- Newest
- Most votes
- Most comments
Here AWS guides to Write separate rules.
**Suricata rule **that simultaneously matches both the IP address and the SNI (Server Name Indication) within a single rule presents a complex challenge due to Suricata's inherent packet-based inspection nature. Suricata is inherently designed for analyzing individual packets and lacks native support for correlating data across multiple packets to effectively validate both IP addresses and SNI values in unison.
While Suricata isn't inherently tailored for combined IP address and SNI matching, a robust security approach can still be achieved by employing a multipart rule strategy, each rule concentrating on specific part of the traffic.
Here's how to address the concern through distinct rules for IP address and SNI checks:
**
- IP Address Match Rule:** Generate a rule that Matches traffic based on IP addresses, ensuring traffic is routed to designated IP destinations, Where you can Specify the IP Address of the Allowed domains
alert ip any any -> 172.217.31.131 any (msg:"Outbound traffic to AWS IP"; sid:100002; rev:1;)
** 2.SNI Match Rule:** Develop a rule that examines the SNI field within the TLS handshake. This rule aids in detecting traffic where the SNI deviates from the anticipated domain.
alert tls any any -> any any (msg:"Possible SNI Mismatch"; tls_sni; content:"aws.amazon.com"; nocase; sid:100001; rev:1;)
While these rules function independently, collectively, they contribute to an encompassing inspection strategy by addressing distinct IP address and SNI aspects. This approach adheres to the established practice of employing layered defense mechanisms in network security.
By utilizing multiple rules that target specific components of network traffic, you can attain a heightened level of security and acquire insights into potential threats like IP address spoofing or SNI manipulation. Although these rules do not explicitly link IP addresses and SNI values, they enhance overall network monitoring capabilities, thus contributing to a more resilient security landscape.
It's worth noting that the functionalities of Suricata may evolve over time, so it remains prudent to stay informed about the latest enhancements and best practices through official documentation and community resources.
Relevant content
- asked 9 months ago
- asked 3 years ago
- asked 3 years ago
- asked 3 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago