TechQA.

Suricata rule to allow ntp from specific URL

75 views Asked by At

Is there a way to allow only port UDP 123(NTP) from certain domain eg time.aws.com ? Currently I am using this rule - pass ntp $HOME_NET any → $EXTERNAL_NET 123 (sid:4001; rev:1;) but wanted to tie it down to specific URL

I want to use time.aws.com on NTP as allowed domain

suricata
Original Q&A
1

There are 1 answers

0
SovietShepherd On

This should work:

drop ntp $HOME_NET any → $EXTERNAL_NET 123 (msg:"Message"; content:!"time.aws.com";sid:4001; rev:1;)

According to suricata documentation, you can negate that content, meaning any content that is not the one specified will be dropped.

Related Questions in SURICATA

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions