- Newest
- Most votes
- Most comments
Strict Order does not support priority keyword as following. The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order.
https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
But the symptom you're facing is that you cannot create suricata rule even without priority keyword. I did some test and realized that "classtype" in your rule caused "RuleString is invalid" error.
I couldn't find AWS Public doc which is indicating Strict Order does not support "classtype" keyword. But if you look at the definition of "classtype" keyword, it includes priority.
6.2.5. classtype The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational or is about a hack etcetera. For each classtype, the classification.config has a priority which will be used in the rule.
https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html
Can you try again without classtype keyword?
Thanks
Relevant content
- asked 2 years ago
- Accepted Answerasked 9 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Hi Eunsun_Shin,
You are 100% correct.
Before:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
After:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)