1 Answer
A single flow id or network traffic conversation can indeed match several Suricata FW rules (signature ids), so based on that, I think this is why no information about the signature id is included in the flow log.
To help identify unused signature ids, I suggest leveraging alert rules and perhaps using statistics to find unused ones. For instance, in CloudWatch Logs you can obtain statistics on alert/drop rules as follows:
stats count(*) by event.alert.signature_id
| sort by event.alert.signature_id asc
This assumes that pass rules under study are prepended with equivalent alert rules.
answered 19 days ago
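The same approach done offline, as an added example that is not part of the answer above: each pass rule is prepended with an equivalent alert rule, the alert log is counted by signature_id, and any pass rule whose paired alert sid never fired is reported as unused. The rules, sids and log lines are constructed for illustration; the log shape follows the event.alert.signature_id field the query above relies on.

```python
import json
import re
from collections import Counter

# Constructed rule set: every pass rule is preceded by an equivalent alert
# ("audit") rule, as the answer assumes. All sids here are invented.
RULES = """
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; msg:"audit allow example.com"; sid:1000001; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; msg:"allow example.com"; sid:2000001; rev:1;)
alert tcp $HOME_NET any -> 10.0.5.0/24 22 (msg:"audit allow ssh to mgmt"; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> 10.0.5.0/24 22 (msg:"allow ssh to mgmt"; sid:2000002; rev:1;)
alert tcp $HOME_NET any -> 10.0.9.0/24 5432 (msg:"audit allow postgres"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> 10.0.9.0/24 5432 (msg:"allow postgres"; sid:2000003; rev:1;)
drop ip any any -> any any (msg:"drop all"; sid:9000001; rev:1;)
"""

# Constructed alert log lines in the Suricata EVE JSON shape used by the
# CloudWatch query above (event.alert.signature_id).
ALERT_LOG = """
{"event_timestamp":"1700000000","event":{"event_type":"alert","alert":{"action":"allowed","signature_id":1000001,"signature":"audit allow example.com"}}}
{"event_timestamp":"1700000001","event":{"event_type":"alert","alert":{"action":"allowed","signature_id":1000001,"signature":"audit allow example.com"}}}
{"event_timestamp":"1700000002","event":{"event_type":"alert","alert":{"action":"allowed","signature_id":1000002,"signature":"audit allow ssh to mgmt"}}}
"""

SID_RE = re.compile(r"sid:\s*(\d+)\s*;")

def pass_to_alert_sids(rules_text):
    """Pair each pass rule with the alert rule directly above it: {pass_sid: alert_sid}."""
    lines = [l.strip() for l in rules_text.strip().splitlines() if l.strip()]
    pairs = {}
    for prev, cur in zip(lines, lines[1:]):
        if cur.startswith("pass ") and prev.startswith("alert "):
            pairs[int(SID_RE.search(cur).group(1))] = int(SID_RE.search(prev).group(1))
    return pairs

def alert_counts(log_text):
    """Equivalent of 'stats count(*) by event.alert.signature_id' over the log lines."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        ev = json.loads(line).get("event", {})
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature_id"]] += 1
    return counts

def unused_pass_rules(rules_text, log_text):
    """Pass sids whose paired alert sid produced no alert events in the window."""
    pairs = pass_to_alert_sids(rules_text)
    counts = alert_counts(log_text)
    return sorted(sid for sid, audit_sid in pairs.items() if counts[audit_sid] == 0)

if __name__ == "__main__":
    print(dict(alert_counts(ALERT_LOG)))
    print("unused pass sids:", unused_pass_rules(RULES, ALERT_LOG))
```

A pass rule that never matches in the sampled window is only a candidate for removal; check a window long enough to cover infrequent but legitimate traffic before deleting it.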
Thank you. That's an interesting idea, because the default behavior of my network firewall's stateful engine is strict evaluation order (drop all --> alert all).
So, most of the custom rules are whitelist rules. This can help to identify the in-use rules.