Netgate Discussion Forum

    Suricata / Drop rule

    IDS/IPS
    7 Posts 3 Posters 9.5k Views
      TEP71

      I am trying to block some websites by using a custom rule on my LAN interface. Here is a rule I am using to test with:

      drop ip any any -> any any (msg:"Drop Domain - www.facebook.com"; content:"GET"; http_method; content:"facebook"; http_uri; classtype:policy-violation; sid:4002010; rev:10;)

      Following all the things I have read and looking at some of the rules written by ET or PP, this looks like it should do the trick. It may not be the most efficient method but it should work. Unfortunately, it is not working in the slightest bit. Am I going about this completely wrong? The drop rules I have written based off of IPRep work just fine in my custom rules if that helps to know or not.

      I would appreciate anyone's point of view here so that I can continue learning how to use an IDS effectively or to my needs. Thanks.

        bmeeks

        Facebook traffic is typically HTTPS (encrypted), so when Suricata sees the packets the payload is encrypted and thus your content string of "facebook" will never match.  The packet is only decrypted in the client's browser and not in the firewall where Suricata lives.  Now this all assumes you have not put a MITM setup in place with pfSense getting a look at the un-encrypted traffic.

        Bill

          TEP71

          I had a feeling that was the issue. So with HTTPS-enabled sites, it comes down to blocking by known IP/IP ranges. Or is there another method to achieve what I am looking for that I haven't stumbled upon as of yet? After looking at some packets in Wireshark, I am not seeing anything that I could key off of, but I am on new territory learning how to use an IDS. Thanks again for your time. It is appreciated.

          –Thom

            bmeeks

            That's the whole idea behind encryption – the data is "invisible" and undecipherable to prying eyes.  So you can't use content matching like you might on the old HTTP sites.

            Snort has the OpenAppID detectors which do some Layer 7 inspection and can have very limited success with HTTPS sites by snooping on the very first part of the initial SSL cert setup.  Suricata currently does not provide an OpenAppID equivalent yet.

            By and large what you are trying to do can't be done well.  Success will be spotty and basically is not worth the effort in my view.  Blocking by IP is also a problem because the large and popular sites have a plethora of IP address pools where content might be served from.  So you wind up having to block pretty much most of the world's IP addresses, so then where are you?

            The only solution is a man-in-the-middle setup, but most of us admin types consider that "evil" as it breaks the whole concept of privacy.  You can research man-in-the-middle (MITM) to see what I am talking about.  It requires custom SSL certs on each client in your network such that the clients trust some proxy.  That proxy makes the HTTPS connection on behalf of your clients, and so while the data is traversing the proxy it is in the clear and can be inspected.

            Bill

              fsansfil

              You can use dns and tls keywords; here are some generic examples:

              drop dns any any -> any any (msg:"DNS Facebook"; content:"facebook"; classtype:policy-violation; sid:39398144; rev:1;)
              drop tls any any -> any any (msg:"SSL Facebook"; tls.subject:"facebook"; classtype:policy-violation; sid:39398145; rev:1;)

              For more specific keywords, check Suricata Wiki
              https://redmine.openinfosecfoundation.org/projects/suricata/wiki

              F.
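The two points made in this thread, that an http_uri content match can never see inside HTTPS (Bill's reply) and that the DNS query name and the TLS handshake still carry the hostname in cleartext (fsansfil's dns/tls rules), are illustrated by the following added example. It is not code from either poster or from the Suricata project. It constructs three packets for www.facebook.com inline (a DNS query, a TLS ClientHello with an SNI extension, and a TLS application-data record wrapping an HTTP GET) and reduces each rule to the substring check it performs on the extracted field. The transaction id, cipher suite and zeroed client random are illustrative, and the SHA-256 XOR keystream is a stand-in for real TLS record encryption.

```python
"""Added example (not from the forum): what Suricata can and cannot match
for an HTTPS site. Packets and the XOR 'encryption' are constructed here."""
import hashlib
import struct

HOST = "www.facebook.com"   # illustrative target from the thread


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 query for an A record; QNAME is a run of length-prefixed labels."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(pkt: bytes) -> str:
    """Return the first question name (queries carry no label compression)."""
    i, labels = 12, []
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with a server_name extension (RFC 6066)."""
    host = sni.encode()
    server_name_list = struct.pack("!BH", 0, len(host)) + host   # name_type=host_name
    ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    ext = struct.pack("!HH", 0x0000, len(ext_body)) + ext_body   # type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeros here)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one illustrative cipher suite
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_tls_sni(rec: bytes):
    """Walk a ClientHello record and return the SNI host name, or None if absent."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        return None
    i = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    i += 1 + rec[i]                                     # session_id
    i += 2 + struct.unpack("!H", rec[i:i + 2])[0]       # cipher_suites
    i += 1 + rec[i]                                     # compression_methods
    end = i + 2 + struct.unpack("!H", rec[i:i + 2])[0]  # end of extensions block
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[i:i + 4])
        i += 4
        if etype == 0x0000:                             # list_len(2), name_type(1), host_len(2)
            hlen = struct.unpack("!H", rec[i + 3:i + 5])[0]
            return rec[i + 5:i + 5 + hlen].decode()
        i += elen
    return None


def build_encrypted_app_data(http_request: bytes) -> bytes:
    """TLS application_data record; a SHA-256 XOR keystream stands in for AES-GCM."""
    stream, counter = b"", 0
    while len(stream) < len(http_request):
        stream += hashlib.sha256(b"demo-key" + counter.to_bytes(4, "big")).digest()
        counter += 1
    ciphertext = bytes(p ^ k for p, k in zip(http_request, stream))
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


# Each rule from the thread, reduced to the check it performs on the extracted field.
def http_uri_rule_matches(pkt: bytes) -> bool:
    """The original rule needs 'GET' and 'facebook' in cleartext HTTP; over TLS it never will."""
    return b"GET" in pkt and b"facebook" in pkt


def dns_rule_matches(pkt: bytes, needle: str = "facebook") -> bool:
    return needle in parse_dns_qname(pkt)


def tls_rule_matches(rec: bytes, needle: str = "facebook") -> bool:
    sni = parse_tls_sni(rec)
    return sni is not None and needle in sni


def run_demo() -> dict:
    dns_pkt = build_dns_query(HOST)
    hello = build_client_hello(HOST)
    app = build_encrypted_app_data(b"GET /facebook HTTP/1.1\r\nHost: " + HOST.encode() + b"\r\n\r\n")
    return {
        "dns_qname": parse_dns_qname(dns_pkt),
        "tls_sni": parse_tls_sni(hello),
        "dns_rule": dns_rule_matches(dns_pkt),
        "tls_rule": tls_rule_matches(hello),
        "http_uri_rule_on_https": http_uri_rule_matches(app),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:24} {value}")
```

Two caveats a practitioner would want alongside fsansfil's rules: the tls.subject keyword reads the server certificate, which is sent in the clear only in TLS 1.2 and earlier (TLS 1.3 encrypts the Certificate message), so the ClientHello SNI is the more durable handshake field to key on; and the dns rule only helps when the clients' resolver traffic actually crosses the interface Suricata inspects, which DNS over HTTPS in the browser bypasses.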

                bmeeks

                @fsansfil: You can use dns and tls keywords; here are some generic examples [...]

                Thanks @fsansfil!  I had not thought about those options.  The OP may find this other way will work to some extent.

                Bill

                  TEP71

                  Bill, thank you for the additional information. It is helping my understanding click together. I am not interested in MITM attacks. I just want to shut down certain things not eavesdrop.

                  fsansfil, thank you for showing a way to achieve what I was looking for. There is so much to Suricata to take in. As with anything, time and experience are what is needed, along with some outside help.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.