Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Does Network Firewall logging tell me the policy rule that was enforced?

0

I have alert logging enabled on my network firewall. Is there a way I can tell which stateful rule has caused the alert? I don't see anything obvious in the log json.

Reading the docs:

The event is controlled by Suricata, the open source intrusion prevention system (IPS) that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format.

Does Suricata know which rule in my policy was triggered?

{
    "firewall_name": "firewall",
    "availability_zone": "ap-southeast-2a",
    "event_timestamp": "1656600550",
    "event": {
        "timestamp": "2022-06-30T14:49:10.144362+0000",
        "flow_id": 1056350291768298,
        "event_type": "alert",
        "src_ip": "..snip..",
        "src_port": 20133,
        "dest_ip": ".snip..",
        "dest_port": 1604,
        "proto": "UDP",
        "alert": {
            "action": "blocked",
            "signature_id": 2804670,
            "rev": 3,
            "signature": "VMware vCenter Chargeback Manager Information Disclosure",
            "category": "Attempted Information Leak",
            "severity": 2,
            "metadata": {
                "created_at": [
                    "2012_03_13"
                ],
                "updated_at": [
                    "2012_03_13"
                ]
            }
        },
        "app_proto": "failed"
    }
}
Themen
Sicherheit, Identität & Konformität
Tags
AWS Network Firewall
Sprache
English
AWS
RussSayers
gefragt vor 2 Jahren879 Aufrufe
2 Antworten
0

Hello,

It appears that you are trying to find the rule that was triggered by your Network Firewall which prompted the event in your logs. This is possible by looking at the signature_id or sid value in the JSON event output, in the text provided it would be "signature_id": 2804670. Each Suricata rule has a unique signature id which is used to determine the order in which the rules are enforced. This id is chosen when the rule is imported into the rule group. You can use the signature id to find the rule with the matching id which caused the alert.

Resources:

https://suricata.readthedocs.io/en/suricata-6.0.0/rules/meta.html#sid-signature-id

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

Jacob_R
beantwortet vor 2 Jahren
0

One correction to @Jacob_R's answer. The Signature ID (sid) does not determine the order in which the rules are enforced. It is purely a unique identifier. The rule evaluation order is determined by the settings in your firewall policy and rule group.

Resources:

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-rule-ordering

https://suricata.readthedocs.io/en/suricata-6.0.1/rule-management/suricata-update.html

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

AWS
Brian_AWS
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt