AWS Network Firewall - Suricata rules not working as expected

0

I have configured Suricata IPS rules (from Emerging Threats) and during testing observed that rules are not working as expected. For example, the below generic rule is working as expected:

drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)

However, the below rules taken from Emerging Threats are not working:

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04; sid:102340; rev:1;)

drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).

asked 2 years ago, 367 views
2 answers
0

Just a guess from my own tests... Check your NACLs. Ephemeral ports need to be allowed for the response, otherwise Network Firewall can't identify the "HTTP" (L7) protocol.

bacatta
answered 2 years ago
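To make the point above checkable, here is an added example (not code from either poster or from AWS) that first flags which of the three posted rules can only match once the firewall sees the server's replies, and then walks a NACL for gaps in the ephemeral port range. The NACL entries are constructed and follow the field names of the describe-network-acls output; the rule strings are shortened copies of the ones in the question.

```python
# Constructed inputs (not from the post): rules shaped like the three above, sids kept,
# and NACL entries in the shape returned by describe-network-acls.
RULES = [
    'drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET UA"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; sid:102340; rev:1;)',
    'drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL traversal"; flow:to_server,established; content:"../../../"; sid:2101199; rev:13;)',
]
SERVICE_ONLY = [  # only the service ports are open, so replies on ephemeral ports are dropped
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "PortRange": {"From": 80, "To": 80}, "RuleAction": "allow"},
    {"RuleNumber": 110, "Egress": False, "Protocol": "6", "PortRange": {"From": 2301, "To": 2301}, "RuleAction": "allow"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny"},
]
WITH_EPHEMERAL = SERVICE_ONLY[:2] + [  # same NACL with the ephemeral range opened for replies
    {"RuleNumber": 120, "Egress": False, "Protocol": "6", "PortRange": {"From": 1024, "To": 65535}, "RuleAction": "allow"},
    SERVICE_ONLY[2],
]
EPHEMERAL = (1024, 65535)
L3_PROTOS = {"tcp", "udp", "icmp", "ip"}

def needs_return_traffic(rule: str) -> bool:
    # An app-layer protocol (http, tls, ...) needs protocol detection on the stream and
    # flow:established needs the completed handshake: both require seeing the replies.
    proto = rule.split()[1].lower()
    opts = rule[rule.index("(") + 1:].split(";")
    return proto not in L3_PROTOS or any(o.strip().startswith("flow:") and "established" in o for o in opts)

def nacl_action(entries, port, protocol="6", egress=False):
    # AWS semantics: ascending rule number, first match wins, -1 matches every protocol,
    # implicit deny when no entry matches.
    for e in sorted((x for x in entries if x["Egress"] == egress), key=lambda x: x["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"]
    return "deny"

def ephemeral_gaps(entries, egress=False):
    # Ranges inside 1024-65535 that the NACL denies for TCP: replies to clients using
    # those source ports never reach the firewall, so the rules flagged above stay silent.
    gaps, start = [], None
    for port in range(EPHEMERAL[0], EPHEMERAL[1] + 2):  # +2: one past the end flushes an open gap
        denied = port <= EPHEMERAL[1] and nacl_action(entries, port, egress=egress) == "deny"
        if denied and start is None:
            start = port
        elif not denied and start is not None:
            gaps.append((start, port - 1))
            start = None
    return gaps
```

Run `ephemeral_gaps` against the ingress entries of the client subnet's NACL (and with `egress=True` against the server side); an empty list means the replies can reach the firewall, so the `http` and `flow:established` rules have a chance to match.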
0

Hi,

Could you please expand upon what you mean by the rules do not work? And how this is being tested?

If you have a premium support subscription, I would advise that you open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create as we require details that are non-public information.

I have identified an AWS doc that touches on Emerging Threats rules and testing them: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/

Also see the limitations and caveats for stateful rules in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

AWS
SUPPORT ENGINEER
answered 2 years ago
