AWS product page: https://aws.amazon.com/network-firewall/
This service is used to secure customer Virtual Private Clouds (VPCs). It operates as a standard firewall, filtering inbound and outbound traffic.
- Uses Suricata rule data (such as a threatlist) to build blocklists
- Pricing is based on:
  - NFW instances
  - Throughput (per GB)
  - Number of endpoints protected
Example of suricata data from the ThreatSTOP threatlist server:
```
alert ip [160.16.200.77/32] any -> any (msg:"[OFAC Sanctioned Entities - IPs geo]"; priority:2; sid:21776;)
alert ip [77.222.63.120/32] any -> any (msg:"[OFAC Sanctioned Entities - IPs geo]"; priority:2; sid:21777;)
alert ip [203.8.127.0/24] any -> any (msg:"[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority:2; sid:21778;)
alert ip [188.225.11.103/32] any -> any (msg:"[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority:2; sid:21779;)
alert ip [88.208.29.77/32] any -> any (msg:"[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority:2; sid:21780;)
alert ip [161.35.197.150/32] any -> any (msg:"[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority:2; sid:21781;)
alert ip [89.187.178.179/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21782;)
alert ip [185.40.4.95/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21783;)
alert ip [208.105.190.170/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21784;)
alert ip [64.176.49.160/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21785;)
alert ip [185.40.4.38/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21786;)
alert ip [142.11.217.3/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21787;)
alert ip [107.173.89.16/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21788;)
```
To create a suricata policy, you must do the following in the ThreatSTOP Admin portal:
- Your account needs SKUs for an IP device and for SIEM integration (if you need SKUs, contact us at Support@Threatstop.com)
- Create an IP policy in the policy editor
- While editing the policy, check the "Enable" box on the first tab of the policy editor. Save and exit the policy editor.
- Open the "SIEM Integration" tab
- Create and upload a public SSH key (e.g. https://www.ssh.com/academy/ssh/keygen#creating-an-ssh-key-pair-for-user-authentication). The matching private key, together with the username, is used to download the threatlist (suricata) files.
- Select the suricata format (at minimum, paste the default format from https://docs.threatstop.com/threatlist.html#data-formats)
- Save
It takes 2 - 4 hours for the threatlist (suricata) to be generated and distributed to the threatlist server. You can test the sftp download using the username and private SSH key. The sftp host is threatlist.threatstop.com. The latest file is a link to the newest generated file.
Although the files are named .csv, if you specify the suricata format they are plain text files containing suricata rule lines. See https://docs.threatstop.com/threatlist.html#accessing-the-threatlist-files
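As an added example (not ThreatSTOP's or AWS's own code), a Python checker for a downloaded suricata threatlist file: it parses each rule line, rejects invalid CIDRs and duplicate sids before the file is loaded into a firewall rule group, and can rewrite the feed's `alert` rules as `drop` rules when a blocklist is wanted. The sample lines are constructed from the format shown above, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the threatlist's suricata format (not a real download);
# the last two lines are deliberately broken to exercise the checks.
SAMPLE = """\
alert ip [160.16.200.77/32] any -> any (msg:"[OFAC Sanctioned Entities - IPs geo]"; priority:2; sid:21776;)
alert ip [203.8.127.0/24] any -> any (msg:"[OFAC Sanctioned Entity Subsidiaries - IPs geo]"; priority:2; sid:21778;)
alert ip [89.187.178.179/32] any -> any (msg:"[CISA DHS AIS White TLP with Consent for Everyone and Non-Proprietary - IPs general]"; priority:2; sid:21782;)
alert ip [999.1.1.1/32] any -> any (msg:"[not a valid address]"; priority:2; sid:21790;)
alert ip [160.16.200.77/32] any -> any (msg:"[OFAC Sanctioned Entities - IPs geo]"; priority:2; sid:21776;)
"""

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+ip\s+\[(?P<cidr>[^\]]+)\]\s+any\s+->\s+any\s+'
    r'\(msg:"(?P<msg>[^"]*)";\s*priority:(?P<prio>\d+);\s*sid:(?P<sid>\d+);\)$'
)

def parse_rules(text):
    """Return (rules, problems). A line is a problem if it does not match the
    format, its CIDR is not a valid network, or its sid repeats an earlier one
    (Suricata requires unique sids, so a duplicate would fail to load)."""
    rules, problems, seen_sids = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable line"))
            continue
        try:
            net = ipaddress.ip_network(m["cidr"].strip(), strict=False)
        except ValueError:
            problems.append((lineno, f"invalid CIDR {m['cidr']!r}"))
            continue
        sid = int(m["sid"])
        if sid in seen_sids:
            problems.append((lineno, f"duplicate sid {sid}"))
            continue
        seen_sids.add(sid)
        rules.append({"cidr": net, "msg": m["msg"], "priority": int(m["prio"]), "sid": sid})
    return rules, problems

def to_drop_rules(rules):
    """Rewrite the feed's alert rules as drop rules for a blocking rule group."""
    return [f'drop ip [{r["cidr"]}] any -> any (msg:"{r["msg"]}"; priority:{r["priority"]}; sid:{r["sid"]};)'
            for r in rules]
```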