Enhancing Threat Prevention on AWS with Suricata


Suricata is a high-performance, open-source network threat detection tool that encompasses real-time intrusion detection (IDS), an inline intrusion prevention system (IPS), network security monitoring (NSM), and offline packet capture processing. This powerful engine is managed by the community-driven, non-profit organization, the Open Information Security Foundation (OISF).

Implementing Suricata on AWS for Threat Detection and Response

Numerous customers leverage Suricata on Amazon Web Services (AWS) to enhance security and visibility within their environments. A prevalent method involves deploying Suricata alongside Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring, where a duplicate of Amazon VPC traffic is sent to Suricata for potential threat analysis. A common strategy is to install Suricata on an Amazon Elastic Compute Cloud (Amazon EC2) instance, utilizing that instance as a target for VPC traffic mirroring. This configuration allows Suricata to function as an intrusion detection and security monitoring solution within your AWS framework.

Since November 2020, AWS Network Firewall also supports Suricata IPS rules, enabling users to import open-source rulesets or create custom IPS rules using Suricata’s syntax. With AWS Network Firewall, you can define specific rules to inspect and regulate traffic to and from your VPC based on IP, port, protocol, domain names, and general patterns. This service operates on live traffic, allowing you to proactively mitigate threats and block unwanted traffic from unreliable sources.

Suricata rules can be added to AWS Network Firewall either by entering them individually in the console or by uploading a rule file through the API. The benefit of using an open-source rule language like Suricata's is that it lets you reuse, and contribute to, the detection work of the broader security community. For further reading, see the AWS blog post on building an open-source IDS/IPS service behind Gateway Load Balancer, and the Suricata on AWS Quick Start, which deploys Suricata on Amazon EC2 for out-of-band inspection with Amazon VPC Traffic Mirroring.

Utilizing Suricata-Compatible Rules in AWS Network Firewall

Let's examine how to implement Suricata-compatible rules in AWS Network Firewall. For this illustration, we will use community-maintained Suricata rules, specifically the Emerging Threats OPEN ruleset published by Proofpoint. Additional information about both the open-source and the commercial rulesets is available on Proofpoint's site.

AWS Network Firewall can be deployed using various models based on specific requirements. To understand the deployment models and setup procedures, please refer to the AWS Network Firewall documentation. For this scenario, it is assumed that AWS Network Firewall and logging are correctly configured. Sample code is available for provisioning AWS Network Firewall.

To utilize open-source rules with AWS Network Firewall, follow these steps:

1. Download/Clone Rules

For our example, we will select the “User-Agents” category from Proofpoint’s OPEN rules, designed to identify suspicious user agents. Download the rules to your local system using wget with the following command:

wget https://rules.emergingthreats.net/open/suricata-5.0/rules/emerging-user_agents.rules -O emerging-user-agents.rules

After the rules have been downloaded, take note of their storage location for use in subsequent steps.

2. Create Rule Group with Suricata-Compatible Rules

To create a rule group with the downloaded ruleset, navigate to the AWS Console, VPC, and select Network Firewall rule group, then click on “Create Network Firewall rule group.” Choose “Stateful rule group” as illustrated in the relevant figures.

After selecting the rule group, assign a meaningful name and capacity, and select the Suricata-compatible IPS rules option. A text input field will appear for entering your ruleset. (Refer to the documentation for more on rule group capacity.) Copy and paste the rules from Step 1 into this field.

You can also utilize the AWS Command Line Interface (AWS CLI) to create the rule group:

aws network-firewall create-rule-group \
    --rule-group-name emerging-user-agents-rules --type STATEFUL \
    --capacity 250 --rules file://emerging-user-agents.rules

The output will confirm the creation of the rule group.

3. Modify Firewall Policy to Integrate and Forward Traffic to Stateful Rule Groups

To incorporate the newly created stateful rule into the firewall policy, access the AWS Console, navigate to VPC, then Firewall policies, and select the policy associated with your firewall.

Under the “Stateful rule groups” section, select “Add rule groups” and choose to add the stateful rule groups.

4. Forward Traffic

Stateful rule groups only inspect traffic that the stateless engine hands to them. To guarantee that traffic reaches the stateful inspection engine, either create a custom stateless rule group that forwards the relevant traffic, or set the firewall policy's default action for all stateless traffic (including fragments) to forward to the stateful rule groups. Verify this setting after attaching the rule group: if stateless traffic is passed or dropped by default, the Suricata rules you just imported will never see a packet.
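The four steps above, carried through with the AWS CLI, as an added example (this script is not from the original post or from AWS). It assumes the aws CLI is configured, that one Suricata rule consumes one capacity unit (so the active-rule count is a lower bound for --capacity; the headroom of 50 is an arbitrary choice), and that the REGION and ACCOUNT_ID placeholders in the rule group ARN are replaced with the ARN returned by create-rule-group. The sample rule file it writes is constructed for illustration and is not Emerging Threats content; point RULES_FILE at the emerging-user-agents.rules file from Step 1 for real use.

```shell
#!/usr/bin/env bash
# Added example: size a Suricata-compatible rule group, create it, and build a
# firewall policy that forwards all stateless traffic to the stateful engine.
set -eu

# Count active rules in a .rules file: lines that are neither blank nor comments.
# Assumption: one capacity unit per rule, so this is a lower bound for --capacity.
count_active_rules() {
  grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Write a constructed sample rule file (Suricata 5 syntax, sticky http.user_agent
# buffer) so the script can be exercised offline. Not Emerging Threats content.
write_sample_rules() {
  cat > "$1" <<'EOF'
# Constructed sample rules for illustration only
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE suspicious user agent"; flow:established,to_server; http.user_agent; content:"ConstructedBadAgent"; sid:9000001; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE non-browser user agent"; flow:established,to_server; http.user_agent; content:!"Mozilla"; sid:9000002; rev:1;)
EOF
}

# Build the firewall policy document for Step 3 and Step 4. "aws:forward_to_sfe"
# sends both regular and fragmented stateless traffic to the stateful rule groups,
# which is what makes the imported Suricata rules effective.
build_policy_json() {
  local rule_group_arn="$1"
  cat <<EOF
{
  "StatelessDefaultActions": ["aws:forward_to_sfe"],
  "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
  "StatefulRuleGroupReferences": [
    { "ResourceArn": "${rule_group_arn}" }
  ]
}
EOF
}

# Steps 2 to 4 against a real account; only runs when invoked with "deploy".
deploy() {
  local rules_file="$1" capacity
  capacity=$(( $(count_active_rules "$rules_file") + 50 ))   # 50 units of headroom
  aws network-firewall create-rule-group \
    --rule-group-name emerging-user-agents-rules --type STATEFUL \
    --capacity "$capacity" --rules "file://${rules_file}"
  # Placeholder ARN: replace REGION and ACCOUNT_ID with the ARN returned above.
  build_policy_json \
    "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/emerging-user-agents-rules" \
    > policy.json
  aws network-firewall create-firewall-policy \
    --firewall-policy-name suricata-forward-policy \
    --firewall-policy file://policy.json
}

if [ "${1:-}" = "deploy" ]; then
  deploy "${2:-${RULES_FILE:-emerging-user-agents.rules}}"
else
  # Offline dry run: show the capacity lower bound and the policy document.
  sample="${RULES_FILE:-$(mktemp)}"
  [ -s "$sample" ] || write_sample_rules "$sample"
  echo "active rules (capacity lower bound): $(count_active_rules "$sample")"
  build_policy_json \
    "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/emerging-user-agents-rules"
fi
```

Running the script with no arguments performs the offline dry run; `./script.sh deploy emerging-user-agents.rules` executes the AWS CLI calls. If you are attaching the rule group to an existing policy rather than creating a new one, use `aws network-firewall update-firewall-policy` with the `--update-token` value returned by `describe-firewall-policy` instead of `create-firewall-policy`, and keep the same default actions in the document.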


In conclusion, by implementing Suricata on AWS, users can significantly bolster their threat detection and prevention capabilities.
