Custom suricata rules in AWS Network Firewall for AWS services and NTP traffic

Hello!

For the first rule it would look like this:

pass tls any any -> any any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; flow:to_server, established; sid:123456)

The "dotprefix" option will let you pass all traffic going to subdomains of .amazonaws.com

The sid is just a random number, we recommend at least 6 unique digits for every rule to make it easier when you're searching logs.

For the second rule you would want something like this:

drop udp any any -> any 123 (flow:established; app-layer-protocol:!ntp; sid:123456;)