AWS network-firewall documentation change
Summary
Added HTTP/2 overloading to unsupported features, updated TLS inspection logging behavior, and added guidance for matching HTTP/2 application traffic under TLS inspection with example rules.
Security assessment
This change updates documentation about limitations and provides configuration guidance for HTTP/2 traffic inspection. The addition of HTTP/2 rule examples helps users properly configure security rules for modern protocols, but there's no evidence of a specific security issue being addressed.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-limitations-caveats.md b/network-firewall/latest/developerguide/suricata-limitations-caveats.md index 7bb2f40b2..7b40c9c8e 100644 --- a//network-firewall/latest/developerguide/suricata-limitations-caveats.md +++ b//network-firewall/latest/developerguide/suricata-limitations-caveats.md @@ -36,0 +37,2 @@ The following Suricata features are not supported by Network Firewall: + * HTTP/2 overloading. + @@ -62 +64 @@ For example, say you set the rule group's `HOME_NET` to `10.0.0.0`, and the fire - * When matching TLS based rules in a session holding configuration, alert logs will not contain the SNI that was accessed upon rule match. + * When matching TLS based rules in a TLS inspection-enabled configuration, alert logs capture http host information and not the SNI upon rule match @@ -71,0 +74,9 @@ However, if the destination IP contains a `!`, then Suricata treats this as per + * To match HTTP/2 application traffic under a TLS inspection-enabled configuration, add http2 protocol rules to your rule set in addition to your existing HTTP rules. For example, if you used this rule to match HTTP traffic: + + drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.host; content:"example.com"; sid:1; rev:1;) + +You should add an http2 application rule to your ruleset: + + drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.host; content:"example.com"; sid:1; rev:1;) + drop http2 $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.request_header; content:"authority|3a 20|example.com"; sid:2; rev:1;) +