I am writing a rule for suricata for blocking urls in https. I started studying the documentation, also watch various questions on this forum.
I set up a proxy, wrote a domain blocking rule using tls.sni. Everything worked together. I went on to write a blocking rule for http by url using http.post and http.url. It also worked.
That is, I can’t write for https by url. Can you help and suggest, please? (I hope this is a solvable task).
To match inside https you’ll have to work with a tls decrypt solution and let Suricata inspect the decrypted traffic. Suricata can’t look into the encrypted traffic itself.
1 Like
Yes, I was able to set up a proxy server. I managed to block the rules with the tls protocol by domain, but there are problems with the url