Snort/Suricata Rules Syntax to match on outbound traffic firewall Tag?
-
Can I write a custom rule that will only look for a signature on traffic that has been tagged by a firewall rule?
i.e.,
drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS (msg:"Unintended usage in passed traffic"; content-tag:"WHITELIST_FILTER"; classtype:policy-violation; sid:9013; rev:1;)
I just made content-tag:"WHITELIST_FILTER" up because I don't know the proper syntax for it.
But the idea is that once the Source & Destination IP & Port have been matched, the rule searches for a tag (i.e., "WHITELIST_FILTER") placed on the traffic by a Firewall Rule, in addition to other parameters, and if everything matches the traffic is dropped.
My understanding of this is that this could work on outbound traffic only as the traffic would go from CLIENT > FIREWALL (gets tagged) > IPS (gets inspected) > (if no match) GATEWAY.
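To see why the engine would reject the rule as written, it helps to parse it the way Snort or Suricata does: a header (action, protocol, source/port, direction, destination/port) followed by a semicolon-separated option list in parentheses, where every option keyword must be one the engine knows. The script below is an added example written for this thread, not code from the original post or from either project; it takes the rule quoted above as its input and flags any keyword that is not in a small, illustrative allow-list of real Snort/Suricata option keywords (the list is an assumption and is deliberately incomplete; extend it from the engine's own documentation). The hypothetical "content-tag" keyword is reported as unknown, which is the first thing either engine would complain about at startup. The underlying caveat for the question itself is that a firewall rule's tag is kernel-side packet metadata, not bytes in the packet, so no content-matching keyword can see it; the IDS only inspects what is on the wire.

```python
import re

# Illustrative subset of option keywords accepted by both Snort 2.x and Suricata.
# Assumption: this list is for demonstration only and is not exhaustive.
KNOWN_OPTIONS = {
    "msg", "content", "nocase", "depth", "offset", "distance", "within",
    "pcre", "flow", "flowbits", "reference", "classtype", "sid", "rev",
    "priority", "metadata", "threshold", "ttl", "dsize", "flags",
}

# Keywords every rule must carry for Suricata to load it (Snort warns without sid).
REQUIRED_OPTIONS = ("msg", "sid", "rev")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> list:
    """Split the option body on ';' while honouring quoted strings and backslash escapes."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule: str) -> dict:
    """Parse one rule into header fields, (keyword, value) options and lint findings."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort/Suricata rule: header did not parse")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for raw in split_options(m.group("opts")):
        keyword, sep, value = raw.partition(":")
        keyword = keyword.strip()
        value = value.strip().strip('"') if sep else None  # flag-style options carry no value
        options.append((keyword, value))
    present = {kw for kw, _ in options}
    return {
        "header": header,
        "options": options,
        "unknown_options": [kw for kw, _ in options if kw not in KNOWN_OPTIONS],
        "missing_required": [kw for kw in REQUIRED_OPTIONS if kw not in present],
    }


# The rule exactly as posted in the question above.
PAGE_RULE = (
    'drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS '
    '(msg:"Unintended usage in passed traffic"; content-tag:"WHITELIST_FILTER"; '
    'classtype:policy-violation; sid:9013; rev:1;)'
)

# Constructed variant: the same header with the invented keyword replaced by a real
# flow option, so it loads cleanly (it still cannot see any firewall tag).
LOADABLE_RULE = (
    'drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS '
    '(msg:"Unintended usage in passed traffic"; flow:to_server,established; '
    'classtype:policy-violation; sid:9013; rev:1;)'
)

if __name__ == "__main__":
    for label, rule in (("posted", PAGE_RULE), ("constructed", LOADABLE_RULE)):
        result = parse_rule(rule)
        print(label, "header:", result["header"])
        print(label, "unknown keywords:", result["unknown_options"])
        print(label, "missing required:", result["missing_required"])
```

Running the script reports content-tag as the single unknown keyword in the posted rule and nothing unknown in the constructed variant; the parser is a lint aid only and does not evaluate the rule against traffic.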
-
It might work. You correctly showed the path of outbound traffic (the IDS/IPS sees it last on the way out of the NIC). So the tagging could only work on outbound traffic. Never tested it myself. As for the syntax, you will have to research that. I am not a rule writing expert. I do know there are a number of option keywords for inspecting traffic. Give it a whirl and post back the results for others' benefit.
Bill
-
Thanks Bill, I found some documentation and am looking through it.
I'll probably screw it up but I'll report what I find.