AWS Network Firewall - Suricata rules not working as expected

0

I have configured Suricata IPS rules (from emerging threats) and during testing observed that rules are not working as expected. For example, the below generic rule is working as expected - drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)

However, the below rules taken from emerging threats are not working - drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04; sid:102340; rev:1;)

drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).

2 answers
0

Just a guess from my own tests... Check your NACLs. Ephemeral ports need to be allowed for the response, otherwise Network Firewall can't identify the "HTTP" (L7) protocol.

bacatta
answered 2 years ago
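The NACL point in the answer above, as an added example that is not part of the original post: a Python check that replays the VPC network ACL evaluation order (lowest rule number first, first match wins, implicit deny) over entries shaped like boto3's describe_network_acls() output and reports which ephemeral TCP ports (1024-65535) a given direction would drop, so you can see whether return traffic can complete the flow the firewall needs to inspect. The entries and the peer address 203.0.113.10 are constructed; the check covers IPv4 TCP entries only.

```python
from ipaddress import ip_address, ip_network

EPHEMERAL = range(1024, 65536)  # return-traffic port range AWS documents for NACLs

def _matches(entry, port, egress, peer_ip):
    """An entry applies if direction, protocol ("6" = TCP, "-1" = all), port and CIDR fit."""
    if entry["Egress"] != egress or entry["Protocol"] not in ("-1", "6"):
        return False
    pr = entry.get("PortRange")
    if entry["Protocol"] == "6" and pr and not pr["From"] <= port <= pr["To"]:
        return False
    cidr = entry.get("CidrBlock")
    return cidr is None or ip_address(peer_ip) in ip_network(cidr)

def _decision(ordered, port, egress, peer_ip):
    """Lowest rule number first, first match wins; no match means deny."""
    for entry in ordered:
        if _matches(entry, port, egress, peer_ip):
            return entry["RuleAction"]
    return "deny"

def blocked_ephemeral_ranges(entries, egress, peer_ip):
    """Return [(lo, hi), ...] of ephemeral TCP ports this NACL direction would drop."""
    ordered = sorted(entries, key=lambda e: e["RuleNumber"])
    # The verdict can only change where some entry's port range starts or ends,
    # so evaluate one port per segment instead of all 64512 ports.
    cuts = {EPHEMERAL.start, EPHEMERAL.stop}
    for e in entries:
        if e.get("PortRange"):
            cuts.update((e["PortRange"]["From"], e["PortRange"]["To"] + 1))
    cuts = sorted(c for c in cuts if EPHEMERAL.start <= c <= EPHEMERAL.stop)
    gaps = []
    for lo, nxt in zip(cuts, cuts[1:]):
        if _decision(ordered, lo, egress, peer_ip) != "allow":
            if gaps and gaps[-1][1] == lo - 1:      # merge contiguous gaps
                gaps[-1] = (gaps[-1][0], nxt - 1)
            else:
                gaps.append((lo, nxt - 1))
    return gaps

# Constructed entries: inbound allows HTTP and only the Linux default ephemeral range,
# so replies to connections whose source port fell in 1024-32767 never come back.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 32768, "To": 65535}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]
```

Run `blocked_ephemeral_ranges(SAMPLE_ENTRIES, False, "203.0.113.10")` to list the inbound gap; check both directions, since which side needs the ephemeral allow depends on whether the flow is initiated from inside the subnet or from outside.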
0

Hi,

Could you please expand upon what you mean by the rules do not work? And how this is being tested?

If you have a premium support subscription I would advise that you open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create as we require details that are non-public information.

I have identified an AWS doc that touches on emerging threats rules and testing them: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/ Also the limitations and caveats for stateful rules in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

AWS
Support Engineer
answered 2 years ago
