AWS Network Firewall stateful rule groups

0

Hi there,

I'm currently investigating the use of the "suricata-like" rules in AWS NF. When the default order is used everything works more or less as expected. However when the strict order is used, I fail to understand what is going on. For example with two rules such as

drop http any any -> $WWW_AWS_NET 80 (msg:"HTTP GET"; flow:established, to_server; http.method; content:"GET"; sid:403; rev:1;)
pass tcp any any -> $WWW_AWS_NET 80 (msg:"HTTP"; sid:404; rev:1;)

I would expect TCP HTTP traffic to flow through the FW except if being an HTTP GET. However the actual behavior is that everything goes through as if pass rules were evaluated before drop rules (just like in the default order). So my question: Am I missing something with these two rules or does "the rules in each rule group are processed in the order in which they're defined" really mean "as long as they belong to the same "pass", "drop", "alert" group" ?

Thanks !

Paul

asked 2 years ago1063 views
2 Answers
0

Hi Paul, your understanding of the strict rule order is correct. " With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order in which they're defined."

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order

You might want to check other rule variable such as IP sets (HOME_NET) and make sure the rule is applied to the correct flow.

profile pictureAWS
EXPERT
answered 2 years ago
0

Thanks for your answer. The problem was actually coming from my testing tool that was generating traffic not recognized as HTTP. Paul

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions