I am trying to understand how AWS-based Suricata rules work. With the rule below, I expected that traffic from the proxy server IP address would be passed through and everything else would be dropped. But the result I got is that all packets sent from the proxy server get dropped (disabling this rule makes all packets able to go out again).
NOTE - default order isn't in use, there are no stateless rules, and forwarding of fragmented and non-fragmented packets is configured. I have checked the routing configuration on the proxy server, the AWS Network Firewall endpoints and the NAT subnets, and all of it is correctly configured: traffic from the proxy server is routed to the network firewall endpoint, traffic from the network firewall endpoint is routed to the NAT, and return traffic from the NAT to the proxy server is routed to the network firewall endpoint.
IP set variables
PROXY_IPS = 10.xx.xx.xx
Suricata rules
drop ip !$PROXY_IPS any <> any any (msg:"Drop All If Not From PROXY "; sid:28199751; rev: 45;)
I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).
Hi, for some reason we can't use the default order, because our firewall policy is also associated with AWS-managed rule groups and we want the AWS-managed rule groups to inspect the packets before they hit our custom firewall rule above. If we use the default order with an allow-list design, it bypasses all AWS-managed rule groups because the pass rule is evaluated first.
So, testing your rule and looking into the documentation, the problem becomes obvious with this one warning in the Suricata documentation: https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html#direction
"There is no ‘reverse’ style direction, i.e. there is no <-."
Your rule, utilizing <>, means that traffic from the proxy would match the rule. We can think about it as such:
drop ip !$PROXY_IPS any -> any any
drop ip any any -> !$PROXY_IPS any (this is blocking your traffic)
Changing <> into -> should solve your problem.
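To make the direction semantics from the answer above concrete, here is a small Python model of how an IP-only Suricata rule with a negated IP-set variable selects flows under `<>` versus `->`. It is an added illustration, not code from the post or from Suricata, and it assumes a constructed placeholder proxy address (10.0.1.10, since the post masks the real one as 10.xx.xx.xx), a single-rule policy in strict order, and the simplification that the rule is evaluated once against the packet that opens each flow with the verdict then covering that flow's return packets. Under `<>` the proxy's own outbound flow is matched through the swapped pairing (source any, destination not in PROXY_IPS) and is dropped; under `->` only the forward pairing is tried, so the proxy's flow passes while a non-proxy host's flow is still dropped.

```python
"""Model of how a Suricata IP rule's direction operator selects flows.

Added illustration for the answer above, not Suricata code. It keeps only
what matters for the question: an IP-only rule with a negated IP-set
variable, evaluated once against the packet that opens each flow, with the
verdict covering the flow's return packets (a simplification of Suricata's
flow handling). All addresses below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the PROXY_IPS IP set variable from the post.
IP_SETS = {"PROXY_IPS": [ipaddress.ip_network("10.0.1.10/32")]}

# Header of an 'ip' rule: action, src addr, src port, direction, dst addr, dst port.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+ip\s+(?P<src>\S+)\s+\S+\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+\S+"
)


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    direction: str
    dst: str


def parse_rule(text: str) -> Rule:
    """Parse the header of an 'ip' rule; ports and options are accepted but ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule header: {text!r}")
    return Rule(m["action"], m["src"], m["dir"], m["dst"])


def address_matches(spec: str, ip: str) -> bool:
    """Evaluate one address field written as 'any', '$VAR' or '!$VAR'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    name = spec.lstrip("!").lstrip("$")
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in IP_SETS[name])
    return hit != negated


def rule_matches_flow(rule: Rule, initiator: str, responder: str) -> bool:
    """'->' tries only initiator->responder; '<>' also tries the swapped pairing."""
    forward = address_matches(rule.src, initiator) and address_matches(rule.dst, responder)
    if rule.direction == "->":
        return forward
    reverse = address_matches(rule.src, responder) and address_matches(rule.dst, initiator)
    return forward or reverse


def verdict(rule_text: str, initiator: str, responder: str) -> str:
    """Single-rule policy in strict order: the rule's action if it matches, else 'pass'."""
    rule = parse_rule(rule_text)
    return rule.action if rule_matches_flow(rule, initiator, responder) else "pass"


ORIGINAL = "drop ip !$PROXY_IPS any <> any any"  # the rule from the question
FIXED = "drop ip !$PROXY_IPS any -> any any"     # the rule as the answer suggests

# Constructed flows as (initiator, responder); 203.0.113.50 stands in for any internet host.
FLOWS = {
    "proxy to internet": ("10.0.1.10", "203.0.113.50"),
    "other host to internet": ("10.0.2.5", "203.0.113.50"),
}

if __name__ == "__main__":
    for name, (src, dst) in FLOWS.items():
        print(f"{name:24s} <>: {verdict(ORIGINAL, src, dst):5s} ->: {verdict(FIXED, src, dst)}")
```

Running it prints `drop` for the proxy flow under the original `<>` rule and `pass` under the `->` rule, while the non-proxy host is dropped in both cases, which is the allow-list behaviour the question was after.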