Amazon Network Firewall · Schema

StatefulRule

A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.

FirewallIntrusion DetectionNetwork SecurityVPC

Properties

Name Type Description
Action object
Header object
RuleOptions object
View JSON Schema on GitHub

JSON Schema

openapi-stateful-rule-schema.json Raw ↑ 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/amazon-network-firewall/refs/heads/main/json-schema/openapi-stateful-rule-schema.json",
  "title": "StatefulRule",
  "description": "A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata <code>Rules</code> format, see <a href=\"https://suricata.readthedocs.iorules/intro.html#\">Rules Format</a>. ",
  "type": "object",
  "properties": {
    "Action": {
      "allOf": [
        {
          "$ref": "#/components/schemas/StatefulAction"
        },
        {
          "description": "<p>Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. </p> <p>The actions for a stateful rule are defined as follows: </p> <ul> <li> <p> <b>PASS</b> - Permits the packets to go to the intended destination.</p> </li> <li> <p> <b>DROP</b> - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>. </p> </li> <li> <p> <b>ALERT</b> - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>. </p> <p>You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with <code>ALERT</code> action, verify in the logs that the rule is filtering as you want, then change the action to <code>DROP</code>.</p> </li> <li> <p> <b>REJECT</b> - Drops TCP traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a <code>RST</code> bit contained in the TCP header flags. Also sends an alert log mesage if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>.</p> <p> <code>REJECT</code> isn't currently available for use with IMAP and FTP protocols.</p> </li> </ul>"
        }
      ]
    },
    "Header": {
      "allOf": [
        {
          "$ref": "#/components/schemas/Header"
        },
        {
          "description": "The stateful inspection criteria for this rule, used to inspect traffic flows. "
        }
      ]
    },
    "RuleOptions": {
      "allOf": [
        {
          "$ref": "#/components/schemas/RuleOptions"
        },
        {
          "description": "Additional options for the rule. These are the Suricata <code>RuleOptions</code> settings."
        }
      ]
    }
  },
  "required": [
    "Action",
    "Header",
    "RuleOptions"
  ]
}