AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2025-05-10 · Documentation medium

File: network-firewall/latest/developerguide/suricata-examples.md

Summary

Added SNI-based domain filtering example and testing recommendations

Security assessment

Provides security-focused rule examples for domain filtering using SNI and emphasizes testing, improving guidance for secure rule configuration without addressing specific vulnerabilities.

Diff

diff --git a/network-firewall/latest/developerguide/suricata-examples.md b/network-firewall/latest/developerguide/suricata-examples.md
index 60b4181b0..422d97cb1 100644
--- a//network-firewall/latest/developerguide/suricata-examples.md
+++ b//network-firewall/latest/developerguide/suricata-examples.md
@@ -5 +5 @@
-Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterManage rule evaluation orderDomain list rulesStandard stateful rule groups
+Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterManage rule evaluation orderDomain list rulesStandard stateful rule groupsAllow traffic to a domain using its SNI
@@ -448,0 +449,4 @@ These rules block all unsolicited traffic from `$EXTERNAL_NET` to `$HOME_NET` wh
+###### Note
+
+Before using any example rule, test and adapt it to your needs.
+
@@ -485,0 +490,19 @@ The following Suricata rules listing shows the rules that Network Firewall gener
+## Stateful rules example: allow traffic to a domain using its SNI
+
+###### Note
+
+Before using any example rule, test and adapt it to your needs.
+
+The following set of rules will allow traffic to a domain using its SNI, while blocking traffic to all other domains in a strict order action policy.
+    
+    
+    # Drop all established to_server traffic (even TLS) from $HOME_NET to $EXTERNAL_NET 
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow: to_server, established; sid:1;)
+    
+    # This rule does not allow the traffic because it is already dropped by sid:1, but it does keep the dropped traffic from touching any other rules in the ruleset
+    pass tcp $HOME_NET any -> $EXTERNAL_NET any (flow: to_server, established; sid:11;)
+    
+    # Allow all TLS from anywhere to anywhere if it's SNI is example.com
+    pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"example.com"; dotprefix; nocase; flow: to_server, established; sid:2;)
+    			
+