Working with stateful rule groups in AWS Network Firewall
A stateful rule group is a rule group that uses Suricata compatible intrusion prevention system (IPS) specifications. Suricata is an open source network IPS that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall supports Suricata version 7.0.3.
Stateful rule groups have a configurable top-level setting called StatefulRuleOptions, which contains the RuleOrder attribute. You can set this in the console when you create a rule group, or in the API under StatefulRuleOptions. You can't change the RuleOrder after the rule group is created.
You can enter any stateful rule in Suricata compatible strings. For standard Suricata rules specifications and for domain list inspection, you can alternately provide specifications to Network Firewall and have Network Firewall create the Suricata compatible strings for you.
As needed, depending on the rules that you provide, the stateful engine performs deep packet inspection (DPI) of your traffic flows. DPI inspects and processes the payload data within your packets, rather than just the header information.
The rest of this section provides requirements and additional information for using Suricata compatible rules with Network Firewall. For full information about Suricata, see the Suricata website.
Suricata version upgrade to 7.0.3
AWS Network Firewall supports Suricata version 7.0.3. Network Firewall upgraded from Suricata version 6.0.9 to 7.0.3 in November of 2024.
Note: For full information about the upgrade from version 6.0.9, see the Suricata documentation page Upgrading 6.0 to 7.0.
The following are examples of the changes in this upgrade:
- The PCRE 1 rule format is no longer supported, and has been replaced with PCRE2.
- When you specify a sticky buffer in a rule, it needs to be immediately followed by the payload keywords. For example, keywords such as dns.query and tls.sni must be followed by a content modifier.
- Keywords that use ranges, such as itype, now require the range to be specified with the format min:max.
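The two rule-syntax changes just listed (a sticky buffer must be directly followed by a payload keyword, and itype ranges must use the min:max form) are easy to get wrong when migrating a rule set written for Suricata 6. The following Python script is an added example, not part of this AWS documentation or of Suricata itself: it tokenizes the option section of a Suricata rule and reports rules that violate either change before you upload them to a rule group. The set of sticky buffers and payload keywords it knows about, the accepted itype forms (which follow the min:max form stated above), and the sample rules are assumptions constructed for the example.

```python
import re

# Sticky buffers named in the upgrade notes above. Assumption: this set is
# illustrative, not the full list Suricata 7 defines.
STICKY_BUFFERS = {"dns.query", "tls.sni"}
# Payload keywords that may directly follow a sticky buffer (assumption).
PAYLOAD_KEYWORDS = {"content", "pcre"}
# Accepted itype values: a single number, a bound (<n or >n), or min:max,
# following the range form stated in the upgrade notes.
ITYPE_RE = re.compile(r"^(\d+|[<>]\d+|\d+:\d+)$")

# Constructed sample rules for the example (not from any real rule set).
RULE_OK = ('alert dns $HOME_NET any -> any any (msg:"dns query; ok"; '
           'dns.query; content:"example.com"; nocase; sid:1000001; rev:1;)')
RULE_MISSING_CONTENT = ('alert dns $HOME_NET any -> any any (msg:"no content"; '
                        'dns.query; sid:1000002; rev:1;)')
RULE_ITYPE_OK = ('alert icmp any any -> any any (msg:"echo range"; '
                 'itype:8:10; sid:1000003; rev:1;)')
RULE_ITYPE_OLD = ('alert icmp any any -> any any (msg:"old range form"; '
                  'itype:>8<10; sid:1000004; rev:1;)')


def _parse_option(token):
    """Split 'keyword:value' into a (keyword, value) pair; value is None for bare keywords."""
    key, sep, value = token.partition(":")
    return (key.strip(), value.strip() if sep else None)


def split_options(rule):
    """Return the (keyword, value) pairs from the rule's parenthesised option section.

    Options are separated by ';'. A ';' inside double quotes (e.g. in msg or
    content) or escaped with a backslash does not end an option.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option section")
    body = rule[start + 1:end]
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # keep the escaped character verbatim
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:  # option terminator
            token = "".join(current).strip()
            if token:
                options.append(_parse_option(token))
            current = []
            continue
        current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(_parse_option(tail))
    return options


def check_rule(rule):
    """Return a list of findings for the rule; an empty list means both checks passed."""
    findings = []
    options = split_options(rule)
    for i, (key, value) in enumerate(options):
        if key in STICKY_BUFFERS:
            following = options[i + 1][0] if i + 1 < len(options) else None
            if following not in PAYLOAD_KEYWORDS:
                findings.append(f"{key} must be immediately followed by a payload "
                                f"keyword, found {following!r}")
        if key == "itype" and (value is None or not ITYPE_RE.match(value)):
            findings.append(f"itype value {value!r} is not in the form n, <n, >n or min:max")
    return findings


if __name__ == "__main__":
    for rule in (RULE_OK, RULE_MISSING_CONTENT, RULE_ITYPE_OK, RULE_ITYPE_OLD):
        print(rule)
        for finding in check_rule(rule) or ["ok"]:
            print("  ", finding)
```

Running the script prints one line per sample rule: the two rules written in the Suricata 7 form pass, while the rule whose dns.query buffer is followed directly by sid and the rule using the older itype range form are each reported with the reason. Because the tokenizer respects quotes and backslash escapes, a ';' inside a msg or content string does not split an option, which is the mistake a naive split(';') would make.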
Topics
- Limitations and caveats for stateful rules in AWS Network Firewall
- Best practices for writing Suricata compatible rules for AWS Network Firewall
- Managing evaluation order for Suricata compatible rules in AWS Network Firewall
- IP set references in Suricata compatible AWS Network Firewall rule groups
- Geographic IP filtering in Suricata compatible AWS Network Firewall rule groups
- Options for providing stateful rules to AWS Network Firewall
- Creating a stateful rule group
- Updating a stateful rule group
- Deleting a stateful rule group
- Examples of stateful rules for Network Firewall