My team and I are using AWS Network Firewall and trying to gather a list of ALL internet-bound traffic (every single domain our AWS accounts reach out to) using Suricata alert rules. These are the rules we are using to capture all network traffic:
alert ip $HOME any -> any 53 (msg:"DNS LOOKUP logged"; flow:to_server,established; sid:1000001; rev:1; metadata:updated_at 2022_05_20;)
alert tls $HOME any -> any any (msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server,established; sid:1000002; rev:1; metadata:updated_at 2022_05_20;)
alert http $HOME any -> any any (msg:"INITIAL http egress to collect all outgoing traffic"; flow:to_server,established; sid:1000003; rev:1; metadata:updated_at 2022_05_20;)
Will this capture all possible internet-bound traffic we could have in AWS? Or are we missing anything? Thank you in advance.
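As an added example (not part of the question above), the script below shows how the alerts those three rules produce can be turned into the domain list the poster is after, and why checking for flows that carried no hostname matters. It assumes AWS Network Firewall alert logs wrap the Suricata EVE alert record under an `event` key with app-layer metadata (`dns.query[].rrname`, `tls.sni`, `http.hostname`); the log lines and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample alert log lines (not real traffic). Assumed shape: AWS Network
# Firewall alert logs with the Suricata EVE alert record embedded under "event".
SAMPLE_LOG = r'''
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1653004800","event":{"event_type":"alert","src_ip":"10.0.1.10","dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","app_proto":"dns","alert":{"signature_id":1000001,"signature":"DNS LOOKUP logged","action":"allowed"},"dns":{"query":[{"type":"query","rrname":"example.com","rrtype":"A"}]}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1653004801","event":{"event_type":"alert","src_ip":"10.0.1.10","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"signature_id":1000002,"signature":"INITIAL TLS egress to collect all outgoing traffic","action":"allowed"},"tls":{"sni":"example.com","version":"TLS 1.3"}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1653004802","event":{"event_type":"alert","src_ip":"10.0.1.11","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"signature_id":1000003,"signature":"INITIAL http egress to collect all outgoing traffic","action":"allowed"},"http":{"hostname":"updates.example.net","url":"/index.html"}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1653004803","event":{"event_type":"alert","src_ip":"10.0.1.11","dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"signature_id":1000002,"signature":"INITIAL TLS egress to collect all outgoing traffic","action":"allowed"},"tls":{"version":"TLS 1.2"}}}
'''


def hostname_from_event(ev):
    """Return (source, hostname) for one EVE alert record; hostname is None if absent."""
    if "dns" in ev:
        queries = ev["dns"].get("query") or []
        names = [q.get("rrname") for q in queries if q.get("rrname")]
        return "dns", (names[0] if names else ev["dns"].get("rrname"))
    if "tls" in ev:
        return "tls", ev["tls"].get("sni")  # SNI can be missing (e.g. TLS to a bare IP)
    if "http" in ev:
        return "http", ev["http"].get("hostname")
    return ev.get("app_proto", "unknown"), None


def summarize(log_text):
    """Aggregate hostnames per source type and list flows that carried no hostname,
    so connections that the rules saw but that name no domain are not silently lost."""
    domains = defaultdict(set)
    no_hostname = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line).get("event", {})
        if ev.get("event_type") != "alert":
            continue
        source, name = hostname_from_event(ev)
        if name:
            domains[source].add(name.rstrip(".").lower())
        else:
            no_hostname.append((ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port"), source))
    return {k: sorted(v) for k, v in domains.items()}, no_hostname


if __name__ == "__main__":
    found, missing = summarize(SAMPLE_LOG)
    print(json.dumps(found, indent=2))
    print("flows without a hostname:", missing)
```

Feed it the exported alert log lines instead of `SAMPLE_LOG` to get the per-protocol domain sets; the `no_hostname` list is the part to review, since those are flows the rules matched but which name no domain.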