Limitations and caveats for stateful rules in AWS Network Firewall
AWS Network Firewall stateful rules are Suricata compatible. Most Suricata rules work out of the box with Network Firewall. Your use of Suricata rules with Network Firewall has the restrictions and caveats listed in this section.
Not supported
The following Suricata features are not supported by Network Firewall:
-
Datasets. The keywords
dataset
anddatarep
aren't allowed. -
ENIP/CIP keywords.
-
File extraction. File keywords aren't allowed.
-
FTP-data protocol detection.
-
GeoIP.
-
IP reputation. The
iprep
keyword is not allowed. -
Lua scripting.
-
Rules actions except for pass, drop, and alert. Pass, drop, and alert are supported. For additional information about stateful rule actions, see Stateful actions.
-
Thresholding.
Supported with caveats
The following Suricata features have caveats for use with Network Firewall:
-
The AWS Network Firewall stateful inspection engine supports inspecting inner packets for tunneling protocols such as Generic Routing Encapsulation (GRE). If you want to block the tunneled traffic, you can write rules against the tunnel layer itself or against the inner packet. Due to the service inspecting the different layers, you might see flows and alerts for the packets within the tunnel.
-
To create a rule that requires a variable, you must specify the variable in the rule group. Without the required variables, the rule group isn't valid. For an example of a rule group that's configured with variables, see Rule with variables.
-
In payload keywords, the
pcre
keyword is only allowed with thecontent
keyword. The
priority
keyword is not supported for rule groups that evaluate rules using strict evaluation order.