Firewall Ruleset Examples
=========================

.. note:: In Suricata 8 the firewall mode is experimental and subject to change.

HTTP Rules
----------

This example shows a simple HTTP ruleset. It lets HTTP traffic through only when all of the following hold:

- the request method is GET or POST
- the User-Agent is "curl"
- the response status code is 200

First, allow traffic to TCP port 80:

::

  accept:hook tcp:all any any <> any 80 (sid:10;)

Flow tracking, combined with the default exception-policy handling, enforces the full TCP handshake and related flow-state checks; the packet-level rule does not need to spell them out.

The HTTP rules need an ``accept`` rule for each state::

  # accept traffic while the request line is not yet complete
  accept:hook http1:request_started any any -> any any (sid:100;)
  # accept the GET method
  accept:hook http1:request_line any any -> any any ( \
      http.method; content:"GET"; sid:101;)
  # or accept the POST method
  accept:hook http1:request_line any any -> any any ( \
      http.method; content:"POST"; sid:102;)
  # accept a User-Agent of curl
  accept:hook http1:request_headers any any -> any any ( \
      http.user_agent; content:"curl"; sid:103;)
  # accept the request body, if any
  accept:hook http1:request_body any any -> any any (sid:104;)
  # accept the request trailers, if any
  accept:hook http1:request_trailer any any -> any any (sid:105;)
  # accept the completed request
  accept:hook http1:request_complete any any -> any any (sid:106;)

  # accept traffic while the response line is not yet complete
  accept:hook http1:response_started any any -> any any (sid:200;)
  # accept status code 200
  accept:hook http1:response_line any any -> any any ( \
      http.stat_code; content:"200"; sid:201;)
  # accept all remaining response states
  accept:hook http1:response_headers any any -> any any (sid:202;)
  accept:hook http1:response_body any any -> any any (sid:203;)
  accept:hook http1:response_trailer any any -> any any (sid:204;)
  accept:hook http1:response_complete any any -> any any (sid:205;)

Every state needs its own ``accept`` rule, because every state is evaluated at least once: a state that has no matching ``accept`` rule is not let through, even if every earlier state was accepted. Note that ``content:"curl"`` is a substring match on a client-supplied header, so it constrains what the client claims to be, not what it is.

TLS SNI and Complex TCP Rules
-----------------------------

In this example the ``packet_filter`` rules put more constraints on the traffic::

  # accept the three-way handshake
  accept:hook tcp:all $HOME_NET any -> $EXTERNAL_NET 443 (flags:S; \
      flow:not_established; flowbits:set,syn; sid:1;)
  accept:hook tcp:all $EXTERNAL_NET 443 -> $HOME_NET any (flags:SA; \
      flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
  accept:hook tcp:all $HOME_NET any -> $EXTERNAL_NET 443 (flags:A; \
      flow:not_established; flowbits:isset,synack; \
      flowbits:unset,syn; flowbits:unset,synack; sid:3;)
  # accept the established session
  accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:4;)

Then the TLS SNI filtering is implemented at the TLS layer. Again, all states need to be accepted; only the ``client_hello_done`` state carries an additional condition. The dots in the ``pcre`` pattern are escaped so that they match a literal ``.`` rather than any character::

  accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:100;)
  # accept only the listed sites
  accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; \
      pcre:"/^(suricata\.io|oisf\.net)$/"; sid:101;)
  accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:102;)
  accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:103;)
  accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:104;)

  accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:200;)
  accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:201;)
  accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:202;)
  accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:203;)
  accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:204;)
  accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:205;)

The SNI is a cleartext, client-supplied and unauthenticated value: this ruleset accepts any connection that merely claims one of the listed names, so it limits where clients say they are going rather than proving it.
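Both rulesets above depend on the same property: every hook state of a protocol must have at least one ``accept`` rule, or traffic stalls at the first uncovered state. The script below is an added example, not part of the Suricata documentation or code base, that lints a ruleset for exactly that mistake. It parses ``accept:hook proto:state`` rules (joining the backslash-continued lines the page uses), collects the sids per state and reports states with no ``accept`` rule. The required state lists are an assumption derived from the examples on this page, not from Suricata's source, and the sample rulesets are constructed for the example: the HTTP set is the page's ruleset with the ``response_headers`` rule (sid:202) deliberately removed.

```python
import re
from collections import defaultdict

# Assumption: these are the hook states a complete ruleset must cover. The
# lists are taken from the example rulesets on this page, not from Suricata.
REQUIRED_STATES = {
    "http1": [
        "request_started", "request_line", "request_headers", "request_body",
        "request_trailer", "request_complete",
        "response_started", "response_line", "response_headers", "response_body",
        "response_trailer", "response_complete",
    ],
    "tls": [
        "client_in_progress", "client_hello_done", "client_cert_done",
        "client_handshake_done", "client_finished",
        "server_in_progress", "server_hello", "server_cert_done",
        "server_hello_done", "server_handshake_done", "server_finished",
    ],
}

HOOK_RE = re.compile(r"^(?P<action>accept|drop|reject):hook\s+(?P<proto>\w+):(?P<state>\w+)\b")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def join_continuations(text):
    """Yield one rule per logical line: skip blanks and comments, join lines
    that end in a backslash (the multi-line style used on this page)."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(buf + line)
        buf = ""
    if buf:
        rules.append(buf.strip())
    return rules


def parse_accept_hooks(text):
    """Map (proto, state) -> [sid, ...] for every accept:hook rule in text."""
    seen = defaultdict(list)
    for rule in join_continuations(text):
        m = HOOK_RE.match(rule)
        if not m or m["action"] != "accept":
            continue
        sid = SID_RE.search(rule)
        seen[(m["proto"], m["state"])].append(int(sid.group(1)) if sid else None)
    return seen


def missing_states(text, proto):
    """States of proto with no accept rule; traffic would stall at the first one."""
    seen = parse_accept_hooks(text)
    return [s for s in REQUIRED_STATES.get(proto, []) if (proto, s) not in seen]


# Constructed sample: the page's HTTP ruleset minus the response_headers rule.
HTTP_RULES = r"""
# request side
accept:hook http1:request_started any any -> any any (sid:100;)
accept:hook http1:request_line any any -> any any ( \
    http.method; content:"GET"; sid:101;)
accept:hook http1:request_line any any -> any any ( \
    http.method; content:"POST"; sid:102;)
accept:hook http1:request_headers any any -> any any ( \
    http.user_agent; content:"curl"; sid:103;)
accept:hook http1:request_body any any -> any any (sid:104;)
accept:hook http1:request_trailer any any -> any any (sid:105;)
accept:hook http1:request_complete any any -> any any (sid:106;)
# response side (sid:202 for response_headers is deliberately missing)
accept:hook http1:response_started any any -> any any (sid:200;)
accept:hook http1:response_line any any -> any any ( \
    http.stat_code; content:"200"; sid:201;)
accept:hook http1:response_body any any -> any any (sid:203;)
accept:hook http1:response_trailer any any -> any any (sid:204;)
accept:hook http1:response_complete any any -> any any (sid:205;)
"""

# Constructed sample: the page's TLS ruleset, complete.
TLS_RULES = r"""
accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:100;)
accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; \
    pcre:"/^(suricata\.io|oisf\.net)$/"; sid:101;)
accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:102;)
accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:103;)
accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:104;)
accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:200;)
accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:201;)
accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:202;)
accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:203;)
accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:204;)
accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:205;)
"""

if __name__ == "__main__":
    for name, text, proto in (("http", HTTP_RULES, "http1"), ("tls", TLS_RULES, "tls")):
        gaps = missing_states(text, proto)
        print(f"{name}: {'complete' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run against a real ``.rules`` file by passing its contents to ``missing_states`` for each protocol you hook; the HTTP sample reports ``missing response_headers``, which is exactly the state at which a 200 response would stop being accepted.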