Questions tagged with Security

Network Firewall shows "aws:alert_strict action" when it is set with the Strict Order stateful engine option.

Hello, I'm using AWS Network Firewall. Firstly, I tried to use AWS Managed Rules and an Allow Domain List custom rule with the default action order. From my understanding, the default action order is Pass -> Drop -> Alert. Then, I tried to test downloading files from the allowed domain list; it always passes because the domain is allowed. The **ThreatSignaturesMalwareCoinmining** will not perform any actions. Am I correct?

So, I'm trying to change from the default action order to strict order. The default actions are drop:all and alert:all. I expected that the network firewall would process my rule groups by priority and the rules in each rule group by order. I copied the Suricata context from the AWS Managed Rule and created a new rule group as shown in the pictures.

![Enter image description here](/media/postImages/original/IMT6cNSaDhTbGF4Ym0R7I1sQ)
![Enter image description here](/media/postImages/original/IMQKpehfhvQdCQLbXZVvTS4g)

My example allowed domains are AWS domains.

```
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow HTTP traffic to .amazonaws.com"; flow:to_server, established; sid:1000101; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow TLS traffic to .amazonaws.com"; flow:to_server, established; sid:1000102; rev:1;)
```

Then, I added these rules into my firewall policy and I found that it still blocks the traffic to .amazonaws.com.

```
{
  "firewall_name": "inspector",
  "availability_zone": "ap-southeast-1a",
  "event_timestamp": "1663828976",
  "event": {
    "timestamp": "2022-09-22T06:42:56.727635+0000",
    "flow_id": 1066945104298575,
    "event_type": "alert",
    "src_ip": "10.x.x.x",
    "src_port": 23602,
    "dest_ip": "3.0.186.102",
    "dest_port": 443,
    "proto": "TCP",
    "alert": {
      "action": "blocked",
      "signature_id": 2,
      "rev": 0,
      "signature": "aws:alert_strict action",
      "category": "",
      "severity": 3
    }
  }
}
```

I checked that 3.0.186.102 is owned by AWS (ec2-xxx.amazonaws.com).

Why does the network firewall always block the requests to the AWS domain?
4 answers · 0 votes · 44 views · asked 5 days ago
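As an added example (not part of the post and not AWS code), a small triage script for Network Firewall alert logs like the one quoted above: it separates blocks that carry the strict-order default-action signature ("aws:alert_strict action", meaning no pass rule matched the flow before the policy default applied) from blocks raised by an actual rule, and lists the destinations hit by the default action. The sample records, the 10.0.0.10 source address and the sid 2000001 are constructed; the custom sids 1000101 and 1000102 are the poster's pass rules.

```python
import json
from collections import Counter

DEFAULT_ACTION_SIGNATURE = "aws:alert_strict action"  # as seen in the post's log
CUSTOM_SIDS = {1000101, 1000102}  # the poster's pass rules for .amazonaws.com

# Constructed JSON-lines sample in the shape of the post's record. The first
# record mirrors the post (blocked by the default action); the second is a
# constructed block from some other rule. 10.0.0.10 and sid 2000001 are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"firewall_name": "inspector", "event": {"event_type": "alert",
        "src_ip": "10.0.0.10", "src_port": 23602, "dest_ip": "3.0.186.102",
        "dest_port": 443, "proto": "TCP", "alert": {"action": "blocked",
        "signature_id": 2, "rev": 0, "signature": DEFAULT_ACTION_SIGNATURE,
        "category": "", "severity": 3}}},
    {"firewall_name": "inspector", "event": {"event_type": "alert",
        "src_ip": "10.0.0.10", "src_port": 41000, "dest_ip": "198.51.100.7",
        "dest_port": 80, "proto": "TCP", "alert": {"action": "blocked",
        "signature_id": 2000001, "rev": 1, "signature": "constructed rule hit",
        "category": "", "severity": 1}}},
])


def classify(record):
    """Return 'default_action', 'custom_rule', 'other_rule' or 'not_alert'."""
    ev = record["event"]
    if ev.get("event_type") != "alert":
        return "not_alert"
    alert = ev["alert"]
    if alert.get("signature") == DEFAULT_ACTION_SIGNATURE:
        return "default_action"  # no pass rule matched; policy default applied
    if alert.get("signature_id") in CUSTOM_SIDS:
        return "custom_rule"
    return "other_rule"


def triage(log_text):
    """Count event kinds and collect flows blocked only by the default action."""
    counts, unmatched_flows = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        kind = classify(rec)
        counts[kind] += 1
        ev = rec["event"]
        if kind == "default_action" and ev["alert"]["action"] == "blocked":
            unmatched_flows.append((ev["dest_ip"], ev["dest_port"], ev["proto"]))
    return counts, unmatched_flows


if __name__ == "__main__":
    counts, flows = triage(SAMPLE_LOG)
    print(dict(counts), "default-action blocks:", flows)
```

Destinations in the second list are flows that none of the policy's pass rules matched; for the poster that is where to check whether the TLS SNI or HTTP host of the flow really ends in .amazonaws.com.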