Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Does Network Firewall logging tell me the policy rule that was enforced?

0

I have alert logging enabled on my network firewall. Is there a way I can tell which stateful rule has caused the alert? I don't see anything obvious in the log json.

Reading the docs:

The event is controlled by Suricata, the open source intrusion prevention system (IPS) that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format.

Does Suricata know which rule in my policy was triggered?

{
    "firewall_name": "firewall",
    "availability_zone": "ap-southeast-2a",
    "event_timestamp": "1656600550",
    "event": {
        "timestamp": "2022-06-30T14:49:10.144362+0000",
        "flow_id": 1056350291768298,
        "event_type": "alert",
        "src_ip": "..snip..",
        "src_port": 20133,
        "dest_ip": ".snip..",
        "dest_port": 1604,
        "proto": "UDP",
        "alert": {
            "action": "blocked",
            "signature_id": 2804670,
            "rev": 3,
            "signature": "VMware vCenter Chargeback Manager Information Disclosure",
            "category": "Attempted Information Leak",
            "severity": 2,
            "metadata": {
                "created_at": [
                    "2012_03_13"
                ],
                "updated_at": [
                    "2012_03_13"
                ]
            }
        },
        "app_proto": "failed"
    }
}
Argomenti
Sicurezza, identità e conformità
Tag
Firewall di rete AWS
Lingua
English
AWS
RussSayers
posta 2 anni fa879 visualizzazioni
2 Risposte
0

Hello,

It appears that you are trying to find the rule that was triggered by your Network Firewall which prompted the event in your logs. This is possible by looking at the signature_id or sid value in the JSON event output, in the text provided it would be "signature_id": 2804670. Each Suricata rule has a unique signature id which is used to determine the order in which the rules are enforced. This id is chosen when the rule is imported into the rule group. You can use the signature id to find the rule with the matching id which caused the alert.

Resources:

https://suricata.readthedocs.io/en/suricata-6.0.0/rules/meta.html#sid-signature-id

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

Jacob_R
con risposta 2 anni fa
0

One correction to @Jacob_R's answer. The Signature ID (sid) does not determine the order in which the rules are enforced. It is purely a unique identifier. The rule evaluation order is determined by the settings in your firewall policy and rule group.

Resources:

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-rule-ordering

https://suricata.readthedocs.io/en/suricata-6.0.1/rule-management/suricata-update.html

https://doc.emergingthreats.net/bin/view/Main/SidAllocation

AWS
Brian_AWS
con risposta 2 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente