Using IP set references in Suricata compatible rule groups - AWS Network Firewall

Using IP set references in Suricata compatible rule groups

An IP set reference is a rule group variable that references a set of IP addresses or CIDR blocks contained in an AWS resource, such as an Amazon Virtual Private Cloud prefix list. IP set references enable you to dynamically use IP addresses or CIDRs from another AWS service in your Suricata compatible rules. When you create, update, or delete the IP sets that you reference in your rules, Network Firewall automatically updates the rules with the changes. For example, if you add five CIDRs to an IP set resource that you're referencing in a rule, then the rule will automatically include the five CIDRs that you added to the resource.

Network Firewall currently supports the following AWS resources as IP set references:

  • Amazon VPC prefix lists. For information about referencing Amazon VPC prefix lists in your rule groups, see the following section Referencing Amazon VPC prefix lists.

For an example of a rule that uses an IP set reference, see Rule with IP set reference.

For more information about adding IP sets to your Suricata compatible rule groups via the console, see the Creating a stateful rule group procedure.

Limits for IP set references

The following limits apply to IP set references:

  • Maximum of five IP set references per rule group. You can use IP set references alongside IP set variables and port variables in the same rule group; only the IP set references count against this limit.

  • Maximum of 1,000,000 CIDRs per firewall. You can use a maximum of 1,000,000 CIDRs across all of the IP set references used in a single firewall. Network Firewall calculates this total by adding up the CIDRs in each referenced IP set. If you exceed this limit, Network Firewall includes only the first 1,000,000 CIDRs from your referenced IP set resources.

Referencing Amazon VPC prefix lists

Network Firewall currently supports only references to IPv4 prefix lists.

A prefix list is a set of one or more CIDR block entries that you can use to configure security groups, routing tables, and transit gateways in Amazon VPC. A reference to a prefix list helps you to simplify the management of the CIDR blocks in your rules. If you frequently use the same CIDRs across multiple rules, you can manage those CIDRs in a single prefix list, instead of repeatedly referencing the same CIDRs in each rule. If you need to remove a CIDR block, you can remove its entry from the prefix list instead of removing the CIDR from every affected rule.

For more information about Amazon VPC prefix lists, see Group CIDR blocks using managed prefix lists in the Amazon VPC User Guide.
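The following Python example is added here to illustrate the two things the page describes: how a Suricata compatible rule group declares IP set references to VPC prefix lists, and how the per-rule-group reference limit and the per-firewall CIDR total are checked before a definition is submitted. It is not code from this page or from AWS. It assumes the rule group JSON shape used by the Network Firewall API (`ReferenceSets` containing `IPSetReferences`, each with a `ReferenceArn`), assumes that a reference is used inside a rule by prefixing its name with `@` as in the linked "Rule with IP set reference" example, and uses a constructed account ID and prefix list ID; the helper names `validate_rule_group`, `build_rule_group` and `count_referenced_cidrs` are this example's own.

```python
import json
import re
from ipaddress import ip_network

# Limits quoted from the page.
MAX_IP_SET_REFERENCES_PER_RULE_GROUP = 5
MAX_CIDRS_PER_FIREWALL = 1_000_000

# Assumed token form for using an IP set reference inside a rule: "@NAME".
REFERENCE_TOKEN = re.compile(r"@([A-Za-z0-9_]+)")


def validate_rule_group(ip_set_references, rules_string):
    """Return a list of problems found in the definition (empty when acceptable).

    ip_set_references maps a reference variable name to the ARN of the VPC
    prefix list it points at; rules_string is the Suricata rules text.
    """
    problems = []
    if len(ip_set_references) > MAX_IP_SET_REFERENCES_PER_RULE_GROUP:
        problems.append(
            f"{len(ip_set_references)} IP set references exceed the limit of "
            f"{MAX_IP_SET_REFERENCES_PER_RULE_GROUP} per rule group"
        )
    # Every @NAME used in a rule must be declared as an IP set reference.
    referenced = set(REFERENCE_TOKEN.findall(rules_string))
    for name in sorted(referenced - set(ip_set_references)):
        problems.append(f"rule references @{name} but no IP set reference defines it")
    # Only VPC prefix lists are supported as reference targets on this page.
    for name, arn in ip_set_references.items():
        if ":prefix-list/" not in arn:
            problems.append(f"{name}: {arn} is not a VPC prefix list ARN")
    return problems


def build_rule_group(ip_set_references, rules_string):
    """Build the RuleGroup object passed to create-rule-group.

    The ReferenceSets -> IPSetReferences -> {name: {ReferenceArn}} layout is
    assumed from the Network Firewall API (see the lead-in).
    """
    problems = validate_rule_group(ip_set_references, rules_string)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ReferenceSets": {
            "IPSetReferences": {
                name: {"ReferenceArn": arn} for name, arn in ip_set_references.items()
            }
        },
        "RulesSource": {"RulesString": rules_string},
    }


def count_referenced_cidrs(prefix_lists):
    """Add up the CIDR entries of every referenced prefix list, the way the page
    says the 1,000,000-CIDR firewall limit is calculated.

    prefix_lists maps a reference name to that prefix list's entries. Returns
    (total, over_limit, skipped); skipped lists entries that are not IPv4,
    since only IPv4 prefix lists can be referenced.
    """
    total = 0
    skipped = []
    for name, entries in prefix_lists.items():
        for cidr in entries:
            if ip_network(cidr, strict=False).version != 4:
                skipped.append(f"{name}:{cidr}")
                continue
            total += 1
    return total, total > MAX_CIDRS_PER_FIREWALL, skipped


if __name__ == "__main__":
    # Constructed sample: one reference to a prefix list of blocked destinations.
    references = {
        "BLOCKED_DESTINATIONS": (
            "arn:aws:ec2:us-east-1:111122223333:prefix-list/pl-0123456789abcdef0"
        ),
    }
    rules = (
        'drop ip any any -> @BLOCKED_DESTINATIONS any '
        '(msg:"destination is on the blocked prefix list"; sid:1000001; rev:1;)'
    )
    print(json.dumps(build_rule_group(references, rules), indent=2))
    total, over, skipped = count_referenced_cidrs(
        {"BLOCKED_DESTINATIONS": ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"]}
    )
    print(f"referenced CIDRs: {total}, over limit: {over}, skipped: {skipped}")
```

The generated object can be written to a file and passed as the `--rule-group` argument of the CLI's `create-rule-group` command. The validation step is deliberately separate from the build step so that a pipeline can report every problem at once, instead of discovering a missing reference only when the API rejects the request.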