
AWS network firewall with Suricata rules

I'm looking into implementing AWS Network Firewall with Suricata IPS rules, and I find it really hard to find real examples and ideas of what is relevant regarding rules etc. Our customer puts emphasis on IPS, IDS and anti-malware.

My setup today is Internet Gateway -> Application Load Balancer -> Auto-scaling ECS containers. Correct me if I'm wrong, but the firewall fits in between IG and ALB?

I have spent some time staring at the following screen:

[Screenshot: Create network firewall rule group]

and my initial questions are:

  1. How do I determine what rules are applicable to me?
  2. What is "Capacity" really?

Starting with number one, I believe the rules I can choose from are listed here, and initially I thought that I surely want to use all the 30k (?) rules they supply. Thinking about it a bit more, I assume that that might affect the responsiveness for our end users. So, if I'm thinking IPS, what rule-sets are necessary for a web solution with port 80 and 443 open to the public? If I look at the file containing all "emerging" rules they list about 30k rules, but I hardly think all of them are relevant to me.

Regarding point two, Capacity, Amazon states the following as an explanation:

Maximum processing capacity allowed for the rule group. Estimate the stateful rule group's capacity requirement as the number of rules you expect to add. You can't change or exceed this setting when you update the rule group.

Initially I thought that "one capacity" refers to one line (one rule in any rule set), but I later understood that one line itself might require up to 450 "capacity" (I've lost the link where I read/interpreted this).

I understand that this subject is huge, and I'm somewhat of a rookie when it comes to firewalls, but can anyone enlighten me on how to approach this? I feel as if I'm not certain what I'm asking about, so please let me know if I need to clarify anything.

I have recently developed an integration between IDSTower (a Suricata & rules management solution) and AWS Network Firewall, so I can relate to the confusion :)

How do I determine what rules are applicable to me?

The starting point should be the services you are protecting; once you know that, things will be easier. ET Open/Suricata rules can be grouped in different ways: they are published in different files (e.g. emerging-smtp.rules, emerging-sql.rules, etc.) and contain a classtype that classifies the rules (e.g. bad-unknown, misc-attack, etc.) as well as metadata like tags, signature_severity, etc.

Another important thing to point out here is that AWS Network Firewall has a limit on the uploaded rules size (in a single stateful rule group) of 2 MB, which will force you to pick and choose your rules.

There are several approaches to decide what rules to enable:

  1. Using the grouping of rules explained above, start by enabling a small subset, monitor the output, adjust/tune and enable another subset, till you cover the services; so start small and grow the enabled rules.

  2. Enable all of the rules (in IDS mode) and assess the alerts, disable/tune noisy/useless ones till you reach a state of confidence.

  3. Enable rules that monitor the protocol your system speaks; if you are protecting HTTP based web services, start by enabling rules that are monitoring the http protocol ('alert http.....').

If you are applying the above to a production environment, make sure you start by alerting only, and once you remove false positives you can move them to drop.

What is "Capacity" really?

AWS uses the capacity settings to make sure your Cloud-Suricata instance can deliver the promised performance, which is largely influenced by the number of enabled rules.

A single stateful rule consumes 1 capacity.

Initially I thought that "one capacity" refers to one line (one rule in any rule set), but I later understood that one line itself might require up to 450 "capacity" (I've lost the link where I read/interpreted this).

Yes, Suricata rules (which are stateful in the AWS Network Firewall world) consume 1 capacity point per single rule line; however, for stateless rules, a single rule can consume more depending on protocols, sources and destinations, as mentioned in the AWS Docs:

A rule with a protocol that specifies 30 different protocols, a source with 3 settings, a destination with 5 settings, and single or no specifications for the other match settings has a capacity requirement of (30 × 3 × 5) = 450.

Here is the AWS Network Firewall Docs link
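As an added example (my own code, not part of the answer, IDSTower or AWS tooling), the script below applies the "start with the protocol your system speaks" approach to a few constructed ET Open-style rule lines: it picks rules by app-layer protocol and classtype, counts stateful capacity at one point per rule line, checks the selection against the 2 MB rule-group limit, and reproduces the stateless capacity product from the docs. The rule lines, sids and msg strings are constructed for illustration.

```python
import re

# Constructed ET Open-style rule lines for illustration (not real ET signatures).
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE path traversal"; classtype:web-application-attack; sid:9000001; rev:1;)
alert smtp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE smtp probe"; classtype:misc-activity; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; classtype:bad-unknown; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE sqli attempt"; classtype:web-application-attack; sid:9000004; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE tls anomaly"; classtype:bad-unknown; sid:9000005; rev:1;)
"""

# action, protocol, then the classtype keyword inside the option block
RULE_RE = re.compile(r'^(alert|drop|pass|reject)\s+(\S+)\s.*?classtype:\s*([^;]+);', re.I)

def select_rules(rule_text, protocols, classtypes=None):
    """Return the active rule lines whose app-layer protocol is in `protocols`
    (and whose classtype is in `classtypes`, when given). Lines starting with
    '#' are disabled rules and are skipped, as are non-rule lines."""
    chosen = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        proto, ctype = m.group(2).lower(), m.group(3).strip()
        if proto in protocols and (classtypes is None or ctype in classtypes):
            chosen.append(line)
    return chosen

def stateful_capacity(rules):
    """In AWS Network Firewall every Suricata (stateful) rule line costs 1 capacity."""
    return len(rules)

def fits_rule_group_limit(rules, limit_bytes=2 * 1024 * 1024):
    """Check the selected rule text against the 2 MB per stateful rule group upload limit."""
    return len("\n".join(rules).encode("utf-8")) <= limit_bytes

def stateless_capacity(**match_counts):
    """Stateless rule capacity is the product of the number of settings per match
    field; unspecified fields count as 1 (the docs' 30 x 3 x 5 = 450 example)."""
    total = 1
    for count in match_counts.values():
        total *= max(count, 1)
    return total
```

Running `select_rules(SAMPLE_RULES, {"http", "tls"})` keeps only the web-facing rules, which is the alert-only starting subset the answer recommends before any rule is switched to drop.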

