Lab 3 - Using Open Source rules with AWS Network Firewall

This lab assumes you have deployed AWS Network Firewall using the Distributed Deployment Model setup. The same steps apply to the Centralized Deployment Model. Resource names may vary depending on the CloudFormation stack name you provided.

Let’s take a look at how we can use open-source, Suricata-compatible rules in AWS Network Firewall. For this example, we’ll choose Suricata-specific rules from the community, such as Proofpoint’s OPEN ruleset found here. More details on open-source and commercial rules from Proofpoint are available here. AWS Network Firewall can be set up in various deployment models depending on the requirements. For more details on the deployment models and how to set up firewalls, go through the AWS Network Firewall documentation and Deployment Model for AWS Network Firewall (blog).

To use open-source rules with AWS Network Firewall, follow the steps below:

1. Download/Clone Rules

For this lab, we’ll choose the “User-Agents” category from Proofpoint’s OPEN rules, which can be used to detect suspicious user agents. Rules for this category are available at

Download the rules to your local machine using wget with the following command:

wget -O emerging-user-agents.rules

Once downloaded, note the location where the rules are saved so we can use it in the next steps.

2. Create Rule Group with Suricata-compatible rules

To create a rule group with the above rule set, navigate to the AWS Console → VPC → Network Firewall rule groups and click “Create Network Firewall rule group”. Select “Stateful rule group” from the page as displayed in Figure 2.


Figure 1 : Create Network Firewall rule group

Select “Stateful rule group” from the page as displayed below.


Figure 2 : Create Network Firewall rule group - Stateful rule group

Once selected, define a meaningful name as well as a capacity for the rule group (see more on capacity here) and select the “Suricata compatible IPS rules” option. A text input field will then be available to enter the ruleset.

Copy and paste the rules downloaded in Step 1, which contain the Emerging Threats User-Agents rules, and press “Create stateful rule group” as displayed in Figure 3.


Figure 3 : Create Network Firewall rule group - Suricata compatible IPS rules

Optional: You can also use the following AWS CLI command to create the rule group:

aws network-firewall create-rule-group --rule-group-name emerging-user-agents-rules --type STATEFUL --capacity 250 --rules file://emerging-user-agents.rules

The HOME_NET rule group variable defines the source IP range eligible for processing in Stateful domain list rule groups and, optionally, in Suricata compatible IPS rule groups. By default, it is set to the CIDR of the VPC where the firewall endpoints are deployed. With the centralized deployment model, this variable must be expanded on each rule group to include all CIDR ranges of your VPCs and on-premises networks to make them eligible for processing. See the documentation for more details.

3. Modify Firewall Policy to add and forward traffic to Stateful Rule Groups

To add the stateful rule group created in the previous step to the firewall policy, navigate to the AWS Console → VPC → Firewall policies and click on the policy used by your firewall as shown in Figure 4.


Figure 4 : Click on the in-use Firewall policy

Before we add the new rule group, let’s remove the rule groups added in previous labs. To remove them, click on the rule group and select Delete. Now, under the “Stateful rule groups” section, click “Add rule groups” and select “Add stateful rule group to firewall policy” as shown in Figure 5.


Figure 5 : Add Stateful Rule Group

In the next step, select the stateful rule group you created in Step 2 and click “Add stateful rule group” to update the policy.


Figure 6 : Update the policy

To ensure traffic is forwarded to the stateful inspection engine, you must also add a custom stateless rule group that covers the interesting traffic, or set the default action for all stateless traffic in the firewall policy to forward it to the stateful rule groups. In the example below, we have used the stateless default actions to forward traffic to the stateful rule groups.


Figure 7 : AWS Network Firewall Policy with Stateful default actions.

Optional: You can also complete these steps using the AWS CLI:

Create a file policy.json that forwards all stateless traffic (including fragments) to the stateful engine and references the ARN of the stateful rule group created in Step 2:

	{
	    "StatelessDefaultActions": [
	        "aws:forward_to_sfe"
	    ],
	    "StatelessFragmentDefaultActions": [
	        "aws:forward_to_sfe"
	    ],
	    "StatefulRuleGroupReferences": [
	        {
	            "ResourceArn": "arn:aws:network-firewall:us-west-2:XXXXXXXXXX:stateful-rulegroup/emerging-user-agents-rules"
	        }
	    ]
	}

Fetch the latest update token and update the policy using the policy document you created above (policy.json):

UPDATETOKEN=$(aws network-firewall describe-firewall-policy --firewall-policy-name anfw-demo-firewall-policy --output text --query UpdateToken)

aws network-firewall update-firewall-policy --firewall-policy-name anfw-demo-firewall-policy --firewall-policy file://policy.json --update-token $UPDATETOKEN

Verify the policy:

aws network-firewall describe-firewall-policy --firewall-policy-arn arn:aws:network-firewall:us-west-2:XXXXXXXXXX:firewall-policy/anfw-demo-firewall-policy --region us-west-2
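As an added example covering Steps 1 to 3 from the command line (this is not part of the lab or of Proofpoint's ruleset), the following Python script parses a Suricata rules file, counts the active rules so the capacity chosen in Step 2 can be checked, lists which rules are scoped by $HOME_NET, and builds the policy.json document from Step 3. The embedded rules are a constructed excerpt, not the real emerging-user-agents.rules file; the ARN is a placeholder.

```python
import json
import re

# Constructed excerpt in the style of emerging-user-agents.rules (not the real Proofpoint file).
# The first rule is the one exercised in Step 4; the commented-out rule is disabled and must not count.
SAMPLE_RULES = """\
# Emerging Threats USER_AGENTS rules (constructed excerpt)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; http.user_agent; content:"easyhttp client"; bsize:15; classtype:bad-unknown; sid:2029569; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS disabled example"; http.user_agent; content:"old-agent"; sid:9000001; rev:1;)
alert http any any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS constructed second rule"; http.user_agent; content:"bad-agent"; sid:9000002; rev:2;)
"""

RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)\s*$")
OPT_RE = re.compile(r'\b(msg|sid|rev):\s*("[^"]*"|[^;]*);')

def parse_rules(text):
    """Return one dict per active (uncommented) rule: action, src, dst, msg, sid, rev."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule line: " + line[:60])
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(4))}
        rules.append({"action": m.group(1), "src": m.group(2), "dst": m.group(3),
                      "msg": opts.get("msg", ""), "sid": int(opts["sid"]),
                      "rev": int(opts.get("rev", "1"))})
    return rules

def capacity_ok(rules, capacity):
    """One capacity unit per Suricata rule; capacity cannot be raised after creation, so it must cover every active rule."""
    return len(rules) <= capacity

def home_net_sids(rules):
    """Rules scoped by $HOME_NET only fire for that range; widen the variable in the centralized model (see the note above)."""
    return [r["sid"] for r in rules if "$HOME_NET" in (r["src"], r["dst"])]

def build_policy(rule_group_arn):
    """Policy document equivalent to the lab's policy.json: all stateless traffic is forwarded to the stateful engine."""
    return {"StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn}]}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)  # real run: open("emerging-user-agents.rules").read()
    print(f"{len(rules)} active rules; capacity 250 sufficient: {capacity_ok(rules, 250)}; $HOME_NET rules: {home_net_sids(rules)}")
    print(json.dumps(build_policy("arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/emerging-user-agents-rules"), indent=2))
```

Write the printed JSON to policy.json and it can be passed to update-firewall-policy exactly as above.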

4. Test & monitor

To generate interesting traffic, you need compute resources (e.g. an EC2 instance) that are protected by AWS Network Firewall.

In this lab, we’ll use an EC2 instance (referred to as the secure host) to generate a request that matches signature 2029569 (also displayed below) from Proofpoint’s OPEN rule set imported earlier in Step 3, which detects suspicious user agents.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; http.user_agent; content:"easyhttp client"; bsize:15; classtype:bad-unknown; sid:2029569; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04;)

To test, run the following command on the secure host:

wget -U "easyhttp client" -o /dev/null

This command generates an HTTP GET request with the user agent “easyhttp client”. To check the logs, navigate to the AWS Console → CloudWatch → Log groups and select the log group configured for your firewall. You should see an alert from AWS Network Firewall for the above traffic as displayed in Figure 8 below.


Figure 8 : CloudWatch logs for Alert from AWS Network Firewall
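As an added example (not part of the lab), the following Python script parses exported CloudWatch log lines from the firewall's alert log and flattens the alerts for sid 2029569, skipping netflow records and malformed lines. The log lines are constructed to follow the firewall's JSON log record layout; hosts, ports and timestamps are made up.

```python
import json

# Constructed CloudWatch log lines shaped like AWS Network Firewall alert and netflow records
# (field names follow the firewall's JSON log format; addresses and timestamps are made up).
_UA_ALERT = {"action": "allowed", "signature_id": 2029569, "rev": 1, "category": "Potentially Bad Traffic",
             "signature": "ET USER_AGENTS Observed Suspicious UA (easyhttp client)", "severity": 3}
_OTHER_ALERT = {"action": "blocked", "signature_id": 9000002, "rev": 2, "category": "Potentially Bad Traffic",
                "signature": "constructed second rule", "severity": 3}
SAMPLE_LOG_LINES = [
    json.dumps({"firewall_name": "anfw-demo", "availability_zone": "us-west-2a", "event_timestamp": "1614854400",
                "event": {"event_type": "netflow", "src_ip": "10.1.1.10", "dest_ip": "93.184.216.34",
                          "src_port": 41000, "dest_port": 80, "proto": "TCP"}}),
    json.dumps({"firewall_name": "anfw-demo", "availability_zone": "us-west-2a", "event_timestamp": "1614854401",
                "event": {"event_type": "alert", "src_ip": "10.1.1.10", "dest_ip": "93.184.216.34",
                          "src_port": 41001, "dest_port": 80, "proto": "TCP", "app_proto": "http",
                          "alert": _UA_ALERT, "http": {"hostname": "example.com", "url": "/", "http_method": "GET",
                                                       "http_user_agent": "easyhttp client", "protocol": "HTTP/1.1"}}}),
    json.dumps({"firewall_name": "anfw-demo", "availability_zone": "us-west-2b", "event_timestamp": "1614854402",
                "event": {"event_type": "alert", "src_ip": "10.1.2.20", "dest_ip": "93.184.216.34",
                          "src_port": 41002, "dest_port": 80, "proto": "TCP", "app_proto": "http",
                          "alert": _OTHER_ALERT, "http": {"http_user_agent": "bad-agent", "http_method": "GET"}}}),
    "2021-03-04 not a JSON record, should be skipped",
]

def parse_alerts(lines, wanted_sids=None):
    """Flatten alert records (skipping netflow and malformed lines); optionally keep only the given sids."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a firewall log record
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert":
            continue  # netflow records carry no alert block
        alert = ev.get("alert", {})
        if wanted_sids and alert.get("signature_id") not in wanted_sids:
            continue
        hits.append({"sid": alert.get("signature_id"), "action": alert.get("action"),
                     "signature": alert.get("signature"), "az": rec.get("availability_zone"),
                     "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                     "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                     "user_agent": ev.get("http", {}).get("http_user_agent")})
    return hits

def count_by_sid(hits):
    """Alert volume per signature; 'action' shows whether the rule only alerted ("allowed") or dropped the flow."""
    counts = {}
    for h in hits:
        counts[h["sid"]] = counts.get(h["sid"], 0) + 1
    return counts
```

Because the imported rules use the alert action, the easyhttp request is logged with action "allowed" and still reaches its destination; only a drop rule would show "blocked".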

That concludes how to import Suricata-compatible rules into AWS Network Firewall.

Let’s move on to Lab 4, where you can apply this new knowledge and use Network Firewall with Suricata rules to hunt for suspicious network traffic.