AWS Network Firewall - Strict order and suricata emerging rules

I'm trying to create a firewall rule group in AWS Network Firewall of type strict order. When I paste in the Suricata rules, e.g. the Emerging Threats rules: https://rules.emergingthreats.net/open/suricata-5.0/rules/, it complains with "RulesString is invalid". If I pick the default rule order, I can save it.

Any idea why I can't save emerging rules with strict order processing? How can I get this to work with strict order?

Thanks! cd

1 Answer

Accepted answer

Strict Order does not support the priority keyword, as follows: "The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

But the symptom you're facing is that you cannot create a Suricata rule even without the priority keyword. I did some tests and realized that "classtype" in your rule caused the "RuleString is invalid" error.

I couldn't find an AWS public doc indicating that Strict Order does not support the "classtype" keyword. But if you look at the definition of the "classtype" keyword, it includes priority.

6.2.5. classtype: "The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational or is about a hack etcetera. For each classtype, the classification.config has a priority which will be used in the rule."

https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html

Can you try again without the classtype keyword?

Thanks

AWS
answered 2 years ago
EXPERT
reviewed 6 months ago
  • Hi Eunsun_Shin,

    You are 100% correct.

    Before:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)

    After:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
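The Before/After pair above shows the fix for one rule; for a whole Emerging Threats ruleset you want to do it mechanically and without corrupting rules whose quoted content happens to contain the text "classtype:" or a semicolon. The script below is an added example, not code from the thread, AWS, or the Suricata project. It splits each rule's option block on ";" while honouring double-quoted values (and backslash escapes inside them), drops only the top-level classtype and priority options, which are the two keywords the answer and the linked AWS limitations page identify as rejected by strict-order rule groups, and leaves comments, blank lines and anything it cannot parse untouched. The file path handling under `__main__` is a hypothetical convenience; the sample rule constants are copied from the Before/After lines of the comment above.

```python
import sys

# Keywords a strict-order AWS Network Firewall rule group rejects:
# "priority" per the AWS limitations page, "classtype" per the accepted
# answer (its definition carries a priority). Assumption of this example.
UNSUPPORTED_KEYWORDS = {"classtype", "priority"}

# Rule pair taken from the comment above: the first fails with
# "RulesString is invalid" in a strict-order rule group, the second saves.
BEFORE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious '
    'User-Agent (test-upload)"; flow:established,to_server; http.user_agent; '
    'content:"test-upload"; nocase; bsize:11; '
    'reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; '
    'sid:2034548; rev:1; metadata:attack_target Client_Endpoint, '
    'created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, '
    'signature_severity Informational, updated_at 2021_11_29;)'
)
AFTER_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious '
    'User-Agent (test-upload)"; flow:established,to_server; http.user_agent; '
    'content:"test-upload"; nocase; bsize:11; '
    'reference:md5,c110a5814451bbfba9eb41a2b2328213; '
    'sid:2034548; rev:1; metadata:attack_target Client_Endpoint, '
    'created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, '
    'signature_severity Informational, updated_at 2021_11_29;)'
)


def split_options(body: str) -> list:
    """Split a rule's option block on ';' outside double quotes.

    A ';' inside msg:"..." or content:"..." is part of the value, and a
    backslash inside quotes escapes the next character, so a naive
    str.split(';') would break such rules.
    """
    parts, buf, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:               # character after a backslash: literal
            buf.append(ch)
            escape = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:                     # option without a trailing ';'
        parts.append(tail)
    return parts


def strip_unsupported(rule: str) -> str:
    """Return the rule with top-level classtype/priority options removed.

    Comments, blank lines and lines without a recognisable option block are
    returned unchanged so the caller can see what was not converted.
    """
    line = rule.strip()
    if not line or line.startswith("#"):
        return rule
    open_idx, close_idx = line.find("("), line.rfind(")")
    if open_idx == -1 or close_idx < open_idx:
        return rule
    header = line[:open_idx].rstrip()
    kept = []
    for opt in split_options(line[open_idx + 1:close_idx]):
        keyword = opt.split(":", 1)[0].strip().lower()
        if keyword in UNSUPPORTED_KEYWORDS:
            continue
        kept.append(opt)
    return f"{header} ({'; '.join(kept)};)"


def convert_ruleset(text: str) -> str:
    """Apply strip_unsupported to every line of a .rules file."""
    return "\n".join(strip_unsupported(line) for line in text.splitlines())


if __name__ == "__main__":
    # Hypothetical usage: python strip_for_strict_order.py emerging-all.rules > strict.rules
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else BEFORE_RULE
    print(convert_ruleset(source))
```

Dropping classtype and priority changes no match condition (both are metadata), so detection coverage is unchanged; in a strict-order group the evaluation order comes from the rule order you upload anyway, which is why the priority keyword has no role there. Keep the rejected keywords in your source ruleset and run the conversion at deploy time, so that the sid/rev bookkeeping against upstream stays intact.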
