Examples of stateful rules for Network Firewall
This section lists examples of Suricata compatible rules that could be used with AWS Network Firewall.
Examples are not intended to be used in your Network Firewall configuration exactly as they are listed.
The examples provide general information and sample rule specifications for common use cases. Before using any rule from these examples or elsewhere, test and adjust it carefully to be sure that it fits your needs. It's your responsibility to ensure that each rule that you use is suited to your specific use case and functioning the way that you want it to.
Rule with variables
Before using any example rule listing, test and adapt it to your needs.
The following JSON defines an example Suricata compatible rule
group that uses the variables HTTP_SERVERS and
HTTP_PORTS, with the variable
definitions provided in the rule group declaration.
{ "RuleVariables": { "IPSets": { "HTTP_SERVERS": { "Definition": [ "10.0.2.0/24", "10.0.1.19" ] } }, "PortSets": { "HTTP_PORTS": { "Definition": ["80", "8080"] } } }, "RulesSource": { "RulesString": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)" } }
The variable EXTERNAL_NET is a Suricata standard variable that
represents the traffic destination. For more information, see https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#ports-source-and-destination
Domain filtering
Before using any example rule listing, test and adapt it to your needs.
Deny list example JSON, rule group creation, and generated Suricata rules
The following JSON shows an example rule definition for a Network Firewall domain list rule group that specifies a deny list.
{ "RulesSource": { "RulesSourceList": { "Targets": [ "evil.com" ], "TargetTypes": [ "TLS_SNI", "HTTP_HOST" ], "GeneratedRulesType": "DENYLIST" } } }
To use the Network Firewall rule specification, we save the JSON to a
local file domainblock.example.json, and then
create the rule group in the following CLI command:
aws network-firewall create-rule-group --rule-group-name "RuleGroupName" --type STATEFUL --rule-group file://domainblock.example.json --capacity 1000
The following Suricata rules listing shows the rules that Network Firewall creates for the above deny list specification.
drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"evil.com"; startswith; nocase; endswith; msg:"matching TLS denylisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1; gid:255;) drop http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"evil.com"; startswith; endswith; msg:"matching HTTP denylisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1; gid:255;)
HTTP allow list example JSON and generated Suricata rules
The following JSON shows an example rule definition
for a Network Firewall domain list rule group that
specifies an HTTP allow list. The .
before the domain name in .amazon.com
is the wildcard indicator in Suricata.
{ "RulesSource": { "RulesSourceList": { "Targets": [ ".amazon.com", "example.com" ], "TargetTypes": [ "HTTP_HOST" ], "GeneratedRulesType": "ALLOWLIST" } } }
The following Suricata rules listing shows the rules that Network Firewall for the above allow list specification.
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazon.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1; gid:1024;) pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1; gid:1024;) drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1; gid:1024;)
TLS allow list example JSON and generated Suricata rules
The following JSON shows an example rule definition for a Network Firewall domain list rule group that specifies a TLS allow list.
{ "RulesSource": { "RulesSourceList": { "Targets": [ ".amazon.com", "example.com" ], "TargetTypes": [ "TLS_SNI" ], "GeneratedRulesType": "ALLOWLIST" } } }
The following Suricata rules listing shows the rules that Network Firewall for the above allow list specification.
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazon.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1; gid:255;) pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1; gid:255;) drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1; gid:255;)
Standard stateful rule groups
The following JSON shows an example rule definition for a Network Firewall basic stateful rule group.
{ "RulesSource": { "StatefulRules": [ { "Action": "DROP", "Header": { "Protocol": "HTTP", "Source": "$HOME_NET", "SourcePort": "ANY", "Direction": "ANY", "Destination": "$EXTERNAL_NET", "DestinationPort": "ANY" }, "RuleOptions": [ { "Keyword": "msg", "Settings": [ "\"this is a stateful drop rule\"" ] }, { "Keyword": "sid", "Settings": [ "1234" ] } ] } ] } }
The following Suricata rules listing shows the rules that Network Firewall for the above deny list specification.
drop http $HOME_NET ANY <> $EXTERNAL_NET ANY (msg:this is a stateful drop rule; sid:1234; gid:123;)
Managing rule evaluation order
Before using any example rule listing, test and adapt it to your needs.
The examples in this section demonstrate ways to modify evaluation behavior by modifying rule evaluation order in Suricata compatible rules. For information about managing rule evaluation order, see Evaluation order for stateful rules.
Allow HTTP traffic to specific domains only, allow all SSH traffic, and deny all other TCP traffic:
drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Drop established TCP:80"; flow: from_client,established; sid:172190; priority:5; rev:1;) pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:10; sid:172191; rev:1;) pass tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"Allow TCP 22"; sid:172192; rev:1;) drop tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"Drop All non-TCP:80"; sid:172193; priority:2; rev:1;)
Allow HTTP traffic to specific domains only:
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:1; sid:102120; rev:1;) pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".mydomain.test"; endswith; msg:"Allowed HTTP domain"; priority:1; sid:102121; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Drop HTTP traffic"; priority:1; sid:102122; rev:1;)
Allow HTTP traffic to specific domains only and deny all other IP traffic:
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:1; sid:892120; rev:1;) drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Drop established non-HTTP to TCP:80"; flow: from_client,established; sid:892191; priority:5; rev:1;) drop ip $HOME_NET any <> $EXTERNAL_NET any (msg: "Drop non-TCP traffic."; ip_proto:!TCP;sid:892192; rev:1;) drop tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"Drop All non-TCP:80"; sid:892193; priority:2; rev:1;)
