Limitations and caveats for Suricata rules in AWS Network Firewall - Network Firewall

AWS Network Firewall stateful rules are Suricata compatible. Most Suricata rules work out of the box with Network Firewall. Your use of Suricata rules with Network Firewall has the restrictions and caveats listed in this section.

Not supported

The following Suricata features are not supported by Network Firewall:

  • IP reputation. The iprep keyword is not allowed.

  • Lua scripting.

  • GeoIP.

  • File extraction. File keywords aren't allowed.

  • JA3 keywords.

  • ENIP/CIP keywords.

  • Datasets. The keywords dataset and datarep aren't allowed.

  • Rule actions other than pass, drop, and alert. Only pass, drop, and alert are supported. For additional information about stateful rule actions, see Stateful actions.

Supported with caveats

The following Suricata features have caveats for use with Network Firewall:

  • To create a rule that requires a variable, you must specify the variable in the rule group. Without the required variables, the rule group is not valid. For an example of a rule group that's configured with variables, see Rule with variables.

  • In payload keywords, the pcre keyword is only allowed with the content keyword.
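As an added example (not code from the AWS documentation), the following Python linter flags the unsupported features and caveats listed in this section before a rule is submitted in a rule group, so an incompatible rule is caught locally rather than at create time. The keyword spellings it checks are taken from Suricata's own keyword names, and the `defined_vars` parameter (the variable names your rule group declares) is an assumption of this example.

```python
import re

# Keywords Network Firewall rejects, grouped by the features listed above. The exact
# spellings are an assumption based on Suricata's keyword names, not on AWS documentation.
UNSUPPORTED_KEYWORDS = {
    "iprep",                                   # IP reputation
    "lua", "luajit",                           # Lua scripting
    "geoip",                                   # GeoIP
    "filestore", "filemd5", "filesha1", "filesha256", "fileext", "filename",
    "filesize", "filemagic",                   # file extraction
    "ja3.hash", "ja3.string", "ja3s.hash", "ja3s.string", "ja3_hash", "ja3_string",
    "enip_command", "cip_service",             # ENIP/CIP
    "dataset", "datarep",                      # datasets
}
SUPPORTED_ACTIONS = {"pass", "drop", "alert"}
# action proto src sport direction dst dport (options); address/port lists must not contain spaces
RULE_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' while leaving ';' inside quoted values (e.g. pcre) intact."""
    opts, cur, in_quotes, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    return [o for o in opts + [tail] if o]

def check_rule(rule, defined_vars=()):
    """Return the compatibility problems found in one rule; an empty list means none were found."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    action, *header, body = m.groups()
    keys = [opt.partition(":")[0].strip().lower() for opt in split_options(body)]
    problems = []
    if action.lower() not in SUPPORTED_ACTIONS:
        problems.append("unsupported action %r" % action)
    problems += ["unsupported keyword %r" % k for k in keys if k in UNSUPPORTED_KEYWORDS]
    if "pcre" in keys and "content" not in keys:
        problems.append("pcre requires a content keyword in the same rule")
    # every $VARIABLE in the header must be declared in the rule group's variables
    for var in re.findall(r"\$(\w+)", " ".join(header)):
        if var not in defined_vars:
            problems.append("variable $%s is not defined in the rule group" % var)
    return problems
```

Run `check_rule` over each line of a rules file with the rule group's variable names and reject the group if any rule returns a non-empty list.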