a little higher traffic, I want to send them to the captcha server to solve it. At first I want to manage this list by hand with rules.
I tested some stuff, and it is working fine, unless I don't want to accept this for specific domains.
So, if I use the following rule:
```
#alert tcp any any -> any 443 (msg:"SURICATA SEES TCP"; nfq_set_mark:0x01/0x01; sid:999999; rev:1;)
```
Everything works fine. I open a domain which is redirected to the Suricata server with DNS, Suricata marks the packets, and iptables redirects them to the given port. That's fine, until I want to use rules for domains:
```
alert tls any any -> any 443 (msg:"Redirecting example.org"; tls.sni; content:"example.org"; nocase; flow:established,to_server; nfq_set_mark:0x01/0x01; sid:1000001; rev:1;)
```
If I understand right, this is because of the TLS handshake. Suricata only marks the 4th packet, and the nat table can't redirect the packet to the given port.
Here are all the iptables rules which I use:
```bash
#!/bin/bash
# --- 1. Clear previous attempts ---
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
# --- 2. RAW TABLE (The "Force Redirect" Trick) ---
# This tells the kernel: "If a packet has mark 0x1, ignore its old connection state."
# This forces the NAT table to re-evaluate the REDIRECT rule mid-stream.
iptables -t raw -A PREROUTING -p tcp --dport 443 -m mark --mark 0x1 -j CT --notrack
# --- 3. MANGLE TABLE (The Brain) ---
# Restore connection mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Whitelist bypass
iptables -t mangle -A PREROUTING -m set --match-set ipset_pass src -j RETURN
# Send to Suricata (Only if not already marked)
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m mark ! --mark 0x1 -j NFQUEUE --queue-num 0
# Save the mark to the connection so we don't hit Suricata for every single packet
iptables -t mangle -A PREROUTING -m mark --mark 0x1 -j CONNMARK --save-mark
# --- 4. NAT TABLE (The Action) ---
# Now NAT will finally see the mark on the 'Notracked' packet
iptables -t nat -A PREROUTING -p tcp --dport 443 -m mark --mark 0x1 -j REDIRECT --to-ports 444
```
Do you have any idea how this can work?
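The post's `tls.sni; content:"example.org"; nocase;` rule can only fire once Suricata has seen the TLS ClientHello, because the server name lives in that handshake message and nowhere else. The following Python script is an added illustration, not code from the original post or from the Suricata project: it builds a constructed minimal ClientHello, extracts the SNI the way the `tls.sni` sticky buffer exposes it, applies the same case-insensitive substring decision the rule makes, and walks a constructed SYN / SYN-ACK / ACK / ClientHello sequence to show that the first packet carrying a matchable name is the 4th one. The `build_client_hello`, `extract_sni`, `should_mark` and `first_marked_packet` names, the fixed random bytes and the cipher suite list are all assumptions made for this example.

```python
import struct


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with a server_name extension."""
    name = sni.encode("ascii")
    # server_name extension body: list length, name type 0 (host_name), name length, name
    name_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(name_entry)) + name_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed filler, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites (assumed)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the host_name from a TLS ClientHello record, or None if there is none.

    Every length is bounds-checked so a truncated or non-TLS segment yields None
    instead of raising, which is the behaviour a detection path needs."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                      # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            # list length (2), name type (1), name length (2), name bytes
            ntype = edata[2]
            nlen = struct.unpack("!H", edata[3:5])[0]
            if ntype == 0 and len(edata) >= 5 + nlen:
                return edata[5:5 + nlen].decode("ascii", errors="replace")
    return None


def should_mark(payload: bytes, watchlist) -> bool:
    """Mirror of the rule's decision: tls.sni buffer, content match, nocase."""
    sni = extract_sni(payload)
    if sni is None:
        return False
    lowered = sni.lower()
    return any(domain.lower() in lowered for domain in watchlist)   # substring, like content:


def handshake_sequence(sni: str):
    """Constructed client-side view of a connection: SYN, SYN-ACK, ACK carry no TLS
    payload; the ClientHello is the first data segment, i.e. the 4th packet."""
    return [b"", b"", b"", build_client_hello(sni)]


def first_marked_packet(payloads, watchlist):
    """1-based index of the first packet the rule would mark, or None."""
    for i, payload in enumerate(payloads):
        if should_mark(payload, watchlist):
            return i + 1
    return None


if __name__ == "__main__":
    hello = build_client_hello("Example.ORG")
    print("SNI:", extract_sni(hello))
    print("mark for example.org:", should_mark(hello, ["example.org"]))
    print("first marked packet:", first_marked_packet(handshake_sequence("example.org"), ["example.org"]))
```

Two things the script makes visible: `content:` in Suricata is a substring match, so a hand-managed list like `["example.org"]` also marks `notexample.org` unless the rule is anchored (for instance with `bsize`), and the mark can only appear on the 4th packet of the connection. Because netfilter takes its NAT decision on a connection's first packet, a mark that shows up that late cannot redirect a TCP connection that conntrack has already seen, which is the timing the post observes.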