Threat signature rule groups - AWS Network Firewall

AWS Network Firewall managed threat signature rule groups cover several categories of threat signatures that protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection, for enforcing fair use policies, and for guarding against emerging threats. Currently, Network Firewall supports only Suricata-compatible stateful managed rule groups.

Each rule group name in the table below ends with either StrictOrder or ActionOrder. A firewall policy's rule evaluation order determines which of the two variants you can add to the policy: you can add a rule group ending in StrictOrder only if the policy uses strict order for its stateful rule evaluation, and a rule group ending in ActionOrder only if the policy uses action order. In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see Evaluation order for stateful rule groups.
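The following is an added example, not code from the AWS documentation, showing how the StrictOrder/ActionOrder suffix ties into a firewall policy definition. It builds the JSON document that `aws network-firewall create-firewall-policy --firewall-policy` accepts, referencing managed threat signature rule groups by their managed ARN, and refuses to build a policy whose rule group suffixes contradict the policy's stateful rule order. The region, policy name, priorities, and default actions are assumptions chosen for the example.

```python
import json
import re

# Added example: assumptions not taken from the page are the region, the
# policy name, the priority numbers, and the chosen default actions.
REGION = "us-east-1"
POLICY_NAME = "threat-sig-demo"

# Managed rule groups are referenced by an AWS-owned ARN rather than an
# account ARN; the name is the last path element.
MANAGED_ARN_PREFIX = f"arn:aws:network-firewall:{REGION}:aws-managed:stateful-rulegroup/"

# StatefulEngineOptions.RuleOrder value -> suffix AWS puts on the managed
# threat signature rule group names.
SUFFIX_FOR_ORDER = {
    "STRICT_ORDER": "StrictOrder",
    "DEFAULT_ACTION_ORDER": "ActionOrder",
}


def managed_rule_group_arn(name: str) -> str:
    return MANAGED_ARN_PREFIX + name


def check_rule_group_names(names, rule_order):
    """Return the rule group names whose suffix does not match rule_order.

    The console hides mismatched groups; the API does not build the policy
    for you, so this is the check to run before calling it.
    """
    wanted = SUFFIX_FOR_ORDER[rule_order]
    mismatched = []
    for name in names:
        m = re.search(r"(StrictOrder|ActionOrder)$", name)
        if m is None or m.group(1) != wanted:
            mismatched.append(name)
    return mismatched


def build_firewall_policy(names, rule_order):
    """Build the FirewallPolicy document for the given managed rule groups."""
    mismatched = check_rule_group_names(names, rule_order)
    if mismatched:
        raise ValueError(f"rule groups do not match {rule_order}: {mismatched}")

    policy = {
        # Send all traffic to the stateful engine so the signatures see it.
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": rule_order},
        "StatefulRuleGroupReferences": [],
    }

    if rule_order == "STRICT_ORDER":
        # Strict order evaluates rule groups in the priority you assign and
        # needs stateful default actions for traffic no rule matched: here,
        # drop it and also emit an alert so the drop is logged (assumed choice).
        policy["StatefulDefaultActions"] = ["aws:drop_strict", "aws:alert_strict"]
        for priority, name in enumerate(names, start=1):
            policy["StatefulRuleGroupReferences"].append(
                {"ResourceArn": managed_rule_group_arn(name), "Priority": priority}
            )
    else:
        # Action order evaluates by rule action (pass, drop, reject, alert),
        # so no per-group priority is given.
        for name in names:
            policy["StatefulRuleGroupReferences"].append(
                {"ResourceArn": managed_rule_group_arn(name)}
            )
    return policy


def policy_json(names, rule_order) -> str:
    return json.dumps(build_firewall_policy(names, rule_order), indent=2)


if __name__ == "__main__":
    groups = ["ThreatSignaturesBotnetStrictOrder", "ThreatSignaturesIOCStrictOrder"]
    print(policy_json(groups, "STRICT_ORDER"))
    # Usage (not run here):
    #   aws network-firewall create-firewall-policy \
    #     --firewall-policy-name threat-sig-demo --firewall-policy file://policy.json
```

To see the exact names available in a region before building the policy, `aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_THREAT_SIGNATURES` lists the managed threat signature groups; the check above catches the common mistake of mixing an ActionOrder group into a STRICT_ORDER policy, which the API rejects.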

For each category, the table lists the rule group names (one per evaluation order) followed by the description and, where a category combines several signature sets, the label of each set.

Category: Botnet
Rule groups: ThreatSignaturesBotnetStrictOrder, ThreatSignaturesBotnetActionOrder
Signatures autogenerated from several sources of known and confirmed active botnet and other command and control (C2) hosts.

Category: Botnet Web
Rule groups: ThreatSignaturesBotnetWebStrictOrder, ThreatSignaturesBotnetWebActionOrder
Signatures that detect HTTP-based botnets.

Category: Botnet Windows
Rule groups: ThreatSignaturesBotnetWindowsStrictOrder, ThreatSignaturesBotnetWindowsActionOrder
Signatures that detect Windows botnets.

Category: Compromised
Rule groups: ThreatSignaturesIOCStrictOrder, ThreatSignaturesIOCActionOrder
Attack Response - Signatures that identify responses indicative of a successful intrusion, for example an LMHosts file download, the presence of certain web banners, or a Metasploit Meterpreter kill command. These are designed to catch the results of a successful attack rather than the attack itself, such as command output containing "id=root" or error messages that indicate a compromise may have occurred.
Exploit Kit - Signatures that detect activity related to exploit kits, their infrastructure, and their delivery.

Category: DoS
Rule groups: ThreatSignaturesDoSStrictOrder, ThreatSignaturesDoSActionOrder
Signatures that detect denial of service (DoS) attempts. These rules are intended to catch inbound DoS activity and to give an indication of outbound DoS activity.

Category: Emerging Threats
Rule groups: ThreatSignaturesEmergingEventsStrictOrder, ThreatSignaturesEmergingEventsActionOrder
Current Events - Signatures developed in response to active, short-lived campaigns and high-profile items that are expected to be temporary. Rules in this category are not intended to remain in the ruleset for long, or need further testing before they are considered for a permanent category. Most often these are simple signatures for the malware binary URL of the day, or signatures that catch the CLSIDs of newly discovered vulnerable applications for which no exploit details are yet available.

Category: Exploits
Rule groups: ThreatSignaturesExploitsStrictOrder, ThreatSignaturesExploitsActionOrder
Exploits - Signatures that protect against direct exploits not covered by a more specific service category. This is where you find attacks against specific vulnerabilities, such as those in Microsoft Windows; attack types that have their own category, such as SQL injection, are not included here.
ActiveX - Signatures that protect against attacks on Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls.
FTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). This category also includes rules that detect non-malicious FTP activity, such as logins, for logging purposes.
ICMP - Signatures that protect against attacks and vulnerabilities regarding Internet Control Message Protocol (ICMP).
NetBIOS - Signatures that protect against attacks, exploits, and vulnerabilities regarding NetBIOS. This category also includes rules that detect non-malicious NetBIOS activity for logging purposes.
RPC - Signatures that protect against attacks, exploits, and vulnerabilities regarding Remote Procedure Call (RPC). This category also includes rules that detect non-malicious RPC activity for logging purposes.
ShellCode - Signatures for remote shellcode detection. Remote shellcode is used when an attacker targets a vulnerable process running on another machine on a local network or intranet. If executed successfully, the shellcode gives the attacker access to the target machine across the network, normally by exposing a shell over a standard TCP/IP socket connection.
SNMP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). This category also includes rules that detect non-malicious SNMP activity for logging purposes.
Telnet - Signatures that protect against attacks, exploits, and vulnerabilities regarding Telnet. This category also includes rules that detect non-malicious Telnet activity for logging purposes.
TFTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Trivial File Transfer Protocol (TFTP). This category also includes rules that detect non-malicious TFTP activity for logging purposes.
VoIP - Signatures that protect against attacks and vulnerabilities regarding Voice over IP (VoIP), including SIP, H.323, and RTP among others.
SQL - Signatures that protect against attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). This category also includes rules that detect non-malicious SQL activity for logging purposes.

Category: FUP
Rule groups: ThreatSignaturesFUPStrictOrder, ThreatSignaturesFUPActionOrder
Fair use policy (FUP) signatures that detect gaming traffic, potentially inappropriate websites, and peer-to-peer (P2P) traffic, as well as signatures that may indicate violations of an organization's acceptable use policy.

Category: Malware
Rule groups: ThreatSignaturesMalwareStrictOrder, ThreatSignaturesMalwareActionOrder
Signatures that detect malware over TCP, UDP, SMTP, ICMP, SMB, and IP, and that detect worms.
Malware - Detects malicious software. Rules in this category detect activity related to malicious software observed on the network, including malware in transit, active malware, malware infections, malware attacks, and malware updating itself.
Worm - Detects malicious activity that automatically attempts to spread across the internet or within a network by exploiting a vulnerability. While the exploit itself is typically identified in the Exploits or relevant protocol category, an additional entry is made in this category when the malware engaging in worm-like propagation can itself be identified.

Category: Malware Coin Mining
Rule groups: ThreatSignaturesMalwareCoinminingStrictOrder, ThreatSignaturesMalwareCoinminingActionOrder
Signatures that detect malware that performs coin mining. These signatures can also detect some legitimate, though often undesirable, coin mining software.

Category: Malware Mobile
Rule groups: ThreatSignaturesMalwareMobileStrictOrder, ThreatSignaturesMalwareMobileActionOrder
Signatures that indicate malware associated with mobile and tablet operating systems such as Google Android, Apple iOS, and others. Malware that is associated with a mobile operating system is generally placed in this category rather than in the standard categories such as Malware.

Category: Malware Web
Rule groups: ThreatSignaturesMalwareWebStrictOrder, ThreatSignaturesMalwareWebActionOrder
Signatures that detect malicious code carried over HTTP and TLS.

Category: Phishing
Rule groups: ThreatSignaturesPhishingStrictOrder, ThreatSignaturesPhishingActionOrder
Signatures that detect credential phishing activity. This includes landing pages that exhibit credential phishing as well as the successful submission of credentials to credential phishing sites.

Category: Scanners
Rule groups: ThreatSignaturesScannersStrictOrder, ThreatSignaturesScannersActionOrder
Signatures that detect reconnaissance and probing from tools such as Nessus, Nikto, and port scanners. This category can be useful for detecting early-stage breach activity and post-infection lateral movement within an organization.

Category: Suspect
Rule groups: ThreatSignaturesSuspectStrictOrder, ThreatSignaturesSuspectActionOrder
JA3 - Fingerprints TLS clients and servers associated with malicious activity using JA3 hashes. A JA3 hash is computed from the parameters offered in the TLS (SSL) handshake by the client (and, for JA3S, by the server), not from the certificate, so these rules match a tool's TLS stack rather than a particular destination. They can have a high false positive rate, because legitimate software can share a fingerprint with malware, but are very useful for threat hunting or in malware detonation environments.
Chat - Signatures that identify traffic related to numerous chat clients such as Internet Relay Chat (IRC). Chat traffic can be indicative of check-in activity by threat actors.
User Agents - Signatures that detect suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category.

Category: Web Attacks
Rule groups: ThreatSignaturesWebAttacksStrictOrder, ThreatSignaturesWebAttacksActionOrder
Web Client - Signatures that detect attacks and vulnerabilities regarding web clients such as web browsers, as well as client-side tools like curl, wget, and others.
Web Server - Signatures that detect attacks against web server infrastructure such as Apache HTTP Server, Apache Tomcat, NGINX, Microsoft Internet Information Services (IIS), and other web server software.
Web Specific Apps - Signatures that detect attacks and vulnerabilities in specific web applications.