Suricata rule for user based authentication

Hi All,

I’m new to Suricata, and I previously had a setup with a proxy that authenticated requests using usernames and passwords passed through Squid proxy. Now, we’ve transitioned to using AWS Network Firewall and Suricata rules to manage whitelisting. I’m looking to implement a Suricata rule to authenticate usernames and passwords, but I’m having trouble finding suitable content. Could you please provide some sample rules to address this scenario?

I know AWS Network Firewall (i.e. rebadged Suricata) is not an HTTP proxy, so it might not support HTTP-layer Basic Authentication or similar methods. Can you advise a different approach to achieve this?

I would recommend starting with the official documentation and, as a second step, maybe focusing on the rule keywords (see 8. Suricata Rules — Suricata 8.0.0-dev documentation), but it would mostly depend on what the traffic you see at that point looks like. Does Suricata see the username and password hash?