feat: SNI inspection using Suricata

inspired by https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

README.md

@@ -18,6 +18,7 @@
   - [Snort2](#snort2)
   - [Snort3](#snort3)
   - [Suricata](#suricata)
+    - [Suricata (SNI)](#suricata-sni)
   - [Splunk](#splunk)
   - [Tracking Protection List (IE)](#tracking-protection-list-ie)
 - [Compressed version](#compressed-version)
@@ -46,6 +47,7 @@ A blocklist of malicious websites that are being used for malware distribution,
 | [Snort2](#snort2) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter-snort2-online.rules) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter-snort2-online.rules) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-snort2-online.rules) | [link](https://malware-filter.pages.dev/urlhaus-filter-snort2-online.rules) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter-snort2-online.rules) |
 | [Snort3](#snort3) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter-snort3-online.rules) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter-snort3-online.rules) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-snort3-online.rules) | [link](https://malware-filter.pages.dev/urlhaus-filter-snort3-online.rules) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter-snort3-online.rules) |
 | [Suricata](#suricata) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter-suricata-online.rules) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter-suricata-online.rules) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-suricata-online.rules) | [link](https://malware-filter.pages.dev/urlhaus-filter-suricata-online.rules) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter-suricata-online.rules) |
+| [Suricata (SNI)](#suricata-sni) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-suricata-sni-online.rules) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter-suricata-sni-online.rules) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter-suricata-sni-online.rules) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-suricata-sni-online.rules) | [link](https://malware-filter.pages.dev/urlhaus-filter-suricata-sni-online.rules) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter-suricata-sni-online.rules) |
 | [Splunk](#splunk) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-splunk-online.csv) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter-splunk-online.csv) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter-splunk-online.csv) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-splunk-online.csv) | [link](https://malware-filter.pages.dev/urlhaus-filter-splunk-online.csv) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter-splunk-online.csv) |
 | [Internet Explorer](#tracking-protection-list-ie) | [link](https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.tpl) | [link](https://curbengh.github.io/malware-filter/urlhaus-filter.tpl) | [link](https://curbengh.github.io/urlhaus-filter/urlhaus-filter.tpl) | [link](https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter.tpl) | [link](https://malware-filter.pages.dev/urlhaus-filter.tpl) | [link](https://urlhaus-filter.pages.dev/urlhaus-filter.tpl) |
 
@@ -230,6 +232,10 @@ rule-files:
 +  - urlhaus-filter-suricata-online.rules
 ```
 
+### Suricata (SNI)
+
+This ruleset includes online domains only. It enables Suricata to detect malicious HTTPS-enabled domains by inspecting the SNI in the [unencrypted ClientHello](https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications) message. However, there is increasing support for encrypted Client Hello which defeats SNI inspection.
+
 ## Splunk
 
 A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions). This ruleset includes online URLs only.

src/ids.js

@@ -16,6 +16,10 @@ const suricata = createWriteStream('../public/urlhaus-filter-suricata-online.rul
   encoding: 'utf8',
   flags: 'a'
 })
+const suricataSni = createWriteStream('../public/urlhaus-filter-suricata-sni-online.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
 const splunk = createWriteStream('../public/urlhaus-filter-splunk-online.csv', {
   encoding: 'utf8',
   flags: 'a'
@@ -27,11 +31,14 @@ for await (const domain of domains.readLines()) {
   snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"urlhaus-filter malicious website detected"; flow:established,from_client; content:"GET"; http_method; content:"${domain}"; content:"Host"; http_header; classtype:trojan-activity; sid:${sid}; rev:1;)\n`)
   snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"urlhaus-filter malicious website detected"; http_header:field host; content:"${domain}",nocase; classtype:trojan-activity; sid:${sid}; rev:1;)\n`)
   suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"urlhaus-filter malicious website detected"; flow:established,from_client; http.method; content:"GET"; http.host; content:"${domain}"; classtype:trojan-activity; sid:${sid} rev:1;)\n`)
+  suricataSni.write(`alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"urlhaus-filter malicious website detected"; flow:established,from_client; tls.sni; bsize:32; content:"${domain}"; fast_pattern; classtype:trojan-activity; sid:${sid} rev:1;)\n`)
   splunk.write(`"${domain}","","urlhaus-filter malicious website detected","${process.env.CURRENT_TIME}"\n`)
 
   sid++
 }
 
+suricataSni.close()
+
 for await (const line of urls.readLines()) {
   if (!URL.canParse(`http://${line}`)) {
     console.error(`Invalid URL: ${line}`)

src/script.sh

@@ -434,6 +434,7 @@ sed "1s/Blocklist/Wildcard Asterisk Blocklist/" > "../public/urlhaus-filter-wild
 rm "../public/urlhaus-filter-snort2-online.rules" \
   "../public/urlhaus-filter-snort3-online.rules" \
   "../public/urlhaus-filter-suricata-online.rules" \
+  "../public/urlhaus-filter-suricata-sni-online.rules" \
   "../public/urlhaus-filter-splunk-online.csv"
 
 export CURRENT_TIME
@@ -448,6 +449,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/urlhaus-filter-snor
 sed -i "1i $COMMENT_ONLINE" "../public/urlhaus-filter-suricata-online.rules"
 sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/urlhaus-filter-suricata-online.rules"
 
+sed -i "1i $COMMENT_ONLINE" "../public/urlhaus-filter-suricata-sni-online.rules"
+sed -i "1s/Domains Blocklist/Domains Suricata Ruleset (SNI)/" "../public/urlhaus-filter-suricata-sni-online.rules"
+
 sed -i -e "1i $COMMENT_ONLINE" -e '1i "host","path","message","updated"' "../public/urlhaus-filter-splunk-online.csv"
 sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/urlhaus-filter-splunk-online.csv"