I have suricata running in inline mode:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 --pidfile /run/suricata.pid
The iptables chains 'forward', 'input' and 'output' are configured as below:
iptables -L | grep NFQUEUE
NFQUEUE all -- anywhere anywhere NFQUEUE num 0
Internet access is working properly and so is suricata logging. The problem is dropping connections to a specific www site using http.host. My rule looks as shown below:
drop http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"www.wp.pl"; msg:"matching HTTP denylisted FQDNs";)
I don't know what is wrong with my rule or what other suricata setting should be enabled, but this rule is not working. Other test rules that drop connections are working well:
drop icmp any any -> 1.1.1.1 any (msg:"ICMP detected and blocked";SID:123456;rev:1;)
07/20/2023-16:29:10.706271 [Drop] [**] [1:123456:1] ICMP detected and blocked [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.4.12:8 -> 1.1.1.1:0
07/20/2023-16:31:26.426087 [Drop] [**] [1:123456:1] ICMP detected and blocked [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.4.12:8 -> 1.1.1.1:0
Does anyone have any idea what I am doing wrong?
Thank you in advance
AD
I have tried to visit the website you mentioned in the rule (www.wp.pl) and got redirected to https://www.wp.pl (notice the https).
This means that the protocol that the website works on is tls and not http, so to effectively block this website, add another rule for the tls protocol that targets the tls.sni keyword.
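As an added illustration of the point made in this answer (this is my own code, not part of the original thread and not Suricata's code): the hostname lives in a different place depending on the protocol. For plaintext HTTP it is the Host header, which Suricata exposes through the http.host buffer; for HTTPS it is the server_name (SNI) extension of the TLS ClientHello, which Suricata exposes through tls.sni. The script constructs a plaintext HTTP request and a TLS ClientHello for www.wp.pl (both constructed test inputs), extracts the hostname from each with a small hand-written parser, and reports which of the two sticky buffers would see it. The denylist, builder and parser functions are assumptions made for the example.

```python
import struct

# Constructed example denylist, matching the FQDN used in the rule from the question.
DENYLIST = {"www.wp.pl"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello carrying an SNI extension (constructed test input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x00" * 32             # random (all zeros is fine for a test vector)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # client_hello(1) + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def parse_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None if there is none."""
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 43                                   # record hdr(5) + handshake hdr(4) + version(2) + random(32)
    pos += 1 + data[pos]                       # skip session_id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len                          # skip cipher suites
    pos += 1 + data[pos]                       # skip compression methods
    if pos + 2 > len(data):
        return None                            # no extensions block at all
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0x0000 and pos + 5 <= end:
            list_pos = pos + 2                 # skip 2-byte server_name_list length
            name_type = data[list_pos]
            name_len = struct.unpack("!H", data[list_pos + 1:list_pos + 3])[0]
            if name_type == 0:
                raw = data[list_pos + 3:list_pos + 3 + name_len]
                return raw.decode("ascii", errors="replace").lower()
        pos += elen
    return None


def parse_http_host(data: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None if this is not one."""
    try:
        head = data.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return value.strip().split(":")[0].lower()   # drop an optional :port
    return None


def classify(data: bytes):
    """Return (suricata_buffer, hostname): which sticky buffer would carry this hostname."""
    host = parse_http_host(data)
    if host is not None:
        return "http.host", host
    sni = parse_sni(data)
    if sni is not None:
        return "tls.sni", sni
    return None, None


def denylisted(data: bytes) -> bool:
    """True when the hostname seen in either buffer is on the denylist."""
    return classify(data)[1] in DENYLIST


# Constructed test inputs: one plaintext request and one TLS handshake for the same site.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.wp.pl\r\nUser-Agent: test\r\n\r\n"
TLS_HELLO = build_client_hello("www.wp.pl")

if __name__ == "__main__":
    for label, pkt in (("HTTP", HTTP_REQUEST), ("TLS", TLS_HELLO)):
        buf, name = classify(pkt)
        print(f"{label}: hostname {name!r} visible via {buf}, denylisted={denylisted(pkt)}")
```

Running it shows the HTTP request matching through http.host and the ClientHello matching only through tls.sni, which is why a rule written on http.host alone never fires once the browser is redirected to https. The TLS rule the answer suggests has the same shape as the original one, with the protocol and buffer swapped: drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.wp.pl"; msg:"matching TLS denylisted SNI"; sid:<placeholder>; rev:1;). Note that every Suricata rule needs a sid to load at all; the http.host rule in the question has none, so it is worth checking suricata's startup log for a rule-parse error as well.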