I am so confused - where are all the rules!

Hi there,

I am really very confused right now. I’ve been on a 4-week DevOps marathon to solve a UDP DDoS problem. AWS only offers DDoS protection for UDP traffic via their AWS Shield Advanced solution, which is $3000 monthly (which is a bit out of our budget range).

So, currently, I have arrived at the AWS Network Firewall, which basically works off Suricata rules. However, I found 100 guides on writing rules, yet no database of rules. What I was expecting to find (and happily pay for) was a nice clean list of DDoS protection rules that I can simply copy and paste into AWS Network Firewall. Unfortunately, this has not been the case… So what am I doing wrong?

Where can I find the rules? Are these closely kept secrets of Big SecOps? I found a handful in the Suricata installation files, but what about DDoS rules? Isn’t there some centralized collection of rules that one can search/browse?

Any guidance would be much appreciated!

Take a look here: https://rules.emergingthreats.net/open/suricata-6.0/rules/emerging-dos.rules
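As an added example (not part of the original post or any reply, and not code from the Emerging Threats project), the script below shows what a file like emerging-dos.rules actually contains and how to pick out the entries relevant to a UDP flood before pasting them into a stateful rule group. The rule lines it parses are constructed for this example in standard Suricata rule syntax; they are not copied from the ET file, and their sids are in the local (1000000+) range. The rate-based behaviour that DoS rules rely on is the `threshold` keyword (count of matching packets per tracked source or destination within a window), which the parser extracts so you can see the thresholds a rule enforces instead of copying it blind.

```python
import re

# Constructed sample in the Suricata/ET rule format. These lines are
# made up for this example and are NOT from emerging-dos.rules.
SAMPLE_RULES = """\
# comment line, ignored by the parser
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL DNS query flood"; threshold: type both, track by_dst, count 500, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL HTTP SYN flood"; flags:S; threshold: type threshold, track by_dst, count 1000, seconds 5; classtype:attempted-dos; sid:1000002; rev:1;)
#alert udp any any -> $HOME_NET any (msg:"LOCAL disabled UDP rule"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET any (msg:"LOCAL generic UDP flood"; threshold: type both, track by_dst, count 2000, seconds 10; classtype:attempted-dos; sid:1000004; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# One option: key, optional ':' value, terminated by ';'. The value may be a
# quoted string (which can itself contain ';'), or bare text without ';'.
OPT_RE = re.compile(r'(\w+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;"])*))?\s*;')


def parse_threshold(value):
    """Turn 'type both, track by_dst, count 500, seconds 10' into a dict."""
    if not value:
        return None
    out = {}
    for part in value.split(","):
        key, val = part.strip().split(None, 1)
        out[key] = int(val) if val.isdigit() else val
    return out


def parse_rule(line):
    """Parse one Suricata rule line. Returns None for blank lines, comments
    and disabled (commented-out) rules, which suricata-update also skips."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None  # not a rule we understand; leave it out rather than guess
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {key: val.strip().strip('"') for key, val in OPT_RE.findall(m.group("opts"))}
    rule["msg"] = opts.get("msg", "")
    rule["sid"] = int(opts["sid"]) if opts.get("sid", "").isdigit() else None
    rule["classtype"] = opts.get("classtype", "")
    rule["threshold"] = parse_threshold(opts.get("threshold"))
    rule["raw"] = line
    return rule


def select_rules(text, proto=None, classtype=None, require_threshold=False):
    """Return the enabled rules in `text` matching the given filters."""
    selected = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if proto and rule["proto"] != proto:
            continue
        if classtype and rule["classtype"] != classtype:
            continue
        if require_threshold and rule["threshold"] is None:
            continue
        selected.append(rule)
    return selected


def to_rules_text(rules):
    """Join selected rules back into a file body ready to paste into a rule group."""
    return "\n".join(r["raw"] for r in rules) + "\n"


if __name__ == "__main__":
    for r in select_rules(SAMPLE_RULES, proto="udp", require_threshold=True):
        t = r["threshold"]
        print(f'sid {r["sid"]}: {r["msg"]} -> {t["count"]} pkts / {t["seconds"]}s ({t["track"]})')
```

Run it against a downloaded copy of emerging-dos.rules by replacing SAMPLE_RULES with the file contents; the same `select_rules(text, proto="udp")` call gives you the UDP subset. Whatever you select, check the keywords each rule uses against what AWS Network Firewall documents as supported before importing, and remember that `threshold` counts packets that already reached the firewall, so it limits what gets through to your hosts rather than the volume hitting your AWS edge.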

I personally would use an iptables rule set as a line of defense before an IPS defense. But there are DoS rules in the core Suricata installation. I build my Suricata instances from source and then pick the additional rule collections using suricata-update.

This is more of an AWS-specific question. But there are several rule sources, and several of those are included in the index of the suricata-update tool; see suricata-update - A Suricata Rule Update Tool — suricata-update 1.3.0dev0 documentation