1 Answer
It could be that you already allowed the connection in your domain whitelist and therefore the above rule is never triggered? By default passes are evaluated first, and alerts are processed last. This explains the options for rule evaluation: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html
You didn't say why you want to log all the domains, but if the goal is to monitor outbound traffic, then this might be helpful https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-network-firewall-to-capture-the-dns-domain-names-from-the-server-name-indication-sni-for-outbound-traffic.html
Thanks for responding. Indeed, the 'action order' is the reason the Suricata rule doesn't get hit, because by that point the traffic was already allowed.
We want to log Internet traffic from the environment in question, mainly for potential troubleshooting purposes -- it would be much easier to find a certain HTTP(S) session in a sea of logs when you can just search for the FQDN, rather than trying to hunt it down by IP address, especially if the IP resolved at the time of attempt isn't the same as what it resolves to in the moment.
The doc you shared is helpful, but I think it will only be effective if you are allowing all outbound HTTP(S) traffic, because you would be falling off the bottom of the policy and Suricata's default action is to 'pass' if no rule matches. (As I understand it, at least.) So if we wanted to only allow connections to certain domains (using a domain list rule) and block everything else, I think I would still run into the first problem of the policy scan never reaching an 'alert' rule where the Host/SNI would be written to the logs. If you could both pass and alert in the same rule, like with a typical firewall, that would work -- but that does not seem possible here.
Please let me know if you can think of any other permutation that might solve this; thanks!
According to the docs you should be able to both alert and pass, but in 2 different rules.
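As an added illustration of the two-rule approach (this is not from the thread or from AWS documentation), the rule group below is meant for a Network Firewall rule group and policy configured with strict rule ordering, where rules are evaluated top to bottom, an alert match is logged and evaluation continues, and the first pass or drop match ends evaluation for that flow. With the default action order, the pass rules would win first and the alert rules would never fire, which is the behaviour described in the question. The domain `.example.com` and the sid values are placeholders.

```suricata
# --- Strict rule order assumed: listed order is evaluation order ---

# 1. Log the SNI / Host of every outbound web flow BEFORE any pass rule.
#    alert does not end evaluation, so the matching pass rule below still runs.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"."; flow:to_server, established; msg:"Outbound TLS SNI"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"."; flow:to_server, established; msg:"Outbound HTTP Host"; sid:1000002; rev:1;)

# 2. Allow the approved domain list. dotprefix + endswith matches the apex
#    domain and all of its subdomains, and nothing that merely ends in the
#    same characters (e.g. "notexample.com"). Placeholder domain.
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; endswith; nocase; flow:to_server, established; sid:1000003; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; nocase; flow:to_server, established; sid:1000004; rev:1;)

# 3. Drop any other web flow once the SNI / Host has been parsed. Blocked
#    flows were already logged by the alert rules in step 1, so the logs
#    contain the FQDN for both allowed and denied attempts.
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (flow:to_server, established; msg:"Blocked TLS SNI not in allow list"; sid:1000005; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET 80 (flow:to_server, established; msg:"Blocked HTTP Host not in allow list"; sid:1000006; rev:1;)

# Non-web outbound flows are not covered here; handle them with the firewall
# policy's stateful default action (e.g. aws:drop_established) rather than
# falling through to Suricata's implicit pass.
```

The alert rules intentionally sit above the pass rules: swapping that order (or leaving the rule group in default action order) reproduces the original symptom, where allowed flows never reach an alert rule and no FQDN is written to the alert log.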