    Snort/Suricata Rules Syntax to match on outbound traffic firewall Tag?

    IDS/IPS
    3 Posts 2 Posters 1.2k Views
    • pfBasic

      Can I write a custom rule that will only look for a signature on traffic that has been tagged by a firewall rule?

      i.e.,

      drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS (msg:"Unintended usage in passed traffic"; content-tag:"WHITELIST_FILTER"; classtype:policy-violation; sid:9013; rev:1;)

      I just made content-tag:"WHITELIST_FILTER" up because I don't know the proper syntax for it.

      But the idea is once the Source & Destination IP & Port have been matched, that the rule search for a tag (i.e., "WHITELIST_FILTER") placed on the traffic by a Firewall Rule in addition to other parameters and if everything matches the traffic is dropped.

      My understanding of this is that this could work on outbound traffic only as the traffic would go from CLIENT > FIREWALL (gets tagged) > IPS (gets inspected) > (if no match) GATEWAY.

      • bmeeks

        @pfBasic:

        Can I write a custom rule that will only look for a signature on traffic that has been tagged by a firewall rule?

        i.e.,

        drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS (msg:"Unintended usage in passed traffic"; content-tag:"WHITELIST_FILTER"; classtype:policy-violation; sid:9013; rev:1;)

        I just made content-tag:"WHITELIST_FILTER" up because I don't know the proper syntax for it?

        But the idea is once the Source & Destination IP & Port have been matched, that the rule search for a tag (i.e., "WHITELIST_FILTER") placed on the traffic by a Firewall Rule in addition to other parameters and if everything matches the traffic is dropped.

        My understanding of this is that this could work on outbound traffic only as the traffic would go from CLIENT > FIREWALL (gets tagged) > IPS (gets inspected) > (if no match) GATEWAY.

        It might work.  You correctly showed the path of outbound traffic (the IDS/IPS sees it last on the way out of the NIC).  So the tagging could only work on outbound traffic.  Never tested it myself.  As for the syntax, you will have to research that.  I am not a rule writing expert.  I do know there are a number of option keywords for inspecting traffic.  Give it a whirl and post back the results for others' benefit.

        Bill

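An added note and example from the editor, not part of either post and not code from Snort, Suricata or pfSense. A pf `tag` is a mark the kernel attaches to the packet's mbuf as it passes the firewall; it is never written into the packet bytes, so an IDS that reads raw packets from the interface (as Snort and Suricata do) has nothing to test, and no rule option keyword can check it. What a rule can select on is already in the header (source host, destination network, ports), and the closest thing the IDS has to a firewall tag is a flowbit: one rule sets it on a flow, another rule requires it. The script below is a small rule linter written for this thread: it parses the header and option list of a Snort/Suricata rule, reports option keywords outside a known subset (the real keyword lists are longer), and checks that any `flowbits:isset` has a setter somewhere in the set. The rule from the post is fed in unchanged; the two rewritten rules, the `curl/` payload match and sid 9012 are constructed placeholders.

```python
"""Lint Snort/Suricata rule text: parse header + options, flag option keywords
that do not exist, and check flowbits consistency across a rule set.
Constructed example; not code from the thread or from Snort/Suricata."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of option keywords that exist in both Snort 2.9 and Suricata syntax.
# The real lists are larger; anything outside this set is reported as unknown.
KNOWN_KEYWORDS = {
    "msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata",
    "content", "nocase", "depth", "offset", "distance", "within", "fast_pattern",
    "pcre", "flow", "flowbits", "flowint", "tag", "threshold", "dsize",
    "http_header", "http_uri", "http_method", "http_client_body",
}

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject|log)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]]  # (keyword, value) in rule order

def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'kw:val; kw; ...' on ';' outside double quotes, honouring '\\;' escapes."""
    items, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):          # escaped char: keep both bytes
            cur.extend((c, body[i + 1])); i += 2; continue
        if c == '"':
            in_quotes = not in_quotes
        if c == ";" and not in_quotes:
            items.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    parsed = []
    for item in items:
        if item:
            kw, sep, val = item.partition(":")   # only the first ':' separates keyword from value
            parsed.append((kw.strip(), val.strip() if sep else None))
    return parsed

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a rule header: {text!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))

def unknown_keywords(rule: Rule) -> List[str]:
    return [kw for kw, _ in rule.options if kw not in KNOWN_KEYWORDS]

def flowbits_ops(rule: Rule) -> List[Tuple[str, Optional[str]]]:
    """(operation, bit name) for each flowbits option, e.g. ('isset', 'x')."""
    ops = []
    for kw, val in rule.options:
        if kw == "flowbits" and val:
            parts = [p.strip() for p in val.split(",")]
            ops.append((parts[0], parts[1] if len(parts) > 1 else None))
    return ops

def check_ruleset(rule_texts: List[str]) -> List[str]:
    """Problems that would make the set fail to load or a rule never fire."""
    rules = [parse_rule(t) for t in rule_texts]
    setters = {name for r in rules for op, name in flowbits_ops(r) if op in ("set", "toggle")}
    problems = []
    for r in rules:
        sid = dict(r.options).get("sid")
        for kw in unknown_keywords(r):
            problems.append(f"sid {sid}: unknown keyword {kw!r}")
        for op, name in flowbits_ops(r):
            if op in ("isset", "isnotset") and name not in setters:
                problems.append(f"sid {sid}: flowbit {name!r} tested but never set")
    return problems

# The rule from the post, with the invented content-tag keyword.
ORIGINAL_RULE = ('drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS '
                 '(msg:"Unintended usage in passed traffic"; content-tag:"WHITELIST_FILTER"; '
                 'classtype:policy-violation; sid:9013; rev:1;)')

# Same intent expressed with what the IDS can see: the header selects the
# whitelisted host/ports, a marker rule sets a flowbit on that flow, and the
# drop rule requires the flowbit plus a payload match. 'curl/' is a constructed
# placeholder signature; sid 9012 is assumed free.
MARKER_RULE = ('alert http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS '
               '(msg:"whitelisted flow marker"; flow:established,to_server; '
               'flowbits:set,whitelist.filter; flowbits:noalert; sid:9012; rev:1;)')
DROP_RULE = ('drop http 192.168.1.100 any -> $EXTERNAL_NET $PASS_PORTS '
             '(msg:"Unintended usage in passed traffic"; flow:established,to_server; '
             'flowbits:isset,whitelist.filter; content:"curl/"; nocase; '
             'classtype:policy-violation; sid:9013; rev:2;)')

if __name__ == "__main__":
    print("original  :", check_ruleset([ORIGINAL_RULE]))
    print("rewrite   :", check_ruleset([MARKER_RULE, DROP_RULE]) or "ok")
    print("drop alone:", check_ruleset([DROP_RULE]))
```

Run stand-alone it reports the unknown `content-tag` keyword for the original rule, a clean result for the marker/drop pair, and a dangling flowbit when the drop rule is loaded without its marker. The flowbit is what replaces the firewall tag: the only thing it records is that the IDS itself already saw a packet of that flow match the whitelisted header, which is the same condition the pf rule was tagging on.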
        • pfBasic

          Thanks Bill, I found some documentation and am looking through it.

          I'll probably screw it up but I'll report what I find.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.