Alert for non-TLS traffic on TLS ports Rule with variables Domain filtering

Examples of Suricata compatible rules for Network Firewall

This section lists examples of Suricata compatible rules for use with AWS Network Firewall.

Alert for non-TLS traffic on TLS ports

The following rule generates an alert when non-TLS traffic is detected on TCP ports 443 or 465.


alert tcp any any -> any [443,465] (msg:"Detected non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 90, count 1; sid:210003; rev:1;)

To create a rule group JSON file containing the above rule, you specify the following.


{ 
"RulesSource": { 
    "RulesString": "alert tcp any any -> any [443,465] (msg:\"Detected non-TLS on TLS port\"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 90, count 1; sid:210003; rev:1;)"
}
}

Rule with variables

The following JSON defines a Suricata compatible rule group that uses the variables HTTP_SERVERS and HTTP_PORTS, with the variable definitions provided in the rule group declaration.


{ 
"RuleVariables": {
    "IPSets": {
        "HTTP_SERVERS": {
            "Definition": [
                "10.0.2.0/24",
                "10.0.1.19"
            ]
        }                       
    },
    "PortSets": {
        "HTTP_PORTS": {
            "Definition": ["80", "8080"]
        }
    }
},
"RulesSource": { 
    "RulesString": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)"
}
}

The variable EXTERNAL_NET is a Suricata standard variable that represents the traffic destination. For more information, see https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#ports-source-and-destination.

Domain filtering

The following shows an example stateful rule that blocks HTTP/S egress traffic to the specified domains. The . before the domain name in .example.com is the wildcard indicator in Suricata.


{
"RulesSource": {
    "RulesSourceList": {
        "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
        "Targets": [
            "www.example.test",
            ".example.com"
        ],
        "GeneratedRulesType": "DENYLIST"
    }
}
}

To use this rule, we save the JSON to a local file domainblock.example.json, and then create the rule group in the following CLI command:


aws network-firewall create-rule-group --rule-group-name "RuleGroupName" --type STATEFUL --rule-group file://domainblock.example.json --capacity 1000

The console also provides an entry form for domain filtering in the Domain list stateful rule group. For information, see Creating a stateful rule group.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Best practices

Rule group capacity