AWS Network Firewall (Suricata)

AWS product page: https://aws.amazon.com/network-firewall/

AWS Network Firewall is used to secure customer Virtual Private Clouds (VPCs). It operates as a standard firewall, filtering inbound and outbound traffic, and accepts Suricata-compatible rules.

  • Uses Suricata-format data from ThreatSTOP to create blocklists
  • Pricing is based on
    • Network Firewall instances
    • Throughput (per GB)
    • Number of endpoints protected

Example of Suricata data from the ThreatSTOP threatlist server (one rule per line; each rule carries a message naming the feed category, a priority, and a unique sid):

alert ip [160.16.200.77/32] any -> any (msg: "[OFAC Sanctioned Entities - IPs geo]"; priority: 2; sid: 21776;)
alert ip [77.222.63.120/32] any -> any (msg: "[OFAC Sanctioned Entities - IPs geo]"; priority: 2; sid: 21777;)
alert ip [203.8.127.0/24] any -> any (msg: "[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority: 2; sid: 21778;)
alert ip [188.225.11.103/32] any -> any (msg: "[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority: 2; sid: 21779;)
alert ip [88.208.29.77/32] any -> any (msg: "[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority: 2; sid: 21780;)
alert ip [161.35.197.150/32] any -> any (msg: "[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority: 2; sid: 21781;)
alert ip [89.187.178.179/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21782;)
alert ip [185.40.4.95/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21783;)
alert ip [208.105.190.170/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21784;)
alert ip [64.176.49.160/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21785;)
alert ip [185.40.4.38/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21786;)
alert ip [142.11.217.3/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21787;)
alert ip [107.173.89.16/32] any -> any (msg: "[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority: 2; sid: 21788;)

To create a Suricata policy, you must do the following in the ThreatSTOP Admin portal:

  • Have the SKUs for IP device and SIEM integration on your account (if you need SKUs, contact us at Support@Threatstop.com)
  • Create an IP policy in the policy editor
  • While editing the policy, check the "Enable" box on the first tab of the policy editor, then save and exit the policy editor

It takes 2 - 4 hours for the Suricata threatlist to be generated and distributed to the threatlist server. You can test the SFTP download with your threatlist username and private SSH key; the SFTP host is threatlist.threatstop.com. The "latest" entry is a link to the most recently generated file.

Although the threatlist files carry a .csv extension, a file requested in Suricata format is plain text containing one Suricata rule per line. See https://docs.threatstop.com/threatlist.html#accessing-the-threatlist-files
