I have the following rules in place in AWS Network Firewall:
pass tls any any -> any any (tls.sni; content: "collector-009.newrelic.com"; startswith; nocase; endswith; msg: "matching TLS allowlisted FQDNs"; priority: 1; sid: 10; rev: 1;) alert tls any any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; )
I was under the impression that any traffic to “collector-009.newrelic.com” would trigger the “pass” rule and therefore skip the “alert” rule. However, I am still seeing logs (alerts) showing “collector-009.newrelic.com” with the message from the alert rule. Why might this be? Am I missing something here?