Hello all, I’m new to Suricata rules and wanted a little feedback on whether this is a crazy approach for my use case.
I’m working on a highly regulated environment on AWS and all Ingress and Egress traffic is running through the AWS Network Firewall.
All traffic coming into the boundary will go through an Application Load Balancer and be inspected by a Web Application Firewall. My focus here will be the Egress traffic.
My current configuration is:
Using the domain list rule: All HTTP traffic is dropped
Using the domain list rule: All HTTPS traffic is dropped unless it’s to an allowed domain
Using the Geo rule: All traffic destined for an endpoint outside of the United States is dropped
Using a Suricata rule: All HTTP(S) or TLS traffic to a bare IP is dropped
Using a Suricata rule: All TCP to 443 is dropped
Using a Suricata rule: All TLS not to 443 is dropped
The end state I’m considering is a complete default deny for all ports and protocols. I would then have allow rules that define what external endpoints are allowed for HTTPS, TCP, UDP, TLS, DNS, SMTP, and NTP.
What would be the considerations to not take this approach?
Thanks
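For reference, here is an illustrative stateful rule set for the default-deny egress design the post describes (allow-listed DNS, NTP and HTTPS by SNI, everything else dropped). It is an added example, not the poster's rules or an AWS sample; it assumes a STRICT_ORDER rule group whose policy default action is "drop established", a VPC resolver at 10.0.0.2, and the placeholder domains example.com / api.example.net.

```suricata
# Assumptions (not from the original post): STRICT_ORDER evaluation, policy default
# action "drop established" so that the TCP handshake can complete and the TLS
# ClientHello can be inspected before an unmatched flow is dropped.
# $HOME_NET = workload VPC CIDRs, $EXTERNAL_NET = everything else.

# --- DNS: only to the VPC resolver (placeholder address, replace with yours) ---
pass udp $HOME_NET any -> 10.0.0.2 53 (msg:"allow DNS to VPC resolver"; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> 10.0.0.2 53 (msg:"allow DNS/TCP to VPC resolver"; sid:1000002; rev:1;)

# --- NTP: only to the Amazon Time Sync link-local address ---
pass udp $HOME_NET any -> 169.254.169.123 123 (msg:"allow NTP to Amazon Time Sync"; sid:1000003; rev:1;)

# --- HTTPS: allow-listed SNI only ---
# dotprefix + endswith matches example.com and any subdomain, not notexample.com.
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; endswith; msg:"allow HTTPS to example.com and subdomains"; sid:1000010; rev:1;)
# startswith + endswith pins an exact host name.
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.example.net"; startswith; endswith; msg:"allow HTTPS to api.example.net"; sid:1000011; rev:1;)
# The SNI is only visible after the handshake, so handshake packets must pass;
# flows that then present a non-allow-listed SNI hit the drop rule below.
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (flow:not_established; msg:"allow TCP/443 handshake for SNI inspection"; sid:1000012; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"drop HTTPS to non-allow-listed SNI"; sid:1000020; rev:1;)

# --- Explicit drops with messages, so the denies show up in the alert log ---
drop tls $HOME_NET any -> $EXTERNAL_NET !443 (msg:"drop TLS on non-standard port"; sid:1000021; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"drop all plaintext HTTP"; sid:1000022; rev:1;)
# Anything not matched above (other TCP/UDP, ICMP) is dropped by the policy's
# "drop established" default action; add pass rules per sid for SMTP etc. as needed.
```

Order is the whole point under STRICT_ORDER: the pass rules must precede the drops, and the alert log (msg fields) is what tells you which rule is silently blocking a dependency during rollout.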