AWS Network Firewall - Strict order and suricata emerging rules


I'm trying to create a firewall rule group in AWS Network firewall of type strict order, when I paste in the suricata rules e.g emerging threats rules: https://rules.emergingthreats.net/open/suricata-5.0/rules/ it complains with "RulesString is invalid". If I pick the default rule order, I can save it.

Any idea why I can't save emerging rules with strict order processing? How can I get this to work with strict order?

Thanks! cd

1 answer

Accepted answer

Strict Order does not support the priority keyword, as follows: "The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

But the symptom you're facing is that you cannot create a Suricata rule even without the priority keyword. I did some tests and realized that "classtype" in your rule caused the "RuleString is invalid" error.

I couldn't find an AWS public doc indicating that Strict Order does not support the "classtype" keyword. But if you look at the definition of the "classtype" keyword, it includes priority.

6.2.5. classtype The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational or is about a hack etcetera. For each classtype, the classification.config has a priority which will be used in the rule.

https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html

Can you try again without classtype keyword?

Thanks

AWS
Answered 3 years ago

Expert
Reviewed 1 year ago
Hi Eunsun_Shin,

You are 100% correct.

Before:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)

After:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
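As an added example (not code from the thread or from AWS), the following Python checker flags the two option keywords this thread identifies as incompatible with strict-order rule groups and strips them the way the comment's "After" rule does; it also scans a whole downloaded rules file rather than one rule. Treating classtype as unsupported rests on the answerer's test, not on AWS documentation, and the sample rule is a trimmed copy of the "Before" rule above.

```python
# Option keywords the thread reports as rejected by strict-order rule groups:
# "priority" (documented by AWS) and "classtype" (found by testing, since a
# classtype carries a priority via classification.config).
STRICT_ORDER_UNSUPPORTED = ("priority", "classtype")

# Constructed sample: the "Before" rule from the comment above, trimmed.
SAMPLE_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS '
               'Suspicious User-Agent (test-upload)"; flow:established,to_server; '
               'http.user_agent; content:"test-upload"; nocase; bsize:11; '
               'classtype:bad-unknown; sid:2034548; rev:1;)')

def split_options(body: str) -> list[str]:
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == "\\":
            escaped = not escaped
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def split_rule(rule: str) -> tuple[str, str]:
    """Return (header, option body); the header has no '(' so the first one opens the options."""
    header, _, rest = rule.partition("(")
    return header.strip(), rest.rsplit(")", 1)[0]

def keyword_of(option: str) -> str:
    return option.split(":", 1)[0].strip()

def unsupported_keywords(rule: str) -> list[str]:
    """List the option keywords a strict-order rule group would reject."""
    return [keyword_of(o) for o in split_options(split_rule(rule)[1])
            if keyword_of(o) in STRICT_ORDER_UNSUPPORTED]

def strip_unsupported(rule: str) -> str:
    """Rebuild the rule without the rejected options, as in the 'After' rule above."""
    header, body = split_rule(rule)
    kept = [o for o in split_options(body) if keyword_of(o) not in STRICT_ORDER_UNSUPPORTED]
    return f"{header} ({' '.join(o + ';' for o in kept)})"

def scan_rules(text: str) -> list[tuple[int, list[str]]]:
    """(line number, rejected keywords) for every rule line of a downloaded rules file."""
    return [(n, kws) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")
            and (kws := unsupported_keywords(line))]
```

Quote-aware splitting matters because a msg or content string may itself contain ';' or an escaped quote, and naive `split(";")` would corrupt such rules.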
