AWS Network Firewall - Strict order and suricata emerging rules

0

I'm trying to create a firewall rule group in AWS Network Firewall of type strict order. When I paste in the Suricata rules, e.g. the Emerging Threats rules: https://rules.emergingthreats.net/open/suricata-5.0/rules/ it complains with "RulesString is invalid". If I pick the default rule order, I can save it.

Any idea why I can't save emerging rules with strict order processing? How can I get this to work with strict order?

Thanks! cd

1 Answer
1
Accepted Answer

Strict Order does not support the priority keyword, as follows: "The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

But the symptom you're facing is that you cannot create a Suricata rule even without the priority keyword. I did some tests and realized that "classtype" in your rule caused the "RuleString is invalid" error.

I couldn't find an AWS public doc indicating that Strict Order does not support the "classtype" keyword. But if you look at the definition of the "classtype" keyword, it includes priority.

6.2.5. classtype The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational or is about a hack etcetera. For each classtype, the classification.config has a priority which will be used in the rule.

https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html

Can you try again without classtype keyword?

Thanks

answered a year ago
  • Hi Eunsun_Shin,

    You are 100% correct.

    Before:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)

    After:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
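
To apply the answer's finding to a whole Emerging Threats file before pasting it into a strict-order rule group, here is an added helper (not code from the thread or from AWS) that drops the classtype and priority options while leaving every other option untouched; the sample rule is the one posted in the comment above, and a second rule is constructed to show that semicolons inside a quoted msg are preserved.

```python
"""Remove Suricata rule options that AWS Network Firewall strict-order rule
groups reject (priority, and classtype, which carries a priority).
Added example; not code from the thread or from AWS."""

# Keywords reported in the thread as incompatible with strict-order evaluation.
UNSUPPORTED = {"priority", "classtype"}

# Rule posted in the comment above, before and after removing classtype.
BEFORE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)')
AFTER = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)')


def split_options(options: str) -> list[str]:
    """Split the text inside a rule's parentheses on ';' delimiters, ignoring
    semicolons inside double-quoted values and backslash-escaped ones."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def strip_unsupported(rule: str) -> str:
    """Return the rule without priority/classtype options; comment lines,
    blank lines and anything that is not a rule come back unchanged."""
    stripped = rule.strip()
    if not stripped or stripped.startswith("#"):
        return rule
    head, sep, rest = stripped.partition("(")  # first '(' opens the option list
    if not sep or not rest.endswith(")"):
        return rule
    kept = [o for o in split_options(rest[:-1])
            if o.split(":", 1)[0].strip() not in UNSUPPORTED]
    return f"{head}({' '.join(o + ';' for o in kept)})"


def convert_ruleset(text: str) -> str:
    """Apply strip_unsupported to every line of a .rules file."""
    return "\n".join(strip_unsupported(line) for line in text.splitlines())
```

Run it over the downloaded .rules file and paste the output into the strict-order rule group; rules the API still rejects then point at some other unsupported keyword rather than classtype.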
