Working with stateful rule groups in AWS Network Firewall
A stateful rule group is a rule group that uses Suricata compatible intrusion prevention system (IPS) specifications. Suricata is an open source network IPS that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall supports Suricata version 6.0.9.
Stateful rule groups have a configurable top-level setting called
StatefulRuleOptions, which contains the
RuleOrder attribute. You can set this in the console
when you create a rule group, or in the API under
StatefulRuleOptions. You can't change the
RuleOrder after the rule group is created.
You can enter any stateful rule in Suricata compatible strings. For standard Suricata rules specifications and for domain list inspection, you can alternately provide specifications to Network Firewall and have Network Firewall create the Suricata compatible strings for you.
As needed, depending on the rules that you provide, the stateful engine performs deep packet inspection (DPI) of your traffic flows. DPI inspects and processes the payload data within your packets, rather than just the header information.
The rest of this section provides requirements and additional information for
using Suricata compatible rules with Network Firewall. For full information
about Suricata, see the Suricata website at Suricata
Topics
- Limitations and caveats for stateful rules in AWS Network Firewall
- Best practices for writing Suricata compatible rules for AWS Network Firewall
- Managing evaluation order for Suricata compatible rules in AWS Network Firewall
- IP set references in Suricata compatible AWS Network Firewall rule groups
- Geographic IP filtering in Suricata compatible AWS Network Firewall rule groups
- Options for providing stateful rules to AWS Network Firewall
- Creating a stateful rule group
- Updating a stateful rule group
- Deleting a stateful rule group
- Examples of stateful rules for Network Firewall
