2 Answers
0
In order to block those connections that are directly using an IP address, you need to add a rule that inspects the SNI for IP addresses. There is one included in the examples page that you have linked:
reject tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; ssl_state:client_hello; content:"."; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; msg:"IP in TLS SNI (direct to IP, likely no DNS resolution first)"; flow:to_server; sid:1239848;)
answered 2 months ago
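Added example, not part of either answer or of the AWS documentation: a small Python emulation of what the rule above evaluates. It builds a minimal TLS ClientHello carrying one SNI extension (constructed test input; the helper names are my own), extracts the server_name the way the `tls.sni` buffer exposes it, and applies the rule's PCRE with the dot escaped, so only a literal dotted quad such as 203.0.113.7 is flagged.

```python
import re
import struct

# PCRE from the example rule; the escaped dot makes it match only "digits.digits.digits.digits".
IP_SNI_RE = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record with a single SNI extension.
    Constructed test input only; real ClientHellos carry many more extensions."""
    host = server_name.encode()
    # server_name extension body: list_len, name_type (0 = host_name), name_len, name
    sni_data = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + b"\x00" * 32          # client_version + 32-byte random
        + b"\x00"                           # session_id length 0
        + b"\x00\x02\x13\x01"               # one cipher suite
        + b"\x01\x00"                       # one compression method (null)
        + struct.pack("!H", len(ext)) + ext # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Walk a TLS record to the ClientHello extensions and return the SNI host_name, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                          # not a handshake record carrying a ClientHello
    p = 9 + 2 + 32                           # skip record header, handshake header, version, random
    p += 1 + record[p]                       # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                       # compression_methods
    if p + 2 > len(record):
        return None                          # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000:                  # server_name extension
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def sni_is_ip_literal(record):
    """Mirror the rule: a ClientHello whose SNI is a dotted-quad IP literal."""
    sni = extract_sni(record)
    return sni is not None and IP_SNI_RE.fullmatch(sni) is not None
```

Note that `[0-9]{1,3}` also accepts octets above 255, e.g. 999.999.999.999; the rule's intent is only to catch "looks like an IP, not a hostname", not to validate the address.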
-1
Hi,
I think that your rule should start with reject instead of drop.
See examples on this page: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html
Best,
Didier