<div dir="ltr">Andreas,<div><br></div><div>Thanks, I actually found a good way to perform similar functionality to the ipreputation engine using Lua scripting and HTTP headers:</div><div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a><br></div><div><br></div><div>As for HTTPS, I was able to use the "tls.subject" keyword. Still struggling to get that to work with Lua scripting, but it works when tls.subject is referenced within the Suricata rule itself.</div><div><br></div><div>Thanks again for your reply!</div><div><br></div><div>Regards,</div><div>Nasir</div><div><br><br><div class="gmail_quote"><div dir="ltr">On Sun, Jan 3, 2016 at 12:00 PM <<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org">oisf-users-request@lists.openinfosecfoundation.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Oisf-users mailing list submissions to<br>
        <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
        <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
        <a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a><br>
<br>
You can reach the person managing the list at<br>
        <a href="mailto:oisf-users-owner@lists.openinfosecfoundation.org" target="_blank">oisf-users-owner@lists.openinfosecfoundation.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Oisf-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
   1. Re: Two Suricata Rule Questions (Andreas Herz)<br>
   2. SonicWall Global VPN Client Incompatible with Suricata<br>
      Follow-up (Leonard Jacobs)<br>
   3. Re: Rule Processing Order Issue (Özkan KIRIK)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 2 Jan 2016 20:12:43 +0100<br>
From: Andreas Herz <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>><br>
To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Two Suricata Rule Questions<br>
Message-ID: <20160102191243.GC29003@kvmbude><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 24/12/15 at 17:12, Nasir Bilal wrote:<br>
> I have a couple of questions about Suricata/Snort rules:<br>
> 1) Is there a way to reference a list of strings in a Suricata rule,<br>
> similar to the ipreputation engine and the way it references external text<br>
> files full of IPs? We're looking at using Suricata for URL filtering.<br>
<br>
Could you describe this a little more?<br>
But I guess if you want to have the same way iprep works, that's a<br>
feature request.<br>
<br>
> 2) Similar to the first question, is there a way to read specifically from<br>
> the SSL Server Certificate fields in the SSL/TLS handshake during HTTPS<br>
> session initiation? We'd like to perform URL filtering on HTTPS traffic<br>
> without SSL decrypt, and I know that many vendors do this by reading the<br>
> fields of the SSL server certificates.<br>
<br>
AFAIK that also depends on how the SSL/TLS is configured, with SNI you<br>
could already check the SNI for the URL.<br>
<br>
There are also TLS keywords:<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords</a><br>
<br>
--<br>
Andreas Herz<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 2 Jan 2016 14:16:26 -0600<br>
From: Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>><br>
To: Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>,<br>
        <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Subject: [Oisf-users] SonicWall Global VPN Client Incompatible with<br>
        Suricata        Follow-up<br>
Message-ID: <66620115-11604@mail1.netsecuris.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
We tried running the latest version of SonicWALL's Global VPN Client with no signature rules running on Suricata and get the same results.  VPN Phase 1 ISAKMP requests do not complete.<br>
<br>
<br>
Any other ideas?  SonicWALL refuses to help.  It works fine with a way older version of the VPN Client.<br>
<br>
<br>
<br>
Thanks.<br>
<br>
Leonard<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160102/8292ae66/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160102/8292ae66/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Sun, 3 Jan 2016 00:01:31 +0200<br>
From: Özkan KIRIK <<a href="mailto:ozkan.kirik@gmail.com" target="_blank">ozkan.kirik@gmail.com</a>><br>
To: Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>><br>
Cc: "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>"<br>
        <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>
Subject: Re: [Oisf-users] Rule Processing Order Issue<br>
Message-ID:<br>
        <CAAcX-AGmQGODS+T5Poqmj1PNxeUNnnMVgNCtp4wUbUrE3CS6kA@mail.gmail.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Thank you Peter,<br>
<br>
But this configuration doesn't disable ordering. If the drop action is processed<br>
first, all packets to userGroup-25 will be dropped. If the pass action is<br>
processed first, the drop rule for Others will not be processed. So I need to<br>
disable rule ordering.<br>
Is there a way to disable rule ordering?<br>
<br>
Thanks again.<br>
<br>
On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br>
<br>
> On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <<a href="mailto:ozkan.kirik@gmail.com" target="_blank">ozkan.kirik@gmail.com</a>> wrote:<br>
> > Hi,<br>
> ><br>
> > Happy new year to everybody,<br>
> ><br>
> > I have trouble with the Suricata rule processing order. I'm trying to apply<br>
> > different policies to different users. My rules are as below. But<br>
> > Suricata<br>
> > processes pass first, drop second. So the last rule "pass any.."<br>
> > allows everybody.<br>
> ><br>
> > Can Suricata run my rules as I wrote them, without reordering?<br>
><br>
> You also have some default ordering that can be further configured in<br>
> suricata.yaml -<br>
><br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032</a><br>
><br>
><br>
> ><br>
> > Thanks<br>
> ><br>
> > # Ruleset for userGroup-25<br>
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>
> > tls.subject:"example.com"; sid:3230002; rev:1;)<br>
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>
> > tls.subject:"example.net"; sid:3230004; rev:1;)<br>
> > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For<br>
> > userGroup-25";<br>
> > sid:3230010; rev:1;)<br>
> ><br>
> > ...<br>
> > #Rules for other userGroups<br>
> > ...<br>
> ><br>
> > # Ruleset for Others<br>
> > drop tls any any -> any any (msg:"SSL Cert Denied";<br>
> > tls.subject:"example1.com"; sid:3230007; rev:1;)<br>
> > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)<br>
> ><br>
> > _______________________________________________<br>
> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> > List:<br>
> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > Suricata User Conference November 4 & 5 in Barcelona:<br>
> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
><br>
><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160103/44ff41aa/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160103/44ff41aa/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@lists.openinfosecfoundation.org" target="_blank">Oisf-users@lists.openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Oisf-users Digest, Vol 74, Issue 2<br>
*****************************************<br>
</blockquote></div></div></div>
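<div><br></div><div>For the approach Nasir describes at the top of this page (an external list of strings checked from a Lua script, standing in for the iprep file lookup) and for the certificate-subject question in Message 1: the script below is an added example, not code from this thread or from the Suricata project. It assumes a Suricata build with Lua support whose Lua API provides TlsGetCertInfo() (check the Lua_scripting wiki page for your version), a one-domain-per-line list file at a path that is made up here, and a rule that references the script with the lua keyword (spelled luajit on older builds).</div><div><br></div>
```lua
-- Added example, not code from the thread or the Suricata project: a Suricata
-- Lua match script that checks the TLS server certificate subject against a
-- list of domains kept in an external file. Assumptions: a Suricata build with
-- Lua support whose Lua API offers TlsGetCertInfo(), and the list path below,
-- which is made up.
--
-- Rule that calls it (older builds spell the keyword "luajit" instead of "lua"):
--   drop tls any any -> any any (msg:"TLS cert subject on blocklist"; \
--       lua:tls_subject_list.lua; sid:1000001; rev:1;)

local LIST_PATH = "/etc/suricata/rules/blocked-domains.txt"   -- assumed path
local blocked = {}                                            -- domain -> true

-- One domain per line; blank lines and '#' comments are ignored. Returns the
-- number of entries loaded. With a missing file the list stays empty and the
-- script never matches, which is the safe failure mode for a drop rule.
local function load_list(path)
    local f = io.open(path, "r")
    if not f then return 0 end
    local count = 0
    for line in f:lines() do
        local d = line:gsub("^%s+", ""):gsub("%s+$", ""):lower()
        if d ~= "" and d:sub(1, 1) ~= "#" then
            blocked[d] = true
            count = count + 1
        end
    end
    f:close()
    return count
end

-- CN from a subject such as "C=US, ST=CA, O=Example Inc, CN=www.example.com".
local function subject_cn(subject)
    local cn = subject:match("CN=([^,/]+)")
    if not cn then return nil end
    return (cn:gsub("^%s+", ""):gsub("%s+$", ""):lower())
end

-- True if the name or any parent domain is listed, so a list entry of
-- "example.com" also covers "www.example.com" and "cdn.www.example.com".
local function listed(name)
    local n = name
    while n and n ~= "" do
        if blocked[n] then return true end
        n = n:match("^[^.]+%.(.+)$")
    end
    return false
end

-- The file is read once, when Suricata loads this script into a Lua state.
load_list(LIST_PATH)

-- Suricata entry points: init() declares which data the script needs and
-- match() is called when the rule is evaluated against the flow's TLS state;
-- it returns 1 on a hit and 0 otherwise.
function init(args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    if subject == nil then
        return 0        -- no server certificate parsed on this flow yet
    end
    local cn = subject_cn(subject)
    if cn and listed(cn) then
        return 1
    end
    return 0
end
```
<div>The Host-header variant that Nasir got working differs only in the two Suricata calls: init() asks for needs["http.request_headers"] instead of needs["tls"], and match() feeds the value of HttpGetRequestHost() to listed() instead of the CN taken from TlsGetCertInfo(). Two caveats: TlsGetCertInfo() exposes the subject but not the subjectAltName list, so a certificate that carries a domain only in its SANs slips past a CN check, which is why the SNI Andreas mentions (later releases have a tls.sni keyword for it) is the better handle where the client sends it; and newer Suricata releases sandbox the Lua libraries available to rule scripts, so io.open() may need to be explicitly allowed on a current version.</div>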
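<div><br></div><div>On the rule-ordering thread in Message 3: Suricata sorts loaded signatures by action (the action-order setting in the suricata.yaml Peter links to, pass, drop, reject, alert by default), and a rule's position in the file only breaks ties within one action, so a pass rule that matches every TCP packet wins over every drop rule wherever it is written. The Lua below is an added model of that behaviour, not Suricata code: it parses the rules exactly as posted, runs constructed packets through them, then repeats the run without the catch-all "Default Pass" rule. The address-group name "sales", the certificate subjects on the packets and the "default forward" shown for unmatched traffic (Suricata's IPS default) are assumptions of the model.</div><div><br></div>
```lua
-- Added example, not from the thread or from Suricata itself: a model of how
-- Suricata orders signatures by action before matching. It models only
-- "sort by action, first match wins"; flow state, the priority keyword and
-- real IP/port matching are left out. Packet group names are made up.

-- Default action-order from suricata.yaml: pass, drop, reject, alert.
local ACTION_ORDER = { pass = 1, drop = 2, reject = 3, alert = 4 }

-- Pull the fields the model needs out of one rule line.
local function parse_rule(line)
    local action, proto, dst =
        line:match("^(%a+)%s+(%a+)%s+%S+%s+%S+%s+%->%s+(%S+)%s+%S+%s+%(")
    assert(action, "cannot parse rule: " .. line)
    return { action = action, proto = proto, dst = dst,       -- dst: "any", "$group" or "!$group"
             subject = line:match('tls%.subject:"([^"]+)"'), -- nil when the rule has none
             sid = tonumber(line:match("sid:(%d+)")), msg = line:match('msg:"([^"]+)"') }
end

local function parse_ruleset(text)
    local rules = {}
    for line in text:gmatch("[^\n]+") do rules[#rules + 1] = parse_rule(line) end
    return rules
end

local function dst_matches(rule_dst, group)
    if rule_dst == "any" then return true end
    local negate, var = rule_dst:match("^(!?)%$(.+)$")
    local hit = (var == group)
    if negate == "!" then hit = not hit end
    return hit
end

-- pkt = { group = client's address group, app = app-layer protocol, subject = cert subject }
local function rule_matches(rule, pkt)
    if rule.proto ~= "tcp" and rule.proto ~= pkt.app then return false end -- tcp rules see TLS too
    if not dst_matches(rule.dst, pkt.group) then return false end
    if rule.subject then
        return pkt.subject ~= nil and pkt.subject:find(rule.subject, 1, true) ~= nil
    end
    return true
end

-- Order by action; file order only breaks ties within the same action.
local function ordered(rules)
    local copy = {}
    for i, r in ipairs(rules) do r.file_pos = i; copy[i] = r end
    table.sort(copy, function(a, b)
        local oa, ob = ACTION_ORDER[a.action], ACTION_ORDER[b.action]
        if oa ~= ob then return oa < ob end
        return a.file_pos < b.file_pos
    end)
    return copy
end

-- First matching rule in action order wins. nil means no rule matched, and
-- Suricata then applies its default, which in IPS mode is to forward.
local function verdict(rules, pkt)
    for _, r in ipairs(ordered(rules)) do
        if rule_matches(r, pkt) then return r end
    end
    return nil
end

-- Suricata rejects a second rule with an already-used sid at load time.
local function duplicate_sids(rules)
    local seen, dups = {}, {}
    for _, r in ipairs(rules) do
        if seen[r.sid] then dups[#dups + 1] = tostring(r.sid) end
        seen[r.sid] = true
    end
    return dups
end

-- The rules as posted in the thread.
local posted = parse_ruleset([[
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
]])
-- Same rules without the catch-all "Default Pass": a pass that matches every
-- packet beats every drop, and unmatched traffic is forwarded anyway.
local corrected = { posted[1], posted[2], posted[3], posted[4] }

-- Constructed traffic: server certificates arriving at clients in two groups.
local packets = {
    { name = "userGroup-25 <- cert example1.com", group = "userGroup-25", app = "tls", subject = "CN=example1.com" },
    { name = "userGroup-25 <- cert example.com",  group = "userGroup-25", app = "tls", subject = "CN=www.example.com" },
    { name = "others <- cert example1.com",       group = "sales",        app = "tls", subject = "CN=example1.com" },
}
for _, set in ipairs({ { "posted", posted }, { "corrected", corrected } }) do
    print(set[1] .. " (duplicate sids: " .. table.concat(duplicate_sids(set[2]), ",") .. ")")
    for _, pkt in ipairs(packets) do
        local r = verdict(set[2], pkt)
        print(string.format("  %-36s %s", pkt.name, r and (r.action .. " by " .. r.msg) or "no match, default forward"))
    end
end
```
<div>Run it with a plain interpreter (lua model.lua). With the posted set every packet ends in "Default Pass" except a userGroup-25 client receiving a certificate for example.com or example.net, whatever order the file uses; with the catch-all removed, userGroup-25 traffic reaches the drop rule and other clients are dropped only for example1.com, which is the policy the thread describes. Two further checks the model surfaces: the posted set carries sid:3230010 twice, which Suricata reports as a duplicate signature at load time, so one of those two rules is never active; and a packet-level drop tcp default rule matches the server's first packet back to the client, before any certificate exists for the pass tls exceptions to see, so the exception mechanism has to work at flow level rather than per packet, a problem separate from ordering.</div>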