Custom suricata rules in AWS Network Firewall for AWS services and NTP traffic

Question

Hello, how would I write a suricata rule for allowing all traffic going to AWS services?

I'd also like to know how to block all traffic going to port 123 except for NTP.

Thanks!

Accepted Answer

Hello!

For the first rule it would look like this:

pass tls any any -> any any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; flow:to_server, established; sid:123456)

The "dotprefix" option will let you pass all traffic going to subdomains of .amazonaws.com

The sid is just a random number, we recommend at least 6 unique digits for every rule to make it easier when you're searching logs.

For the second rule you would want something like this:

drop udp any any -> any 123 (flow:established; app-layer-protocol:!ntp; sid:123456;)

Relevanter Inhalt