feat(rule-group): Adding fromFile method to suricata rule group (#4)

* Adding fromFile method to suricata rule group * updating API docs with changes
durkinza · Jul 30, 2023 · e5e2764 · e5e2764
1 parent 69c8851
commit e5e2764
Show file tree

Hide file tree

Showing 4 changed files with 227 additions and 0 deletions.
diff --git a/API.md b/API.md
diff --git a/src/lib/rule-group.ts b/src/lib/rule-group.ts
@@ -1,3 +1,4 @@
+import { readFileSync } from 'fs';
 import { CfnRuleGroup, CfnRuleGroupProps } from 'aws-cdk-lib/aws-networkfirewall';
 import * as core from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
@@ -392,13 +393,46 @@ export interface StatefulSuricataRuleGroupProps extends StatefulRuleGroupProps {
  readonly rules?: string;
 }
 
+/**
+ * Properties for defining a Stateful Suricata Rule Group from a file.
+ *
+ * @resource AWS::NetworkFIrewall::RuleGroup
+ */
+export interface StatefulSuricataRuleGroupFromFileProps extends StatefulRuleGroupProps {
+ /**
+ * The suricata rules file location
+ *
+ */
+ readonly path: string;
+
+ /**
+ * The encoding to use for the file
+ *
+ * @default - uft-8
+ */
+ readonly encoding?: BufferEncoding;
+}
+
 /**
  * A Stateful Rule group that holds Suricata Rules
  *
  * @resource AWS::NetworkFirewall::RuleGroup
  */
 export class StatefulSuricataRuleGroup extends StatefulRuleGroup {
 
+ /**
+ * Reference Suricata rules from a file,
+ *
+ * @resource AWS::NetworkFirewall::RuleGroup
+ */
+ public static fromFile(scope:Construct, id:string, props:StatefulSuricataRuleGroupFromFileProps):StatefulSuricataRuleGroup {
+ const contents = readFileSync(props.path, props.encoding || 'utf-8').toString();
+ return new StatefulSuricataRuleGroup(scope, id, {
+ rules: contents,
+ ...props,
+ });
+ }
+
  public readonly ruleGroupArn: string;
  public readonly ruleGroupId: string;
 

diff --git a/test/statefulrulegroup.test.ts b/test/statefulrulegroup.test.ts
@@ -284,3 +284,47 @@ test('Can get statelesss rule group by name', () => {
  stateful5TupleRuleGroupArn: 'arn:aws:networkfirewall:statefulrulegroup',
  });
 });
+
+test('Can get statelesss rule group from file', () => {
+ // GIVEN
+ const stack = new cdk.Stack();
+ // WHEN
+ NetFW.StatefulSuricataRuleGroup.fromFile(stack, 'MyStatefulSuricataRuleGroup', {
+ path: './test/suricata.rules',
+ capacity: 100,
+ ruleGroupName: 'MyStatefulRuleGroup',
+ variables: {
+ ipSets: {
+ ipSetsKey: { definition: ['10.0.0.0/16', '10.10.0.0/16'] },
+ },
+ portSets: {
+ portSetsKey: { definition: ['443', '80'] },
+ },
+ },
+ ruleOrder: NetFW.StatefulRuleOptions.STRICT_ORDER,
+ });
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::NetworkFirewall::RuleGroup', {
+ Capacity: 100,
+ RuleGroupName: 'MyStatefulRuleGroup',
+ Type: 'STATEFUL',
+ RuleGroup: {
+ RuleVariables: {
+ IPSets: {
+ ipSetsKey: {
+ Definition: ['10.0.0.0/16', '10.10.0.0/16'],
+ },
+ },
+ PortSets: {
+ portSetsKey: { Definition: ['443', '80'] },
+ },
+ },
+ RulesSource: {
+ RulesString: 'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET TROJAN Likely Bot Nick in IRC (USA +..)\"; flow:established,to_server; flowbits:isset,is_proto_irc; content:\"NICK \"; pcre:\"/NICK .*USA.*[0-9]{3,}/i\"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)',
+ },
+ StatefulRuleOptions: {
+ RuleOrder: 'STRICT_ORDER',
+ },
+ },
+ });
+});
diff --git a/test/suricata.rules b/test/suricata.rules
@@ -0,0 +1 @@
+drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)