
Examples of Suricata compatible rules for Network Firewall

This section lists examples of Suricata compatible rules for use with AWS Network Firewall.

Alert for non-TLS traffic on TLS ports

The following rule generates an alert when client-to-server traffic on TCP port 443 or 465 is not identified by Suricata's application-layer protocol detection as TLS. The threshold keyword limits the output to one alert per source IP address every 90 seconds, so a single noisy client does not flood the logs.

alert tcp any any -> any [443,465] (msg:"Detected non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 90, count 1; sid:210003; rev:1;)

To create a rule group JSON file containing the above rule, you specify the following.

{
  "RulesSource": {
    "RulesString": "alert tcp any any -> any [443,465] (msg:\"Detected non-TLS on TLS port\"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 90, count 1; sid:210003; rev:1;)"
  }
}

Rule with variables

The following JSON defines a Suricata compatible rule group whose rule references the variables $HTTP_SERVERS (an IP set) and $HTTP_PORTS (a port set). Both are defined in the RuleVariables section of the same rule group declaration; a rule that references a variable that is neither defined there nor built in is rejected when the rule group is created.

{
  "RuleVariables": {
    "IPSets": {
      "HTTP_SERVERS": {
        "Definition": [ "10.0.2.0/24", "10.0.1.19" ]
      }
    },
    "PortSets": {
      "HTTP_PORTS": {
        "Definition": [ "80", "8080" ]
      }
    }
  },
  "RulesSource": {
    "RulesString": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)"
  }
}

The variable $EXTERNAL_NET is a standard Suricata variable that represents the networks outside the protected network ($HOME_NET); Suricata's default configuration defines it as !$HOME_NET. In this rule it is the traffic source, so the rule matches requests arriving from outside to the listed HTTP servers and ports. For more information, see https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#ports-source-and-destination.
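The two rule groups above are easy to get wrong by hand: the Suricata rule string has to be JSON-escaped, every sid must be unique, and every $VARIABLE the rule references has to exist in RuleVariables. The following added example (not from the AWS documentation) builds the rule group body for the rules shown above and performs those checks before the JSON is written. It assumes that HOME_NET and EXTERNAL_NET are the only variables Network Firewall provides by default; any other name must be defined in IPSets or PortSets.

```python
"""Build an AWS Network Firewall stateful rule group body from Suricata rules.

Added example, not from the AWS documentation. It assembles the
RulesSource / RuleVariables JSON shown in this section and rejects two
mistakes the API also rejects: duplicate sids and rule variables that are
not defined in the rule group.
"""
import json
import re

# Assumption: HOME_NET and EXTERNAL_NET are built in; everything else must
# be declared in RuleVariables.
BUILTIN_VARS = {"HOME_NET", "EXTERNAL_NET"}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def referenced_variables(rule: str) -> set:
    """Return the set of $NAME variables used anywhere in a rule."""
    return set(VAR_RE.findall(rule))


def build_rule_group(rules, ip_sets=None, port_sets=None):
    """Return the dict that serialises to the rule group JSON file.

    rules:     list of Suricata rule strings (one rule each)
    ip_sets:   {"HTTP_SERVERS": ["10.0.2.0/24", ...]}
    port_sets: {"HTTP_PORTS": ["80", "8080"]}
    """
    ip_sets = ip_sets or {}
    port_sets = port_sets or {}
    defined = BUILTIN_VARS | set(ip_sets) | set(port_sets)
    seen_sids = set()
    for rule in rules:
        m = SID_RE.search(rule)
        if not m:
            raise ValueError(f"rule has no sid: {rule}")
        sid = int(m.group(1))
        if sid in seen_sids:
            raise ValueError(f"duplicate sid {sid}")
        seen_sids.add(sid)
        missing = referenced_variables(rule) - defined
        if missing:
            raise ValueError(f"undefined variables {sorted(missing)} in sid {sid}")

    body = {}
    if ip_sets or port_sets:
        body["RuleVariables"] = {}
        if ip_sets:
            body["RuleVariables"]["IPSets"] = {
                name: {"Definition": list(cidrs)} for name, cidrs in ip_sets.items()
            }
        if port_sets:
            body["RuleVariables"]["PortSets"] = {
                name: {"Definition": list(ports)} for name, ports in port_sets.items()
            }
    # Multiple rules go into one RulesString separated by newlines;
    # json.dumps takes care of escaping the quotes inside msg:"...".
    body["RulesSource"] = {"RulesString": "\n".join(rules)}
    return body


# The two rules from this section, reused as sample input.
RULES = [
    'alert tcp any any -> any [443,465] (msg:"Detected non-TLS on TLS port"; '
    'flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, '
    'seconds 90, count 1; sid:210003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:".htpasswd access attempt"; '
    'flow:to_server,established; content:".htpasswd"; nocase; sid:210503; rev:1;)',
]

if __name__ == "__main__":
    group = build_rule_group(
        RULES,
        ip_sets={"HTTP_SERVERS": ["10.0.2.0/24", "10.0.1.19"]},
        port_sets={"HTTP_PORTS": ["80", "8080"]},
    )
    # Write this to a file and pass it as --rule-group file://rulegroup.json
    print(json.dumps(group, indent=2))
```

Calling build_rule_group(RULES) without the IP and port sets raises ValueError because the second rule references $HTTP_SERVERS and $HTTP_PORTS, which is the same failure you would otherwise only see from the create-rule-group API call.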

Domain filtering

The following shows an example stateful rule group that uses a domain list to block outbound HTTP and HTTPS traffic to the specified domains. The TLS_SNI target type matches the Server Name Indication the client sends in the TLS ClientHello (HTTPS); HTTP_HOST matches the Host header of plaintext HTTP. A leading period, as in .example.com, matches example.com and all of its subdomains; a name without the leading period, such as www.example.test, matches only that exact host name. Because the match is made on the name the client presents, a connection that carries no SNI or Host header (for example, one made directly to an IP address) is not matched by these rules.

{
  "RulesSource": {
    "RulesSourceList": {
      "TargetTypes": [ "TLS_SNI", "HTTP_HOST" ],
      "Targets": [ "www.example.test", ".example.com" ],
      "GeneratedRulesType": "DENYLIST"
    }
  }
}

To create the rule group, save the JSON to a local file, domainblock.example.json, and run the following CLI command, replacing RuleGroupName with a name of your own:

aws network-firewall create-rule-group --rule-group-name "RuleGroupName" --type STATEFUL --rule-group file://domainblock.example.json --capacity 1000
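The matching semantics above are worth checking before a domain list goes into production, since a missing leading period silently turns a subdomain block into an exact-name block. The following added example (not AWS code, and not the rule generator Network Firewall runs internally) does two things: match_domain() implements the domain-list semantics described above so you can test candidate host names against a list offline, and generate_rules() writes out hand-written Suricata rules that express the same denylist with the tls.sni and http.host sticky buffers and the dotprefix, startswith and endswith keywords. The generated rules are an equivalent form for review, and are assumed, not confirmed, to behave like the rules Network Firewall generates from the RulesSourceList.

```python
"""Domain-list matching and equivalent Suricata rules.

Added example, not from AWS and not Network Firewall's own rule generator.
Leading-dot entries (".example.com") match the domain and all subdomains;
other entries match exactly. Host names are compared case-insensitively
and without a trailing dot, as DNS names are.
"""

# target type -> (Suricata protocol keyword, sticky buffer holding the name)
NAME_BUFFER = {
    "TLS_SNI": ("tls", "tls.sni"),
    "HTTP_HOST": ("http", "http.host"),
}


def match_domain(hostname: str, targets) -> bool:
    """True if hostname is covered by the domain list targets."""
    host = hostname.lower().rstrip(".")
    for target in targets:
        target = target.lower()
        if target.startswith("."):
            # ".example.com" covers example.com itself and every subdomain,
            # but not notexample.com (the dot must be a label boundary).
            if host == target[1:] or host.endswith(target):
                return True
        elif host == target:
            return True
    return False


def generate_rules(targets, target_types, generated_type, base_sid=1):
    """Return one Suricata rule per (target type, target) for a DENYLIST.

    Assumption: only DENYLIST is handled here. An ALLOWLIST needs pass rules
    plus a catch-all drop, which is deliberately left out of this example.
    """
    if generated_type != "DENYLIST":
        raise NotImplementedError("only DENYLIST is implemented in this example")
    rules = []
    sid = base_sid
    for ttype in target_types:
        proto, buf = NAME_BUFFER[ttype]
        for target in targets:
            if target.startswith("."):
                # dotprefix prepends "." to the buffer before matching, so
                # "example.com" and "a.example.com" both end with
                # ".example.com" while "notexample.com" does not.
                match = f'{buf}; dotprefix; content:"{target}"; nocase; endswith;'
            else:
                # startswith + endswith together force an exact match.
                match = f'{buf}; content:"{target}"; nocase; startswith; endswith;'
            rules.append(
                f"drop {proto} $HOME_NET any -> $EXTERNAL_NET any "
                f'({match} msg:"{ttype} {generated_type} {target}"; '
                f"flow:to_server; sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules


# The domain list from this section, reused as sample input.
TARGETS = ["www.example.test", ".example.com"]

if __name__ == "__main__":
    for name in ["example.com", "api.example.com", "notexample.com", "example.test"]:
        print(f"{name:20s} blocked={match_domain(name, TARGETS)}")
    for rule in generate_rules(TARGETS, ["TLS_SNI", "HTTP_HOST"], "DENYLIST", base_sid=100):
        print(rule)
```

Running the block shows that example.com and api.example.com are blocked while notexample.com and example.test are not; the second result is the one that surprises people, because www.example.test was listed without a leading period and therefore does not cover its parent domain.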

The console also provides an entry form for domain filtering in the Domain list stateful rule group. For information, see Creating a stateful rule group.