26.2. Firewall ruleset examples

Note

In Suricata 8 the firewall mode is experimental and subject to change.

26.2.1. HTTP rules

This example shows a simple HTTP ruleset. It allows HTTP traffic only if all of the following conditions are met:

  • the request method is GET or POST

  • the User-Agent is "curl"

  • the status code is 200

First, allow traffic on TCP port 80::

    accept:hook tcp:all any any <> any 80 (sid:10;)

Flow tracking, combined with the default exception-policy handling, enforces things such as a complete TCP handshake.

The HTTP rules require an ``accept`` rule for each of the states::

    # allow traffic while the request line is not yet complete
    accept:hook http1:request_started any any -> any any (sid:100;)
    # allow GET
    accept:hook http1:request_line any any -> any any (
        http.method; content:"GET"; sid:101;)
    # or allow POST
    accept:hook http1:request_line any any -> any any (
        http.method; content:"POST"; sid:102;)
    # allow the user agent curl
    accept:hook http1:request_headers any any -> any any (
        http.user_agent; content:"curl"; sid:103;)
    # allow the request body, if present
    accept:hook http1:request_body any any -> any any (sid:104;)
    # allow trailers, if present
    accept:hook http1:request_trailer any any -> any any (sid:105;)
    # allow request complete
    accept:hook http1:request_complete any any -> any any (sid:106;)

    # allow traffic while the response line is not yet complete
    accept:hook http1:response_started any any -> any any (sid:200;)
    # allow status code 200
    accept:hook http1:response_line any any -> any any (
        http.stat_code; content:"200"; sid:201;)
    # allow all other states
    accept:hook http1:response_headers any any -> any any (sid:202;)
    accept:hook http1:response_body any any -> any any (sid:203;)
    accept:hook http1:response_trailer any any -> any any (sid:204;)
    accept:hook http1:response_complete any any -> any any (sid:205;)

Each of the states needs an ``accept`` rule, because each state is evaluated at least once; a state without a matching ``accept`` rule is not let through.

26.2.2. TLS SNI with complex TCP rules

In this example, the ``packet_filter`` rules are more restrictive on the traffic::

    # allow the three-way handshake
    accept:hook tcp:all $HOME_NET any -> $EXTERNAL_NET 443 (flags:S;
        flow:not_established; flowbits:set,syn; sid:1;)
    accept:hook tcp:all $EXTERNAL_NET 443 -> $HOME_NET any (flags:SA;
        flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
    accept:hook tcp:all $HOME_NET any -> $EXTERNAL_NET 443 (flags:A;
        flow:not_established; flowbits:isset,synack; flowbits:unset,syn; flowbits:unset,synack; sid:3;)
    # allow established connections
    accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:4;)

Then, at the TLS layer, implement a TLS SNI firewall.

Again, all states need to be accepted. Only the ``client_hello_done`` state carries an additional restriction::

    accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:100;)
    # allow specific sites
    accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni;
        pcre:"/^(suricata.io|oisf.net)$/"; sid:101;)
    accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:102;)
    accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:103;)
    accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:104;)

    accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:200;)
    accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:201;)
    accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:202;)
    accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:203;)
    accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:204;)
    accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:205;)
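Both the HTTP and the TLS ruleset above hinge on the same requirement: every hook state needs at least one ``accept`` rule, or traffic in that state is not let through. The following Python checker is an added example, not part of the Suricata documentation or of Suricata itself. It parses a constructed copy of the rules from this section (continuation lines joined, one rule per line), reports any hook state that lacks an ``accept`` rule, and evaluates the ``client_hello_done`` SNI regex against sample server names. The per-protocol state lists are taken from the rules in this section and are assumed to be complete; the rule parser is deliberately simplified and only understands the ``accept:hook proto:state ...`` shape used here.

```python
import re

# Constructed copy of the http1 accept rules from this section (continuation lines joined).
HTTP_RULES = """
accept:hook http1:request_started any any -> any any (sid:100;)
accept:hook http1:request_line any any -> any any (http.method; content:"GET"; sid:101;)
accept:hook http1:request_line any any -> any any (http.method; content:"POST"; sid:102;)
accept:hook http1:request_headers any any -> any any (http.user_agent; content:"curl"; sid:103;)
accept:hook http1:request_body any any -> any any (sid:104;)
accept:hook http1:request_trailer any any -> any any (sid:105;)
accept:hook http1:request_complete any any -> any any (sid:106;)
accept:hook http1:response_started any any -> any any (sid:200;)
accept:hook http1:response_line any any -> any any (http.stat_code; content:"200"; sid:201;)
accept:hook http1:response_headers any any -> any any (sid:202;)
accept:hook http1:response_body any any -> any any (sid:203;)
accept:hook http1:response_trailer any any -> any any (sid:204;)
accept:hook http1:response_complete any any -> any any (sid:205;)
"""

# Constructed copy of the tls accept rules from this section (continuation lines joined).
TLS_RULES = """
accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:100;)
accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; pcre:"/^(suricata.io|oisf.net)$/"; sid:101;)
accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:102;)
accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:103;)
accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:104;)
accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:200;)
accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:201;)
accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:202;)
accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:203;)
accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:204;)
accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:205;)
"""

# Hook states that must each be covered by an accept rule. Assumption: these lists,
# taken from the rules in this section, are the complete state sets for each protocol.
REQUIRED_STATES = {
    "http1": ["request_started", "request_line", "request_headers", "request_body",
              "request_trailer", "request_complete", "response_started", "response_line",
              "response_headers", "response_body", "response_trailer", "response_complete"],
    "tls": ["client_in_progress", "client_hello_done", "client_cert_done",
            "client_handshake_done", "client_finished", "server_in_progress", "server_hello",
            "server_cert_done", "server_hello_done", "server_handshake_done", "server_finished"],
}

HOOK_RE = re.compile(r"^accept:hook\s+(\w+):(\w+)\s")
SID_RE = re.compile(r"sid:(\d+);")
PCRE_RE = re.compile(r'pcre:"/(.*?)/([a-zA-Z]*)"')


def parse_rules(text):
    """Return (proto, state, sid, options) for every single-line accept:hook rule."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        m = HOOK_RE.match(line)
        if not m:
            continue                      # not an accept:hook rule
        sid = SID_RE.search(line)
        options = line[line.index("(") + 1:line.rindex(")")]
        rules.append((m.group(1), m.group(2), int(sid.group(1)) if sid else None, options))
    return rules


def missing_states(text, proto):
    """States of `proto` without any accept rule; traffic in such a state is not let through."""
    covered = {state for p, state, _, _ in parse_rules(text) if p == proto}
    return [s for s in REQUIRED_STATES[proto] if s not in covered]


def without_sid(text, sid):
    """Constructed helper: the same ruleset with one rule removed, to show the resulting gap."""
    return "\n".join(l for l in text.splitlines() if f"sid:{sid};" not in l)


def sni_pattern(text):
    """Extract the pcre body applied to tls.sni in the client_hello_done rule, if any."""
    for _, state, _, options in parse_rules(text):
        if state == "client_hello_done" and "tls.sni;" in options:
            m = PCRE_RE.search(options)
            if m:
                return m.group(1)
    return None


def sni_allowed(text, server_name):
    """True if the ruleset's client_hello_done SNI regex accepts this server name."""
    pattern = sni_pattern(text)
    return pattern is not None and re.search(pattern, server_name) is not None


if __name__ == "__main__":
    print("http1 gaps:", missing_states(HTTP_RULES, "http1"))
    print("tls gaps:", missing_states(TLS_RULES, "tls"))
    print("gap after dropping sid 104:", missing_states(without_sid(HTTP_RULES, 104), "http1"))
    for name in ("suricata.io", "oisf.net", "evil.suricata.io", "suricataXio"):
        print(f"SNI {name!r} allowed: {sni_allowed(TLS_RULES, name)}")
```

The SNI check also makes a precision point visible: the ``^`` and ``$`` anchors stop ``evil.suricata.io`` from matching, but the unescaped ``.`` in ``suricata.io`` matches any character, so a name such as ``suricataXio`` is accepted too. Escaping the dots (``suricata\.io``) makes the allow-list exact.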