Threat signature rule groups - AWS Network Firewall

Threat signature rule groups

AWS Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection, for enforcing fair use policies, and for guarding against emerging threats. Currently, Network Firewall supports only Suricata-compatible stateful managed rule groups.

Each entry below gives the category, followed by the managed rule group name in parentheses, and then the description and labels of the signatures it contains.

Malware (ThreatSignaturesMalware)

Signatures that detect malware (TCP, UDP, SMTP, ICMP, SMB, IP) and worms.

Malware - Detects malicious software. Rules in this category detect activity related to malicious software that is detected on the network, including malware in transit, active malware, malware infections, malware attacks, and updating of malware.

Worm - Detects malicious activity that automatically attempts to spread across the internet or within a network by exploiting a vulnerability. While the exploit itself is typically identified in the Exploits category or in the category of the protocol it abuses, an additional entry in this category might be made if the actual malware engaging in worm-like propagation can be identified.

Malware Web (ThreatSignaturesMalwareWeb)

Signatures that detect malicious code in the HTTP and TLS protocols.

Malware Mobile (ThreatSignaturesMalwareMobile)

Signatures that indicate malware associated with mobile and tablet operating systems such as Google Android, Apple iOS, and others. Malware that is detected and is associated with mobile operating systems is generally placed in this category rather than in the standard categories such as Malware.

DoS (ThreatSignaturesDoS)

Signatures that detect Denial of Service (DoS) attempts. These rules are intended to catch inbound DoS activity and to provide an indication of outbound DoS activity.

Botnet (ThreatSignaturesBotnet)

Signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.

Botnet Web (ThreatSignaturesBotnetWeb)

Signatures that detect HTTP botnets.

Botnet Windows (ThreatSignaturesBotnetWindows)

Signatures that detect Windows botnets.

Exploits (ThreatSignaturesExploits)

Exploits - Signatures that protect against direct exploits not otherwise covered in a specific service category. This is the category where you'll find specific attacks against vulnerabilities, such as vulnerabilities in Microsoft Windows. Attacks that have a category of their own, such as SQL injection, are placed in that category instead.

ActiveX - Signatures that protect against attacks on Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls.

FTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). This category also includes rules that detect non-malicious FTP activity, such as logins, for logging purposes.

ICMP - Signatures that protect against attacks and vulnerabilities regarding Internet Control Message Protocol (ICMP).

NetBIOS - Signatures that protect against attacks, exploits, and vulnerabilities regarding NetBIOS. This category also includes rules that detect non-malicious NetBIOS activity for logging purposes.

RPC - Signatures that protect against attacks, exploits, and vulnerabilities regarding Remote Procedure Call (RPC). This category also includes rules that detect non-malicious RPC activity for logging purposes.

ShellCode - For remote shellcode detection. Remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on a local network or intranet. If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcode normally uses standard TCP/IP socket connections to give the attacker access to a shell on the target machine.

SNMP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). This category also includes rules that detect non-malicious SNMP activity for logging purposes.

Telnet - Signatures that protect against attacks, exploits, and vulnerabilities regarding TELNET. This category also includes rules that detect non-malicious TELNET activity for logging purposes.

TFTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Trivial File Transfer Protocol (TFTP). This category also includes rules that detect non-malicious TFTP activity for logging purposes.

VOIP - Signatures that protect against attacks and vulnerabilities regarding Voice over IP (VOIP), including SIP, H.323, and RTP, among others.

SQL - Signatures that protect against attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). This category also includes rules that detect non-malicious SQL activity for logging purposes.

Web Attacks (ThreatSignaturesWeb)

Web Client - Signatures that detect attacks and vulnerabilities regarding web clients such as web browsers, as well as client-side applications like CURL, WGET, and others.

Web Server - Signatures that detect attacks against web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS), and other web server software.

Web Specific Apps - Signatures that detect attacks and vulnerabilities in specific web applications.

Scanners (ThreatSignaturesScanners)

Signatures that detect reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. This category can be useful for detecting early breach activity and post-infection lateral movement within an organization.

Suspect (ThreatSignaturesSuspect)

JA3 - Fingerprints malicious SSL certificates using JA3 hashes. These rules are based on parameters that are in the SSL handshake negotiation by both clients and servers. These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation environments.

Chat - Signatures that identify traffic related to numerous chat clients such as Internet Relay Chat (IRC). Chat traffic can be indicative of possible check-in activity by threat actors.

User Agents - Signatures that detect suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category.

Fair Use Policy (ThreatSignaturesFUP)

Games - Signatures that identify gaming traffic and attacks against those games. These rules cover games such as World of Warcraft, Starcraft, and other popular online games. While these games and their traffic are not malicious, they are often unwanted and prohibited by policy on corporate networks.

Inappropriate - Signatures that identify potential activity related to sites that are pornographic or otherwise not appropriate for a work environment. Warning: This category can have a significant performance impact and a high rate of false positives.

P2P - Signatures that identify peer-to-peer (P2P) traffic and attacks against it. Identified P2P traffic includes torrents, edonkey, Bittorrent, Gnutella, and Limewire, among others.

Policy - Signatures that might indicate violations of an organization's policy. This can include protocols prone to abuse and other application-level transactions that might be of interest.

Compromised (ThreatSignaturesIOC)

Attack Response - Signatures that identify responses indicative of intrusion. Examples include, but are not limited to, LMHost file download, the presence of certain web banners, and detection of the Metasploit Meterpreter kill command. These are designed to catch the results of a successful attack, such as "id=root" or error messages that indicate a compromise may have happened.

Exploit Kit - Signatures that detect activity related to Exploit Kits, their infrastructure, and their delivery.

Emerging Threats (ThreatSignaturesEmergingEvents)

Current Events - Signatures with rules developed in response to active and short-lived campaigns and high-profile items that are expected to be temporary. The rules in this category are ones that are not intended to be kept in the ruleset for long, or that need to be further tested before they are considered for inclusion. Most often these will be simple signatures for the Storm binary URL of the day, or signatures to catch the CLSIDs of newly found vulnerable apps where there is not yet any detail on the exploit.

Mail (ThreatSignaturesMail)

IMAP - Signatures related to attacks, exploits, and vulnerabilities regarding Internet Message Access Protocol (IMAP). This category also includes rules that detect non-malicious IMAP activity for logging purposes.

POP3 - Signatures related to attacks, exploits, and vulnerabilities regarding Post Office Protocol 3.0 (POP3). This category also includes rules that detect non-malicious POP3 activity for logging purposes.

SMTP - Signatures related to attacks, exploits, and vulnerabilities regarding Simple Mail Transfer Protocol (SMTP). This category also includes rules that detect non-malicious SMTP activity for logging purposes.