Working with stateful rule groups in AWS Network Firewall - AWS Network Firewall

Working with stateful rule groups in AWS Network Firewall

A stateful rule group is a rule group that uses Suricata compatible intrusion prevention system (IPS) specifications. Suricata is an open source network IPS that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall supports Suricata version 7.0.

Stateful rule groups have a configurable top-level setting called StatefulRuleOptions, which contains the RuleOrder attribute. You can set this in the console when you create a rule group, or in the API under StatefulRuleOptions. You can't change the RuleOrder after the rule group is created.

You can enter any stateful rule in Suricata compatible strings. For standard Suricata rules specifications and for domain list inspection, you can alternately provide specifications to Network Firewall and have Network Firewall create the Suricata compatible strings for you.

As needed, depending on the rules that you provide, the stateful engine performs deep packet inspection (DPI) of your traffic flows. DPI inspects and processes the payload data within your packets, rather than just the header information.

The rest of this section provides requirements and additional information for using Suricata compatible rules with Network Firewall. For full information about Suricata, see the Suricata website at Suricata and the Suricata User Guide. AWS Network Firewall supports Suricata version 7.0.

Suricata version upgrade to 7.0

AWS Network Firewall supports Suricata version 7.0. Network Firewall upgraded from Suricata version 6.0.9 to 7.0 in November of 2024.

Note

For full information about the upgrade from version 6.0.9, see Upgrading 6.0 to 7.0.

The following are examples of the changes in this upgrade:

  • PCRE 1 rule format is no longer supported, and has been replaced with PCRE2.

  • When you specify a sticky buffer in a rule, it needs to be immediately followed by the payload keywords. For example, keywords such as dns.query and tls.sni must be followed by a content modifier.

  • Keywords that use ranges, such as itype now require the range to be specified with the format min:max.