Always log Suricata signature id in Network Firewall flow logs


Hello,

Is there any way to log the Suricata signature id in Network Firewall netflow logs, not only in alert logs?

I have a use case to review the existing firewall rules and find the outdated rules. This could make it easier to find them.

Regards, Worapoj

asked 21 days ago · 670 views

1 Answer

A single flow id or network traffic conversation can indeed match several Suricata firewall rules (signature ids), so based on that, I think this is why no information about the signature id is included in the flow log.

To help identify unused signature ids, I suggest leveraging alert rules and perhaps using statistics to find unused ones. For instance, in CloudWatch Logs you can obtain statistics on alert/drop rules as follows:

```
stats count(*) by event.alert.signature_id
| sort by event.alert.signature_id asc
```

This assumes that pass rules under study are prepended with equivalent alert rules.

AWS
answered 19 days ago
EXPERT
reviewed 13 days ago
  • Thank you. That's an interesting idea, because the default behavior of my Network Firewall stateful rule evaluation is strict order (drop all --> alert all).

    So, most of the custom rules are a whitelist. This can help identify the in-use rules.
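The counting approach from the answer above, carried out offline instead of in a Logs Insights query, as an added example that is not part of the original post or of any AWS tooling. It reads Network Firewall alert log records (one JSON object per line, with the Suricata EVE event under the `event` key, as the answer's query path `event.alert.signature_id` implies), counts hits per signature id, and reports which of a reviewer-supplied set of pass-rule SIDs never fired their shadow alert rule. The log lines, the firewall name and the SID set are constructed for the example; a netflow record and a malformed line are included to show that only `alert` events contribute, which is exactly why flow logs alone cannot answer the question.

```python
import json
from collections import Counter

# Constructed sample Network Firewall log records (not real captures).
# Only the fields the counting needs are present; real records carry more.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"fw-example","event_timestamp":"1700000000",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.10","dest_ip":"10.0.2.20",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000001,"signature":"shadow alert for pass rule 1000001"}}}',
    '{"firewall_name":"fw-example","event_timestamp":"1700000001",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.11","dest_ip":"10.0.2.21",'
    '"dest_port":53,"proto":"UDP","alert":{"action":"allowed",'
    '"signature_id":1000002,"signature":"shadow alert for pass rule 1000002"}}}',
    '{"firewall_name":"fw-example","event_timestamp":"1700000002",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.12","dest_ip":"10.0.2.20",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000001,"signature":"shadow alert for pass rule 1000001"}}}',
    # A flow (netflow) record: no "alert" object, so it carries no signature id.
    '{"firewall_name":"fw-example","event_timestamp":"1700000003",'
    '"event":{"event_type":"netflow","src_ip":"10.0.1.13","dest_ip":"10.0.2.22",'
    '"dest_port":22,"proto":"TCP","netflow":{"pkts":12,"bytes":1400}}}',
    # A damaged line, as can happen at export boundaries; it must be skipped.
    'not a json record',
    # A hit from a rule outside the set under review (e.g. a managed rule).
    '{"firewall_name":"fw-example","event_timestamp":"1700000004",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.14","dest_ip":"10.0.2.23",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"blocked",'
    '"signature_id":2000001,"signature":"constructed drop rule"}}}',
]

# Constructed: SIDs of the custom pass rules being reviewed. The answer's
# assumption applies: each pass rule has an alert rule with the same SID
# placed before it, so a pass decision always leaves an alert record.
PASS_RULE_SIDS = {1000001, 1000002, 1000003, 1000004}


def count_signatures(log_lines):
    """Return a Counter of alert hits keyed by Suricata signature id.

    Non-alert events (netflow), records without an alert object and
    unparsable lines are ignored rather than treated as errors, so one
    bad line in a large export does not abort the review.
    """
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = record.get("event") or {}
        if event.get("event_type") != "alert":
            continue
        sid = (event.get("alert") or {}).get("signature_id")
        if sid is None:
            continue
        counts[int(sid)] += 1
    return counts


def find_unused_rules(log_lines, rule_sids):
    """Return the sorted list of reviewed SIDs that never appear in the alert logs.

    Absence over the log window is the signal for an outdated rule; widen the
    window (or confirm against change history) before removing a rule, since
    a quiet period is not proof that a rule is dead.
    """
    seen = set(count_signatures(log_lines))
    return sorted(set(rule_sids) - seen)


def hit_report(log_lines, rule_sids):
    """Per-SID hit counts for the reviewed rules, zero for rules that never fired."""
    counts = count_signatures(log_lines)
    return {sid: counts.get(sid, 0) for sid in sorted(rule_sids)}


if __name__ == "__main__":
    for sid, hits in hit_report(SAMPLE_LOG_LINES, PASS_RULE_SIDS).items():
        print(f"sid {sid}: {hits} alert hit(s)")
    print("candidates for removal:", find_unused_rules(SAMPLE_LOG_LINES, PASS_RULE_SIDS))
```

To run this against a real export, replace `SAMPLE_LOG_LINES` with the lines of a downloaded alert log file (for example `open(path)` read line by line) and `PASS_RULE_SIDS` with the SIDs pulled from the rule group. The same counting works whether the alert rules were added as shadows for pass rules or are the drop/alert rules the answer mentions; it only depends on `event.alert.signature_id` being present, which is the case for alert records and not for flow records.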
