Apologies for what I have little doubt is a Suricata-newbie issue, but I’m trying to understand how I can control https traffic to specific domains. So to test, I have a single rule:
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"drop google"; tls.sni; dotprefix; content:".google.com"; nocase; endswith; sid:1; rev:1;)
…which should allow everything through, except a TLS handshake to *.google.com, correct? Except this doesn’t seem to work and all traffic is allowed through, including curls to www.google.com. In fact if I try dropping all tls (i.e. with a drop tls rule without tls.sni keyword) it doesn’t block either.
I’m running Suricata 5.0.6 on CentOS 8, running in inline IPS mode. I have confidence that traffic is directed correctly to the engine, because I can successfully control traffic through Suricata at the TCP or UDP level.
Any help, gratefully received.
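As an added illustration (not part of the post above, and not Suricata's own code), the following Python emulates how the `tls.sni; dotprefix; content:".google.com"; nocase; endswith;` combination from the rule decides a match, so the expected drop/pass outcome per SNI can be checked independently of the engine. The sample SNIs are constructed for the demonstration.

```python
"""Emulate the match logic of the tls.sni rule quoted in the post:
   tls.sni; dotprefix; content:".google.com"; nocase; endswith;
This is an added illustration of the keyword semantics, not Suricata code."""


def sni_rule_matches(sni: str, content: str = ".google.com",
                     dotprefix: bool = True, nocase: bool = True,
                     endswith: bool = True) -> bool:
    """Return True if the SNI buffer would match `content` under the modifiers.

    dotprefix: prepend "." to the sticky buffer, so ".google.com" with endswith
               covers both the apex "google.com" and any subdomain, while a
               look-alike such as "notgoogle.com" still does not match.
    nocase:    compare case-insensitively.
    endswith:  the content must sit at the very end of the buffer, so
               "www.google.com.evil.example" does not match.
    """
    buf = ("." + sni) if dotprefix else sni
    if nocase:
        buf, content = buf.lower(), content.lower()
    return buf.endswith(content) if endswith else content in buf


def evaluate(snis, **modifiers) -> dict:
    """Map each SNI to the action the rule would take: 'drop' or 'pass'."""
    return {s: ("drop" if sni_rule_matches(s, **modifiers) else "pass")
            for s in snis}


# Constructed sample SNIs for the demonstration; not from any real capture.
SAMPLES = ["www.google.com", "google.com", "WWW.GOOGLE.COM",
           "notgoogle.com", "www.google.com.evil.example", "example.org"]

if __name__ == "__main__":
    print("with dotprefix (the rule as written):")
    for sni, action in evaluate(SAMPLES).items():
        print(f"  {action:4}  {sni}")
    # Without dotprefix the apex domain would slip through, which is why
    # the rule carries the transform.
    print("without dotprefix:")
    for sni, action in evaluate(SAMPLES, dotprefix=False).items():
        print(f"  {action:4}  {sni}")
```

Note that this only models the content comparison; whether the drop takes effect in practice still depends on the rule being loaded and the engine actually running inline.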