Is it possible to log 'allowed' TLS and/or HTTP domain names with Network Firewall?


AWS Network Firewall seems to easily log the domain names (via HTTP or SNI headers) of sites that are blocked.

However, what if I wanted to also log domain names that are allowed? I have tried adding an IPv4 rule with protocol 'HTTP' as well as 'TLS' with an 'alert' action; as well as a Suricata rule, such as:

alert tls any any -> any any (flow:established,to_server; msg:"Log TLS domains, after establishment and protocol identification"; sid: 1000001; rev:1;)

But neither causes allowed domains to get logged. Is it possible?

asked a year ago · 789 views
1 Answer

It could be that you already allowed the connection in your domain whitelist and therefore the above rule is never triggered? By default passes are evaluated first, and alerts are processed last. This explains the options for rule evaluation.

You didn't say why you want to log all the domains, but if the goal is to monitor outbound traffic, then this might be helpful

answered a year ago
  • Thanks for responding. Indeed, the 'action order' is the reason the Suricata rule doesn't get hit, because by that point the traffic was already allowed.

    We want to log Internet traffic from the environment in question, mainly for potential troubleshooting purposes -- it would be much easier to find a certain HTTP(S) session in a sea of logs when you can just search for the FQDN, rather than trying to hunt it down by IP address, especially if the IP resolved at the time of attempt isn't the same as what it resolves to in the moment.

    The doc you shared is helpful but I think will only be effective if you are allowing all outbound HTTP(S) traffic, because you would be falling off the bottom of the policy and Suricata's default action is to 'pass' if no rule matches. (As I understand it, at least.) So if we wanted to only allow connections to certain domains (using a domain list rule), and block everything else, I think I would still run into the first problem of the policy scan never reaching an 'alert' rule where the Host/SNI would be written to the logs. If you could both pass and alert in the same rule, like with a typical firewall, that would work -- but does not seem possible here.

    Please let me know if you can think of any other permutation that might solve this; thanks!

  • According to docs you should be able to both alert and pass, but in 2 different rules.

    After all rules have been evaluated, handle the packet according to the action setting in the first rule that matched the packet. If the first rule has a drop action, block the packet. If it has an alert action, continue evaluation.
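One way to put that together, as an added example (not code from the thread or from the AWS docs): a stateful rule group in strict rule order, where an alert rule for each allowed domain sits above the pass rule for the same domain, so the SNI or Host is written to the alert log before the pass rule lets the session through. `.example.com` is a placeholder for the domains you actually allow.

```suricata
# Stateful rule group using STRICT rule order (not the default action order).
# Rules are evaluated top to bottom; the first match decides the action, and
# an alert match keeps evaluating, so each alert line must sit ABOVE the pass
# line for the same domain. With the default action order the pass rule would
# win first and the alert would never fire (the problem described above).
# ".example.com" is a placeholder; dotprefix + endswith matches the apex
# domain and any subdomain.

# 1. Log the TLS SNI of an allowed domain, then continue evaluation.
alert tls any any -> any any (tls.sni; dotprefix; content:".example.com"; endswith; flow:established,to_server; msg:"Allowed TLS domain"; sid:1000001; rev:1;)

# 2. Allow the same domain (this is the rule that actually passes the flow).
pass tls any any -> any any (tls.sni; dotprefix; content:".example.com"; endswith; flow:established,to_server; msg:"Pass allowed TLS domain"; sid:1000002; rev:1;)

# 3. Same alert/pass pair for cleartext HTTP, keyed on the Host header.
alert http any any -> any any (http.host; dotprefix; content:".example.com"; endswith; flow:established,to_server; msg:"Allowed HTTP domain"; sid:1000003; rev:1;)
pass http any any -> any any (http.host; dotprefix; content:".example.com"; endswith; flow:established,to_server; msg:"Pass allowed HTTP domain"; sid:1000004; rev:1;)

# 4. Everything else is blocked. A catch-all drop is shown here; in Network
#    Firewall the rule group's "Drop established" default action is the
#    usual way to achieve the same result without an explicit rule.
drop tls any any -> any any (flow:established,to_server; msg:"Drop non-allowed TLS"; sid:1000005; rev:1;)
drop http any any -> any any (flow:established,to_server; msg:"Drop non-allowed HTTP"; sid:1000006; rev:1;)
```

Each allowed domain needs its own alert/pass pair (or a shared alert rule listing all allowed domains above all the pass rules); the allowed FQDN then shows up in the alert log with the same sid every time, which is the searchable record the question asks for.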
