I am writing a rule for suricata for blocking urls in https. I started studying the documentation, and also watched various questions on this forum.
I set up a proxy, wrote a domain blocking rule using tls.sni. Everything worked together. I went on to write a blocking rule for http by url using http.post and http.url. It also worked.
That is, I can't write for https by url. Can you help and suggest, please? (I hope this is a solvable task.)
To match inside https you’ll have to work with a tls decrypt solution and let Suricata inspect the decrypted traffic. Suricata can’t look into the encrypted traffic itself.
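To make the reply above concrete, here is an added example (not from the thread or from the Suricata project) that builds a constructed TLS ClientHello and a constructed application_data record, and shows which fields are readable on the wire: the SNI host name is in the cleartext handshake (what tls.sni matches), while the HTTP request line only becomes parseable once a decrypting proxy hands the plaintext to the IDS (what http.uri matches). The record builders, sample host and sample request are all assumptions made for the demo.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying one server_name (SNI) extension."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32         # client_version + random (zeros: demo only)
            + b"\x00"                           # empty session id
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def build_app_data(ciphertext: bytes) -> bytes:
    """Constructed application_data record: the HTTP request travels here, encrypted."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

def extract_sni(record: bytes):
    """Return the SNI host from a ClientHello record, or None when nothing is visible."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake / not a ClientHello
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                               # server_name: list len(2), type(1), len(2), host
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def http_uri_from_plaintext(request: bytes):
    """After a decrypting proxy supplies the plaintext, the request-line URI becomes matchable."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode() if len(parts) >= 3 else None

if __name__ == "__main__":
    print("wire SNI:", extract_sni(build_client_hello("example.com")))       # example.com
    print("wire URI:", extract_sni(build_app_data(b"\x8f" * 40)))            # None: opaque bytes
    print("decrypted URI:", http_uri_from_plaintext(b"GET /admin/login HTTP/1.1\r\nHost: x\r\n\r\n"))
```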
Yes, I was able to set up a proxy server. I managed to block the rules with the tls protocol by domain, but there are problems with the url.
Does anyone know how to implement this?