AWS Network Firewall - Suricata rules not working as expected

0

I have configured Suricata IPS rules (from Emerging Threats) and during testing observed that the rules are not working as expected. For example, the generic rule below is working as expected: drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)

However, the rules below, taken from Emerging Threats, are not working: drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04; sid:102340; rev:1;)

drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).

Asked 2 years ago, 500 views
2 answers
0

Just a guess from my own tests... Check your NACLs. Ephemeral ports need to be allowed for the response, otherwise Network Firewall can't identify the "HTTP" (L7) protocol.

bacatta
Answered 2 years ago
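To make the check in this answer concrete, here is an added example (not from the thread or from AWS) that mimics NACL first-match evaluation over constructed entries and lists the inbound ephemeral port ranges that would drop the server's response, the half of the flow Network Firewall needs before an `http` rule can match. The 1024-65535 range and ascending-rule-number semantics follow AWS documentation; the NACL entries themselves are constructed.

```python
from dataclasses import dataclass

# Ephemeral range AWS documents for NACL return traffic (constructed example, not AWS code).
EPHEMERAL = (1024, 65535)

@dataclass(frozen=True)
class NaclEntry:
    rule_number: int   # entries are evaluated in ascending rule-number order
    protocol: str      # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"
    egress: bool       # False = inbound entry, True = outbound entry

def evaluate(entries, egress, protocol, port):
    """First matching entry wins; the implicit '*' entry denies the rest."""
    for e in sorted(entries, key=lambda e: e.rule_number):
        if e.egress == egress and e.protocol in ("-1", protocol) \
                and e.port_from <= port <= e.port_to:
            return e.action
    return "deny"

def inbound_ephemeral_gaps(entries, protocol="tcp"):
    """Contiguous inbound ephemeral port ranges this NACL would drop.  Those
    ports carry the server->client half of a flow, which Network Firewall
    must see before it can classify the stream as HTTP for 'http' rules."""
    gaps, start = [], None
    for port in range(EPHEMERAL[0], EPHEMERAL[1] + 2):   # one past the end closes an open gap
        blocked = port <= EPHEMERAL[1] and evaluate(entries, False, protocol, port) != "allow"
        if blocked and start is None:
            start = port
        elif not blocked and start is not None:
            gaps.append((start, port - 1))
            start = None
    return gaps

# Constructed NACL: web ports allowed in, everything allowed out, no ephemeral inbound.
BROKEN = [
    NaclEntry(100, "tcp", 80, 80, "allow", False),
    NaclEntry(110, "tcp", 443, 443, "allow", False),
    NaclEntry(100, "-1", 0, 65535, "allow", True),
]
# Same NACL plus the ephemeral allow; a lower-numbered deny still punches a hole in it.
FIXED = BROKEN + [NaclEntry(120, "tcp", 1024, 65535, "allow", False)]
HOLE = FIXED + [NaclEntry(90, "tcp", 3389, 3389, "deny", False)]

if __name__ == "__main__":
    for name, nacl in (("broken", BROKEN), ("fixed", FIXED), ("hole", HOLE)):
        print(name, inbound_ephemeral_gaps(nacl))
```

A plain `drop tcp ... 80` rule with no content match can fire on the client's first packet, so it appears to work even when the response never comes back; the `http` rules only get a chance once both directions are visible.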
0

Hi,

Could you please expand upon what you mean by the rules do not work? And how this is being tested?

If you have a premium support subscription, I would advise that you open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create as we require details that are non-public information.

I have identified an AWS doc that touches on Emerging Threats rules and testing them: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/ Also, the limitations and caveats for stateful rules in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

AWS
Support Engineer
Answered 2 years ago
