By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Does Network Firewall logging tell me the policy rule that was enforced?

0

I have alert logging enabled on my network firewall. Is there a way I can tell which stateful rule has caused the alert? I don't see anything obvious in the log json.

Reading the docs:

The event is controlled by Suricata, the open source intrusion prevention system (IPS) that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format.

Does Suricata know which rule in my policy was triggered?

{
    "firewall_name": "firewall",
    "availability_zone": "ap-southeast-2a",
    "event_timestamp": "1656600550",
    "event": {
        "timestamp": "2022-06-30T14:49:10.144362+0000",
        "flow_id": 1056350291768298,
        "event_type": "alert",
        "src_ip": "..snip..",
        "src_port": 20133,
        "dest_ip": ".snip..",
        "dest_port": 1604,
        "proto": "UDP",
        "alert": {
            "action": "blocked",
            "signature_id": 2804670,
            "rev": 3,
            "signature": "VMware vCenter Chargeback Manager Information Disclosure",
            "category": "Attempted Information Leak",
            "severity": 2,
            "metadata": {
                "created_at": [
                    "2012_03_13"
                ],
                "updated_at": [
                    "2012_03_13"
                ]
            }
        },
        "app_proto": "failed"
    }
}
Topics
Security, Identity, & Compliance
Tags
AWS Network Firewall
Language
English
AWS
RussSayers
asked 2 years ago804 views
2 Answers
0

Hello,

It appears that you are trying to find the rule that was triggered by your Network Firewall which prompted the event in your logs. This is possible by looking at the signature_id or sid value in the JSON event output, in the text provided it would be "signature_id": 2804670. Each Suricata rule has a unique signature id which is used to determine the order in which the rules are enforced. This id is chosen when the rule is imported into the rule group. You can use the signature id to find the rule with the matching id which caused the alert.

Resources:

https://suricata.readthedocs.io/en/suricata-6.0.0/rules/meta.html#sid-signature-id

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

Jacob_R
answered 2 years ago
0

One correction to @Jacob_R's answer. The Signature ID (sid) does not determine the order in which the rules are enforced. It is purely a unique identifier. The rule evaluation order is determined by the settings in your firewall policy and rule group.

Resources:

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-rule-ordering

https://suricata.readthedocs.io/en/suricata-6.0.1/rule-management/suricata-update.html

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

AWS
Brian_AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content