Any idea why rule is not working :)

Hi there,

I have 2 rules which are not working (on AWS) using version 6.X (not 7).

The rules are below and should 1. Drop any inbound (outside world to firewall) UDP packet that is 107 bytes in size. 2. Drop any packet with the mentioned content.

drop udp $EXTERNAL_NET any -> $HOME_NET any (stream_size:either, =, 107; sid:001;)

drop udp $EXTERNAL_NET any -> $HOME_NET any (content:"74:6f:6b:65:6e:3d:64:66:39:36:61:66:30:33:2d:63:32:66:63:2d:34:63:32:39:2d:39:31:39:61:2d:32:36:30:35:61:61:37:30:62:31:66:38:26:67:75:69:64:3d:37:36:35:36:31:31:39:38:38:30:34:38:30:36:30:31:35"; sid:002;)

The rule below works very well, as an example of a working rule running on AWS:

drop udp any any -> $HOME_NET any (msg:"UDP retransmission verification"; flow:not_established,to_server; flowbits:isnotset,udp_verify; flowbits:set,udp_verify; sid:1;)

A packet inspection image is included as a reference to the packet that should be blocked but is not (this packet should be blocked by either of the 2 rules).

Any guidance would be much appreciated.
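Added illustration (not from the poster or from Suricata itself) of how Suricata reads the content keyword: characters outside |...| are matched literally, and only hex inside pipes becomes raw bytes; dsize compares the UDP payload length, not the on-wire frame size. The parse_content and rule_matches helpers below are a small Python model of that behaviour, run over the hex bytes spelled out in the second rule.

```python
from typing import Optional

# The 65 hex bytes from the second rule, space-separated instead of colon-separated.
POSTED_HEX = (
    "74 6f 6b 65 6e 3d 64 66 39 36 61 66 30 33 2d 63 32 66 63 2d 34 63 32 39 "
    "2d 39 31 39 61 2d 32 36 30 35 61 61 37 30 62 31 66 38 26 67 75 69 64 3d "
    "37 36 35 36 31 31 39 38 38 30 34 38 30 36 30 31 35"
)


def parse_content(value: str) -> bytes:
    """Model of Suricata's content string: literal text outside |...|, hex inside."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal characters, e.g. "74:6f" is 5 chars
        else:
            out += bytes.fromhex(part)      # |74 6f 6b| -> b"tok"
    return bytes(out)


def rule_matches(content_value: str, payload: bytes, dsize: Optional[int] = None) -> bool:
    """Model of a rule with one content match and an optional exact dsize check.

    dsize counts UDP payload bytes only; a 107-byte Ethernet frame with plain
    IPv4/UDP headers carries 107 - 14 - 20 - 8 = 65 payload bytes.
    """
    if dsize is not None and len(payload) != dsize:
        return False
    return parse_content(content_value) in payload


def decoded_payload() -> bytes:
    """The bytes the posted hex string actually denotes (constructed UDP payload)."""
    return bytes.fromhex(POSTED_HEX)


if __name__ == "__main__":
    payload = decoded_payload()
    print(payload, len(payload))
    # Colon-separated hex without pipes is searched as the literal text "74:6f:..."
    print(rule_matches(POSTED_HEX.replace(" ", ":"), payload))   # False
    # The same bytes wrapped in pipes match the payload.
    print(rule_matches("|" + POSTED_HEX + "|", payload))         # True
```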

Can you share the pcap so we could try to reproduce the issue?