Tags: ubuntu, suricata, ips

Suricata inline mode (netfilterqueue) problem with dropping by http.host


I have Suricata running in inline mode:

 /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 --pidfile /run/suricata.pid

Iptables configuration: the 'forward', 'input' and 'output' chains are configured as below:

iptables -L | grep NFQUEUE
NFQUEUE    all  --  anywhere             anywhere             NFQUEUE num 0

Internet access is working properly, and so is Suricata logging. The problem is dropping connections to a specific www site using http.host. My rule looks as shown below:

# sid/rev added here (constructed value): Suricata refuses to load a signature that has no sid
drop http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"www.wp.pl"; msg:"matching HTTP denylisted FQDNs"; sid:1000001; rev:1;)

I don't know what is wrong with my rule or what other Suricata setting should be enabled, but this rule is not working. Other test rules that drop connections are working well:

drop icmp any any -> 1.1.1.1 any (msg:"ICMP detected and blocked"; sid:123456; rev:1;)

07/20/2023-16:29:10.706271  [Drop] [**] [1:123456:1] ICMP detected and blocked [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.4.12:8 -> 1.1.1.1:0
07/20/2023-16:31:26.426087  [Drop] [**] [1:123456:1] ICMP detected and blocked [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.4.12:8 -> 1.1.1.1:0

Does anyone have any idea what I am doing wrong?

Thank you in advance

AD


Solution

  • I have tried to visit the website you mentioned in the rule (www.wp.pl) and got redirected to https://www.wp.pl (notice the https).

    This means that the protocol that the website works on is tls and not http, so to effectively block this website, add another rule for the tls protocol that targets the tls.sni keyword.
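A rules file that puts the answer above into practice, as an added example and not part of the original question or answer: the original http.host rule kept beside a tls.sni rule for the same site. The sid values and the rules file path are constructed for this example; the dotprefix/endswith form is the documented Suricata way to cover the bare domain and its subdomains at once, so it goes a step beyond the single hostname in the question.

```suricata
# /etc/suricata/rules/local.rules  (path assumed for this example)
# Plain HTTP: the Host header is in the clear, so http.host works.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"matching HTTP denylisted FQDNs"; http.host; content:"www.wp.pl"; sid:1000001; rev:1;)

# HTTPS: the Host header is encrypted, but the TLS ClientHello still carries
# the server name in the clear (SNI), so match on tls.sni instead.
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"matching TLS denylisted FQDNs"; tls.sni; content:"www.wp.pl"; sid:1000002; rev:1;)

# Optional, broader variant: dotprefix puts a leading "." in front of the SNI
# buffer, and endswith anchors the match, so ".wp.pl" covers wp.pl and every
# subdomain (www.wp.pl, poczta.wp.pl, ...) without matching e.g. notwp.pl.
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"matching TLS denylisted domain and subdomains"; tls.sni; dotprefix; content:".wp.pl"; endswith; sid:1000003; rev:1;)
```

Check that the file loads before relying on it: `suricata -T -c /etc/suricata/suricata.yaml -S /etc/suricata/rules/local.rules` parses the rules in test mode and reports any signature that fails to load. When the TLS rule fires in inline mode you should see a `[Drop]` line with `{TCP}` and port 443 in fast.log, matching the format of the ICMP entries shown in the question.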