Suricata Rule Generator for AWS Network Firewall

Current Version: 1.30.0

A GUI application for creating, editing, and managing Suricata rules - specifically designed for AWS Network Firewall deployments using strict rule ordering.

Screenshot

The main interface showing the color-coded rules table, tabbed editor with Rule Editor and Rule Variables tabs, and comprehensive rule management controls.

🚀 Getting Started

Quick Start

💡 New to the application? Choose your path:

Path 1: For Experienced Python Users

# 1. Verify Python 3.6+ is installed
python3 --version

# 2. Clone the repository
git clone https://github.com/aws-samples/sample-suricata-generator
cd sample-suricata-generator

# 3. Run the application
python3 suricata_generator.py

Path 2: First Time Setup (Step-by-Step)

✅ Install Python 3.6+ - See Installation below
✅ Verify tkinter - Run: python3 -c "import tkinter; print('tkinter is available')"
✅ Download - Clone repository or download ZIP
✅ Run - Execute: python3 suricata_generator.py

Path 3: Your First Rule (Complete Beginner)

📝 Launch the application (it opens with a blank canvas)
🖱️ Click in the empty area below the table
🎯 Fill in the fields:
- Action: pass
- Protocol: tcp
- Source Network: $HOME_NET
- Destination: any / any
- Message: "My first rule"
- SID: 100 (auto-suggested)
💾 Click "Save Changes"
🎉 Your rule appears in the table!

Installation

System Requirements

Required:

Python 3.6 or higher
tkinter (GUI library)

Optional:

wxPython (for Advanced Editor with code folding)

Step 1: Install Python

Windows:

Check if installed: python --version or python3 --version
If needed, download from python.org
Important: Check "Add Python to PATH" during installation
Verify: python --version

macOS:

# Check current version
python3 --version

# Install via Homebrew (recommended)
brew install python3

# Or download from python.org

Linux (Ubuntu/Debian):

# Check current version
python3 --version

# Install if needed
sudo apt update
sudo apt install python3 python3-pip

Linux (CentOS/RHEL/Fedora):

# CentOS/RHEL
sudo yum install python3 python3-pip

# Fedora
sudo dnf install python3 python3-pip

Step 2: Install tkinter (GUI Library)

Verify tkinter is installed:

python3 -c "import tkinter; print('tkinter is available')"

If successful, skip to Step 3. Otherwise:

macOS:

# Method 1: Reinstall Python from python.org (includes tkinter)
# Download from https://www.python.org/downloads/

# Method 2: Install via Homebrew
brew install [email protected]  # Replace with your Python version

Ubuntu/Debian:

sudo apt update
sudo apt install python3-tk

CentOS/RHEL/Fedora:

# CentOS/RHEL
sudo yum install python3-tkinter

# Fedora
sudo dnf install python3-tkinter

Windows:

Reinstall Python from python.org
Ensure "tcl/tk and IDLE" component is selected

Step 3: Download the Application

Option A - Clone Repository:

git clone https://github.com/aws-samples/sample-suricata-generator
cd sample-suricata-generator

Option B - Download ZIP:

Download ZIP from GitHub repository
Extract to your preferred location
Navigate to folder in terminal

Step 4: Run the Application

python3 suricata_generator.py

Windows users:

python suricata_generator.py

Optional: Install Advanced Editor Support

The Advanced Editor requires wxPython (optional - main app works without it):

# Install wxPython
pip install wxPython

# Or pip3 on some systems
pip3 install wxPython

# Verify installation
python3 -c "import wx; print('wxPython version:', wx.version())"

Platform-Specific Notes:

Windows: May take several minutes to install
macOS: May take 10-15 minutes (compiles native components). If build fails, install Xcode Command Line Tools: xcode-select --install
Linux: Install system dependencies first (see platform-specific instructions below)

Linux Dependencies:

# Ubuntu/Debian
sudo apt install libgtk-3-dev libwebkit2gtk-4.0-dev
pip3 install wxPython

# Or use system package
sudo apt install python3-wxgtk4.0

# Fedora
sudo dnf install python3-wxpython4

💡 Don't worry! All core features work without wxPython. It's only needed for the Advanced Editor (Tools > Advanced Editor).

Optional: Create Standalone Executable

Use PyInstaller to create an executable that runs without Python installation:

# Install PyInstaller
pip3 install pyinstaller

# Create executable (macOS/Linux)
pyinstaller --onefile --windowed --name "Suricata Rule Generator" \
  --add-data "screenshot.png:." \
  --add-data "README.md:." \
  --add-data "RELEASE_NOTES.md:." \
  suricata_generator.py

# Windows (use semicolon instead of colon)
pyinstaller --onefile --windowed --name "Suricata Rule Generator" ^
  --add-data "screenshot.png;." ^
  --add-data "README.md;." ^
  --add-data "RELEASE_NOTES.md;." ^
  suricata_generator.py

# Executable created in dist/ directory

PyInstaller Notes:

Executables are platform-specific (build on target OS)
Single-file executables are 40-60MB (include Python runtime)
macOS may show Gatekeeper warnings (right-click > Open to bypass)

Troubleshooting

Common Installation Issues

"python: command not found"

Try python3 instead of python
Windows: Ensure Python was added to PATH during installation
Restart terminal after Python installation

"No module named 'tkinter'"

Install tkinter using platform-specific commands above
macOS: May need to reinstall Python from python.org
Verify: python3 -c "import tkinter"

Permission errors (Linux/macOS):

Use python3 instead of python
Don't use sudo to run the application
Ensure script has execute permissions: chmod +x suricata_generator.py

Application doesn't start:

Verify you're in the correct directory
Check Python version: python3 --version (must be 3.6+)
Ensure all files are present
Run from command line to see error messages

Common Usage Issues

🔴 SID Conflicts

Application prevents duplicate SIDs
Use SID Management to bulk renumber if needed

🌐 Network Validation Errors

Use proper CIDR format (e.g., 192.168.1.0/24)
Or use variables like $HOME_NET

🔤 Variables Not Persisting

Check for companion .var files in same directory
Variables automatically save/load with .suricata files

📦 Export Capacity Errors

AWS Network Firewall max capacity: 30,000
Use analysis to check rule count
Consider splitting into multiple rule groups

🔍 Search Not Finding Results

Check search scope (field-specific vs all fields)
Verify action filters aren't hiding results
Try clearing filters (Edit > Clear All Filters)

⚠️ Orange Warning Icons

Protocol/port combination warnings are informational only
Review if unusual combinations are intentional

📚 Core Concepts

Rule Format

Suricata rules follow this standard format:

action protocol src_net src_port direction dst_net dst_port (options)

Components:

action: pass, drop, reject, alert
protocol: tcp, udp, http, tls, dns, etc. (26 protocols supported)
src_net: Source network (CIDR, "any", or variable)
src_port: Source port (number, range, "any", or variable)
direction: -> (unidirectional) or <> (bidirectional)
dst_net: Destination network
dst_port: Destination port
options: Keywords in parentheses: msg, content, sid, rev, etc.

Example:

pass tls $HOME_NET any -> any any (tls.sni; content:".example.com"; endswith; nocase; msg:"Allow example.com"; sid:100; rev:1;)

Supported Protocols: dcerpc, dhcp, dns, ftp, http, http2, icmp, ikev2, imap, ip, krb5, msn, ntp, quic, smb, smtp, ssh, tcp, tftp, tls, udp

SID Numbers

🔢 SIDs (Signature IDs) uniquely identify each rule in your rule group.

Key Facts:

✅ Valid Range: 1-999999999
🚫 Must Be Unique: No duplicate SIDs allowed in a rule group
🤖 Auto-Generation: Application suggests next available SID for new rules
📋 Preservation: Copy/paste within app auto-renumbers to prevent conflicts

Best Practices:

Start at 100 for custom rules
Reserve 999991-999999 for default deny rules
Use SID Management for bulk renumbering

Variables Overview

💡 Variables are reusable definitions for networks and ports, making rules more maintainable.

Variable Types

IP Sets ($) - Network definitions

$HOME_NET = [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
$EXTERNAL_NET = [!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16]

Port Sets ($) - Port definitions

$WEB_PORTS = [80,443,8080,8443]
$HIGH_PORTS = [1024:65535]

Reference Sets (@) - AWS VPC Managed Prefix Lists

@CORPORATE_NETWORKS = arn:aws:ec2:region:account:managed-prefix-list/pl-id

Variable Benefits

📝 Maintainability: Update definition once, affects all rules
🔄 Reusability: Use same variable across multiple rules
📊 Readability: Semantic names more meaningful than raw IPs
🔒 AWS Integration: Reference Sets sync with AWS managed lists

Network Field Validation

Source and destination network fields accept:

"any" - Matches all networks

any

CIDR Notation - Single or multiple networks

192.168.1.0/24
10.0.0.1/32
[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]

Variables - Reusable definitions

$HOME_NET
@CORPORATE_NETWORKS

Negation - Exclude specific networks

!192.168.1.0/24
[192.168.0.0/16,!192.168.1.0/24]

Port Validation:

Single port: 80
Port range: [8080:8090]
Multiple ports: [80,443,8080]
Complex: [80:100,!85]
Variables: $WEB_PORTS (only $ prefix allowed for ports)

⚠️ AWS Requirement: Port ranges and lists MUST use brackets. Port variables must use $ prefix (not @).

File Format

Rules are saved as text files with .suricata extension:

Main File (.suricata):

Contains all Suricata rules
Supports comments (lines starting with #)
Preserves blank lines for organization
UTF-8 encoding with Unix line endings (LF)

Companion File (.var):

Automatically created alongside .suricata files
Stores variable definitions (IP sets, port sets, reference sets)
JSON format for easy parsing
Automatically loaded when opening .suricata files

Change History File (.history):

Created when change tracking is enabled
Stores complete revision history with snapshots
JSON format for audit trails
Automatically loaded when opening .suricata files

CloudWatch Statistics File (.stats):

Saved manually from Rule Usage Analysis Results window
Stores CloudWatch analysis results for offline access
JSON format with usage metrics and timestamps
Automatically loaded when opening .suricata files

Example Files:

my_rules.suricata  → Contains rules
my_rules.var       → Contains variable definitions
my_rules.history   → Contains change history (if tracking enabled)
my_rules.stats     → Contains CloudWatch statistics (if saved)

💡 All companion files are automatically saved and loaded with your rule files!

💼 Basic Workflows

Creating and Editing Rules

Creating Individual Rules

Click to Add: Click in empty area below existing rules
Fill Fields: Enter action, protocol, networks, ports, message, SID
Protocol-Aware Content: Content keywords auto-populate based on protocol
Save: Click "Save Changes" to add rule to table

💡 Auto-Generated SIDs: Application suggests next available SID automatically.

Editing Existing Rules

Method 1: Inline Editing

Select a rule from the table
Modify fields in bottom editor panel
Click "Save Changes"

Method 2: Double-Click

Double-click any rule to open edit dialog
Edit all fields in one window
OK to save or Cancel to discard

Method 3: Advanced Editor

Press Ctrl+E or Tools > Advanced Editor
Edit rules as text with code folding
Real-time validation and auto-complete

Managing Comments

💬 Comments help document and organize your rules:

Click "Insert Comment" to add documentation
Double-click comments to edit text
Comments preserved in exports and analysis

Rev Keyword Support (v1.9.0+)

The application automatically manages rule versioning:

Auto-Incrementing: Rev increments when rule fields change (except message)
New Rules: Start with rev=1
Message Exception: Message changes don't increment rev
Read-Only Display: Rev field appears next to SID (auto-managed)

Example:

pass tcp any any -> any 80 (msg:"Allow HTTP"; sid:100; rev:2;)

Rule Management Operations

🗑️ Delete: Select rules and press Delete key
⬆️⬇️ Move: Use arrows to reorder rules
➕ Insert: Add rules at specific positions
💬 Comment: Add documentation lines
🔄 Toggle: Press Space to enable/disable rules (converts to comments)
↩️ Undo: Ctrl+Z to revert changes

File Operations

New File

File > New or Ctrl+N
Starts with blank canvas
Prompts to save current file if modified

Open File

File > Open or Ctrl+O
Opens .suricata files
Automatically loads companion .var file for variables
Auto-enables change tracking if .history file exists

Save Operations

Save: Ctrl+S (saves to current file)
Save As: Save with new filename
Auto-Save Variables: Companion .var file created automatically
Change History: Pending history saved to .history file (if tracking enabled)

Color Coding in Table

Rules are color-coded by action type:

🟢 Green: pass actions
🔵 Blue: alert actions
🔴 Red: drop actions
🟣 Purple: reject actions
⚫ Grey: comments
🟡 Yellow: search result highlights

Managing Variables

The Variables Tab

The Rule Variables tab provides comprehensive variable management with auto-detection and persistence.

Adding Variables

Method 1: Auto-Detection

Variables automatically detected when used in rules
Switch to Variables tab to see detected variables
Fill in definitions for empty variables

Method 2: Manual Addition

Switch to Variables tab
Click "Add Variable"
Enter name (e.g., $WEB_SERVERS)
Select type (IP Set, Port Set, or IP Set Reference)
Enter definition and optional description

Method 3: Add Common Ports (New in v1.24.1)

Click "Add Common Ports" button
Browse 22 pre-configured port variables across 7 categories:
- Infrastructure Services (DNS, DHCP, NTP, SNMP)
- Windows/Active Directory (SMB, RPC, Kerberos)
- Web Services (HTTP, HTTPS, proxy ports)
- Databases (MySQL, PostgreSQL, MongoDB, Redis)
- Email (SMTP, IMAP, POP3)
- Security/Threat Detection (malware C2, crypto mining)
- Remote Access (SSH, RDP, Telnet)
Select desired variables
Click "Apply"

Variable Naming Rules

IP Sets: Must start with $ (e.g., $HOME_NET)
Port Sets: Must start with $ (e.g., $WEB_PORTS)
Reference Sets: Must start with @ (e.g., @ALLOW_LIST)
Characters: Alphanumeric and underscores only
Case: Typically uppercase by convention

Variable Formats

CIDR Lists:

Single: 192.168.1.0/24
Multiple: [192.168.1.0/24,10.0.0.0/8]
Negated: [192.168.1.0/24,!192.168.1.5]

Port Lists:

Single: 80
Multiple: [80,443,8080]
Range: [1024:65535]
Complex: [80:100,!85,443,8080]

Reference ARNs:

arn:aws:ec2:region:account:managed-prefix-list/pl-id

Variable Operations

✏️ Edit: Double-click variable to modify definition
🗑️ Delete: Select and click "Delete Variable"
🔄 Auto-Cleanup: Unused variables automatically removed
📝 Descriptions: Add optional descriptions for documentation

Special Variables

$HOME_NET:

Auto-detected and defaults to RFC1918 private address space
Represents your internal network
Used in most egress rules

$EXTERNAL_NET:

Automatically defined as negation of $HOME_NET
Managed by AWS Network Firewall
Shows as grey/read-only in Variables tab

Managing AWS Tags ⭐ NEW in v1.28.0

🏷️ Tag your rule groups for better AWS resource organization, cost allocation, and compliance tracking.

The AWS Tags tab provides management of tags that will be applied to your rule group during export to AWS.

The AWS Tags Tab

Located between Rule Variables and Change History tabs, the AWS Tags tab displays all tags as key-value pairs in a two-column table.

Adding Tags

Method 1: Add Individual Tag

Switch to AWS Tags tab
Click "Add Tag"
Enter tag key (1-128 characters)
Enter tag value (0-256 characters, empty allowed)
Click "Save"

Tag Requirements:

Key: 1-128 characters
Value: 0-256 characters (empty allowed)
Valid Characters: a-z, A-Z, 0-9, space, + - = . _ : / @
Reserved Prefix: Cannot start with aws: (case-insensitive)
Uniqueness: Keys must be unique within a rule group

Tag Operations

✏️ Edit: Double-click tag to modify value (keys are immutable)
🗑️ Delete: Select tag and click "Delete Tag"
📝 Change Tracking: All tag operations logged when tracking enabled

Default Tag

ManagedBy Tag:

Automatically added when program starts or new files created
Value: "SuricataGenerator"
Identifies tool-managed resources in AWS
Can be edited or deleted if desired
Added to v1.0 format files when first opened

Common Tag Examples

Cost Allocation:

Environment: Production
CostCenter: IT-Security
Project: NetworkFirewall

Resource Organization:

Owner: SecurityTeam
Team: CloudOps
Application: CoreNetworking

Compliance:

Compliance: PCI-DSS
DataClassification: Internal
CreatedBy: automation

Export Integration

Tags are automatically applied during all export operations:

Terraform Export: Tags added to resource tags block
CloudFormation Export: Tags added to Tags array in template
AWS Direct Deploy: Tags included in API call to Network Firewall

Example Terraform Output:

resource "aws_networkfirewall_rule_group" "suricata_rule_group" {
  capacity = 150
  name     = "suricata-generator-rg"
  
  tags = {
    Name        = "suricata-generator-rg"
    Environment = "Production"
    ManagedBy   = "SuricataGenerator"
    Owner       = "SecurityTeam"
  }
}

Import Integration

When importing rule groups from AWS:

User-defined tags automatically imported
AWS-managed tags (aws: prefix) filtered out
Tags loaded into AWS Tags tab for editing

Storage

Persistent in .var File:

Tags saved in enhanced v2.0 .var file format
Stored alongside variables in same companion file
Format: {"format_version": "2.0", "variables": {...}, "tags": {...}}
Backward compatible with v1.0 format (auto-upgrades on save)

Benefits

AWS Console:

🔍 Filtering: Filter rule groups by tag in AWS Console
🔎 Search: Search for resources using tags
📊 Organization: Group related resources together

Cost Management:

💰 Cost Explorer: Track costs by CostCenter or Project tags
📈 Billing Reports: Allocate rule group costs to teams
💳 Chargeback: Enable showback/chargeback by tag

Compliance:

📋 Ownership: Document resource ownership
🔒 Security: Tag-based IAM policies for access control
📝 Auditing: Track compliance requirements

Automation:

🤖 Policy Enforcement: Identify tool-managed resources
🔄 Lifecycle Management: Automate based on tags
📦 Inventory: Track resource metadata programmatically

AWS Tag Limits

Maximum tags per resource: 200
Tag key length: 1-128 characters
Tag value length: 0-256 characters
Reserved prefix: aws: (case-insensitive)

💡 Zero Extra Steps: Tags automatically included in exports - no additional configuration needed!

Copy and Paste

📋 Efficient rule management with intelligent clipboard operations.

The Dual-Clipboard System

The application uses two clipboards simultaneously for optimal workflow:

Internal Clipboard (Copy/Paste Within Program)

Auto-renumbers SIDs to prevent conflicts
Safe to paste multiple times
Perfect for duplicating rules as templates

System Clipboard (Copy to External Programs)

Preserves original SID numbers
Use for sharing rules via email/chat
Use for moving rules between files

Copy Operations

Copy Rules:

Select one or more rules
Press Ctrl+C or right-click > Copy
Both clipboards populated automatically

What Gets Copied:

Regular rules with all fields
Comments and blank lines
Structure and formatting

Paste Operations

Paste Rules:

Select position (or paste at end)
Press Ctrl+V or right-click > Paste
Application auto-detects source and assigns SIDs appropriately

Smart Detection:

Detects if clipboard content is from this program or external source
Internal: Uses pre-calculated SIDs (conflict-free)
External: Parses text and assigns new SIDs

Use Cases

Within Program:

✅ Duplicate rules for variations
✅ Copy rule templates
✅ Reorganize rules

External Sharing:

✅ Email rules to colleagues with original SIDs
✅ Copy rules to documentation
✅ Move rules between different .suricata files
✅ Edit in external text editor

💡 Pro Tip: Toggle selection by clicking selected rules again - deselect before pasting elsewhere to avoid confusion.

Keyboard Shortcuts

⌨️ Work faster with these keyboard shortcuts:

File Operations

Ctrl+N: New file
Ctrl+O: Open file
Ctrl+S: Save file

Editing

Ctrl+Z: Undo last change
Ctrl+C: Copy selected rules
Ctrl+V: Paste rules
Delete: Delete selected rules
Space: Toggle selected rules (enable/disable)

Navigation

Down Arrow: Navigate to placeholder (when at last rule)
End: Jump to placeholder row
Home: Jump to first rule
Ctrl+G: Go to line number

Search

Ctrl+F: Open find dialog
F3: Find next
Shift+F3: Find previous
Escape: Close search

Advanced Features

Ctrl+E: Open advanced editor
Ctrl+A: Select all rules (when table has focus)

💡 Context-Sensitive: Some shortcuts only work when the rules table has focus (not text fields).

🎯 Advanced Features

Rule Templates

🎯 Quick rule generation from pre-built security patterns - new in v1.24.0!

Rule Templates provide pre-configured security patterns that generate complete Suricata rules with minimal input. Templates range from simple one-click policies to complex parameterized patterns.

Accessing Templates

File > Insert Rules From Template
Organized by Category: Protocol Enforcement, Cloud Security, Threat Protection, Geographic Control, Application Control, HTTP Security, Default Deny
Complexity Indicators: Beginner, Intermediate, Advanced labels
14 Built-in Templates: Ready to use immediately

Available Templates

Protocol Enforcement:

🔍 Force Route 53 Resolver (Block Direct DNS)
🔒 Enforce TLS Version (parameterized)
🔧 Enforce Protocol Port Usage (parameterized)
📁 Block File Sharing Protocols (parameterized)

Cloud Security:

☁️ Enforce HTTPS for AWS Services

Threat Protection:

⛏️ Block Cryptocurrency Mining
🦠 Block Malware C2 Ports
🚫 Block Direct-to-IP Connections
⚠️ Block High-Risk Destination Ports (parameterized)

Geographic Control:

🌍 Geographic Country Control (parameterized - 180+ countries)

Application Control:

🔐 JA3 Fingerprint Control (parameterized)

HTTP Security:

📎 Block File Extensions (parameterized)
🚦 HTTP Method Control (parameterized)

Default Deny:

🚪 Default Block Rules (comprehensive egress/ingress deny)

Using Templates

Basic Workflow:

Select: Browse templates by category
Configure: Fill in parameters (if required)
Preview: Review generated rules with SID suggestions
Test Mode: Optional - converts all actions to 'alert'
Apply: Rules inserted with automatic variable detection

Parameter Types:

Radio Buttons: Select one option (e.g., TLS version, geographic mode)
Checkboxes: Boolean options (e.g., bidirectional enforcement)
Text Input: Free-form with validation (e.g., JA3 hash)
Multi-Select Port: Choose multiple ports from list
Multi-Select Protocol: Choose multiple protocols
Multi-Select Country: Regional country selection (180+ countries)

Template Features

Smart SID Assignment:

Auto-suggests next available SID
Default Block rules use predefined high SIDs (999991-9999915)
Conflict detection with automatic resolution

Test Mode:

Available for all templates
Converts actions to 'alert' for safe testing
Adds [TEST] prefix to messages

Special Templates:

Default Block Rules - Comprehensive deny ruleset

Dual Insertion: Rules inserted at both TOP and BOTTOM of file
Top Rules: Allow TCP handshake setup (critical for established connections)
Bottom Rules: Default deny for all protocols (egress and ingress)
Predefined SIDs: Uses specific SIDs (202501021-25, 999991-997, 999999, 9999910-15)
Flowbits Coordination: Advanced Suricata features for efficient processing

Geographic Country Control - GeoIP filtering

Block Mode: Deny-list selected countries (1 rule per country)
Allow Mode: Allow-list selected countries (1 combined rule)
Direction Control: Egress, ingress, or both
Regional Selection: Browse countries by region (Asia, Americas, Africa, Middle East, Europe, Oceania)

Benefits

⚡ Rapid Deployment: Generate multiple rules in seconds
📚 Best Practices: Templates embody security standards
🎯 Consistency: Standardized patterns across teams
🔧 Customizable: Parameters adapt to specific needs
📖 Educational: Learn from working examples

URL and Domain Category Filtering

🔗 Block traffic by AWS-maintained content categories - No manual domain lists needed! ⭐ NEW in v1.30.0

AWS Network Firewall now supports category-based filtering using AWS's automatically-updated category database. Block entire threat categories (malware, phishing, C2) or productivity categories (social media, shopping, entertainment) without maintaining domain lists manually.

Two AWS Keywords

aws_url_category (HTTP only)

Evaluates complete URLs and domains in HTTP/HTTPS traffic
Requires TLS inspection for HTTPS effectiveness
Best for: Content filtering, security policies requiring URL path inspection

aws_domain_category (TLS and HTTP)

Evaluates domain-level information from TLS SNI or HTTP host headers
Works without TLS inspection (inspects SNI field)
Best for: Threat protection, works in all TLS configurations

51 Categories Across 6 Groups

Security Threats (10): Malware, Phishing, Command and Control, Hacking, Malicious, Spam, Parked Domains, Private IP Address, Proxy Avoidance, Criminal and Illegal Activities

Restricted Content (8): Child Abuse, Adult and Mature Content, Violence and Hate Speech, Abortion, Dating, Gambling, Marijuana, Redirect

Productivity (9): Social Networking, Entertainment, Shopping, Email, News, Online Ads, Search Engines and Portals, Sports and Recreation, Translation

Lifestyle (14): Health, Travel, Pets, Food and Dining, Fashion, Religion, Arts and Culture, Family and Parenting, Hobbies and Interest, Home and Garden, Real Estate, For Kids, Science, Vehicles

Business/Professional (8): AI and Machine Learning, Education, Government and Legal, Military, Technology and Internet, Business and Economy, Career and Job Search, Science

Financial (2): Cryptocurrency, Financial Services

Three Access Methods

Method 1: Rule Templates (Primary - Bulk Operations)

File > Insert Rules From Template:

Select template:
- Block URL Categories (HTTP Security category) - Requires TLS inspection for HTTPS
- Block Domain Categories (Threat Protection category) - Works without TLS inspection
Two-Panel Selection UI:
- Left: Categories organized by group with search
- Right: Selected categories summary
Configure Options:
- Protocol selection (TLS or HTTP for domain categories)
- Test mode available
Apply: Generates 1 rule with comma-separated categories

Example Generated Rule:

drop tls $HOME_NET any -> any any (msg:"Block Malware, Phishing, and 1 more"; flow:to_server; aws_domain_category:Malware,Phishing,Command and Control; sid:100; rev:1;)

Method 2: Insert Category Button (Secondary - Quick Additions)

In Main Program Editor:

Set protocol to HTTP or TLS (button auto-enables)
Click "Insert Category..." button (next to 'Insert Domain Allow Rule' button)
Category Picker Dialog:
- HTTP protocol: Choose between URL or Domain category via radio buttons
- TLS protocol: Automatically uses Domain category
- Multi-select support (Ctrl+click for multiple)
- Real-time preview showing generated syntax
Click "Insert" - content and message fields auto-populate

Features:

Smart Content Insertion: Auto-adds flow:to_server if Content field empty
Message Auto-Population: Generates descriptive messages automatically
Multi-Select: Select multiple categories with comma-separated syntax

Method 3: Advanced Editor (Tertiary - Power Users)

Tools > Advanced Editor (Ctrl+E):

Type aws_url_category: or aws_domain_category:
Auto-complete shows all 51 categories
Type to filter categories
Select and insert

Validation:

Real-time red squiggles for protocol mismatches
Hover tooltips explain errors
aws_url_category requires HTTP protocol
aws_domain_category requires TLS or HTTP

Protocol Requirements

aws_url_category:

✅ HTTP protocol only
⚠️ Requires TLS decryption for HTTPS traffic effectiveness
Without TLS decryption: Only inspects ~5% of web traffic (unencrypted HTTP)

aws_domain_category:

✅ TLS protocol (inspects SNI field - works without TLS decryption)
✅ HTTP protocol (inspects host header)
More versatile for threat protection

Multi-Category Support

Efficient Syntax:

# Multiple categories in one rule (comma-separated)
aws_domain_category:Malware,Phishing,Command and Control

# More efficient than separate rules:
aws_domain_category:Malware
aws_domain_category:Phishing
aws_domain_category:Command and Control

Validation and Error Prevention

Save Validation:

Prevents saving rules with invalid protocol/category combinations
Clear error messages with remediation steps
Example: "aws_url_category only supports HTTP protocol"

Advanced Editor Validation:

Real-time red squiggles under invalid combinations
Protocol mismatch detection as you type
Hover tooltips explain requirements

Benefits

Simplified Security Management:

📦 No Manual Lists: AWS maintains and updates category database automatically
🎯 Threat Protection: Block entire threat categories (malware, phishing, C2)
📊 Productivity Control: Block time-wasting categories (social media, entertainment)
🔒 Compliance: Block restricted content for legal/HR requirements
⚡ Fast Deployment: Generate category rules in seconds
🔄 Automatic Updates: Categories evolve with threat landscape

Business Value:

Better Coverage: AWS's database provides broader protection than manual lists
Reduced Maintenance: No more researching and entering domains manually
Multiple Workflows: Choose template, editor button, or advanced editor
Clear Organization: 6 category groups make selection intuitive

Use Cases

Threat Protection:

# Block security threat categories
drop tls $HOME_NET any -> any any (msg:"Block Malware and Phishing"; flow:to_server; aws_domain_category:Malware,Phishing; sid:100; rev:1;)

Productivity Policy:

# Block social media and entertainment
drop http $HOME_NET any -> any any (msg:"Block Social Networking and Entertainment"; flow:to_server; aws_url_category:Social Networking,Entertainment; sid:101; rev:1;)

Compliance:

# Block restricted content
drop tls $HOME_NET any -> any any (msg:"Block Child Abuse, Adult and Mature Content, and 1 more"; flow:to_server; aws_domain_category:Child Abuse,Adult and Mature Content,Violence and Hate Speech; sid:102; rev:1;)

TLS Decryption Considerations

For Maximum Effectiveness:

Configure AWS Network Firewall TLS decryption for HTTPS traffic
Without TLS decryption: aws_url_category only inspects unencrypted HTTP (~5% of Internet traffic)
With TLS decryption: Both keywords inspect HTTPS traffic effectively
aws_domain_category works without TLS decryption (SNI field inspection)

Documentation:

AWS Network Firewall TLS Inspection

Important Constraints

❌ Cannot combine with geoip: Category keywords cannot be used with geoip keyword in same rule
✅ Test Mode Support: Templates support test mode (converts to alert actions)
✅ Change Tracking: All category rule operations tracked when enabled
✅ Export Support: Category rules export correctly to Terraform, CloudFormation, and AWS

💡 Pro Tip: Use templates for initial security baseline (select all security threats), then use Insert Category button for one-off additions.

Bulk Domain Import

📦 Import hundreds of domains and automatically generate rules for each one - now with AWS Domain List import in v1.27.7!

Two Import Methods ⭐ NEW

Method 1: AWS Domain List Import ⭐ NEW in v1.27.7

Browse and import Domain List rule groups directly from AWS
No CLI commands or file exports needed
Visual search and protocol customization
Multi-select support to combine multiple rule groups in one import

Method 2: Text File Import (Original Method)

Import domains from local text files
One domain per line format
Useful for custom domain lists

Method 1: AWS Domain List Import (New)

Requirements:

boto3 installed: pip install boto3
AWS credentials configured
IAM permissions for Network Firewall

Workflow:

File > Import Domain List
Select "Import from AWS Domain List Rule Group"
Browse Domain Lists:
- Search and filter by rule group name
- Select AWS region from dropdown
- Expand to see capacity, domain count, target types, action
- Only Domain List types selectable (5-tuple/Suricata grayed out)
- Select one or more Domain List rule groups:
  - Single-click to select one rule group
  - Ctrl+Click to add/remove additional rule groups
  - Shift+Click to select range of rule groups
  - Non-Domain List types automatically deselected if selected
Click Import (with or without expanding)
Review Preview:
- Single Selection: Shows standard preview with rule group metadata
- Multiple Selection: Shows combined preview with:
  - Total rule groups being combined
  - Total domains across all groups
  - Combined target types (union of HTTP_HOST/TLS_SNI)
  - Mixed action warning (if ALLOWLIST + DENYLIST selected)
  - List of all rule groups with details
Configure Bulk Import:
- Protocol Selection: HTTP and/or TLS (pre-checked based on combined AWS TargetTypes)
- Action defaults to first rule group's action (with warning if mixed)
- All existing bulk import options available
- Source description shows number of combined groups
Import: Rules generated with metadata comments listing all sources

AWS Configuration Mapping:

ALLOWLIST → pass action (default)
DENYLIST → drop action (default)
HTTP_HOST → Pre-checks HTTP rules checkbox
TLS_SNI → Pre-checks TLS rules checkbox
Both targets → Both checkboxes pre-checked

Domain Normalization:

AWS wildcard format (.example.com) automatically normalized to example.com
Generated rules use dotprefix; content:".example.com" to preserve wildcard behavior
Critical for consolidation algorithm to work correctly

Benefits:

⚡ Streamlined Workflow: Import Domain Lists in seconds
🔍 Visual Discovery: Browse and search Domain Lists
🎯 Protocol Flexibility: Choose which protocols to generate (HTTP, TLS, or both)
🔗 Multi-Select Support: Combine multiple Domain List rule groups in one import
📊 Full Integration: Works with consolidation, SID management, change tracking
🌐 Multi-Region: Select AWS region in browser dialog
🔄 Automatic Deduplication: Consolidation removes duplicates across combined groups

Method 2: Text File Import

Basic Usage:

File > Import Domain List
Select "Import from text file"
Choose text file (one domain per line)
Configure Bulk Import:
- Action: pass, drop, or reject
- Starting SID: First SID to use
- Message Template: Use {domain} as placeholder
- Alert on Pass: Control logging for pass rules
- Strict Domain List: Exact match vs wildcard matching
- Protocol Selection: HTTP and/or TLS checkboxes (both checked by default)
  - Uncheck to generate only HTTP or only TLS rules
  - Validation prevents importing with zero protocols selected
  - Rule count preview updates based on selection
Import: Click to generate rules

Protocol Defaults (Text File):

Both HTTP and TLS checkboxes pre-checked by default
User can customize to generate single-protocol rules if desired
Same consolidation and preview features as AWS import

Domain Consolidation (Automatic)

⚡ Smart grouping reduces rule count by finding optimal parent domains.

How It Works:

Analyzes domain relationships
Finds most specific common parents
Groups related subdomains automatically

Example:

Input domains:
- mail.server.com
- web.server.com  
- api.server.com
- server.com

Result: 1 rule for *.server.com (instead of 4 rules)
Savings: 8 rules → 2 rules (75% reduction)

Benefits:

📊 Significantly reduced rule count
🎯 Automatic optimization
👁️ Real-time preview shows savings
🔧 Enabled by default (disable with "Strict domain list")

Rule Generation Logic

All Actions:

Creates 2 rules per domain (TLS + HTTP) when both selected
Matches both encrypted and unencrypted traffic

Pass Action with Alert on Pass (default):

Includes embedded alert keyword
Provides logging without separate alert rules

Pass Action without Alert on Pass:

Separate rules for pass and alert actions

AWS Rule Group Import

📥 Import existing AWS Network Firewall rule groups for editing and enhancement - Direct AWS connectivity in v1.27.3!

Two Import Methods

Method 1: Direct AWS Import ⭐ NEW in v1.27.3

Browse and import directly from your AWS account
No CLI commands needed
Visual search and selection
Instant preview before importing

Method 2: JSON File Import (Original Method)

Export rule group using AWS CLI
Import the JSON file
Useful for offline workflows

Method 1: Direct AWS Import (Recommended)

Requirements:

boto3 installed: pip install boto3
AWS credentials configured
IAM permissions for Network Firewall (see Help > AWS Setup)

Workflow:

File > Import Stateful Rule Group
Select "Import from AWS" in the import options dialog
Browse Rule Groups:
- Search and filter by name
- Sort by name or type
- Click ▶ to expand and view details (capacity, rule count, description)
- STATEFUL rule groups are selectable
- STATELESS rule groups shown grayed out (not supported)
Select Rule Group and click "Preview Import"
Review Preview:
- Complete metadata (ARN, capacity, description, region)
- Rules count and first 10 rules preview
- Variables count and preview
- Import summary
Click "Import" to complete

Benefits:

⚡ Faster: No CLI commands or file management
🔍 Visual: Browse and search all rule groups
📊 Informed: Preview details before importing
🎯 Direct: Single-menu workflow
🌐 Multi-Region: Select region from dropdown

Method 2: JSON File Import

When to Use:

Working offline without AWS connectivity
Importing rule groups from shared JSON files
Scripted/automated workflows

Generating the JSON Export:

# Using ARN
aws network-firewall describe-rule-group \
  --rule-group-arn arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/MyRuleGroup \
  > my_rule_group.json

# Or using name
aws network-firewall describe-rule-group \
  --rule-group-name MyRuleGroup \
  --type STATEFUL \
  > my_rule_group.json

Importing the JSON File:

File > Import Stateful Rule Group
Select "Import from JSON File" in the import options dialog
Browse and select the JSON file
Review preview
Click "Import"

Import Features (Both Methods)

Complete Data Import:

✅ Rules converted from AWS 5-tuple to Suricata format
✅ IPSets imported as IP Set variables ($HOME_NET)
✅ PortSets imported as Port Set variables ($WEB_PORTS)
✅ Metadata preserved in comment header
✅ ReferenceSets (@variables) imported correctly

Smart Processing:

Auto-renumbers duplicate SIDs within import
Forces new file (prompts to save current work first)
Type validation (only STATEFUL rule groups)
Variable prefix conversion (HOME_NET → $HOME_NET)
Format detection (Standard 5-tuple vs Suricata)

Region Selection: (Direct AWS Import only)

Dropdown selector in browse dialog
Choose from 11 common regions
Remembers last selected region during session

Use Cases

🔧 Edit existing AWS rules in GUI
🔄 Round-trip workflow (AWS → Edit → AWS)
📝 Add organization and comments
🎯 Quickly begin using Suricata-formatted rules
🔨 Apply bulk modifications to AWS rule groups
🌍 Multi-region rule management

Setup for Direct AWS Import

Prerequisites:

Install boto3: pip install boto3
Configure AWS credentials (one of):
- AWS CLI: aws configure
- Environment variables
- IAM role (if on AWS)
Verify connection: Help > AWS Setup > Testing tab

Required IAM Permissions:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "network-firewall:ListRuleGroups",
      "network-firewall:DescribeRuleGroup"
    ],
    "Resource": "arn:aws:network-firewall:*:*:*"
  }]
}

💡 Help Available: Click Help button in import dialog or visit Help > AWS Setup for complete setup guide.

Rule Filtering

🎯 Focus on relevant rules by temporarily hiding others - essential for large rule sets!

The rule filtering feature provides non-destructive filtering to temporarily hide rules from view based on multiple criteria. Filtered rules remain in the file and are saved/exported normally.

Accessing Filters

Filter Bar: Appears above rules table (collapsed by default)
Click to Expand: Access all filtering controls
Instant Updates: Most filters apply immediately

Filter Options

By Action:

Individual checkboxes for Pass, Drop, Reject, Alert, Comments
Toggle to show/hide specific action types
Instant filtering as checkboxes change

By Protocol:

Multi-select dropdown with all 26 protocols
Select multiple protocols to display
Shows count when multiple selected

By SID Range:

Enter "From" and "To" SID values
Exclude Mode: Invert filter to hide range
Click "Apply" to activate

By Variable:

Dropdown shows variables used in current file
Filter rules using specific variables
Click "Apply" to activate

Filter Status

Status Bar: Shows "Showing X of Y rules" when active
Filter Description: Displays active criteria
Original Line Numbers: Preserved for reference
Clear All: Reset all filters to show all rules

Smart Features

Auto-Clear on Edit: Filters clear when edited rules don't match criteria
Visual Feedback: Filter bar highlighted when active
Non-Destructive: Filtered rules remain in file

Use Cases

📊 Manage large rule sets (100+ rules)
🎯 Focus on specific rule types
🔍 Troubleshoot issues by isolation
💡 Review specific sections

Bulk SID Management

🔢 Bulk renumber SIDs for better organization and conflict resolution.

Accessing SID Management

Tools > SID Management
Available when rules exist
Works on all rules or selected rules

Features

Scope Options:

All rules in file
Selected rules only
Rules by action type (pass, drop, reject, alert)

Renumbering Controls:

Starting SID: First SID to use
Increment: Gap between SIDs (default: 10)
Preview: See changes before applying

Conflict Detection:

Check for SID conflicts before applying
Visual conflict report with line numbers
Resolution strategies available

Resolution Strategies:

Skip Conflicts: Find next available SID
Restart with Safe SID: Begin at max SID + 10
Overwrite: Replace conflicting SIDs (⚠️ modifies other rules)

Use Cases

🔄 Reorganize SIDs by rule type
🔧 Fix SID gaps and inconsistencies
📦 Prepare rules for merging with other files
🎯 Group rules by SID range

↩️ Undo Support: All SID changes can be reverted with Ctrl+Z.

Advanced Editor

💻 Professional code editing with IDE-like features - new in v1.19.0, enhanced with Scintilla in v1.23.0!

The Advanced Editor provides a powerful text-based interface with native code folding, auto-complete, and real-time validation.

Accessing Advanced Editor

Tools > Advanced Editor or Ctrl+E
Requirements: wxPython (optional - prompts to install if missing)
Modal Window: 1000x700 resizable with professional layout

Code Folding (Scintilla Feature)

Fold by Blank Lines:

Blank lines separate rules into collapsible groups
Click +/- icons in fold margin
Essential for organizing large rule sets

Comment Blocks:

Consecutive comments (2+) fold together
Keep related documentation collapsed
Expand when needed

Box-Style Markers:

Visual +/- icons in left margin
Intuitive expand/collapse interface
Standard editor convention

Real-Time Validation

Error Detection (Red Underlines):

Invalid actions, protocols, networks, ports
Malformed syntax and missing required fields
Direction indicator errors

Warning Detection (Orange Underlines):

Unknown keywords (forward compatibility)
Undefined variables (prompts to define)
Duplicate SIDs within file

Hover Tooltips:

Detailed error information
Suggestions for fixes
Shows expected values

Status Bar:

Error and warning counts
Line and column position
Current rule number
Modification status

Smart Auto-Complete

Context-Aware Suggestions:

Actions: alert, pass, drop, reject, # (comment)
Protocols: All 26 supported protocols
Networks/Ports: "any", CIDRs, port ranges, variables
Content Keywords: 50+ Suricata keywords from content_keywords.json

Trigger Methods:

Auto-appears while typing
Manual trigger with Ctrl+Space
Navigate with Up/Down arrows
Accept with Tab or Enter

Advanced Editing Features

Smart Typing:

Auto-Close: ( [ " auto-insert matching closing character
Smart Tab: Jump to next semicolon in options
Smart Backspace: Delete matching bracket/quote pairs

Code Manipulation:

Comment Toggle: Ctrl+/ to comment/uncomment lines
Clipboard: Ctrl+X/C/V with system integration
Undo/Redo: Multi-level Ctrl+Z and Ctrl+Y
Go to Line: Ctrl+G for quick navigation

Find and Replace

Unified Dialog:

Ctrl+F opens comprehensive find/replace
Field-specific search (message, content, networks, ports, SID, protocol, all)
Action filtering (include/exclude by action type)
Replace current or Replace All with confirmation

Search Options:

Case-sensitive matching
Whole word only
Regular expression support

Visual Highlights:

Current match in yellow
Other matches in gray
F3 for next, Shift+F3 for previous

Save and Validation

Comprehensive Validation:

All rules validated on save
Errors auto-commented with # [SYNTAX ERROR] prefix
Warnings preserved (unknown keywords allowed)
Confirmation dialog with detailed summary

Auto-Create Variables:

Undefined variables automatically created
Added to Variables tab with empty definitions
Prompts to define before analysis/export

Benefits

💼 Professional Workflow: Text-based editing for power users
📁 Code Folding: Essential for large files
✅ Real-Time Validation: Catch errors as you type
🚀 Fast Editing: Auto-complete and smart typing
🔒 Safety Net: Comprehensive validation prevents invalid rules

💡 Optional Feature: Main application works fully without wxPython. Install only if you want the Advanced Editor.

CloudWatch Rule Usage Analysis

📊 Discover which rules are actually being used in production - AWS integration new in v1.27.0!

The Problem This Solves

Extending AWS Network Firewall Observability While the AWS Dashboard provides excellent traffic volume and basic statistics, network security teams need deeper insights into individual rule performance. This feature extends AWS monitoring capabilities by:

✅ Identifying which specific rules are triggering in your traffic
✅ Discovering rules that have never matched any traffic
✅ Detecting rules that might be shadowed by earlier rules based on hit patterns
✅ Revealing which rules are handling the majority of your traffic

This feature accomplishes this by directly querying AWS CloudWatch Logs to provide comprehensive per-rule usage analytics that complement your existing AWS monitoring.

What You Get

The CloudWatch Rule Usage Analyzer provides eight comprehensive analytical views from a single query:

1. Summary Dashboard

Rule group health score (0-100) with visual gauge
Quick statistics (unused, low-frequency, high-traffic, unlogged rules)
Performance insights (Pareto analysis showing top performers)
Priority recommendations ranked by impact

2. Unused Rules Tab - Confirmed Unused

Rules ≥14 days old with 0 hits - safe to remove
Bulk Actions: Delete or comment out selected rules
Color Coding: Green background for confirmed unused status
Shows line number, SID, age, message, and rule preview

3. Unused Rules Tab - Recently Deployed

Rules <14 days old with 0 hits - too new to judge
Warning Status: Recommends waiting before removal
Color Coding: Light yellow background for recent status
Shows same columns as Confirmed Unused

4. Unused Rules Tab - Never Observed

Unknown age with 0 hits - manual review recommended
Information Status: Deployment date unavailable
Color Coding: Light gray background for unknown status
Suggests enabling change tracking for future accuracy

5. Low-Frequency Rules Tab

Identifies rules with <10 hits in the analysis period
Staleness Indicators: Color-coded by last hit timestamp
- Very light yellow: <7 days ago
- Light yellow: 7-14 days ago
- Yellow-orange: 14-21 days ago
- Orange: >21 days ago
Shadow Detection Hints: May indicate rules blocked by earlier rules

6. Rule Effectiveness Tab

Pareto Analysis: Shows which rules handle most traffic
Top 20 Performers: Rules sorted by hit count
Overly-Broad Detection: Flags rules handling excessive traffic (>10%, >15%, >30%)
- Critical (>30%): Immediate review recommended
- High (>15%): Review soon
- Medium (>10%): Consider reviewing
Actionable Recommendations: Suggests splitting broad rules into specific ones

7. Efficiency Tiers Tab

Visual distribution of rules by usage level
Five Tiers: Critical, High, Medium, Low, Unused
Bar Chart Visualization: Color-coded bars showing rule distribution
Health Benchmarks: Indicates healthy vs. problematic distributions
Tier Navigation: Click to view rules in each category

8. Search Tab

Quick SID lookup with detailed statistics
Shows hits, percentage of traffic, last hit timestamp, rule age
Recent searches for quick access
Full rule display with contextual analysis

9. Unlogged Rules Tab

Shows rules that don't write to CloudWatch Logs
Pass rules without 'alert' keyword: Cannot be tracked via CloudWatch
Drop/reject with 'noalert' keyword: Logging explicitly suppressed
May be actively processing traffic but won't show hits
Excluded from health score calculations and unused detection
Provides recommendations for enabling logging if needed

10. Untracked Rules Tab

Shows SIDs found in CloudWatch logs but not in your current file
Recently deleted/commented rules: Still in logs during analysis timeframe
AWS default policy rules: Alert/drop defaults not in your rule group
Excluded from all analysis calculations
Helps identify rules removed from file or applied by AWS policy

Right-Click Quick Lookup

After running analysis once, right-click any rule in the main table:

Context Menu: "View CloudWatch Statistics"
Instant Results: Shows cached stats without re-querying CloudWatch
Comprehensive Data: Hits, percentage, last hit, rule age, category
Quick Refresh: Option to re-run analysis if needed

Deployment-Aware Intelligence

The analyzer integrates with your existing change tracking to provide confidence-based recommendations:

With Change Tracking Enabled:

Knows exact age of each rule from revision history
Separates recently deployed rules (< X days) from confirmed unused rules
Avoids false recommendations to remove rules still being tested

Without Change Tracking:

All unused rules categorized as "Unknown Age"
Recommends manual review before removal
Still provides accurate hit counts and percentages

Setup Requirements

One-Time Setup:

Install boto3: pip install boto3 (AWS SDK for Python)
Configure AWS Credentials: Use AWS CLI (aws configure) or environment variables

IAM Permissions: Requires read-only CloudWatch Logs access

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:StartQuery", "logs:GetQueryResults"],
    "Resource": "arn:aws:logs:*:*:log-group:/aws/network-firewall/*"
  }]
}

Enable CloudWatch Logging: Your AWS Network Firewall must log to CloudWatch

In-App Help:

Help > Rule Usage Analyzer Setup: Complete setup guide
Four Tabs: Prerequisites, IAM Permissions, Credentials, Testing
Copy-Paste Ready: IAM policy included for easy setup
Connection Test: Built-in testing before running analysis

Running Analysis

Tools > Analyze Rule Usage
Configure Parameters:
- Log Group Name: Your CloudWatch log group path
- Time Range: 7, 30, 60, or 90 days
- Low-Frequency Threshold: Hit count defining "low-frequency" threshold
- Minimum Days in Production: Days before considering rules unused
Click Analyze
Wait: ~10-60 seconds for CloudWatch query (progress shown)
Review Results: Six-tab window with comprehensive analytics

Key Features

Efficient CloudWatch Querying:

Server-Side Aggregation: Processes millions of logs in AWS
Minimal Data Transfer: Returns ~200KB for 10,000 rules
Single Query: All tabs populated from one query
Cached Results: Instant right-click lookups after initial analysis

Smart Analysis:

Unused Detection: Set difference logic (100% accurate)
Percentage Calculations: Shows each rule's share of total traffic
Hits Per Day: Normalized metrics across time ranges
Broadness Detection: Identifies rules handling excessive traffic

Persistent Statistics:

Save Button: Save analysis results to .stats file for offline access
Auto-Load: Statistics automatically loaded when opening rule files
Session Caching: Loaded stats persist until new analysis run
Cached Prompt: Shows "view cached or run new" dialog with saved data

Export and Sharing:

HTML Reports: Professional formatted with color coding
Plain Text Reports: Simple format for any text editor
Complete Data: Includes all tabs and recommendations

Real-World Benefits

Capacity Optimization:

Before: 10,150 rules consuming capacity
Analysis Results:
  - 275 confirmed unused rules (2.7%)
  - 89 low-frequency rules (<10 hits/30 days)
  
Actions Taken:
  - Removed 180 confirmed unused rules
  - Capacity freed: 1.8%
  - Monitoring remaining 95 for additional optimization

Security Improvement:

Effectiveness Tab Finding:
  - SID 100 handles 45% of total traffic
  - Rule: pass tcp $HOME_NET any -> any any (flow:established; ...)
  - Too broad - matches ALL established TCP
  
Recommendation:
  - Split into specific rules for known services
  - Improved security posture
  - Better visibility per service

Shadow Rule Detection:

Low-Frequency Tab Finding:
  - SID 5500: 3 hits in 30 days
  - Last hit: 18 days ago
  - Likely shadowed by earlier rule
  
Action:
  - Use Review Rules to find shadowing rule
  - Reorder or refine rules for better coverage

Why This Is Invaluable

Extending AWS Network Firewall Monitoring:

This feature builds upon AWS Network Firewall's robust monitoring foundation by adding rule-level analytics:

What This Feature Adds to Your AWS Monitoring:

Data-Driven Decisions: Remove rules confidently with evidence
Capacity Management: Free up capacity by removing unused rules
Performance Insights: Understand which rules do the heavy lifting
Security Validation: Identify overly-broad rules needing refinement
Shadow Detection: Find rules that may be blocked by earlier rules
Deployment Awareness: Won't flag recently deployed rules as unused

Use Cases

Ongoing Optimization:

Run monthly to identify unused rules
Monitor rule effectiveness over time
Track impact of rule changes

Pre-Deployment Validation:

Export rule group IaC with Test Mode enabled (v1.26.0)
Deploy and run usage analysis
Identify false positives before enforcing
Export production version rule group IaC with confidence

Capacity Planning:

Identify low-value rules for removal
Make room for new rules without hitting 30,000 limit
Prioritize most effective rules

Security Audits:

Document which rules are actually protecting you
Identify gaps in coverage
Demonstrate compliance with usage data

Technical Details

CloudWatch Logs Insights Query:

Aggregates SID hit counts server-side
Returns total hits and last hit timestamp per SID
Efficient pagination for large rule groups (>10,000 rules)
Typical query time: 10-60 seconds depending on time range

Analysis Window:

7 days: Fast analysis, recent trends
30 days: Balanced view (recommended default)
60 days: Longer-term patterns
90 days: Comprehensive historical view

Privacy and Security:

Read-Only: Only queries logs, never modifies anything
Standard AWS Auth: Uses same credentials as AWS CLI
No Stored Credentials: Application never stores AWS credentials
Minimal Permissions: Only CloudWatch Logs read access required

Benefits Summary

🎯 Actionable Insights: Priority-ranked recommendations with expected impact
📊 Visual Analytics: Health scores, charts, color-coded tables
🔍 Deep Visibility: Understand your rule group performance
💰 Cost Optimization: Remove unnecessary rules, improve efficiency
🔒 Security Enhancement: Identify and refine overly-broad rules
⏱️ Time Savings: Automated analysis vs. manual CloudWatch queries
📈 Continuous Improvement: Regular monitoring for ongoing optimization

🌟 Game Changer: This feature complements the AWS Network Firewall Monitoring and Observability dashboard by providing invaluable insights into your Network Firewall's rule behavior vs. traffic behavior.

Analyze Traffic Costs

💰 Identify where your firewall costs are coming from and discover VPC endpoint opportunities for cost savings! ⭐ NEW in v1.29.0

The Traffic Cost Analyzer provides comprehensive analysis of your AWS Network Firewall data processing costs by correlating CloudWatch Logs to show exactly where bandwidth is going and which AWS services could benefit from VPC endpoints.

What This Feature Does

Cost Visibility:

Analyze traffic patterns to understand firewall data processing costs
See bandwidth breakdown by destination (internet vs AWS services vs internal)
Identify high-cost traffic destinations with HTTP/TLS hostname resolution
Calculate regional pricing for accurate cost estimates

VPC Endpoint Recommendations:

Smart cost-benefit analysis determines when VPC endpoints are worth deploying
Break-even calculations show exact traffic thresholds
Gateway endpoints (FREE) always recommended for S3/DynamoDB
Interface endpoints only recommended when cost-effective

Three-Tab Dashboard

Tab 1: Internet Traffic

Non-AWS traffic with hostnames/domains (HTTP, TLS SNI)
Cost breakdown per destination
Source IP drill-down to see which hosts generate traffic
Identifies optimization opportunities (Windows Update, CDNs, package registries)

Tab 2: AWS Service Traffic

AWS services with traffic volumes and costs
VPC endpoint recommendations with monthly savings projections
Regional pricing accuracy
Cross-region traffic identification with alternative suggestions

Tab 3: Internal Traffic

VPC-to-VPC communication patterns
Internal traffic costs
Source-to-destination flow analysis

Intelligent VPC Endpoint Recommendations

Gateway Endpoints (Always FREE):

S3 and DynamoDB gateway endpoints cost $0
Always recommended when same-region traffic detected
Eliminate firewall data processing charges completely
Example: 245 GB/month to S3 → Save $15.93/month ($191/year)

Interface Endpoints (Cost-Benefit Analysis):

Break-even threshold: 112 GB/month for same-region (us-east-1: $7.30/month endpoint cost ÷ $0.065/GB)
Only recommended when traffic exceeds break-even
Example: 85 GB/month to SSM → Skip (not cost-effective)
Example: 180 GB/month to Lambda → Deploy (saves $4.40/month)

Regional Pricing:

Accurate cost calculations using regional firewall data processing rates
Interface endpoint costs vary by region
Break-even thresholds adjusted per region automatically

Cross-Region Guidance:

Identifies cross-region AWS service traffic
Suggests alternatives (S3 CRR, DynamoDB Global Tables)
Interface endpoint support varies by service

CloudWatch Logs Integration

Correlation Engine:

Combines FLOW logs (traffic volumes) with ALERT logs (hostnames/SNI)
Correlates via flow_id for complete traffic picture
Handles millions of log entries efficiently

Pagination Support:

Automatic chunking for queries exceeding 10K flows
Progress tracking with cancellation support
Handles very large datasets gracefully

AWS Service Detection:

Downloads AWS IP ranges for service identification
Interval tree for O(log n) lookups (100,000x faster than naive approach)
Identifies S3, DynamoDB, Lambda, EC2, and 20+ other services

Data Caching

Save Results:

Save analysis results to .stats file (same format as Rule Usage stats)
Unified v2.0 format supports both Rule Usage and Traffic Analysis data
Avoid CloudWatch Logs query charges on repeat views

Auto-Load:

Cached data detected when rule file is opened
Prompt to load cached (instant) or run fresh analysis
Shows data age for informed decision

Instant Drill-Down:

Cached data supports all three main tabs
Individual flow data not cached (keeps file size reasonable)
Drill-down features work with fresh analysis only

Expandable Drill-Down

Double Click Any Row:

See source IP breakdown showing which internal hosts generate traffic
Expand source IPs to see individual flows with timestamps
Sort by any column (traffic volume, cost, flow count)

Timestamp Sorting:

Click "Source IP" column to sort flows by timestamp
See most recent activity first
Useful for identifying current vs historical patterns

Custom Date Ranges

Flexible Time Periods:

Preset ranges: 7, 15, 30, 60, 90 days
Custom date range picker
Analysis metadata shows exact date range used

Requirements

One-Time Setup:

Install boto3 and dependencies: pip install boto3 intervaltree requests
Configure AWS credentials (AWS CLI or environment variables)
AWS Network Firewall must log to CloudWatch:
- FLOW logs (traffic volumes) - Required
- ALERT logs (hostnames/SNI) - Required for hostname visibility
IAM permissions for CloudWatch Logs

CloudWatch Query Costs:

CloudWatch Logs Insights charges $0.005 per GB scanned
Typical 30-day analysis: $0.50 - $2.00
Cost warning shown before running analysis
Cached results avoid repeated charges

Running Analysis

Tools > Analyze Traffic Costs
Configure:
- Flow log group (required)
- Alert log group (optional but recommended)
- AWS region
- Time range (7-90 days or custom)
Click Analyze
Wait: ~60-120 seconds for CloudWatch queries
Review: Three-tab dashboard with comprehensive insights

Benefits

Cost Optimization:

Potential VPC endpoint savings: $50-200/month
Gateway endpoints (FREE) eliminate costs for S3/DynamoDB traffic
Interface endpoints only recommended when ROI is positive
Regional pricing ensures accurate projections

Traffic Visibility:

See exactly where bandwidth is going
HTTP/TLS hostname resolution shows application-level detail (when available)
Multiple destination IPs per hostname consolidated (CDN load balancing)
Source IP drill-down shows which hosts consume bandwidth

Smart Recommendations:

Break-even analysis prevents wasteful endpoint deployments
Alternative suggestions for sub-threshold traffic
Regional considerations for cross-region traffic
Data-driven decisions backed by actual traffic analysis

Easy to Use:

Works with existing CloudWatch logs
No additional AWS configuration needed
Caching reduces CloudWatch charges
CSV export for offline analysis and reporting

Use Cases

Monthly Cost Review:

Identify new VPC endpoint opportunities
Track traffic pattern changes
Verify existing endpoints still cost-effective
Report savings to management

Architecture Optimization:

Discover cross-region traffic patterns
Identify candidates for S3 Cross-Region Replication
Find opportunities for DynamoDB Global Tables
Optimize service placement decisions

Troubleshooting High Bills:

See which destinations consume most bandwidth
Identify unexpected traffic patterns
Correlate costs with specific applications
Drill down to source IPs for accountability

💰 ROI: Analysis costs $0.50-$2.00 but identifies $50-200/month in potential savings. The query cost is recovered quickly!

Rule Group Analysis

🔍 Detect shadowing and conflicts before deployment to AWS.

The analysis engine detects common rule issues that can cause unexpected behavior in production.

Running Analysis

Tools > Review Rules
Define variable CIDRs if prompted
Progress dialog shows analysis status
Comprehensive report when complete

Analysis Features

Complete Shadow Detection:

Identifies when upper rules ALWAYS prevent lower rule execution
Protocol layering awareness
Flow state analysis
Geographic specificity recognition

Conflict Categories:

🔴 Critical: Security bypasses (pass shadowing drop/reject)
🟠 Warning: Missing alerts, unreachable rules
🔵 Informational: Redundant rules with same actions

AWS Compliance:

Validates rule structure for AWS Network Firewall
Checks variable usage and formats
Verifies protocol/port combinations

Report Features

Detailed Findings:

Line numbers for both conflicting rules
Conflict type and severity
Recommendations for resolution
Example corrections

Export Options:

📄 HTML: Professional formatted report
📑 PDF: Browser-based PDF generation
📋 Copy: Right-click to copy results

Benefits

🛡️ Prevent Security Gaps: Find bypasses before deployment
📊 Understand Rule Interaction: Learn why rules conflict
🎓 Educational: Detailed explanations of each issue
💾 Documentation: Export reports for team review

Infrastructure Export

🏗️ Deploy to AWS with infrastructure as code templates or direct deployment.

Generate AWS Network Firewall resources for deployment in multiple formats:

Export Formats

Terraform (.tf): Complete resource definition for Terraform workflows
CloudFormation (.cft): JSON template for CloudFormation stacks
AWS Network Firewall (Direct Deploy): Deploy directly to AWS ⭐ NEW in v1.27.2

AWS Network Firewall Direct Deploy ⭐ NEW

🚀 Deploy rule groups directly to AWS without intermediate IaC files!

How to Use:

File > Export - Export Options dialog appears
Select "AWS Network Firewall (Direct Deploy)"
Optional: Enable Test Mode - Convert all actions to 'alert' for safe testing
Optional: Run Analyzer - Pre-validate rules before deployment
Click Continue - Configure deployment settings
AWS Configuration Dialog:
- Rule group name (auto-sanitized from filename)
- Real-time validation (AWS naming requirements)
- Deployment summary (rules count, capacity, mode, region)
Click Deploy - Direct deployment to AWS Network Firewall

Features:

Smart Name Handling:

Auto-sanitizes current filename for AWS compliance
Real-time validation with visual feedback (✓/✗)
Character counter (128 char limit)
AWS naming rules enforced:
- Valid: a-z, A-Z, 0-9, - (hyphen)
- Cannot start/end with hyphen
- No consecutive hyphens (--)

Overwrite Protection:

Detects existing rule groups before deployment
Shows comprehensive confirmation dialog:
- Existing capacity and rule count
- Format detection (Standard 5-tuple vs Suricata)
- Firewall associations (⚠️ CRITICAL if attached)
- Format conversion notice (if converting to Suricata)
User must confirm before overwriting

Pre-Deployment Options:

Test Mode: Convert all actions to 'alert' (same as other exports)
Analyze Before Export: Run rule analyzer first
- Shows summary (critical/warnings/info counts)
- Option to view full report or continue
- Helps catch issues before deployment

Deployment Details:

Automatically calculated capacity
Shows target AWS region
Preserves all variables (IPSets, PortSets, ReferenceSets)
Uses STRICT_ORDER rule evaluation
Adds version metadata to description

Success Confirmation:

Shows deployed rule group details
Displays ARN and status
Clickable link to AWS Console
Integrated with change tracking

Benefits:

⚡ Instant Deployment: No intermediate files needed
🔄 Round-Trip Workflow: Import → Edit → Deploy seamlessly
🛡️ Safe Overwrites: Clear warnings for live firewalls
🎯 Format Conversion: Automatically handles Standard to Suricata conversion
✅ Pre-Validation: Optional analyzer check before deployment
📊 Full Integration: Works with test mode and change tracking

Requirements:

boto3 installed: pip install boto3
AWS credentials configured
IAM permissions: CreateRuleGroup, UpdateRuleGroup, DescribeRuleGroup
See Help > AWS Setup for complete setup guide

Alert-Only Test Mode (Works with ALL export formats) 🧪

🧪 Test rules safely in production without risk of service disruption!

Export rules with all actions converted to 'alert' for safe testing while preserving original action information in CloudWatch logs.

How to Use:

File > Export - Export Options dialog appears
Select Format - Choose Terraform, CloudFormation, or AWS Direct Deploy
Check Test Mode - ☑️ "Export for testing (alert-only)"
Review Preview - See first 3 converted rules with [TEST-ACTION] prefixes (Terraform/CloudFormation only)
Read Prerequisites - Review AWS policy configuration requirements
Export/Deploy - Save file or deploy directly to AWS

Action Preservation:

[TEST-PASS] → Would have allowed traffic
[TEST-DROP] → Would have blocked traffic silently
[TEST-REJECT] → Would have blocked with TCP reset
[TEST-ALERT] → Was already alert (no change)

AWS Policy Prerequisites (CRITICAL):

For test mode to work, your AWS Network Firewall POLICY must be configured:

✅ REQUIRED: NO default drop action
❌ Do NOT use 'Drop all', 'Drop established', or 'Application Layer drop established'
✅ OPTIONAL: Add 'Alert all' or 'Alert established' for enhanced visibility

Why This Matters:

Alert rules only log traffic (don't control it)
With no default drop action, traffic flows normally
CloudWatch logs show what would have happened
If policy has default drop, all traffic gets blocked

CloudWatch Log Analysis:

[TEST-PASS] Allow HTTPS to AWS services     ← Would have allowed
[TEST-DROP] Block SSH from internet         ← Would have blocked  
[TEST-REJECT] Reject HTTP to direct IPs     ← Would have rejected
[TEST-ALERT] Monitor DNS tunneling          ← No change (already alert)

Benefits:

🛡️ Zero Risk: Source file never modified
⚡ Fast Iteration: No manual rule editing needed
📊 Clear Visibility: See intended actions in CloudWatch
✅ Confidence: Validate before enforcing
📝 Compliance: Document testing phase

Workflow:

Export with test mode → Deploy to AWS
Monitor CloudWatch logs for [TEST-DROP], [TEST-PASS], etc.
Identify false positives from log analysis
Export without test mode → Deploy production rules

Export Features

File > Export

Export Options dialog with format selection (Terraform, CloudFormation, AWS Direct)
Test mode option (applies to all formats)
Optional pre-export rule analysis
Generates complete infrastructure code or deploys directly

What's Included (All Formats):

⚙️ Dynamic Capacity: Auto-calculated from rule count
🔗 Variable Integration: IP sets, port sets, reference sets
📋 STRICT_ORDER: Configured automatically
📝 Version Info: Generator version in metadata
🔒 Proper Escaping: Handles special characters
🛡️ Validation: Checks for undefined variables before export

Format-Specific Features:

Terraform (.tf):

Complete resource definition with variables
No size limits
Best for large rule sets (500+ rules)

CloudFormation (.cft):

JSON template with validation
51.2 KB Limit: Warns if requires S3 upload
1 MB Limit: Blocks if exceeds absolute maximum
Size Guidance: Shows remaining capacity

AWS Direct Deploy:

Immediate deployment to AWS
Smart name sanitization
Overwrite detection and confirmation
Format conversion support
Success confirmation with AWS Console link

Terraform Example:

resource "aws_networkfirewall_rule_group" "suricata_rules" {
  capacity = 150
  type     = "STATEFUL"
  name     = "suricata-generator-rg"
  
  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      rules_string = <<-EOT
        pass tcp any any -> any 80 (msg:"Allow HTTP"; sid:100; rev:1;)
      EOT
    }
  }
}

Deployment Workflows

IaC Workflow (Terraform/CloudFormation):

Generate rules in GUI
Define variables in Variables tab
Export as Terraform or CloudFormation
Deploy to AWS using your IaC pipeline
Re-import from AWS for future edits

Direct Deploy Workflow (AWS):

Generate rules in GUI
Define variables in Variables tab
File > Export > AWS Network Firewall (Direct Deploy)
Configure name and options
Click Deploy - instant deployment to AWS
Re-import from AWS for future edits

Round-Trip Workflow:

Import from AWS (browse or JSON file)
Edit rules in Suricata Generator
Export back to AWS (direct deploy)
Repeat as needed

Change Tracking

📝 Comprehensive audit trail with per-rule rollback - new in v1.16.0, enhanced with rollback in v1.25.0!

Enabling Tracking

Tools > Enable Change Tracking
Toggles tracking on/off
Adds header to file when enabled
Auto-enables when opening files with existing history

What Gets Tracked

File Operations:

File creation with timestamp
File saves with modification info

Rule Operations:

Rules added, modified, deleted
Bulk operations (paste, template application)
SID renumbering operations
Rule rollbacks (v1.25.0) - Rollback to previous revisions

Advanced Operations:

Advanced Editor changes (with summary)
Template applications with details
Domain import operations

Per-Rule Revision History & Rollback (New in v1.25.0)

Rev Dropdown for Rollback:

When change tracking is enabled, the Rev field becomes an interactive dropdown
Shows complete revision history for each rule (by SID)
Displays timestamps for each revision: "Rev 3 - 2026-01-01 01T09:32"
Click to select any previous revision to review or rollback

Side-by-Side Comparison:

Before rolling back, view detailed comparison of current vs selected revision
Compare all rule fields with changed fields highlighted in red
Review full rule syntax for both versions
Make informed decision before proceeding

Non-Destructive Rollback:

Selecting a revision populates the Rule Editor (doesn't immediately change the rule)
Review rolled-back values before committing
Click "Save Changes" to commit the rollback
Cancel by selecting another rule or closing editor without saving
Full Ctrl+Z undo support for all rollback operations (undos not tracked in history)

Linear History:

All revisions preserved permanently - old versions never deleted
E.g. Rolling back to Rev 2 creates a new Rev value (with Rev 2's content)
Complete audit trail maintained for compliance
Can rollback to any previous revision at any time

Automatic Snapshots:

Rule snapshots automatically saved during all rule modifications (except message field)
Works with rule edits, new rules, rule templates, and bulk operations
Optimized storage (snapshots embedded inline with change entries)
Typical file size: ~500KB for 100 rules × 10 revisions each

Snapshots not supported for Advanced Editor changes:

Modifying a rule in the advanced editor does not create new rule snapshot
Rule changes made in the advanced editor are summarized in Change History tab

Legacy File Upgrade:

Existing .history files (v1.0) continue to work normally
Optional upgrade prompt to enable rollback for current rules (v1.0 history)
Upgrade creates baseline snapshots for all rules at current revision number
Rollback capability enabled from upgrade point forward

History Display

History Tab:

Chronological list of all changes including rollbacks
Timestamps in ISO format
Version numbers for each operation
Detailed change information
Rollback entries show source and target revisions

Storage

Companion .history File:

JSON format for machine readability (v2.0 format with snapshots)
Saves along with .suricata file
Automatically loads on file open
Backward compatible with legacy v1.0 format

Benefits

📋 Audit Trail: Complete record of changes with revision snapshots
🔍 Troubleshooting: Track when issues were introduced and rollback if needed
📊 Team Collaboration: See who changed what and restore previous versions
🔄 Safety Net: Roll back individual rules that were modified incorrectly
🧪 Experimentation: Try changes knowing you can easily revert
📚 Learning: Review how specific rules evolved over time

SIG Type Classification

🎓 Understanding Rule Processing - Learn how Suricata classifies rules - new in v1.20.0!

The application shows how Suricata internally classifies each rule into one of 10 SIG types, which determines processing order and performance characteristics.

What are SIG Types?

Suricata internally classifies rules by their keywords and protocol:

Processing Order: Rules process in type order (not just file order)
Performance: Different types have different performance impacts
Protocol Layering: Explains why some rules shadow others unexpectedly

Accessing SIG Type Information

Main Application:

Tools > Show SIG Type Classification: Toggle SIG Type column
Abbreviated Labels: IPONLY, PKT, APP_TX, etc.
Hidden by Default: Column appears between Line and Action

Advanced Editor:

Status Bar: Shows full SIG type name
Format: "Rule 5/42 | SIG_TYPE_APP_TX | Modified"
Real-Time: Updates as you move between rules
Always Visible: Displayed automatically

Educational Help:

Help > About SIG Types: Complete guide to all 10 types
Processing order explanation
Real-world examples
Link to Suricata documentation

The 10 SIG Types

SIG_TYPE_DEONLY - Decoder events (decode-event keyword)
SIG_TYPE_IPONLY - Basic IP/protocol rules
SIG_TYPE_LIKE_IPONLY - IP rules with negated addresses
SIG_TYPE_PDONLY - Protocol detection (app-layer-protocol)
SIG_TYPE_PKT - Flow keywords (flow:established, flowbits)
SIG_TYPE_PKT_STREAM - Anchored content (startswith, depth)
SIG_TYPE_STREAM - Unanchored content
SIG_TYPE_APPLAYER - Application protocol fields
SIG_TYPE_APP_TX - Sticky buffers (http.host, tls.sni, ja3.hash)
SIG_TYPE_NOT_SET - Error/unknown state

Why It Matters

Protocol Layering:

IP-only rules process before app-layer rules
Can cause unexpected shadowing
Understanding types helps diagnose conflicts

Performance:

Sticky buffer rules (APP_TX) are most efficient
IP-only rules are least specific
Choose appropriate keywords for optimization

Rule Development:

See how Suricata will process your rules
Understand which keywords elevate rules
Make informed keyword choices

📖 Reference

Features List

Core Features

✅ Visual rule management with color-coded table display
✅ Tabbed interface (Rule Editor and Rule Variables)
✅ Inline editing with bottom panel editor
✅ Variable auto-detection and management
✅ Copy/paste with intelligent dual-clipboard system
✅ File operations (new, open, save, save as)
✅ Comment support with formatting
✅ Undo functionality (Ctrl+Z)
✅ Rule movement (up/down controls)
✅ Click-to-insert workflow
✅ Keyboard navigation and shortcuts
✅ Toggle selection for workflow flexibility

Advanced Features

✅ URL and Domain Category Filtering (v1.30.0): AWS-maintained category blocking (51 categories) ⭐ NEW
✅ CloudWatch Rule Usage Analysis (v1.27.0): Production rule effectiveness analytics
✅ Analyze Traffic Costs (v1.29.0): VPC endpoint recommendations and cost analysis
✅ AWS Direct Import (v1.27.3): Browse and import rule groups directly from AWS
✅ AWS Direct Deploy (v1.27.2): Deploy rule groups directly to AWS Network Firewall
✅ Rule Templates (v1.24.0): 16 pre-built security patterns (includes 2 category templates)
✅ Rule Filtering (v1.22.0): Non-destructive rule hiding
✅ Advanced Editor (v1.19.0, Scintilla v1.23.0): Code folding and IDE features
✅ SIG Type Classification (v1.20.0): Educational rule type display
✅ Common Ports Library (v1.24.1): 22 pre-configured port variables
✅ AWS Rule Group Import (v1.18.7): Import from AWS CLI JSON
✅ Change Tracking (v1.16.0): Comprehensive audit trail
✅ Enhanced Search (v1.21.0): Field-specific search with find/replace
✅ Rev Keyword Support (v1.9.0): Automatic rule versioning

Analysis and Validation

✅ CloudWatch Logs integration for production usage analytics
✅ Per-rule hit counts and traffic percentages
✅ Unused rule detection with confidence levels
✅ Overly-broad rule identification
✅ Rule effectiveness and efficiency tier analysis
✅ Rule conflict analysis with shadow detection
✅ AWS Network Firewall compliance validation
✅ Protocol layering detection
✅ Network field validation
✅ SID uniqueness checking
✅ Variable definition validation
✅ HTML/PDF report export

Import and Export

✅ Infrastructure as code export (Terraform, CloudFormation)
✅ AWS Network Firewall direct deploy ⭐ NEW
✅ Bulk domain import with consolidation
✅ AWS rule group direct import (browse AWS) ⭐ NEW
✅ AWS rule group import from CLI JSON
✅ AWS best practices template loading
✅ Test mode export (all formats)
✅ Pre-export rule analysis
✅ Change history export

User Interface

✅ Real-time statistics (action counts, SID ranges)
✅ Status bar with capacity and warnings
✅ Undefined variables detection
✅ IP Set References counter (AWS quota tracking)
✅ Protocol/port combination warnings
✅ Placeholder row for new rule insertion
✅ Double-click editing
✅ Right-click context menus

Content Keywords JSON

🔧 Customize auto-complete by editing content_keywords.json.

The content_keywords.json file defines all Suricata keywords for the Advanced Editor's auto-complete feature.

File Structure

{
  "version": "1.0",
  "description": "AWS Network Firewall Suricata Content Keywords",
  "keywords": [
    {
      "name": "keyword_name",
      "syntax": "keyword_name:<value>",
      "values": ["optional", "valid", "values"],
      "description": "Human-readable description",
      "category": "general|flow|http|tls|dns|protocol"
    }
  ]
}

Adding Keywords

Open content_keywords.json in text editor
Add new keyword object to keywords array
Save file
Reopen Advanced Editor (auto-reloads JSON)

Hot Reload

File loaded each time Advanced Editor opens
Edit JSON while main app is running
No application restart needed
Changes appear immediately

Validation

Unknown keywords generate warnings (not errors)
Allows use of new Suricata features
Forward compatibility maintained

📖 Full Documentation: See docs/content_keywords_json.md for complete reference.

Common Ports JSON

🔧 Extend the port library by editing common_ports.json - new in v1.24.1!

The common_ports.json file defines pre-configured port variables for the Add Common Ports feature.

File Structure

{
  "version": "1.0.0",
  "description": "Common port definitions for Suricata rules",
  "categories": {
    "Category Name": [
      {
        "name": "$VARIABLE_NAME",
        "definition": "[80,443,8080]",
        "description": "Service description"
      }
    ]
  }
}

Current Library

7 Categories:

Infrastructure Services (7 variables)
Windows/Active Directory (5 variables)
Web Services (3 variables)
Databases (7 variables)
Email (3 variables)
Security/Threat Detection (3 variables)
Remote Access (4 variables)

22 Pre-Configured Variables:

$DNS_PORTS, $DHCP_PORTS, $NTP_PORTS
$ACTIVE_DIRECTORY_PORTS, $SMB_PORTS
$WEB_PORTS, $DATABASE_PORTS
And many more...

Adding Custom Variables

Open common_ports.json in text editor
Add variable to existing category or create new category
Save file
Changes appear immediately in Add Common Ports dialog

Benefits

📚 Team-standard port definitions
🔧 No code changes needed
🔄 Instant updates
📝 Documentation included

📖 Full Documentation: See docs/common_ports_json.md for complete reference and customization guide.

Technical Architecture

The application follows a modular architecture with specialized managers:

Core Modules

suricata_generator.py: Main application and manager coordination
suricata_rule.py: Rule parsing, validation, and formatting
constants.py: Application constants and validation patterns
version.py: Centralized version management
security_validator.py: Input validation and security protection

Manager Modules

ui_manager.py: Complete user interface management
template_manager.py: Rule template system (v1.24.0)
file_manager.py: File operations and exports
search_manager.py: Search functionality
rule_filter.py: Rule filtering system (v1.22.0)
domain_importer.py: Bulk domain processing
domain_list_importer.py: AWS Domain List imports (v1.27.7)
stateful_rule_importer.py: AWS rule group imports (v1.18.7)
rule_analyzer.py: Conflict detection and reporting
rule_usage_analyzer.py: CloudWatch usage analytics (v1.27.0)
traffic_analyzer.py: Traffic cost analysis backend (v1.29.0) ⭐ NEW
traffic_analyzer_ui.py: Traffic cost analysis UI (v1.29.0) ⭐ NEW
aws_service_detector.py: AWS service identification from IP addresses (v1.29.0) ⭐ NEW
flow_tester.py: Network traffic simulation
advanced_editor.py: IDE-style text editor (v1.19.0)
revision_manager.py: Per-rule revision history and rollback (v1.25.0)

Configuration Files

content_keywords.json: Auto-complete keyword definitions (v1.19.0)
rule_templates.json: Pre-built security templates (v1.24.0)
common_ports.json: Port variable library (v1.24.1)

Security Features

Injection Protection: Filters dangerous patterns
Path Traversal Prevention: Validates file operations
Input Validation: Length limits and character restrictions
File Security: Size and permission checks
Domain Validation: Format and safety checks

Tips and Best Practices

💡 Get the most out of the Suricata Rule Generator.

Getting Started

🎯 Start Simple: Begin with basic pass/drop rules
📚 Use Templates: Leverage Rule Templates for common patterns
📝 Organize Early: Use comments to document sections

Working with Rules

🔤 Define Variables: Use Variables tab for reusable definitions
🔢 Smart SID Strategy: Start at 100, reserve high SIDs for default deny
📋 Copy/Paste Workflow: Use toggle selection for efficient copying
🔍 Filter Large Sets: Use filtering for files with 100+ rules

Quality Assurance

✅ Validate Early: Run analysis before deploying
🧪 Test Mode: Use template Test Mode for safe validation
📊 Monitor Status: Watch status bar for warnings and statistics
⚠️ Check Warnings: Review orange protocol/port warnings

Advanced Techniques

🏗️ Export Early: Generate infrastructure templates to validate requirements
📈 Enable Tracking: Use change tracking for audit trails
💻 Power User: Learn Advanced Editor for bulk operations
🌍 Geographic Control: Use GeoIP templates for country-based filtering

File Management

💾 Backup Files: Save frequently and use version control
📁 Organize Files: Use consistent naming for .suricata/.var pairs
🔐 Persistent Variables: Variables automatically save with files

AWS Integration

🚀 Import from AWS: Use AWS Rule Group Import to edit existing rules
🔄 Round-Trip: Import from AWS → Edit → Export → Deploy
📦 Capacity Planning: Monitor capacity for AWS limits (30,000 max)
📊 Monitor Usage: Run CloudWatch analysis monthly to identify unused rules
🎯 Optimize Performance: Use Rule Effectiveness tab to refine overly-broad rules
🔍 Shadow Detection: Combine low-frequency findings with Review Rules feature

Support

For issues, questions, or to contribute to the project:

📚 GitHub Repository: https://github.com/aws-samples/sample-suricata-generator
🐛 Issues: Report bugs or request features via GitHub Issues
💬 Help: Use Help > About in application for version information
📖 Documentation: Review source code comments for implementation details
📝 Release Notes: See RELEASE_NOTES.md for complete version history

Repository: aws-samples/sample-suricata-generator

Name		Name	Last commit message	Last commit date
Latest commit History 26 Commits
docs		docs
images		images
.gitignore		.gitignore
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
RELEASE_NOTES.md		RELEASE_NOTES.md
advanced_editor.py		advanced_editor.py
advanced_editor_tkinter_backup.py		advanced_editor_tkinter_backup.py
aws_service_detector.py		aws_service_detector.py
common_ports.json		common_ports.json
constants.py		constants.py
content_keywords.json		content_keywords.json
domain_importer.py		domain_importer.py
domain_list_importer.py		domain_list_importer.py
file_manager.py		file_manager.py
flow_tester.py		flow_tester.py
requirements.txt		requirements.txt
revision_manager.py		revision_manager.py
rule_analyzer.py		rule_analyzer.py
rule_filter.py		rule_filter.py
rule_templates.json		rule_templates.json
rule_usage_analyzer.py		rule_usage_analyzer.py
search_manager.py		search_manager.py
security_validator.py		security_validator.py
stateful_rule_importer.py		stateful_rule_importer.py
suricata_generator.py		suricata_generator.py
suricata_rule.py		suricata_rule.py
template_manager.py		template_manager.py
traffic_analyzer.py		traffic_analyzer.py
traffic_analyzer_ui.py		traffic_analyzer_ui.py
ui_manager.py		ui_manager.py
version.py		version.py

License

aws-samples/sample-suricata-generator

Folders and files

Latest commit

History

Repository files navigation

Suricata Rule Generator for AWS Network Firewall

Screenshot

Table of Contents

🚀 Getting Started

📚 Core Concepts

💼 Basic Workflows

🎯 Advanced Features

📖 Reference

🚀 Getting Started

Quick Start

Path 1: For Experienced Python Users

Path 2: First Time Setup (Step-by-Step)

Path 3: Your First Rule (Complete Beginner)

Installation

System Requirements

Step 1: Install Python

Step 2: Install tkinter (GUI Library)

Step 3: Download the Application

Step 4: Run the Application

Optional: Install Advanced Editor Support

Optional: Create Standalone Executable

Troubleshooting

Common Installation Issues

Common Usage Issues

📚 Core Concepts

Rule Format

SID Numbers

Variables Overview

Variable Types

Variable Benefits

Network Field Validation

File Format

💼 Basic Workflows

Creating and Editing Rules

Creating Individual Rules

Editing Existing Rules

Managing Comments

Rev Keyword Support (v1.9.0+)

Rule Management Operations

File Operations

New File

Open File

Save Operations

Color Coding in Table

Managing Variables

The Variables Tab

Adding Variables

Variable Naming Rules

Variable Formats

Variable Operations

Special Variables

Managing AWS Tags ⭐ NEW in v1.28.0

The AWS Tags Tab

Adding Tags

Tag Operations

Default Tag

Common Tag Examples

Export Integration

Import Integration

Storage

Benefits

AWS Tag Limits

Copy and Paste

The Dual-Clipboard System

Copy Operations

Paste Operations

Use Cases

Keyboard Shortcuts

File Operations

Editing

Navigation

Search

Advanced Features

🎯 Advanced Features