feat: SNI inspection using Suricata

inspired by https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

README.md

@@ -16,6 +16,7 @@
   - [Snort2](#snort2)
   - [Snort3](#snort3)
   - [Suricata](#suricata)
+    - [Suricata (SNI)](#suricata-sni)
   - [Splunk](#splunk)
   - [Tracking Protection List (IE)](#tracking-protection-list-ie)
 - [Compressed version](#compressed-version)
@@ -42,6 +43,7 @@ A blocklist of phishing websites, curated from [OpenPhish](https://openphish.com
 | [Snort2](#snort2) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-snort2.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-snort2.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort2.rules) | [br](https://malware-filter.pages.dev/phishing-filter-snort2.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-snort2.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-snort2.rules) |
 | [Snort3](#snort3) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-snort3.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-snort3.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort3.rules) | [br](https://malware-filter.pages.dev/phishing-filter-snort3.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-snort3.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-snort3.rules) |
 | [Suricata](#suricata) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-suricata.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-suricata.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-suricata.rules) | [br](https://malware-filter.pages.dev/phishing-filter-suricata.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-suricata.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-suricata.rules) |
+| [Suricata (SNI)](#suricata-sni)| [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata-sni.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-suricata-sni.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-suricata-sni.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-suricata-sni.rules) | [br](https://malware-filter.pages.dev/phishing-filter-suricata-sni.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-suricata-sni.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-suricata-sni.rules) |
 | [Splunk](#splunk) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv) | [link](https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv) | [link](https://malware-filter.pages.dev/phishing-filter-splunk.csv) | [link](https://phishing-filter.pages.dev/phishing-filter-splunk.csv) |
 | [Internet Explorer](#tracking-protection-list-ie) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter.tpl) | [link](https://curbengh.github.io/malware-filter/phishing-filter.tpl) | [link](https://curbengh.github.io/phishing-filter/phishing-filter.tpl) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter.tpl) | [link](https://malware-filter.pages.dev/phishing-filter.tpl) | [link](https://phishing-filter.pages.dev/phishing-filter.tpl) |
 
@@ -196,6 +198,11 @@ rule-files:
 +  - phishing-filter-suricata.rules
 ```
 
+### Suricata (SNI)
+
+This ruleset includes online domains only. It enables Suricata to detect malicious HTTPS-enabled domains by inspecting the SNI in the [unencrypted ClientHello](https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications) message. There is increasing support for encrypted Client Hello which defeats SNI inspection.
+
+
 ## Splunk
 
 A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions).

src/ids.js

@@ -18,6 +18,10 @@ const suricata = createWriteStream('../public/phishing-filter-suricata.rules', {
   encoding: 'utf8',
   flags: 'a'
 })
+const suricataSni = createWriteStream('../public/phishing-filter-suricata-sni.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
 const splunk = createWriteStream('../public/phishing-filter-splunk.csv', {
   encoding: 'utf8',
   flags: 'a'
@@ -29,6 +33,7 @@ for await (const domain of domains.readLines()) {
   snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"phishing-filter phishing website detected"; flow:established,from_client; content:"GET"; http_method; content:"${domain}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
   snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; http_header:field host; content:"${domain}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
   suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; http.method; content:"GET"; http.host; content:"${domain}"; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
+  suricataSni.write(`alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; tls.sni; bsize:32; content:"${domain}"; fast_pattern; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
   splunk.write(`"${domain}","","phishing-filter phishing website detected","${process.env.CURRENT_TIME}"\n`)
 
   sid++

src/script.sh

@@ -393,6 +393,7 @@ sed "1s/Domains/Wildcard Asterisk/" > "../public/phishing-filter-wildcard.txt"
 rm "../public/phishing-filter-snort2.rules" \
   "../public/phishing-filter-snort3.rules" \
   "../public/phishing-filter-suricata.rules" \
+  "../public/phishing-filter-suricata-sni.rules" \
   "../public/phishing-filter-splunk.csv"
 
 export CURRENT_TIME
@@ -407,6 +408,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/phishing-filter-sno
 sed -i "1i $COMMENT" "../public/phishing-filter-suricata.rules"
 sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/phishing-filter-suricata.rules"
 
+sed -i "1i $COMMENT" "../public/phishing-filter-suricata-sni.rules"
+sed -i "1s/Domains Blocklist/Domain Suricata Ruleset (SNI)/" "../public/phishing-filter-suricata-sni.rules"
+
 sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/phishing-filter-splunk.csv"
 sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/phishing-filter-splunk.csv"