AWS Network Firewall - Strict order and suricata emerging rules


I'm trying to create a firewall rule group in AWS Network Firewall of type strict order. When I paste in the Suricata rules, e.g. the Emerging Threats rules (https://rules.emergingthreats.net/open/suricata-5.0/rules/), it complains with "RulesString is invalid". If I pick the default rule order, I can save it.

Any idea why I can't save the Emerging Threats rules with strict order processing? How can I get this to work with strict order?

Thanks! cd

1 answer

Accepted answer

Strict Order does not support the priority keyword, as documented here: "The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html

But the symptom you're facing is that you cannot create a Suricata rule even without the priority keyword. I did some tests and realized that "classtype" in your rule caused the "RuleString is invalid" error.

I couldn't find an AWS public doc indicating that Strict Order does not support the "classtype" keyword. But if you look at the definition of the "classtype" keyword, it includes a priority.

6.2.5. classtype The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational or is about a hack etcetera. For each classtype, the classification.config has a priority which will be used in the rule.

https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html

Can you try again without the classtype keyword?

Thanks

AWS
Answered 3 years ago
Expert
Reviewed 1 year ago
  • Hi Eunsun_Shin,

    You are 100% correct.

    Before:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)

    After:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
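The Before/After rewrite shown in the comment above, applied to a whole rule file as a preprocessing pass before the text is pasted into a strict-order rule group. This is an added example, not code from the thread or from AWS; it assumes one rule per line as in the Emerging Threats files, and drops both `priority` (the documented limitation) and `classtype` (which the answer found to trigger the same error), while leaving every other option, including quoted strings that contain `;`, untouched.

```python
"""Strip Suricata options that strict-order rule groups reject (added example)."""

# Options the accepted answer identifies as problematic: 'priority' is documented,
# 'classtype' carries a priority via classification.config.
UNSUPPORTED_KEYWORDS = {"priority", "classtype"}


def split_options(options: str) -> list:
    """Split the option section on ';' while respecting double quotes and backslash
    escapes, so a ';' inside msg:"..." or pcre:"/.../" does not split the option."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def strip_unsupported(rule: str) -> str:
    """Return one rule line without classtype/priority; comments and blank lines pass through."""
    stripped = rule.strip()
    if not stripped or stripped.startswith("#"):
        return rule
    # The first '(' ends the rule header; everything up to the closing ')' is options.
    head, _, rest = stripped.partition("(")
    if not rest.endswith(")"):
        raise ValueError(f"not a single-line Suricata rule: {rule!r}")
    kept = [opt for opt in split_options(rest[:-1])
            if opt.split(":", 1)[0].strip().lower() not in UNSUPPORTED_KEYWORDS]
    return f"{head}({'; '.join(kept)};)"


def filter_rules(text: str) -> str:
    """Apply strip_unsupported to every line of a downloaded .rules file."""
    return "\n".join(strip_unsupported(line) for line in text.splitlines())


# Constructed sample: the "Before" rule from the comment above.
SAMPLE_BEFORE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious '
                 'User-Agent (test-upload)"; flow:established,to_server; http.user_agent; '
                 'content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; '
                 'classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, '
                 'created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, '
                 'signature_severity Informational, updated_at 2021_11_29;)')
```

Run `filter_rules(open("emerging-user_agents.rules").read())` on a downloaded file and paste the result into the strict-order rule group; the `sid`/`rev`/`metadata` options are preserved so the rules stay traceable to their upstream versions.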
