AWS network-firewall documentation change
Summary
Added examples for URL/Domain Category filtering rules using aws_url_category and aws_domain_category keywords
Security assessment
The change provides implementation examples for security features (blocking malicious/gambling sites) but doesn't fix any specific vulnerability. It enhances documentation for existing security capabilities.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-examples.md b/network-firewall/latest/developerguide/suricata-examples.md index 215bc5a36..d080988bb 100644 --- a//network-firewall/latest/developerguide/suricata-examples.md +++ b//network-firewall/latest/developerguide/suricata-examples.md @@ -5 +5 @@ -Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterManage rule evaluation orderDomain list rulesStandard stateful rule groupsAllow traffic to a domain using its SNIFilter domains on http2 +Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterURL/Domain Category filterManage rule evaluation orderDomain list rulesStandard stateful rule groupsAllow traffic to a domain using its SNIFilter domains on http2 @@ -289,0 +290,101 @@ The following shows an example standard stateful rule group that drops traffic u +## Stateful rules examples: URL/Domain Category filter + +###### Note + +Before using any example rule, test and adapt it to your needs. + +For information about URL and Domain Category filtering in Network Firewall, see [URL and Domain Category Filtering in Suricata compatible AWS Network Firewall rule groups ](./rule-groups-url-filtering.html). + +aws_url_category evaluates complete URLs (with TLS inspection) and domains, while aws_domain_category evaluates only domain information from TLS SNI or HTTP host headers. + +The following shows an example Suricata rule string that generates an alert for traffic categorized as malicious: + + + alert http any any -> any any (msg:"URL Category is Malicious"; aws_url_category:Malicious; sid:55555555; rev:1;) + +The following shows an example that blocks traffic categorized under gambling and social networking categories: + + + drop http any any -> any any (msg:"Block gambling and social sites"; aws_url_category:Gambling,Social Networking; sid:55555556; rev:1;) + +The following shows an example standard stateful rule group that drops traffic to malware and phishing sites using `aws_url_category`: + + + { + "RulesSource": { + "StatefulRules": [ + { + "Action": "DROP", + "Header": { + "DestinationPort": "ANY", + "Direction": "FORWARD", + "Destination": "ANY", + "Source": "ANY", + "SourcePort": "ANY", + "Protocol": "HTTP" + }, + "RuleOptions": [ + { + "Settings": [ + "1" + ], + "Keyword": "sid" + }, + { + "Settings": [ + "Malware,Phishing" + ], + "Keyword": "aws_url_category" + } + ] + } + ] + }, + "StatefulRuleOptions": { + "RuleOrder": "STRICT_ORDER" + } + } + +The following shows an example using domain-level filtering that generates an alert for traffic categorized as cryptocurrency: + + + alert tls any any -> any any (msg:"Domain Category is Cryptocurrency"; aws_domain_category:Cryptocurrency; sid:55555557; rev:1;) + +The following shows an example standard stateful rule group that drops traffic to malware and phishing sites using `aws_domain_category`: + + + { + "RulesSource": { + "StatefulRules": [ + { + "Action": "DROP", + "Header": { + "DestinationPort": "ANY", + "Direction": "FORWARD", + "Destination": "ANY", + "Source": "ANY", + "SourcePort": "ANY", + "Protocol": "HTTP" + }, + "RuleOptions": [ + { + "Settings": [ + "1" + ], + "Keyword": "sid" + }, + { + "Settings": [ + "Malware,Phishing" + ], + "Keyword": "aws_domain_category" + } + ] + } + ] + }, + "StatefulRuleOptions": { + "RuleOrder": "STRICT_ORDER" + } + } +