Customize Amazon CloudWatch alerts for AWS Network Firewall - AWS Prescriptive Guidance

Customize Amazon CloudWatch alerts for AWS Network Firewall

Created by Jason Owens (AWS)

Environment: PoC or pilot

Technologies: Networking; Security, identity, compliance

Workload: Open-source

AWS services: Amazon CloudWatch Logs; AWS Network Firewall; AWS CLI

Summary

This pattern helps you customize the Amazon CloudWatch alerts that are generated by AWS Network Firewall. You can rely on the predefined Suricata classifications or write custom rules that determine the message, metadata, and severity of each alert. You can then act on these alerts, or automate responses through other AWS services such as Amazon EventBridge.

In this pattern, you write Suricata-compatible firewall rules; Suricata is the open-source threat detection engine whose rule syntax the Network Firewall stateful engine understands. You first create simple rules and test them to confirm that alerts are generated and logged to CloudWatch Logs. After the rules pass that test, you modify them to define custom messages, metadata, and severities, and then test once more to confirm the updates.

Prerequisites and limitations

Prerequisites 

Product versions

  • For version 1 of AWS CLI, use 1.18.180 or later. For version 2 of AWS CLI, use 2.1.2 or later.

  • The classification.config file from Suricata version 5.0.2. For a copy of this configuration file, see the Additional information section.

Architecture

Target technology stack

  • Network Firewall

  • Amazon CloudWatch Logs

Target architecture

Diagram: an HTTP request from an EC2 instance generates an alert in Network Firewall, which forwards the alert to CloudWatch Logs.

The architecture diagram shows the following workflow:

  1. An EC2 instance in a private subnet makes an HTTP request by using curl or Wget.

  2. Network Firewall inspects the traffic with its stateful rules and generates an alert when a rule matches.

  3. Network Firewall sends the alert to the CloudWatch Logs log group that is configured for alert logging.

Tools

AWS services

  • Amazon CloudWatch helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.

  • Amazon CloudWatch Logs helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

  • AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for virtual private clouds (VPCs) in the AWS Cloud. 

Other tools and services

  • curl – curl is an open-source command line tool and library.

  • Wget – GNU Wget is a free command line tool.

Epics

Task: Create rules.

  1. In a text editor, create a list of the rules that you want to add to the firewall, one rule per line. The value of the classtype keyword must be a classification from the default Suricata classification configuration file; the classification supplies the category and the default severity of the alert. For the full contents of the configuration file, see the Additional information section. The following are two example rules. Both use the alert action, so matching traffic is logged but not blocked.

    alert http any any -> any any (content:"badstuff"; classtype:misc-activity; sid:3; rev:1;)
    alert http any any -> any any (content:"morebadstuff"; classtype:bad-unknown; sid:4; rev:1;)

  2. Save the rules in a file named custom.rules.

Skills required: AWS systems administrator, Network administrator
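Before you upload a rule file, it is worth checking it the same way the firewall will read it. The following Python script is an added example and is not part of the AWS pattern: it parses each Suricata-style rule line, checks that every rule has a sid and a classtype that exists in the classification configuration, flags duplicate sids and rules without a msg (whose alerts are logged with an empty signature), and predicts the alert fields that Network Firewall will log for each rule. The embedded classification excerpt and the rule file are constructed from the values in this pattern; the third rule (sid 5) is an assumed rule that shows the msg, priority, and metadata customizations applied later in the pattern.

```python
"""Pre-flight check for a Network Firewall custom.rules file.

Added example, not code from the AWS pattern: parses Suricata-style rules,
validates classtype and sid against classification.config, and predicts the
"alert" fields Network Firewall will log, so the file can be checked before
`aws network-firewall create-rule-group` is run.
"""
import re

# Constructed excerpt of the Suricata 5.0.2 classification.config
# (shortname, description, default priority) reproduced in this pattern.
CLASSIFICATION_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: misc-activity,Misc activity,3
"""

# Constructed rule file: the pattern's two rules plus a third (sid 5 is an
# assumed id) carrying the msg/priority/metadata customizations.
CUSTOM_RULES = """\
alert http any any -> any any (content:"badstuff"; classtype:misc-activity; sid:3; rev:1;)
alert http any any -> any any (content:"morebadstuff"; classtype:bad-unknown; sid:4; rev:1;)
alert http any any -> any any (msg:"Watch out - Bad Stuff!!"; content:"badstuff"; classtype:misc-activity; priority:2; sid:5; rev:2; metadata:custom-field-2 Danger!, custom-field More Info;)
"""

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>.+?)\s*\((?P<options>.*)\)\s*$")
ACTIONS = {"alert", "drop", "pass", "reject"}

def load_classifications(text):
    """Map classtype shortname -> (description, default priority)."""
    classes = {}
    for line in text.splitlines():
        if line.startswith("config classification:"):
            name, rest = line.split(":", 1)[1].split(",", 1)
            desc, prio = rest.rsplit(",", 1)
            classes[name.strip()] = (desc.strip(), int(prio))
    return classes

def split_options(options):
    """Yield (key, value) from 'k:v; k2:"a;b"; ...' without splitting inside quotes."""
    for tok in re.findall(r'((?:[^;"]|"[^"]*")+);', options):
        key, sep, val = tok.strip().partition(":")
        yield key.strip(), (val.strip() if sep else None)

def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError if it is not a rule."""
    m = RULE_RE.match(line)
    if not m or m.group("action") not in ACTIONS:
        raise ValueError(f"not a Suricata rule: {line!r}")
    rule = {"action": m.group("action"), "header": m.group("header")}
    for key, val in split_options(m.group("options")):
        if key == "metadata":  # "k1 v1, k2 v2" -> {k1: [v1], k2: [v2]}
            rule["metadata"] = {}
            for item in val.split(","):
                k, _, v = item.strip().partition(" ")
                rule["metadata"].setdefault(k, []).append(v.strip())
        elif key in ("msg", "content"):
            rule[key] = val.strip('"')
        elif key in ("sid", "rev", "priority"):
            rule[key] = int(val)
        else:
            rule[key] = val
    return rule

def predict_alert(rule, classes):
    """The "alert" object Network Firewall logs when this rule matches."""
    desc, default_prio = classes[rule["classtype"]]
    return {"action": "allowed" if rule["action"] == "alert" else "blocked",  # drop/reject log as blocked
            "signature_id": rule["sid"], "rev": rule.get("rev", 1),
            "signature": rule.get("msg", ""),  # empty when the rule has no msg
            "category": desc,
            "severity": rule.get("priority", default_prio),  # priority wins over classtype
            "metadata": rule.get("metadata", {})}

def lint_rules(rules_text, config_text):
    """Return ({sid: predicted alert}, [problem strings])."""
    classes = load_classifications(config_text)
    predicted, problems, seen = {}, [], set()
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append(f"line {n}: {exc}")
            continue
        if "sid" not in rule or rule.get("classtype") not in classes:
            problems.append(f"line {n}: missing sid or unknown classtype {rule.get('classtype')!r}")
            continue
        if rule["sid"] in seen:
            problems.append(f"line {n}: duplicate sid {rule['sid']}")
        seen.add(rule["sid"])
        if "msg" not in rule:
            problems.append(f"line {n}: sid {rule['sid']} has no msg, so the alert signature will be empty")
        predicted[rule["sid"]] = predict_alert(rule, classes)
    return predicted, problems

if __name__ == "__main__":
    alerts, issues = lint_rules(CUSTOM_RULES, CLASSIFICATION_CONFIG)
    print(*alerts.values(), *issues, sep="\n")
```

Run it against your own custom.rules before creating or updating the rule group; a non-empty problem list means the firewall will either reject the file or log alerts that are hard to act on (empty signature, colliding sids). Because the script predicts the severity the same way the firewall derives it (an explicit priority, otherwise the classtype default), you can also use its output as the expected values when you validate the CloudWatch log entries later in this pattern.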
Task: Create the rule group.

In the AWS CLI, enter the following command. This creates a stateful rule group from the custom.rules file. Each Suricata-compatible rule consumes one unit of the rule group's capacity, and the capacity can't be changed after the rule group is created, so choose a value that leaves room for the rules you plan to add later.

    aws network-firewall create-rule-group \
        --rule-group-name custom --type STATEFUL \
        --capacity 10 --rules file://custom.rules \
        --tags Key=environment,Value=development

The following is an example output. Make note of the RuleGroupArn, which you need in a later step.

    {
        "UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",
        "RuleGroupResponse": {
            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
            "RuleGroupName": "custom",
            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
            "Type": "STATEFUL",
            "Capacity": 10,
            "RuleGroupStatus": "ACTIVE",
            "Tags": [
                {
                    "Key": "environment",
                    "Value": "development"
                }
            ]
        }
    }

Skills required: AWS systems administrator
Task: Get the ARN of the firewall policy.

In the AWS CLI, enter the following command. This returns the Amazon Resource Name (ARN) of the firewall policy that is attached to the firewall. Record the ARN for use later in this pattern. The firewall in this pattern is named aws-network-firewall-anfw; substitute the name of your own firewall.

    aws network-firewall describe-firewall \
        --firewall-name aws-network-firewall-anfw \
        --query 'Firewall.FirewallPolicyArn'

The following is an example ARN that is returned by this command.

    "arn:aws:network-firewall:us-east-2:1234567890:firewall-policy/firewall-policy-anfw"

Skills required: AWS systems administrator
Task: Update the firewall policy.

In a text editor, copy and paste the following code. Replace <RuleGroupArn> with the value you recorded when you created the rule group. Save the file as firewall-policy-anfw.json. The two stateless default actions forward all packets, including fragments, to the stateful engine (aws:forward_to_sfe); without that, the stateful rule group would never see the HTTP requests.

    {
        "StatelessDefaultActions": [
            "aws:forward_to_sfe"
        ],
        "StatelessFragmentDefaultActions": [
            "aws:forward_to_sfe"
        ],
        "StatefulRuleGroupReferences": [
            {
                "ResourceArn": "<RuleGroupArn>"
            }
        ]
    }

Enter the following commands in the AWS CLI. The update command requires an update token, which confirms that the policy hasn't changed since you last retrieved it; if another change was made in between, the update is rejected and you must fetch a fresh token. Note that update-firewall-policy replaces the whole policy with the contents of the file: if your existing policy already references other rule groups, include them in firewall-policy-anfw.json as well, or they will be detached from the firewall.

    UPDATETOKEN=$(aws network-firewall describe-firewall-policy \
        --firewall-policy-name firewall-policy-anfw \
        --output text --query UpdateToken)

    aws network-firewall update-firewall-policy \
        --update-token "$UPDATETOKEN" \
        --firewall-policy-name firewall-policy-anfw \
        --firewall-policy file://firewall-policy-anfw.json

Skills required: AWS systems administrator
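Because update-firewall-policy replaces the entire policy, the safe way to add a rule group to a policy that is already in use is to fetch the current policy document, merge the new reference into it, and send the merged document back. The following Python script is an added example, not code from the AWS pattern. It works purely on the policy JSON: the starting policy is a constructed example that already references an assumed rule group named baseline, the AWS CLI calls are shown in comments only, and the check that the stateless default actions forward to the stateful engine is a conservative sanity check, not an AWS validation rule.

```python
"""Merge a rule group reference into an existing Network Firewall policy.

Added example, not code from the AWS pattern. update-firewall-policy
replaces the entire FirewallPolicy object, so the safe workflow is to
describe the current policy, add the new reference to it, and send the
merged document back with the update token. Only the JSON documents are
handled here; the aws CLI calls are shown in comments and not executed.
"""
import json

# Constructed: a policy as returned by `describe-firewall-policy --query
# FirewallPolicy`, already referencing one other (assumed) rule group.
CURRENT_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/baseline"}
    ],
}
NEW_RULE_GROUP_ARN = "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"

def add_stateful_reference(policy, arn):
    """Return a deep copy of `policy` that also references `arn` (idempotent)."""
    merged = json.loads(json.dumps(policy))  # copy; keeps any other keys untouched
    refs = merged.setdefault("StatefulRuleGroupReferences", [])
    if not any(ref.get("ResourceArn") == arn for ref in refs):
        refs.append({"ResourceArn": arn})
    return merged

def forwards_to_stateful_engine(policy):
    """The stateful rule group only sees packets that the stateless engine
    forwards (aws:forward_to_sfe); check both default-action lists."""
    return all("aws:forward_to_sfe" in policy.get(key, [])
               for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"))

def policy_document(policy, arn):
    """JSON text to save as firewall-policy-anfw.json for update-firewall-policy."""
    merged = add_stateful_reference(policy, arn)
    if not forwards_to_stateful_engine(merged):
        raise ValueError("stateless default actions do not forward to the stateful "
                         "engine, so the custom rule group would never see traffic")
    return json.dumps(merged, indent=4)

if __name__ == "__main__":
    # Real use: load the output of
    #   aws network-firewall describe-firewall-policy \
    #       --firewall-policy-name firewall-policy-anfw --query FirewallPolicy
    # into CURRENT_POLICY, write the result to firewall-policy-anfw.json,
    # then run update-firewall-policy with a freshly fetched update token.
    print(policy_document(CURRENT_POLICY, NEW_RULE_GROUP_ARN))
```

The deep copy matters: describe-firewall-policy can return keys that this pattern's minimal policy doesn't show (for example, stateful engine options), and rebuilding the document from scratch would silently drop them on the next update.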
Task: Confirm the policy updates.

(Optional) If you would like to confirm that the rule group was added and view the policy format, enter the following command in the AWS CLI.

    aws network-firewall describe-firewall-policy \
        --firewall-policy-name firewall-policy-anfw \
        --query FirewallPolicy

The following is an example output.

    {
        "StatelessDefaultActions": [
            "aws:forward_to_sfe"
        ],
        "StatelessFragmentDefaultActions": [
            "aws:forward_to_sfe"
        ],
        "StatefulRuleGroupReferences": [
            {
                "ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"
            }
        ]
    }

Skills required: AWS systems administrator
Task: Generate alerts for testing.

  1. Log in to a test workstation whose traffic is routed through the firewall, such as the EC2 instance in the private subnet shown in the architecture.

  2. Enter commands that should generate alerts. Both of the following commands place the matching string in the HTTP User-Agent header. Use plain http:// URLs: the content match runs against the HTTP payload, which the firewall cannot inspect inside TLS-encrypted HTTPS traffic unless TLS inspection is configured.

    wget -U "badstuff" -O /dev/null http://www.amazon.com
    curl -A "morebadstuff" -o /dev/null http://www.amazon.com

Skills required: AWS systems administrator
Task: Validate that the alerts are logged.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/

  2. Navigate to the log group and log stream that your firewall's alert logging is configured to use. For more information, see View log data sent to CloudWatch Logs (CloudWatch Logs documentation).

  3. Confirm that the logged events are similar to the following examples. The examples show only the alert portion of each event. Because the rules don't set msg, the signature field is empty; the category is the description of the rule's classtype, and the severity is that classtype's default priority (3 for misc-activity, 2 for bad-unknown). The action is allowed because the rules use the alert action rather than drop.

    Example 1

    "alert": {
        "action": "allowed",
        "signature_id": 3,
        "rev": 1,
        "signature": "",
        "category": "Misc activity",
        "severity": 3
    }

    Example 2

    "alert": {
        "action": "allowed",
        "signature_id": 4,
        "rev": 1,
        "signature": "",
        "category": "Potentially Bad Traffic",
        "severity": 2
    }

Skills required: AWS systems administrator
Task: Update the firewall rules.

  1. In a text editor, open the custom.rules file.

  2. Change the first rule to be similar to the following. The rule must stay on a single line in the file.

    alert http any any -> any any (msg:"Watch out - Bad Stuff!!"; content:"badstuff"; classtype:misc-activity; priority:2; sid:3; rev:2; metadata:custom-field-2 Danger!, custom-field More Info;)

    This makes the following changes to the rule:

    • Adds a msg string (see the Suricata documentation) that describes the signature or alert. In the generated alert, this maps to the signature field.

    • Sets priority (see the Suricata documentation) explicitly to 2, overriding the default of 3 that the misc-activity classtype would otherwise supply. In the generated alert, this maps to the severity field. For the default values of the various classtypes, see the Additional information section.

    • Adds custom metadata (see the Suricata documentation) to the rule. This is additional information that is attached to the signature and logged with the alert; write it as key-value pairs separated by commas.

    • Changes rev (see the Suricata documentation) from 1 to 2. This is the version of the signature; increment it whenever you change a rule so that logged alerts show which version fired.

Skills required: AWS systems administrator
Task: Update the rule group.

In the AWS CLI, run the following commands, using the ARN of your rule group (not the firewall policy ARN). The first command gets an update token for the rule group; the second replaces the rule group's rules with the contents of the edited custom.rules file.

    UPDATETOKEN=$(aws network-firewall describe-rule-group \
        --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
        --output text --query UpdateToken)

    aws network-firewall update-rule-group \
        --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
        --rules file://custom.rules \
        --update-token "$UPDATETOKEN"

The following is an example output.

    {
        "UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",
        "RuleGroupResponse": {
            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
            "RuleGroupName": "custom",
            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
            "Type": "STATEFUL",
            "Capacity": 10,
            "RuleGroupStatus": "ACTIVE",
            "Tags": [
                {
                    "Key": "environment",
                    "Value": "development"
                }
            ]
        }
    }

Skills required: AWS systems administrator
Task: Generate an alert for testing.

  1. Log in to the same test workstation that you used for the first test.

  2. Enter a command that should generate an alert. For example, you can use curl.

    curl -A "badstuff" -o /dev/null http://www.amazon.com

Skills required: AWS systems administrator

Task: Validate the alert changed.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/

  2. Navigate to the same log group and log stream as before.

  3. Confirm that the logged event is similar to the following example. The example shows only the alert portion of the event. Compared with the first test, rev is now 2, signature carries the msg text, severity reflects the explicit priority of 2 instead of the classtype default of 3, and the metadata object contains the custom key-value pairs. If you still see rev 1 alerts, the rule group update has not propagated yet or an older request was logged; wait and retest before changing anything else.

    "alert": {
        "action": "allowed",
        "signature_id": 3,
        "rev": 2,
        "signature": "Watch out - Bad Stuff!!",
        "category": "Misc activity",
        "severity": 2,
        "metadata": {
            "custom-field": [
                "More Info"
            ],
            "custom-field-2": [
                "Danger!"
            ]
        }
    }

Skills required: AWS systems administrator
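Both validation steps in this pattern (checking the first alerts and checking the changed alert) come down to reading the alert events out of CloudWatch Logs and comparing them with what the rules should produce. The following Python script is an added example, not code from the AWS pattern: it parses alert log lines, summarizes them per signature_id, selects the alerts worth forwarding (Suricata priority 1 is the most severe, so a low severity number is the important one), and checks every logged alert against the rev, severity, signature, and metadata that the current rules define. The sample log lines are constructed; their outer envelope (firewall_name, availability_zone, event_timestamp, event) follows the Network Firewall alert log layout, and the inner alert objects use the values shown in this pattern, with one deliberately stale rev 1 alert for sid 3 to show what a not-yet-propagated update looks like.

```python
"""Triage of Network Firewall alert log events from CloudWatch Logs.

Added example, not code from the AWS pattern. It parses alert log lines,
summarizes them per signature_id, and checks that the logged alerts carry
the rev, severity, signature and metadata the updated rules define.
"""
import json
from collections import defaultdict

# Constructed sample log lines. Envelope keys follow the Network Firewall
# alert log layout; the "alert" objects use this pattern's values. The
# second line is a stale rev 1 alert for sid 3 (pre-update rule).
SAMPLE_LOG_LINES = [
    '{"firewall_name":"aws-network-firewall-anfw","availability_zone":"us-east-2a","event_timestamp":"1601501011","event":{"timestamp":"2020-09-30T21:23:31.007556+0000","event_type":"alert","src_ip":"10.0.1.25","src_port":43522,"dest_ip":"52.94.236.248","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":3,"rev":2,"signature":"Watch out - Bad Stuff!!","category":"Misc activity","severity":2,"metadata":{"custom-field":["More Info"],"custom-field-2":["Danger!"]}}}}',
    '{"firewall_name":"aws-network-firewall-anfw","availability_zone":"us-east-2a","event_timestamp":"1601500990","event":{"timestamp":"2020-09-30T21:23:10.114209+0000","event_type":"alert","src_ip":"10.0.1.25","src_port":43510,"dest_ip":"52.94.236.248","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":3,"rev":1,"signature":"","category":"Misc activity","severity":3}}}',
    '{"firewall_name":"aws-network-firewall-anfw","availability_zone":"us-east-2a","event_timestamp":"1601501030","event":{"timestamp":"2020-09-30T21:23:50.000001+0000","event_type":"alert","src_ip":"10.0.1.25","src_port":43530,"dest_ip":"52.94.236.248","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":4,"rev":1,"signature":"","category":"Potentially Bad Traffic","severity":2}}}',
    "not json at all",
]

# What the updated custom.rules should produce, keyed by sid: the updated
# rule for sid 3 and the unchanged rule for sid 4 from this pattern.
EXPECTED = {
    3: {"rev": 2, "severity": 2, "signature": "Watch out - Bad Stuff!!",
        "metadata": {"custom-field": ["More Info"], "custom-field-2": ["Danger!"]}},
    4: {"rev": 1, "severity": 2, "signature": "", "metadata": {}},
}

def parse_alerts(lines):
    """Return the well-formed alert records; skip anything that is not one."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        event = rec.get("event", {})
        if event.get("event_type") == "alert" and "alert" in event:
            records.append(rec)
    return records

def summarize(records):
    """Per-sid counts plus the revs, severities and sources actually seen."""
    summary = defaultdict(lambda: {"count": 0, "revs": set(), "severities": set(), "sources": set()})
    for rec in records:
        event, alert = rec["event"], rec["event"]["alert"]
        entry = summary[alert["signature_id"]]
        entry["count"] += 1
        entry["revs"].add(alert["rev"])
        entry["severities"].add(alert["severity"])
        entry["sources"].add(event.get("src_ip"))
    return dict(summary)

def high_severity(records, threshold=2):
    """Alerts worth routing onward: priority 1 is most severe, so keep severity <= threshold."""
    return [rec for rec in records if rec["event"]["alert"]["severity"] <= threshold]

def verify_against_rules(records, expected):
    """Compare each logged alert with the rule that should have produced it.
    Returns mismatch strings; an empty list means the rule update is live."""
    problems = []
    for rec in records:
        alert = rec["event"]["alert"]
        sid, when = alert["signature_id"], rec["event"].get("timestamp")
        want = expected.get(sid)
        if want is None:
            problems.append(f"sid {sid} @ {when}: not in the expected rule set")
            continue
        for field in ("rev", "severity", "signature"):
            if alert.get(field) != want[field]:
                problems.append(f"sid {sid} @ {when}: {field} is {alert.get(field)!r}, expected {want[field]!r}")
        if alert.get("metadata", {}) != want["metadata"]:
            problems.append(f"sid {sid} @ {when}: metadata mismatch")
    return problems

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_LOG_LINES)
    for sid, entry in sorted(summarize(recs).items()):
        print(sid, entry)
    for problem in verify_against_rules(recs, EXPECTED):
        print("MISMATCH", problem)
```

Feed it the lines from the log stream (for example, the output of an aws logs get-log-events or filter-log-events call) and treat any mismatch as a signal to check propagation or the rule file rather than to trust the severity in the log: an automated response keyed on severity will misfire if it runs against alerts from an older rev.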

Additional information

The following is the classification configuration file from Suricata 5.0.2. The classtype value in each firewall rule must be one of these shortnames. The second field becomes the category of the logged alert, and the third field (the default priority) becomes its severity unless the rule sets priority explicitly; 1 is the most severe.

    # config classification:shortname,short description,priority

    config classification: not-suspicious,Not Suspicious Traffic,3
    config classification: unknown,Unknown Traffic,3
    config classification: bad-unknown,Potentially Bad Traffic, 2
    config classification: attempted-recon,Attempted Information Leak,2
    config classification: successful-recon-limited,Information Leak,2
    config classification: successful-recon-largescale,Large Scale Information Leak,2
    config classification: attempted-dos,Attempted Denial of Service,2
    config classification: successful-dos,Denial of Service,2
    config classification: attempted-user,Attempted User Privilege Gain,1
    config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
    config classification: successful-user,Successful User Privilege Gain,1
    config classification: attempted-admin,Attempted Administrator Privilege Gain,1
    config classification: successful-admin,Successful Administrator Privilege Gain,1

    # NEW CLASSIFICATIONS
    config classification: rpc-portmap-decode,Decode of an RPC Query,2
    config classification: shellcode-detect,Executable code was detected,1
    config classification: string-detect,A suspicious string was detected,3
    config classification: suspicious-filename-detect,A suspicious filename was detected,2
    config classification: suspicious-login,An attempted login using a suspicious username was detected,2
    config classification: system-call-detect,A system call was detected,2
    config classification: tcp-connection,A TCP connection was detected,4
    config classification: trojan-activity,A Network Trojan was detected, 1
    config classification: unusual-client-port-connection,A client was using an unusual port,2
    config classification: network-scan,Detection of a Network Scan,3
    config classification: denial-of-service,Detection of a Denial of Service Attack,2
    config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
    config classification: protocol-command-decode,Generic Protocol Command Decode,3
    config classification: web-application-activity,access to a potentially vulnerable web application,2
    config classification: web-application-attack,Web Application Attack,1
    config classification: misc-activity,Misc activity,3
    config classification: misc-attack,Misc Attack,2
    config classification: icmp-event,Generic ICMP event,3
    config classification: inappropriate-content,Inappropriate Content was Detected,1
    config classification: policy-violation,Potential Corporate Privacy Violation,1
    config classification: default-login-attempt,Attempt to login by a default username and password,2

    # Update
    config classification: targeted-activity,Targeted Malicious Activity was Detected,1
    config classification: exploit-kit,Exploit Kit Activity Detected,1
    config classification: external-ip-check,Device Retrieving External IP Address Detected,2
    config classification: domain-c2,Domain Observed Used for C2 Detected,1
    config classification: pup-activity,Possibly Unwanted Program Detected,2
    config classification: credential-theft,Successful Credential Theft Detected,1
    config classification: social-engineering,Possible Social Engineering Attempted,2
    config classification: coin-mining,Crypto Currency Mining Activity Detected,2
    config classification: command-and-control,Malware Command and Control Activity Detected,1