Inquiry regarding Suricata Rule Behavior for HTTP Inspection in AWS Network Firewall

We are planning to implement HTTP traffic inspection using Suricata-compatible rules within AWS Network Firewall. We have drafted the following two Suricata rules and would like to seek your expert opinion on whether they will function as intended and accurately detect traffic using AWS Network Firewall’s stateful inspection capabilities.

Specifically:

1. **Rule 1: Detect HTTP access from a server within an AWS VPC to example.com**

   ```
   alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP traffic to example.com"; flow:to_server, established; http.host; content:"example.com"; nocase; sid:100001; rev:1;)
   ```

    This rule aims to detect HTTP access attempts from a server within our VPC to the external domain `example.com`. We intend `$HOME_NET` to represent our VPC CIDR, and `$EXTERNAL_NET` to represent the internet or external networks.

2. **Rule 2: Detect HTTP access from external networks to DomainA, which serves as an entry point to AWS**

   ```
   alert http $EXTERNAL_NET any -> any any (msg:"HTTP access to DomainA"; flow:to_server, established; http.host; content:"DomainA"; nocase; sid:100002; rev:1;)
   ```

   This rule aims to detect HTTP access from external networks to a specific domain (`DomainA`) that acts as an entry point to our AWS environment. For this rule, the `any` destination IP is expected to resolve to the IP address(es) of `DomainA`.

Could you please advise whether the usage of `$HOME_NET` and `$EXTERNAL_NET`, the `any` destination, and the domain-name-based detection via the `http.host` keyword will be correctly evaluated by AWS Network Firewall’s stateful rule engine for these rules? We would particularly appreciate any insights into potential configuration caveats or limitations.

Thank you for your time and assistance.

Sincerely,
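The following simulator is an added example, not part of the original post and not AWS Network Firewall or Suricata code. It parses the two rules above, resolves `$HOME_NET` and `$EXTERNAL_NET` against an assumed VPC CIDR (`10.0.0.0/16`, constructed; `$EXTERNAL_NET` is modelled as the complement of `$HOME_NET`, which must be confirmed against the firewall's actual rule-variable settings), and evaluates the `http.host` sticky buffer against constructed HTTP requests so one can see which requests each `sid` would alert on, including case and port handling and a near-miss hostname. All IPs and hostnames in the sample traffic are constructed.

```python
"""Simplified evaluator for the two Suricata rules in the question (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumption (constructed): HOME_NET is the VPC CIDR. EXTERNAL_NET is modelled
# below as "not in HOME_NET"; verify the real variable values in the rule group.
HOME_NET = [ipaddress.ip_network("10.0.0.0/16")]

RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP traffic to example.com"; '
    'flow:to_server, established; http.host; content:"example.com"; nocase; sid:100001; rev:1;)',
    'alert http $EXTERNAL_NET any -> any any (msg:"HTTP access to DomainA"; '
    'flow:to_server, established; http.host; content:"DomainA"; nocase; sid:100002; rev:1;)',
]

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (keyword, value) pairs

    def sid(self) -> int:
        return int(dict(self.options)["sid"])


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and an ordered option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    options = []
    # Splitting on ';' is enough for these two rules; content values that
    # contain an escaped ';' would need a real tokenizer.
    for raw in m["opts"].split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dir"], m["dst"], m["dport"], options)


def addr_matches(spec: str, ip: str) -> bool:
    """Resolve a rule address field (any, $VAR, !$VAR, CIDR) against one IP."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    in_home = any(addr in net for net in HOME_NET)
    if spec == "$HOME_NET":
        hit = in_home
    elif spec == "$EXTERNAL_NET":
        hit = not in_home  # assumption: EXTERNAL_NET == !HOME_NET
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate


@dataclass
class HttpRequest:
    src_ip: str
    dst_ip: str
    host: str  # Host header exactly as the client sent it


def rule_fires(rule: Rule, req: HttpRequest) -> bool:
    """Check header addresses, direction, and the http.host sticky-buffer content."""
    if rule.proto != "http" or rule.direction != "->":
        return False
    if not (addr_matches(rule.src, req.src_ip) and addr_matches(rule.dst, req.dst_ip)):
        return False
    # Suricata's http.host buffer is the normalized, lowercased hostname without
    # the port. The samples are client requests, so flow:to_server is satisfied.
    host_buf = req.host.lower().split(":")[0]
    buffer = None
    for key, val in rule.options:
        if key == "http.host":
            buffer = "http.host"
        elif key == "content":
            if buffer != "http.host":
                return False  # only the http.host buffer is modelled here
            if val.lower() not in host_buf:  # nocase: compare lowercased pattern
                return False
    return True


# Constructed sample traffic covering both directions and two near-misses.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.1.25", "203.0.113.10", "example.com"),           # VPC -> example.com
    HttpRequest("10.0.1.25", "203.0.113.10", "www.EXAMPLE.com:8080"),  # mixed case plus port
    HttpRequest("198.51.100.7", "10.0.2.40", "domaina.example"),       # internet -> entry point
    HttpRequest("10.0.3.9", "10.0.2.40", "domaina.example"),           # VPC-internal: not EXTERNAL_NET
    HttpRequest("198.51.100.7", "10.0.2.40", "notdomaina.example"),    # unanchored substring also hits
]


def matching_sids(req: HttpRequest, rules=None) -> list:
    """Return the sids of every rule that alerts on the request."""
    parsed = [parse_rule(r) for r in (rules or RULES)]
    return [r.sid() for r in parsed if rule_fires(r, req)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.src_ip:>14} -> {req.dst_ip:<14} Host={req.host:<22} sids={matching_sids(req)}")
```

Two things the run makes visible: the fourth request (VPC host to VPC entry point) matches neither rule, because its source is inside `$HOME_NET` and so cannot satisfy `$EXTERNAL_NET` under the modelled complement, and the fifth request shows that `content:"DomainA"` is a plain substring match on the lowercased host buffer, so a hostname that merely contains that string also alerts; anchoring the match (for example with Suricata's `startswith`/`endswith` content modifiers) tightens this.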