StatefulRule - AWS Network Firewall

StatefulRule

A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.

Contents

Action

Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow.

The actions for a stateful rule are defined as follows:

  • PASS - Permits the packets to go to the intended destination.

  • DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.

  • ALERT - Sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.

    You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with ALERT action, verify in the logs that the rule is filtering as you want, then change the action to DROP.

  • REJECT - Drops traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and an RST bit contained in the TCP header flags. REJECT is available only for TCP traffic. This option doesn't support FTP or IMAP protocols.

Type: String

Valid Values: PASS | DROP | ALERT | REJECT

Required: Yes

Header

The stateful inspection criteria for this rule, used to inspect traffic flows.

Type: Header object

Required: Yes

RuleOptions

Additional options for the rule. These are the Suricata RuleOptions settings.

Type: Array of RuleOption objects

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: