Working with stateful rule groups in AWS Network Firewall

A stateful rule group is a rule group that uses Suricata-compatible intrusion prevention system (IPS) specifications. Suricata is an open source network IPS that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall supports Suricata version 6.0.9.

Stateful rule groups have a configurable top-level setting called StatefulRuleOptions, which contains the RuleOrder attribute. You set RuleOrder in the console when you create a rule group, or in the API under StatefulRuleOptions. You can't change RuleOrder after the rule group is created.

You can enter any stateful rule as a Suricata-compatible string. For standard Suricata rule specifications and for domain list inspection, you can alternatively provide the specifications to Network Firewall and have Network Firewall generate the Suricata-compatible strings for you.
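The two preceding paragraphs describe the two inputs a stateful rule group takes (RuleOrder, fixed at creation time, and the rule source, either raw Suricata strings or a domain list specification). The following Python is an added example, not AWS or Network Firewall code. It runs a pre-submission sanity check over constructed Suricata rule strings (header shape and a unique sid per rule; the regular expression is an assumption of this example, not Suricata's parser) and assembles the CreateRuleGroup request body for both rule sources. The boto3 call itself is left as a comment so the script runs offline.

```python
"""Pre-submission checks and request assembly for a Network Firewall stateful rule group.

Added example (not AWS code). Validates constructed Suricata-compatible rule strings
and builds the CreateRuleGroup request body; the boto3 call is left as a comment.
"""
import json
import re
from typing import Dict, List

# Assumed header shape for the pre-check: action proto src sport dir dst dport (options)
# This regex is a sanity check of this example's own, not Suricata's parser.
_RULE_RE = re.compile(
    r"^(?P<action>alert|pass|drop|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)
_SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")

# Constructed sample rules: block outbound telnet, alert on one HTTP host.
SAMPLE_RULES = [
    'drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Block outbound telnet"; sid:1000001; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP host of interest"; '
    'http.host; content:"example.com"; sid:1000002; rev:1;)',
]

_RULE_ORDERS = ("DEFAULT_ACTION_ORDER", "STRICT_ORDER")


def parse_suricata_rule(rule: str) -> Dict[str, str]:
    """Split one rule into its header fields plus its sid; raise on malformed input."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a well-formed Suricata rule: {rule!r}")
    sid = _SID_RE.search(m.group("options"))
    if not sid:
        raise ValueError(f"rule has no sid option: {rule!r}")
    fields = m.groupdict()
    fields["sid"] = sid.group(1)
    return fields


def validate_rules(rules: List[str]) -> List[str]:
    """Return a list of problems; empty when every rule parses and every sid is unique."""
    errors: List[str] = []
    seen: Dict[str, int] = {}
    for idx, rule in enumerate(rules):
        try:
            sid = parse_suricata_rule(rule)["sid"]
        except ValueError as exc:
            errors.append(f"rule {idx}: {exc}")
            continue
        if sid in seen:
            errors.append(f"rule {idx}: duplicate sid {sid} (first used by rule {seen[sid]})")
        else:
            seen[sid] = idx
    return errors


def _check_rule_order(rule_order: str) -> None:
    # RuleOrder cannot be changed after creation, so reject anything unexpected up front.
    if rule_order not in _RULE_ORDERS:
        raise ValueError(f"unsupported RuleOrder: {rule_order!r}")


def build_rules_string_request(name: str, rules: List[str], rule_order: str, capacity: int) -> dict:
    """Assemble a CreateRuleGroup body that passes raw Suricata strings to Network Firewall."""
    _check_rule_order(rule_order)
    errors = validate_rules(rules)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {"RulesString": "\n".join(rules)},
            "StatefulRuleOptions": {"RuleOrder": rule_order},
        },
    }


def build_domain_list_request(name: str, domains: List[str], generated_rules_type: str,
                              rule_order: str, capacity: int) -> dict:
    """Assemble a body that has Network Firewall generate the rules from a domain list."""
    _check_rule_order(rule_order)
    if generated_rules_type not in ("ALLOWLIST", "DENYLIST"):
        raise ValueError(f"unsupported GeneratedRulesType: {generated_rules_type!r}")
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {"RulesSourceList": {
                "Targets": domains,
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": generated_rules_type,
            }},
            "StatefulRuleOptions": {"RuleOrder": rule_order},
        },
    }


if __name__ == "__main__":
    request = build_rules_string_request("telnet-block-demo", SAMPLE_RULES, "STRICT_ORDER", 100)
    print(json.dumps(request, indent=2))
    # With credentials configured this is the call that would submit it:
    # boto3.client("network-firewall").create_rule_group(**request)
```

The duplicate-sid check matters because the rule group is evaluated as one Suricata rule set; the request-body shape (RulesString versus RulesSourceList under RulesSource, RuleOrder under StatefulRuleOptions) follows the CreateRuleGroup API, while the sid regex and sample rules are this example's own.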

As needed, depending on the rules that you provide, the stateful engine performs deep packet inspection (DPI) of your traffic flows. DPI inspects and processes the payload data within your packets, rather than just the header information.

The rest of this section provides requirements and additional information for using Suricata-compatible rules with Network Firewall. For full information about Suricata, see the Suricata website and the Suricata User Guide.