本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 自訂 的 Amazon CloudWatch 提醒 AWS Network Firewall
*Jason Owens,Amazon Web Services*
## 總結
模式可協助您自訂由 產生的 Amazon CloudWatch 警示 AWS Network Firewall。您可以使用預先定義的規則,或建立自訂規則來判斷提醒的訊息、中繼資料和嚴重性。然後,您可以對這些提醒採取行動,或自動回應其他 Amazon 服務,例如 Amazon EventBridge。
在此模式中,您會產生 Suricata 相容防火牆規則。[Suricata](https://suricata.io/) 是一種開放原始碼威脅偵測引擎。您首先建立簡單的規則,然後測試它們以確認產生並記錄 CloudWatch 提醒。成功測試規則後,您可以修改規則以定義自訂訊息、中繼資料和嚴重性,然後再次測試以確認更新。
## 先決條件和限制
**先決條件**
+ 作用中 AWS 帳戶。
+ AWS Command Line Interface (AWS CLI) 在 Linux、macOS 或 Windows 工作站上安裝和設定。如需詳細資訊,請參閱[安裝或更新最新版本的 AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)。
+ AWS Network Firewall 已安裝並設定為使用 CloudWatch Logs。如需詳細資訊,請參閱[從 記錄網路流量 AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html)。
+ 受 Network Firewall 保護之虛擬私有雲端 (VPC) 私有子網路中的 Amazon Elastic Compute Cloud (Amazon EC2) 執行個體。
**產品版本**
+ 對於 第 1 版 AWS CLI,請使用 1.18.180 或更新版本。對於 第 2 版 AWS CLI,請使用 2.1.2 或更新版本。
+ 來自 Suricata 5.0.2 版的 classification.config 檔案。如需此組態檔案的副本,請參閱[其他資訊](#customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional)一節。
## Architecture
![\[EC2 執行個體請求會在 Network Firewall 中產生警示,將警示轉送至 CloudWatch\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/images/pattern-img/da6087a9-e942-4cfe-85e3-3b08de6f3ba5/images/778d85cd-bc87-4ed0-a161-d35eb5daa694.png)
架構圖顯示下列工作流程:
1. 私有子網路中的 Amazon EC2 執行個體會使用 [curl](https://curl.se/) 或 [Wget](https://www.gnu.org/software/wget/) 提出請求。
1. Network Firewall 會處理流量並產生提醒。
1. Network Firewall 會將記錄的警示傳送至 CloudWatch Logs。
## 工具
**AWS 服務**
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) 可協助您 AWS 即時監控 AWS 資源的指標,以及您在 上執行的應用程式。
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) 可協助您集中所有系統、應用程式的日誌, AWS 服務 以便您可以監控日誌並將其安全地存檔。
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) 是一種開放原始碼工具,可協助您 AWS 服務 透過命令列 shell 中的命令與 互動。
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) 是 AWS 雲端中的虛擬私有雲端 (VPC) 的有狀態、受管網路防火牆以及入侵偵測和預防服務。
**其他工具**
+ [curl](https://curl.se/) 是開放原始碼命令列工具和程式庫。
+ [GNU Wget](https://www.gnu.org/software/wget/) 是免費命令列工具。
## 史詩
### 建立防火牆規則和規則群組
| 任務 | Description | 所需的技能 |
| --- | --- | --- |
| 建立規則。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員、網路管理員 |
| 建立規則群組。 | 在 中 AWS CLI,輸入下列命令。這會建立規則群組。❯ aws network-firewall create-rule-group \
--rule-group-name custom --type STATEFUL \
--capacity 10 --rules file://custom.rules \
--tags Key=environment,Value=development
以下為範例輸出。請記下`RuleGroupArn`您在後續步驟中需要的 。{
"UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",
"RuleGroupResponse": {
"RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
"RuleGroupName": "custom",
"RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
"Type": "STATEFUL",
"Capacity": 10,
"RuleGroupStatus": "ACTIVE",
"Tags": [
{
"Key": "environment",
"Value": "development"
}
]
} | AWS 系統管理員 |
### 更新防火牆政策
| 任務 | Description | 所需的技能 |
| --- | --- | --- |
| 取得防火牆政策的 ARN。 | 在 中 AWS CLI,輸入下列命令。這會傳回防火牆政策的 Amazon Resource Name (ARN)。記錄 ARN 以供稍後在此模式中使用。❯ aws network-firewall describe-firewall \
--firewall-name aws-network-firewall-anfw \
--query 'Firewall.FirewallPolicyArn'
以下是此命令傳回的範例 ARN。"arn:aws:network-firewall:us-east-2:1234567890:firewall-policy/firewall-policy-anfw"
| AWS 系統管理員 |
| 更新防火牆政策。 | 在文字編輯器中,複製貼上下列程式碼。`` 將 取代為您在上一個 epic 中記錄的值。儲存檔案為 `firewall-policy-anfw.json`。{
"StatelessDefaultActions": [
"aws:forward_to_sfe"
],
"StatelessFragmentDefaultActions": [
"aws:forward_to_sfe"
],
"StatefulRuleGroupReferences": [
{
"ResourceArn": ""
}
]
}在 中輸入下列命令 AWS CLI。此命令需要[更新字符](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/update-firewall-policy.html)才能新增新規則。字符用於確認自您上次擷取以來,政策尚未變更。UPDATETOKEN=(`aws network-firewall describe-firewall-policy \
--firewall-policy-name firewall-policy-anfw \
--output text --query UpdateToken`)
aws network-firewall update-firewall-policy \
--update-token $UPDATETOKEN \
--firewall-policy-name firewall-policy-anfw \
--firewall-policy file://firewall-policy-anfw.json
| AWS 系統管理員 |
| 確認政策更新。 | (選用) 如果您想要確認已新增規則並檢視政策格式,請在 中輸入下列命令 AWS CLI。❯ aws network-firewall describe-firewall-policy \
--firewall-policy-name firewall-policy-anfw \
--query FirewallPolicy
以下為範例輸出。{
"StatelessDefaultActions": [
"aws:forward_to_sfe"
],
"StatelessFragmentDefaultActions": [
"aws:forward_to_sfe"
],
"StatefulRuleGroupReferences": [
{
"ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"
}
]
} | AWS 系統管理員 |
### 測試提醒功能
| 任務 | Description | 所需的技能 |
| --- | --- | --- |
| 產生測試提醒。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員 |
| 驗證是否已記錄提醒。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員 |
### 更新防火牆規則和規則群組
| 任務 | Description | 所需的技能 |
| --- | --- | --- |
| 更新防火牆規則。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員 |
| 更新規則群組。 | 在 中 AWS CLI,執行下列命令。使用防火牆政策的 ARN。這些命令會取得更新字符,並使用規則變更來更新規則群組。❯ UPDATETOKEN=(`aws network-firewall \
describe-rule-group \
--rule-group-arn arn:aws:network-firewall:us-east-2:123457890:stateful-rulegroup/custom \
--output text --query UpdateToken`)
❯ aws network-firewall update-rule-group \
--rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
--rules file://custom.rules \
--update-token $UPDATETOKEN
以下為範例輸出。{
"UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",
"RuleGroupResponse": {
"RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
"RuleGroupName": "custom",
"RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
"Type": "STATEFUL",
"Capacity": 10,
"RuleGroupStatus": "ACTIVE",
"Tags": [
{
"Key": "environment",
"Value": "development"
}
]
}
} | AWS 系統管理員 |
### 測試更新的提醒功能
| 任務 | Description | 所需的技能 |
| --- | --- | --- |
| 產生測試提醒。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員 |
| 驗證已變更的提醒。 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS 系統管理員 |
## 相關資源
**參考**
+ [從 傳送提醒 AWS Network Firewall 到 Slack 頻道](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html) (AWS 方案指引)
+ [AWS 使用 Suricata 在 上擴展威脅預防 ](https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/)(AWS 部落格文章)
+ [的部署模型 AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/) (AWS 部落格文章)
+ [Suricata 中繼金鑰 ](https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html)(Suricata 文件)
**教學課程和影片**
+ [AWS Network Firewall 研討會](https://networkfirewall.workshop.aws/)
## 其他資訊
以下是來自 Suricata 5.0.2 的分類組態檔案。建立防火牆規則時會使用這些分類。
```
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1
```