[Oisf-users] Two Suricata Rule Questions

Andreas Herz andi at geekosphere.org
Sat Jan 2 19:12:43 UTC 2016

On 24/12/15 at 17:12, Nasir Bilal wrote:
> I have a couple of questions about Suricata/Snort rules:
> 1) Is there a way to reference a list of strings in a suricata rule,
> similar to the ipreputation engine, and the way it references external text
> files full of IP's? We're looking at using Suricata for URL filtering.

Could you describe this a little more?
But i guess if you want to have the same way iprep works, that's a
feature request.

> 2) Similar to the first question, is there a way to read specifically from
> the SSL Server Certificate fields in the SSL/TLS handshake during HTTPS
> session initiation? We'd like to perform URL filtering on HTTPS traffic
> without SSL decrypt, and I know that many vendors do this by reading the
> fields of the SSL server certificates.

AFAIK that also depends on how the SSL/TLS is configured, with SNI you
could already check the SNI for the URL.

There are also TLS keywords:


Andreas Herz

More information about the Oisf-users mailing list