Alert rules still triggering after pass/reject rules

I have the following rules in place in AWS Network Firewall:

pass tls any any -> any any (tls.sni; content: "collector-009.newrelic.com"; startswith; nocase; endswith; msg: "matching TLS allowlisted FQDNs"; priority: 1; sid: 10; rev: 1;)
alert tls any any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; )

I was under the impression that any traffic to “collector-009.newrelic.com” would trigger the “pass” rule and therefore skip the “alert” rule. However, I am still seeing logs (alerts) showing “collector-009.newrelic.com” with the message from the alert rule. Why might this be? Am I missing something here? The same thing is also happening with reject rules… Any help would be greatly appreciated.

Try combining both the pass action and the bypass keyword in the first rule, this should instruct Suricata to bypass the entire flow and further traffic won’t be inspected for that flow.

One thing to consider if that in some circumstances the alert rule is evaluated before the pass rule. This can happen when the TLS client hello is split over multiple packets. The sni rule will then be evaluated when the client hello is complete, while the generic tls rule only needs a few bytes to determine the session is tls and will be evaluated at the first packet.

To avoid this, the alert tls rule needs to be updated to be evaluated when the sni is available. Some ways to do this:

alert tls any any -> any any (flow:established, to_server; tls.sni; bsize:>0; sid:100; rev:1;)
alert tls any any -> any any (flow:established, to_server; tls.sni; isdataat:1; sid:200; rev:1;)
alert tls any any -> any any (flow:established, to_server; ssl_state:client_hello; sid:300; rev:1;)

Thank you for your response, Victor! Your response looks very promising. I am wondering though if changing my alert rules to match only when SNI is available would let some flows through without alerts. I have seen logs of flows that are missing an SNI field. (If you know why that might happen by the way I would love to know why!)

The reason I ask is my main goal is to create a complete list of every single domain my AWS services reach out to, allow traffic to those domains, and then reject all other traffic. My plan to accomplish this is to add ALERT rules on all traffic, write PASS rules until I have no more alerts, and then add REJECT rules to block any traffic that doesn’t match any PASS rule. Please let me know if changing my ALERT rules will cause any flows to get past my rule group without alerting. Thank you in advance.

Not sure, but SNI is an optional field, so it might be that some sessions don’t have it. I suppose session resumption could be at play. Do you have access to the TLS eve record type in AWS?