By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Custom suricata rules in AWS Network Firewall for AWS services and NTP traffic

0

Hello, how would I write a suricata rule for allowing all traffic going to AWS services?

I'd also like to know how to block all traffic going to port 123 except for NTP.

Thanks!

Topics
Security, Identity, & Compliance
Tags
AWS Network Firewall
Language
English
Randall
asked 4 months ago282 views
1 Answer
0
Accepted Answer

Hello!

For the first rule it would look like this:

pass tls any any -> any any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; flow:to_server, established; sid:123456)

The "dotprefix" option will let you pass all traffic going to subdomains of .amazonaws.com

The sid is just a random number, we recommend at least 6 unique digits for every rule to make it easier when you're searching logs.

For the second rule you would want something like this:

drop udp any any -> any 123 (flow:established; app-layer-protocol:!ntp; sid:123456;)

profile pictureAWS
EXPERT
lmessier
answered 4 months ago
profile picture
EXPERT
MaxCloud
reviewed 4 months ago
profile picture
EXPERT
Riku_Kobayashi
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content