AWS Network Firewall exception/negation Suricata compatible IPS rules not working as expected


I am trying to understand how AWS-based Suricata rules work. With the rule below, I expected that traffic from the proxy server IP address would be passed through and everything else would be dropped. But the result I got is that all packets sent from the proxy server get dropped (disabling this rule lets all packets go out again).

NOTE: default order isn't in use, there are no stateless rules, forwarding of both fragmented and non-fragmented packets is configured, and I have checked the routing config on the proxy server, the AWS Network Firewall endpoints and the NAT subnets; all is correctly configured: traffic from the proxy server is routed to the network firewall endpoint, traffic from the network firewall endpoint is routed to NAT, and return traffic from NAT to the proxy server is routed to the network firewall endpoint.

IP set variable:
PROXY_IPS = 10.xx.xx.xx

Suricata rule:
drop ip !$PROXY_IPS any <> any any (msg:"Drop All If Not From PROXY "; sid:28199751; rev: 45;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).

1 Answer

While I would need to test and debug why your current rule isn't functional, what you can do for the time being is use an ALLOW-list design.

If you decide to use default order, the stateful rule engine will evaluate pass rules before it evaluates drop rules. You can create an implicit drop of everything and then create a pass for any traffic to and from the proxy.

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html

For the time being this would accomplish the same as what you're attempting to accomplish with your rule.

AWS
Cesar U
answered a year ago
  • Hi, for some reason we can't utilize the default order, because our firewall policy is also associated with AWS-managed rule groups and we want to let the AWS-managed rule groups inspect the packets before they hit our custom firewall rule above. If we utilize the default order and create an allow-list design, it will bypass all AWS-managed rule groups because the pass rule will be evaluated first.

  • So, testing your rule and looking into the documentation, the problem becomes obvious with this one warning within the Suricata documentation: https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html#direction

    "There is no ‘reverse’ style direction, i.e. there is no <-."

    Your rule, utilizing <>, means that traffic from the proxy would match the rule. We can think about it as such:

    drop ip !$PROXY_IPS any -> any any
    drop ip any any -> !$PROXY_IPS any (this is blocking your traffic)

    Changing <> into -> should solve your problem.
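As an added illustration that is not part of the question or the answer above, the following Python model shows why the `<>` rule drops the proxy's own flows and the `->` rule does not. It expands a `<>` header into the two one-directional headers the comment spells out and evaluates them against a flow's initiator and responder. The proxy address 10.0.1.10, the other addresses, and the simplified stateful model (a `->` rule is checked against the flow's first packet and return packets inherit the flow verdict) are assumptions of this example, not taken from AWS or Suricata source.

```python
import ipaddress
import re

# Constructed stand-in for the question's $PROXY_IPS set (written as 10.xx.xx.xx in the post).
IP_SETS = {"PROXY_IPS": ["10.0.1.10/32"]}

# Minimal parse of a Suricata rule header: action proto src sport dir dst dport (options...)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def address_matches(spec, ip):
    """Return True if an address spec ('any', '$VAR', '!$VAR', or a CIDR) matches ip."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(addr in ipaddress.ip_network(net) for net in IP_SETS[spec[1:]])
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return (not hit) if negate else hit


def expand_directions(rule):
    """Expand a rule header into the one-directional (src, dst) pairs that get evaluated.

    A '<>' rule behaves like two rules: the one as written plus a copy with src and
    dst swapped. There is no '<-' direction in Suricata.
    """
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    pairs = [(m["src"], m["dst"])]
    if m["direction"] == "<>":
        pairs.append((m["dst"], m["src"]))
    return m["action"], pairs


def verdict_for_flow(rule, initiator_ip, responder_ip):
    """Simplified stateful model (assumption of this example): the rule is evaluated
    against the flow's initiator (first packet source) and responder (first packet
    destination); return packets inherit the flow verdict. Returns the rule's action
    when some direction matches, otherwise 'no-match'.
    """
    action, pairs = expand_directions(rule)
    for src_spec, dst_spec in pairs:
        if address_matches(src_spec, initiator_ip) and address_matches(dst_spec, responder_ip):
            return action
    return "no-match"


# The rule from the question and the corrected variant suggested in the comment.
ORIGINAL_RULE = 'drop ip !$PROXY_IPS any <> any any (msg:"Drop All If Not From PROXY "; sid:28199751; rev:45;)'
FIXED_RULE = 'drop ip !$PROXY_IPS any -> any any (msg:"Drop All If Not From PROXY "; sid:28199751; rev:45;)'

PROXY = "10.0.1.10"        # constructed: the proxy, a member of $PROXY_IPS
OTHER_HOST = "10.0.1.20"   # constructed: a non-proxy host in the VPC
INTERNET = "203.0.113.5"   # constructed: an external address from the documentation range


if __name__ == "__main__":
    for label, rule in (("original <>", ORIGINAL_RULE), ("fixed ->", FIXED_RULE)):
        print(label)
        print("  proxy -> internet:", verdict_for_flow(rule, PROXY, INTERNET))
        print("  other -> internet:", verdict_for_flow(rule, OTHER_HOST, INTERNET))
```

With the `<>` rule, a flow from the proxy to the internet fails the written direction (`!$PROXY_IPS` does not match the proxy as source) but matches the swapped copy (`any -> !$PROXY_IPS`, since the internet host is not in the set), so the proxy's traffic is dropped exactly as the question describes. With `->` only the written direction exists, so the proxy's flows are left alone while flows from any other host are still dropped.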
