I have alert logging enabled on my network firewall. Is there a way I can tell which stateful rule has caused the alert? I don't see anything obvious in the log JSON.
Reading the docs:
The event is controlled by Suricata, the open source intrusion prevention system (IPS) that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format.
Does Suricata know which rule in my policy was triggered?
{
    "firewall_name": "firewall",
    "availability_zone": "ap-southeast-2a",
    "event_timestamp": "1656600550",
    "event": {
        "timestamp": "2022-06-30T14:49:10.144362+0000",
        "flow_id": 1056350291768298,
        "event_type": "alert",
        "src_ip": "..snip..",
        "src_port": 20133,
        "dest_ip": ".snip..",
        "dest_port": 1604,
        "proto": "UDP",
        "alert": {
            "action": "blocked",
            "signature_id": 2804670,
            "rev": 3,
            "signature": "VMware vCenter Chargeback Manager Information Disclosure",
            "category": "Attempted Information Leak",
            "severity": 2,
            "metadata": {
                "created_at": [
                    "2012_03_13"
                ],
                "updated_at": [
                    "2012_03_13"
                ]
            }
        },
        "app_proto": "failed"
    }
}
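In Suricata's EVE alert output the `alert` object already identifies the rule: `signature_id` is the rule's `sid`, `rev` its revision and `signature` its `msg`, so the alert can be matched against the Suricata-compatible rule text of the stateful rule group. The following Python is an added example, not code from the question or from AWS; the rule text and the IP addresses are constructed stand-ins, since the page shows only the alert record.

```python
import json
import re

# Constructed sample: one Network Firewall alert record in the Suricata EVE JSON
# shape from the question; the snipped IPs are replaced with RFC 5737 test addresses.
SAMPLE_LOG_LINE = json.dumps({
    "firewall_name": "firewall", "availability_zone": "ap-southeast-2a",
    "event_timestamp": "1656600550",
    "event": {
        "timestamp": "2022-06-30T14:49:10.144362+0000", "flow_id": 1056350291768298,
        "event_type": "alert", "proto": "UDP", "app_proto": "failed",
        "src_ip": "192.0.2.10", "src_port": 20133,
        "dest_ip": "198.51.100.20", "dest_port": 1604,
        "alert": {
            "action": "blocked", "signature_id": 2804670, "rev": 3,
            "signature": "VMware vCenter Chargeback Manager Information Disclosure",
            "category": "Attempted Information Leak", "severity": 2,
        },
    },
})

# Constructed stand-in for a stateful rule group's Suricata-compatible rule text;
# the real rule body is not on the page, only its sid, rev and msg.
SAMPLE_RULES = """\
# comments and blank lines are skipped
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"placeholder rule"; sid:1000001; rev:1;)
alert udp any any -> any 1604 (msg:"VMware vCenter Chargeback Manager Information Disclosure"; sid:2804670; rev:3;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")  # the sid option == EVE alert.signature_id


def index_rules_by_sid(rules_text):
    """Map sid -> rule line so an alert can be traced back to the rule that fired."""
    index = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SID_RE.search(line)
        if match:
            index[int(match.group(1))] = line
    return index


def rule_for_alert(log_line, rule_index):
    """Return the rule text behind an EVE alert record, or None if not an alert / unknown sid."""
    event = json.loads(log_line).get("event", {})
    if event.get("event_type") != "alert":
        return None
    return rule_index.get(event["alert"]["signature_id"])
```

The same lookup works across a whole log file by calling `rule_for_alert` on each line; `rev` can additionally be compared against the matched rule to catch alerts produced by an older revision.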