I'm using Suricata rules on AWS Network Firewall, which is associated with spoke VPC endpoints.
The network flow is from a spoke VPC EC2 instance to the VPC endpoint (inspection) and finally outbound through the spoke VPC NATGW.
The HTTP/HTTPS outbound rules should be applied, but app-protocol is unknown and the rules don't seem to be applied normally. I checked in CloudWatch that all VPC traffic is inspected by the firewall, but the Suricata rules are not applied normally. Below are the rules; is there anything I can fix?
# DNS Allow Rules
pass udp $PRIVATE_IPS any -> any 53 (msg:"Allow DNS"; sid:90000001; rev:1;)
# NTP Allow Rules
pass udp $PRIVATE_IPS any -> any 123 (msg:"Allow NTP"; sid:90000002; rev:1;)
# HTTP Allow Rules
pass tcp $PRIVATE_IPS any -> any 80 (msg:"Allow HTTP"; sid:90000003; rev:1;)
# Allow specific HTTPS domains
pass tls $PRIVATE_IPS any -> any 443 (msg:"Allow google.com"; tls.sni; content:"google.com"; nocase; sid:2025100003; rev:1;)
# Block all other HTTPS traffic
drop tls $PRIVATE_IPS any -> any 443 (msg:"Block other HTTPS"; sid:2025100999; rev:1;)
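As an added example (not part of the original post), a small Python check over the firewall's CloudWatch flow-log lines: it groups the netflow records by connection and lists the port 80/443 flows that the firewall saw in one direction only and never classified, which is what you would expect if return traffic via the spoke NAT gateway does not come back through the inspection endpoint, since Suricata needs the whole TCP conversation to detect tls/http and match a `pass tls` or `drop tls` rule. The JSON shape (Suricata EVE `netflow`, one record per direction, wrapped in an `event` object) and the addresses are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample log lines (assumption: AWS Network Firewall flow logs carry
# Suricata's EVE "netflow" record, one per direction, under an "event" key).
SAMPLE_LOG_LINES = [
    # symmetric DNS: both directions seen, app_proto detected
    '{"firewall_name":"fw","event":{"event_type":"netflow","src_ip":"10.1.0.10","src_port":51000,'
    '"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","app_proto":"dns","netflow":{"pkts":1,"bytes":80}}}',
    '{"firewall_name":"fw","event":{"event_type":"netflow","src_ip":"10.0.0.2","src_port":53,'
    '"dest_ip":"10.1.0.10","dest_port":51000,"proto":"UDP","app_proto":"dns","netflow":{"pkts":1,"bytes":120}}}',
    # symmetric HTTPS: both directions seen, classified as tls, so a tls rule can match
    '{"firewall_name":"fw","event":{"event_type":"netflow","src_ip":"10.1.0.11","src_port":53000,'
    '"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","app_proto":"tls","netflow":{"pkts":9,"bytes":1400}}}',
    '{"firewall_name":"fw","event":{"event_type":"netflow","src_ip":"198.51.100.10","src_port":443,'
    '"dest_ip":"10.1.0.11","dest_port":53000,"proto":"TCP","app_proto":"tls","netflow":{"pkts":8,"bytes":5200}}}',
    # one-sided HTTPS: only client->server packets pass the endpoint, app_proto stays unknown
    '{"firewall_name":"fw","event":{"event_type":"netflow","src_ip":"10.1.0.10","src_port":52000,'
    '"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","app_proto":"unknown","netflow":{"pkts":4,"bytes":600}}}',
]


def flow_key(ev):
    """Direction-agnostic 5-tuple so both halves of one connection collapse together."""
    a = (ev["src_ip"], ev["src_port"])
    b = (ev["dest_ip"], ev["dest_port"])
    return (ev["proto"],) + (a + b if a <= b else b + a)


def summarize_flows(lines):
    """Collect, per connection, which directions were seen and what Suricata called it."""
    flows = defaultdict(lambda: {"dirs": set(), "app_proto": set(), "dest_ports": set()})
    for line in lines:
        rec = json.loads(line)
        ev = rec.get("event", rec)
        if ev.get("event_type") != "netflow":
            continue
        f = flows[flow_key(ev)]
        f["dirs"].add((ev["src_ip"], ev["dest_ip"]))
        f["app_proto"].add(ev.get("app_proto", "unknown"))
        f["dest_ports"].add(ev["dest_port"])
    return flows


def one_sided_unknown(lines, ports=(80, 443)):
    """Flows to the given ports seen in one direction only and never classified:
    these are the ones the pass/drop tls rules above cannot match."""
    return [
        key
        for key, f in summarize_flows(lines).items()
        if f["dest_ports"] & set(ports) and len(f["dirs"]) == 1 and f["app_proto"] == {"unknown"}
    ]
```

Run it over lines exported from the firewall's flow log group; a non-empty result points at the return path, not at the rule syntax.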