AWS Network Firewall stateful rule groups

0

Hi there,

I'm currently investigating the use of the "suricata-like" rules in AWS NF. When the default order is used everything works more or less as expected. However when the strict order is used, I fail to understand what is going on. For example with two rules such as

drop http any any -> $WWW_AWS_NET 80 (msg:"HTTP GET"; flow:established, to_server; http.method; content:"GET"; sid:403; rev:1;)
pass tcp any any -> $WWW_AWS_NET 80 (msg:"HTTP"; sid:404; rev:1;)

I would expect TCP HTTP traffic to flow through the FW except if being an HTTP GET. However the actual behavior is that everything goes through as if pass rules were evaluated before drop rules (just like in the default order). So my question: Am I missing something with these two rules or does "the rules in each rule group are processed in the order in which they're defined" really mean "as long as they belong to the same "pass", "drop", "alert" group" ?

Thanks !

Paul

질문됨 2년 전933회 조회
2개 답변
0

Hi Paul, your understanding of the strict rule order is correct. " With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order in which they're defined."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order

You might want to check other rule variable such as IP sets (HOME_NET) and make sure the rule is applied to the correct flow.

profile pictureAWS
전문가
답변함 2년 전
0

Thanks for your answer. The problem was actually coming from my testing tool that was generating traffic not recognized as HTTP. Paul

답변함 2년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠