AWS Network Firewall - Suricata rules not working as expected

0

I have configured Suricata IPS rules (from emerging threats) and during testing observed that rules are not working as expected. For example, the below generic rule is working as expected - drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)

However the below rules taken from emerging threats are not working - drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04; sid:102340; rev:1;)

drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).

feita há 2 anos503 visualizações
2 Respostas
0

Just a guess from my own tests... Check your NACLs. Ephemerals Ports needs to be allowed for the response, otherwise network firewall can't identify "HTTP" (L7) protocol.

bacatta
respondido há 2 anos
0

Hi,

Could you please expand upon what you mean by the rules do not work? And how this is being tested?

If you have a premium support subscription I would advise that you open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create as we require details that are non-public information

I have identified an AWS doc that touches on emerging threats rules and testing them: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/ Also the limitations and caveats for stateful rules in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

AWS
ENGENHEIRO DE SUPORTE
respondido há 2 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas