nProbe IPS: block traffic by FQDN

Question

nProbe IPS: block traffic by FQDN

dimalev01 opened this issue 9 months ago · comments

Hello ,

Is it possible to block traffic for specific fqdn's with nprobe in traffic policies?
We tried to do it in "Host Rules" but it doesn't work.

Br ,

Dima Lev.

Alfredo Cardigliano · Answer 1 · Fri Nov 17 2023 19:29:13 GMT+0800 (China Standard Time)

ntopng seems to propagate the policy to nProbe as expected:

{"policy":{"id":3,"default_marker":"pass","markers":{"continents":[],"categories":[],"countries":[],"hostnames":{"test.com":"drop"},"protocols":[]},"name":"Pool 2 rules","flow_risk":{"marker":"drop","bitmap":0},"root":0}}

we need to check on the nProbe side if this is honoured

dimalev01 · Answer 2 · Sun Nov 19 2023 16:54:32 GMT+0800 (China Standard Time)

We will wait for your update.

Alfredo Cardigliano · Answer 3 · Mon Nov 20 2023 19:23:33 GMT+0800 (China Standard Time)

@dimalev01 sure this is in queue, I will update you as soon as we complete the tests

Luca Deri · Answer 4 · Sat Nov 25 2023 01:33:58 GMT+0800 (China Standard Time)

Can you please report your netfilter configuration? I would like to check whether the problem is due to netflter or nprobe.

dimalev01 · Answer 5 · Sun Nov 26 2023 16:25:05 GMT+0800 (China Standard Time)

Hello Luca, Netfillter file attached. From: Luca Deri ***@***.***> Date: Friday, 24 November 2023 at 19:34 To: ntop/nProbe ***@***.***> Cc: Dima Lev ***@***.***>, Mention ***@***.***> Subject: Re: [ntop/nProbe] nProbe IPS: block traffic by FQDN (Issue #587) Can you please report your netfilter configuration? I would like to check whether the problem is due to netflter or nprobe. — Reply to this email directly, view it on GitHub<#587 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDX7YAVGG4VWPHMGVDOXVFTYGDLBFAVCNFSM6AAAAAA7JBPN7CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRVHE2DQMBZGE>. You are receiving this because you were mentioned.Message ID: ***@***.***> זהירות: מקור הדואל הזה הוא מחוץ למטריקס. חל איסור ללחוץ על קישורים או לפתוח קבצים מצורפים אלא אם כן השולח מוכר והתוכן בטוח Caution: The source of this email is from outside Matrix. it is forbidden to click on links or open attachments unless you recognize the sender and know the content is safe.

Luca Deri · Answer 6 · Tue Nov 28 2023 15:53:59 GMT+0800 (China Standard Time)

Can you please try again as see no netfilter configuration (please also add the ifconfig configuration and explain what interface does what)

dimalev01 · Answer 7 · Wed Nov 29 2023 19:25:40 GMT+0800 (China Standard Time)

Hello Luca, * About netfilter configurations , do you mean this “policy_and_bridge_simple.sh” ? (this is the file I attached last time). ***@***.***:/home/mor# cat policy_and_bridge_simple.sh #!/usr/bin/env bash ################# # CONFIGURATION # ################# # Interfaces LAN="" WAN="" BRIDGE="br1t2" ENABLE_OFFLOAD_MARKED_PACKETS=true MARK_DROP="0x2 while getopts l:w:b:h flag do case "${flag}" in l) LAN=${OPTARG};; w) WAN=${OPTARG};; b) BRIDGE=${OPTARG};; h) ;; esac done if [ -z "$LAN" ] || [ -z "$WAN" ] || [ -z "$BRIDGE" ]; then echo "This is script will create a bridge with the provided lan/wan interfaces." echo "Usage:" echo "$0 -l <lan interface> -w <wan interface> [-b <bridge interface>]" exit fi echo "==================" echo "Configuration:" echo "LAN: $LAN"; echo "WAN: $WAN"; echo "BRIDGE: $BRIDGE"; echo "==================" ########################## # INTERNAL CONFIGURATION # ########################## NFQUEUE_NUM="0" ################ # SYSTEM SETUP # ################ # ENABLE iptables over bridging modprobe br_netfilter # Allow layer-2 bridge to do an upcall to iptables (as well as arptables or ip6tables) and have filtering travel from layer-2 (bridged frames) through layer 3 sysctl -w net.bridge.bridge-nf-call-iptables=1 > /dev/null if [ "${ENABLE_OFFLOAD_MARKED_PACKETS}" = true ] ; then # Enable connection tracking in the kernel modprobe nf_conntrack # Enable accounting of conntrack entries sysctl -w net.netfilter.nf_conntrack_acct=1 > /dev/null # Reset all markers in the kernel connection table conntrack -U --mark 0 > /dev/null 2>&1 fi ########## # BRIDGE # ########## # CREATE THE BRIDGE INTERFACE # Bridge creation ip link delete ${BRIDGE} type bridge 2> /dev/null ip link add name ${BRIDGE} type bridge # Setup the bridge and bridged interfaces ip link set ${BRIDGE} up ip link set ${LAN} up ip link set ${WAN} up # Associate the bridge with its bridged interfaces ip link set ${LAN} master ${BRIDGE} ip link set ${WAN} master ${BRIDGE} ############ # IPTABLES # ############ # CLEANUP ALL IPTABLES RULES # Set the default policies for each of the built-in chains iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT # Flush all chains and tables iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X if [ "${ENABLE_OFFLOAD_MARKED_PACKETS}" = true ] ; then # SAVE THE PACKET MARK INTO THE CONNECTION (SO IT CAN BE RESTORED FOR NEWLY ARRIVING PACKETS) iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark # READ THE MARK PREVIOUSLY SAVED INTO THE CONNECTION AND PUT IT BACK INTO THE PACKET OF THE CONNECTION iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark # Marked packets with mark 2 are dropped iptables -t mangle -A PREROUTING -m mark --mark ${MARK_DROP} -j DROP # Marked packets leave the chain iptables -t mangle -A FORWARD -m mark ! --mark 0 -j RETURN \ -m comment --comment "Marked packets leave the chain and don't go to userspace via NFQUEUE" fi iptables -t mangle -A FORWARD -j NFQUEUE --queue-num ${NFQUEUE_NUM} --queue-bypass -m physdev --physdev-in ${LAN} iptables -t mangle -A FORWARD -j NFQUEUE --queue-num ${NFQUEUE_NUM} --queue-bypass -m physdev --physdev-in ${WAN} # Print some info # bridge link show ${BRIDGE} # brctl showstp ${BRIDGE} # Make sure port state is 'forwarding' iptables -nvL -t ***@***.***:/home/mor# * About ifconfig: This is our topology: ***@***.*** We are using vlans as bridge interfaces between the ens ports for each service. Vlan 600 is our internet connectivity. As I mentions last time we tried to add host rules to block fqdn (this should be traffic over vlan 600). This is the ifconfig: TAMARES_600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::4a8:e4ff:fe99:bb5f prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 92595049 bytes 37637278805 (37.6 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 96041 bytes 7786182 (7.7 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 aws-403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::90a2:1aff:fe71:71cf prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 14163306 bytes 1273023744 (1.2 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521404 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 azure-back-402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::a4ef:27ff:fe4d:35a4 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13511854 bytes 675501820 (675.5 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521404 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 azure-prim-401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::acb3:98ff:fe59:5542 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13860555 bytes 917170413 (917.1 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7443 bytes 521234 (521.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 br1t2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::e51c:1d50:e2ef:2873 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 7900164 bytes 387970945 (387.9 MB) RX errors 0 dropped 24 overruns 0 frame 0 TX packets 22 bytes 2244 (2.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eno1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:80 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 16 eno2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:81 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 17 eno3: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:82 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 16 eno4: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:83 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 17 ens1f0np0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 1267758117379 bytes 1536660425083037 (1.5 PB) RX errors 0 dropped 27334105 overruns 0 frame 0 TX packets 783085282004 bytes 464679067232196 (464.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 44656828764 bytes 34028535111277 (34.0 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 22815907673 bytes 28693053963595 (28.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13516806 bytes 675884406 (675.8 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 14884 bytes 1042140 (1.0 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 72940465191 bytes 27186040381428 (27.1 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 145303501264 bytes 176731986950479 (176.7 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.404: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 15087334 bytes 774069834 (774.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 14880 bytes 1041892 (1.0 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.406: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13521243 bytes 676092306 (676.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521384 (521.3 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.408: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 11398038419 bytes 506271986241 (506.2 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 27626847039 bytes 41487607488582 (41.4 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f0np0.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 1135932218453 bytes 1448711968099839 (1.4 PB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 586068407863 bytes 213945418671093 (213.9 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens1f1np1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.10.13 netmask 255.255.252.0 broadcast 192.168.11.255 inet6 fe80::f603:43ff:fed8:7a58 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:58 txqueuelen 1000 (Ethernet) RX packets 353970511 bytes 70137039035 (70.1 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 563968158 bytes 696543352948 (696.5 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 783332135114 bytes 465446516160501 (465.4 TB) RX errors 0 dropped 911132 overruns 0 frame 0 TX packets 1267232627710 bytes 1536097613825717 (1.5 PB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 22816942335 bytes 28377657356299 (28.3 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 44655818508 bytes 34642010346556 (34.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 13531570 bytes 866148832 (866.1 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 145304482217 bytes 174722511816391 (174.7 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 72938982162 bytes 28138135521055 (28.1 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.404: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 15094659 bytes 985804255 (985.8 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.406: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 13528683 bytes 865909647 (865.9 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.408: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 27626839596 bytes 41100854986955 (41.1 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11398045863 bytes 644629342656 (644.6 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f0np0.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 586312422940 bytes 206474521394432 (206.4 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1135436740879 bytes 1464155818092789 (1.4 PB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens2f1np1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:38 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 5450743151 bytes 6788606328269 (6.7 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5450743151 bytes 6788606328269 (6.7 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 maytronics_408: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::8088:53ff:fe7f:217a prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 39024877585 bytes 41585887487364 (41.5 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7445 bytes 521374 (521.3 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 zerto_ep_404: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::2831:50ff:fe84:8522 prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 15087311 bytes 774067578 (774.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521444 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 zerto_ep_406: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::1ce1:4cff:feb3:958d prefixlen 64 scopeid 0x20<link> ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13521243 bytes 676091246 (676.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7449 bytes 521654 (521.6 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Please update if you need more information. Br, Dima Lev. From: Luca Deri ***@***.***> Date: Tuesday, 28 November 2023 at 9:54 To: ntop/nProbe ***@***.***> Cc: Dima Lev ***@***.***>, Mention ***@***.***> Subject: Re: [ntop/nProbe] nProbe IPS: block traffic by FQDN (Issue #587) Can you please try again as see no netfilter configuration (please also add the ifconfig configuration and explain what interface does what) — Reply to this email directly, view it on GitHub<#587 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDX7YASJMIRIP2WLYGSNNK3YGWKCFAVCNFSM6AAAAAA7JBPN7CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRZGI4DCNBZGM>. You are receiving this because you were mentioned.Message ID: ***@***.***> זהירות: מקור הדואל הזה הוא מחוץ למטריקס. חל איסור ללחוץ על קישורים או לפתוח קבצים מצורפים אלא אם כן השולח מוכר והתוכן בטוח Caution: The source of this email is from outside Matrix. it is forbidden to click on links or open attachments unless you recognize the sender and know the content is safe.

Viacheslav Hletenko · Answer 8 · Mon May 06 2024 16:55:12 GMT+0800 (China Standard Time)

Any updates?

l0crian1 · Answer 9 · Tue May 07 2024 01:33:04 GMT+0800 (China Standard Time)

ntopng seems to propagate the policy to nProbe as expected:

{"policy":{"id":3,"default_marker":"pass","markers":{"continents":[],"categories":[],"countries":[],"hostnames":{"test.com":"drop"},"protocols":[]},"name":"Pool 2 rules","flow_risk":{"marker":"drop","bitmap":0},"root":0}}

we need to check on the nProbe side if this is honoured

@cardigliano I know this is an old issue, so maybe this is already known.

It appears the output you put has improper nesting when compared to the documentation. The "hostnames" is outside of "markers" in the documentation. Maybe ntopng is pushing the policy to nprobe incorrectly. This worked for me once I moved that, though I noticed the matches are explicit (e.g. google.com would only block google.com, and not www.google.com; wildcards didn't work).

Alfredo Cardigliano · Answer 10 · Tue May 07 2024 18:17:01 GMT+0800 (China Standard Time)

@l0crian1 hostnames should be inside markers, we just released an update that fixes this.
As of the wildcards, they are not currently supported for hosts defined under "hostnames" (they are supported when using the protos or categories definitions), however we are working for supporting them, I will update the issue once ready.

l0crian1 · Answer 11 · Tue May 07 2024 21:59:41 GMT+0800 (China Standard Time)

Thanks @cardigliano! Quick question on both methods for host filter (definitions and rules syntax), is it just blocking DNS requests with those (sub)domains, or will it also block on the CN in a certificate?

Alfredo Cardigliano · Answer 12 · Tue May 07 2024 22:10:30 GMT+0800 (China Standard Time)

It detects the hostname from any supported protocol, it includes DNS, HTTP, TLS CN