Slowness through AWS firewall

su9 · March 24, 2023, 2:35pm

We are using suricata rules in AWS firewall , however observed slowness if we forward traffic through AWS firewall.
"pass tls $web_server any → any 443 (tls.sni; dotprefix; content:“xx.yy…com”; nocase; endswith; msg:“http-allow”; sid:500;)

If we configure with tcp and allow “.com” then its working.
“pass tcp $web_server any → any 443 (tls.sni; dotprefix; content:”.com"; nocase; endswith; msg:“http-allow”; sid:500;)

Any idea what could be the issue

Philippe_Antoine · May 16, 2023, 2:04pm

The difference is tls versus tcp in the rule, and the tls.sni content being longer ?

Topic		Replies	Views
AWS Network Firewall Stateful (Suricata) rules not working - Pass TLS only Help rules	5	1442	August 16, 2023
How to allow speedtest.net or any other speedtest link on Suricata Help	3	174	December 15, 2023
How to allow HTTPs but block all other protocol Help rules , suricata	2	283	August 2, 2024
Pls, Suggest me to writting allowlist url domain (https), I try to test but it doesn't work	1	577	December 11, 2022
How to write Effective Suricata rule to match multiple tls SNI (Whitelisting)? Rules aws , community , rules , suricon , suricata	1	1566	July 5, 2023

Slowness through AWS firewall

Related topics