本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 自定义 Amazon CloudWatch 提醒 AWS Network Firewall
*Jason Owens,Amazon Web Services*
## Summary
该模式可帮助您自定义由生成的Amazon CloudWatch 提醒 AWS Network Firewall。您可以使用预定义的规则或创建自定义规则来确定警报的消息、元数据和严重性。然后,您可以根据这些提醒采取行动,或者由其他亚马逊服务(例如亚马逊)自动回复 EventBridge。
在此模式中,您将生成与 Suricata 兼容的防火墙规则。[Suricata](https://suricata.io/) 是一个开源威胁检测引擎。您首先创建简单的规则,然后对其进行测试以确认 CloudWatch 警报已生成并记录在案。成功测试规则后,您可以修改它们以定义自定义消息、元数据和严重性,然后再次测试以确认更新。
## 先决条件和限制
**先决条件**
+ 活跃 AWS 账户的.
+ AWS Command Line Interface (AWS CLI) 已在你的 Linux、macOS 或 Windows 工作站上安装和配置。有关更多信息,请参阅[安装或更新 AWS CLI的最新版本](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)。
+ AWS Network Firewall 已安装并配置为使用 CloudWatch 日志。有关更多信息,请参阅[记录来自的网络流量 AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html)。
+ 位于受网络防火墙保护的虚拟私有云 (VPC EC2) 私有子网中的亚马逊弹性计算云 (Amazon) 实例。
**产品版本**
+ 对于的版本 1 AWS CLI,请使用 1.18.180 或更高版本。对于的版本 2 AWS CLI,请使用 2.1.2 或更高版本。
+ Suricata 版本 5.0.2 中的 classification.config 文件。有关此配置文件的副本,请参阅[其他信息](#customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional)部分。
## 架构
![\[EC2 实例请求会在 Network Firewall 中生成警报,网络防火墙会将警报转发到 CloudWatch\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/images/pattern-img/da6087a9-e942-4cfe-85e3-3b08de6f3ba5/images/778d85cd-bc87-4ed0-a161-d35eb5daa694.png)
架构图显示了以下工作流程:
1. 私有子网中的 Amazon EC2 实例使用 c [url](https://curl.se/) 或 [W](https://www.gnu.org/software/wget/) get 发出请求。
1. Network Firewall 处理流量并生成警报。
1. Network Firewall 将记录的警报发送到 CloudWatch 日志。
## 工具
**AWS 服务**
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) 可帮助您实时监控您的 AWS 资源和运行的应用程序 AWS 的指标。
+ [Amazon CloudWatch Lo](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) gs 可帮助您集中所有系统和应用程序的日志, AWS 服务 这样您就可以监控它们并安全地将其存档。
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) 是一个开源工具,可帮助您 AWS 服务 通过命令行外壳中的命令进行交互。
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html)是针对虚拟私有云 (VPCs) 中的状态托管网络防火墙以及入侵检测和防御服务 ()。 AWS 云
**其他工具**
+ [curl](https://curl.se/) 是一个开源命令行工具和库。
+ [GNU Wget](https://www.gnu.org/software/wget/) 是一个免费的命令行工具。
## 操作说明
### 创建防火墙规则和规则组
| Task | 说明 | 所需技能 |
| --- | --- | --- |
| 创建规则。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员、网络管理员 |
| 创建规则组。 | 在中 AWS CLI,输入以下命令。这将创建规则组。❯ aws network-firewall create-rule-group \
--rule-group-name custom --type STATEFUL \
--capacity 10 --rules file://custom.rules \
--tags Key=environment,Value=development
下面是一个示例输出。记下 `RuleGroupArn`,在后面的步骤中需要用到它。{
"UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",
"RuleGroupResponse": {
"RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
"RuleGroupName": "custom",
"RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
"Type": "STATEFUL",
"Capacity": 10,
"RuleGroupStatus": "ACTIVE",
"Tags": [
{
"Key": "environment",
"Value": "development"
}
]
} | AWS 系统管理员 |
### 更新防火墙策略
| Task | 说明 | 所需技能 |
| --- | --- | --- |
| 获取防火墙策略的 ARN。 | 在中 AWS CLI,输入以下命令。这将返回防火墙策略的 Amazon 资源名称(ARN)。记录 ARN 以供稍后在此模式中使用。❯ aws network-firewall describe-firewall \
--firewall-name aws-network-firewall-anfw \
--query 'Firewall.FirewallPolicyArn'
以下是此命令返回的示例 ARN。"arn:aws:network-firewall:us-east-2:1234567890:firewall-policy/firewall-policy-anfw"
| AWS 系统管理员 |
| 更新防火墙策略。 | 在文本编辑器中,复制并粘贴以下代码。将 `` 替换为在上一个长篇故事中记录的值。将该文件保存为 `firewall-policy-anfw.json`。{
"StatelessDefaultActions": [
"aws:forward_to_sfe"
],
"StatelessFragmentDefaultActions": [
"aws:forward_to_sfe"
],
"StatefulRuleGroupReferences": [
{
"ResourceArn": ""
}
]
}在 AWS CLI中,输入以下命令。此命令需要[更新令牌](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/update-firewall-policy.html)才能添加新规则。该令牌用于确认自您上次检索策略以来该策略未发生更改。UPDATETOKEN=(`aws network-firewall describe-firewall-policy \
--firewall-policy-name firewall-policy-anfw \
--output text --query UpdateToken`)
aws network-firewall update-firewall-policy \
--update-token $UPDATETOKEN \
--firewall-policy-name firewall-policy-anfw \
--firewall-policy file://firewall-policy-anfw.json
| AWS 系统管理员 |
| 确认策略更新。 | (可选)如果要确认已添加规则并查看策略格式,请在 AWS CLI中输入以下命令。❯ aws network-firewall describe-firewall-policy \
--firewall-policy-name firewall-policy-anfw \
--query FirewallPolicy
下面是一个示例输出。{
"StatelessDefaultActions": [
"aws:forward_to_sfe"
],
"StatelessFragmentDefaultActions": [
"aws:forward_to_sfe"
],
"StatefulRuleGroupReferences": [
{
"ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"
}
]
} | AWS 系统管理员 |
### 测试警报功能
| Task | 说明 | 所需技能 |
| --- | --- | --- |
| 生成用于测试的警报。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员 |
| 验证警报是否已记录。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员 |
### 更新防火墙规则和规则组
| Task | 说明 | 所需技能 |
| --- | --- | --- |
| 更新防火墙规则。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员 |
| 更新规则组。 | 在中 AWS CLI,运行以下命令。使用防火墙策略的 ARN。这些命令获取更新令牌,并使用规则更改更新规则组。❯ UPDATETOKEN=(`aws network-firewall \
describe-rule-group \
--rule-group-arn arn:aws:network-firewall:us-east-2:123457890:stateful-rulegroup/custom \
--output text --query UpdateToken`)
❯ aws network-firewall update-rule-group \
--rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
--rules file://custom.rules \
--update-token $UPDATETOKEN
下面是一个示例输出。{
"UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",
"RuleGroupResponse": {
"RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
"RuleGroupName": "custom",
"RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
"Type": "STATEFUL",
"Capacity": 10,
"RuleGroupStatus": "ACTIVE",
"Tags": [
{
"Key": "environment",
"Value": "development"
}
]
}
} | AWS 系统管理员 |
### 测试更新的警报功能
| Task | 说明 | 所需技能 |
| --- | --- | --- |
| 生成用于测试的警报。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员 |
| 验证警报是否已更改。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系统管理员 |
## 相关资源
**参考**
+ [从 AWS Network Firewall Slack 频道发送提醒](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html)(AWS 规范性指导)
+ [AWS 使用 Suricata 扩展威胁防御能力](https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/)(AWS 博客文章)
+ AWS Network Firewall(AWS 博客文章)[的部署模型](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/)
+ [Suricata 元密钥](https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html)(Suricata 文档)
**教程和视频**
+ [AWS Network Firewall 工作坊](https://networkfirewall.workshop.aws/)
## 附加信息
以下是 Suricata 5.0.2 中的分类配置文件。创建防火墙规则时将使用这些分类。
```
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1
```