Suricata on AWS Network Firewall

Hi,

I’m a newbie to Suricata and have basic network knowledge.

I’m using AWS Network Firewall and the default action is to drop/alert all requests.
Then I created my Suricata rules, which allow requests to the whitelisted domain names.

The requests are blocked as I expected when I send a request to the blacklisted domains, i.e. microsoft.com.

{
  "firewall_name": "inspector",
  "availability_zone": "ap-southeast-1a",
  "event_timestamp": "1663859512",
  "event": {
    "timestamp": "2022-09-22T15:11:52.626940+0000",
    "flow_id": 319536895860186,
    "event_type": "alert",
    "src_ip": "10.x.x.x",
    "src_port": 36476,
    "dest_ip": "184.25.221.172",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "blocked",
      "signature_id": 2,
      "rev": 0,
      "signature": "aws:alert_strict action",
      "category": "",
      "severity": 3
    },
    "http": {
      "hostname": "www.microsoft.com",
      "url": "/",
      "http_user_agent": "curl/7.79.1",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http"
  }
}

In the firewall alert logs, I saw the request from Microsoft to my HOME_NET.

{
  "firewall_name": "inspector",
  "availability_zone": "ap-southeast-1a",
  "event_timestamp": "1663859514",
  "event": {
    "timestamp": "2022-09-22T15:11:54.419129+0000",
    "flow_id": 319536895860186,
    "event_type": "alert",
    "src_ip": "184.25.221.172",
    "src_port": 80,
    "dest_ip": "10.x.x.x",
    "dest_port": 36476,
    "proto": "TCP",
    "alert": {
      "action": "blocked",
      "signature_id": 2,
      "rev": 0,
      "signature": "aws:alert_strict action",
      "category": "",
      "severity": 3
    },
    "http": {
      "hostname": "www.microsoft.com",
      "url": "/",
      "http_user_agent": "curl/7.79.1",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http"
  }
}

This happens every time I make a request to the blacklisted domain names.

Mostly, I follow the setup from these guidelines.

Is this the default behavior of the firewall? Or do I need to update the Suricata rules to allow that?
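
The two alert records in the post carry the same flow_id and mirrored address/port pairs. The following is an added example, not part of the original post: it groups Network Firewall alert records by flow_id and labels each record's direction relative to the first record logged for that flow. The function names are hypothetical, the sample lines are the post's two records reduced to the fields used, and treating the first-logged record as the initiator side is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample: the post's two alert records, trimmed to the fields used.
# "10.x.x.x" is the redacted address exactly as it appears in the post.
SAMPLE_LOG = """
{"event": {"timestamp": "2022-09-22T15:11:52.626940+0000", "flow_id": 319536895860186, "event_type": "alert", "src_ip": "10.x.x.x", "src_port": 36476, "dest_ip": "184.25.221.172", "dest_port": 80, "alert": {"action": "blocked", "signature_id": 2}}}
{"event": {"timestamp": "2022-09-22T15:11:54.419129+0000", "flow_id": 319536895860186, "event_type": "alert", "src_ip": "184.25.221.172", "src_port": 80, "dest_ip": "10.x.x.x", "dest_port": 36476, "alert": {"action": "blocked", "signature_id": 2}}}
"""

def endpoint_pair(ev):
    """Return ((src_ip, src_port), (dest_ip, dest_port)) for one event."""
    return (ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])

def group_alerts_by_flow(lines):
    """Parse JSON-lines log records and bucket alert events by flow_id."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)["event"]
        if ev.get("event_type") == "alert":
            flows[ev["flow_id"]].append(ev)
    return flows

def label_directions(events):
    """Label each alert relative to the earliest one in the same flow.

    Assumption: the earliest logged record is the initiator's packet.
    Timestamps share one fixed-width format, so string order is time order.
    """
    events = sorted(events, key=lambda e: e["timestamp"])
    first_src, first_dst = endpoint_pair(events[0])
    labels = []
    for ev in events:
        src, dst = endpoint_pair(ev)
        if (src, dst) == (first_src, first_dst):
            labels.append("initiator->responder")
        elif (src, dst) == (first_dst, first_src):
            labels.append("responder->initiator")
        else:
            labels.append("different tuple")
    return labels

def summarize(lines):
    """Map each flow_id to the ordered direction labels of its alerts."""
    return {fid: label_directions(evs)
            for fid, evs in group_alerts_by_flow(lines).items()}

if __name__ == "__main__":
    for fid, labels in summarize(SAMPLE_LOG.splitlines()).items():
        print(fid, labels)
```
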