Amazon Network Firewall · JSON Structure

Openapi Stateful Rule Structure

A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.

Type: object Properties: 3 Required: 3

StatefulRule is a JSON Structure definition published by Amazon Network Firewall, describing 3 properties, of which 3 are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

- Action
- Header
- RuleOptions

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/amazon-network-firewall/refs/heads/main/json-structure/openapi-stateful-rule-structure.json",
  "name": "StatefulRule",
  "description": "A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata <code>Rules</code> format, see <a href=\"https://suricata.readthedocs.iorules/intro.html#\">Rules Format</a>. ",
  "type": "object",
  "properties": {
    "Action": {
      "allOf": [
        {
          "$ref": "#/components/schemas/StatefulAction"
        },
        {
          "description": "<p>Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. </p> <p>The actions for a stateful rule are defined as follows: </p> <ul> <li> <p> <b>PASS</b> - Permits the packets to go to the intended destination.</p> </li> <li> <p> <b>DROP</b> - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>. </p> </li> <li> <p> <b>ALERT</b> - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>. </p> <p>You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with <code>ALERT</code> action, verify in the logs that the rule is filtering as you want, then change the action to <code>DROP</code>.</p> </li> <li> <p> <b>REJECT</b> - Drops TCP traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to the sender of the packet. A TCP reset packet is a packet with no payload and a <code>RST</code> bit contained in the TCP header flags. Also sends an alert log message if alert logging is configured in the <a>Firewall</a> <a>LoggingConfiguration</a>.</p> <p> <code>REJECT</code> isn't currently available for use with IMAP and FTP protocols.</p> </li> </ul>"
        }
      ]
    },
    "Header": {
      "allOf": [
        {
          "$ref": "#/components/schemas/Header"
        },
        {
          "description": "The stateful inspection criteria for this rule, used to inspect traffic flows. "
        }
      ]
    },
    "RuleOptions": {
      "allOf": [
        {
          "$ref": "#/components/schemas/RuleOptions"
        },
        {
          "description": "Additional options for the rule. These are the Suricata <code>RuleOptions</code> settings."
        }
      ]
    }
  },
  "required": [
    "Action",
    "Header",
    "RuleOptions"
  ]
}