

# AWS threat signature managed rule groups for AWS Network Firewall
<a name="aws-managed-rule-groups-threat-signature"></a>

This section describes the AWS managed rule groups that inspect for threat signatures for Network Firewall. You see these in the console in the list of AWS managed rule groups, or when you add rule groups to your firewall policy. Through the API, you can retrieve the list of AWS managed rule groups by calling [ListRuleGroups](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ListRuleGroups.html).

Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection, for enforcing fair use policies, and for guarding against emerging threats. Currently, Network Firewall supports only Suricata-compatible stateful managed rule groups.

Each rule name in the table below ends in either `StrictOrder` or `ActionOrder`. A firewall policy's *rule evaluation order* determines whether you can add `StrictOrder` or `ActionOrder` managed rule groups to the policy. For example, you can only add a rule group whose name ends in `StrictOrder` if the policy uses strict order for its rule evaluation order. In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see [Managing evaluation order for Suricata compatible rules in AWS Network Firewall](suricata-rule-evaluation-order.md).


| Category | Rule name | Description and label | 
| --- | --- | --- | 
| Botnet | ThreatSignaturesBotnetStrictOrder, ThreatSignaturesBotnetActionOrder | Signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | 
| Botnet Web | ThreatSignaturesBotnetWebStrictOrder, ThreatSignaturesBotnetWebActionOrder | Signatures that detect HTTP botnets. | 
| Botnet Windows | ThreatSignaturesBotnetWindowsStrictOrder, ThreatSignaturesBotnetWindowsActionOrder | Detects Windows botnets. | 
| Compromised | ThreatSignaturesIOCStrictOrder, ThreatSignaturesIOCActionOrder | Attack Response - Signatures to identify responses indicative of intrusion. Examples include, but are not limited to, LMHost file download, the presence of certain web banners, and detection of the Metasploit Meterpreter kill command. These are designed to catch the results of a successful attack, such as “id=root” or error messages that indicate a compromise may have happened. Exploit Kit - Signatures to detect activity related to Exploit Kits, their infrastructure, and delivery.  | 
| DoS | ThreatSignaturesDoSStrictOrder, ThreatSignaturesDoSActionOrder | Signatures that detect Denial of Service (DoS) attempts. These rules are intended to catch inbound DoS activity, and provide indication of outbound DoS activity.  | 
| Emerging Threats | ThreatSignaturesEmergingEventsStrictOrder, ThreatSignaturesEmergingEventsActionOrder | Current Events - Signatures with rules developed in response to active and short-lived campaigns and high-profile items that are expected to be temporary. The rules in this category are ones that are not intended to be kept in the ruleset for long, or that need to be further tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSID’s of newly found vulnerable apps where we don’t have any detail on the exploit.  | 
| Exploits | ThreatSignaturesExploitsStrictOrder, ThreatSignaturesExploitsActionOrder | Exploits - Signatures that protect against direct exploits not otherwise covered in a specific service category. This is the category where you'll find specific attacks against vulnerabilities, such as those in Microsoft Windows. Attacks that have their own category, such as SQL injection, are covered there. ActiveX - Signatures that protect against attacks against Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls. FTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). This category also includes rules that detect non-malicious FTP activity such as logins for logging purposes. ICMP - Signatures that protect against attacks and vulnerabilities regarding Internet Control Message Protocol (ICMP). NetBIOS - Signatures that protect against attacks, exploits, and vulnerabilities regarding NetBIOS. This category also includes rules that detect non-malicious NetBIOS activity for logging purposes. RPC - Signatures that protect against attacks, exploits, and vulnerabilities regarding Remote Procedure Call (RPC). This category also includes rules that detect non-malicious RPC activity for logging purposes. ShellCode - For remote shellcode detection. Remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on a local network or intranet. If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine. SNMP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). This category also includes rules that detect non-malicious SNMP activity for logging purposes. Telnet - Signatures that protect against attacks, exploits, and vulnerabilities regarding TELNET. This category also includes rules that detect non-malicious TELNET activity for logging purposes. TFTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Trivial File Transport Protocol (TFTP). This category also includes rules that detect non-malicious TFTP activity for logging purposes. VOIP - Signatures that protect against attacks and vulnerabilities regarding Voice over IP (VOIP) including SIP, H.323 and RTP among others. SQL - Signatures that protect against attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). This category also includes rules that detect non-malicious SQL activity for logging purposes.  | 
| FUP | ThreatSignaturesFUPStrictOrder, ThreatSignaturesFUPActionOrder | Signatures to detect gaming traffic, potentially inappropriate websites, and P2P traffic as well as signatures that may indicate violations to an organization's policy.  | 
| Malware | ThreatSignaturesMalwareStrictOrder, ThreatSignaturesMalwareActionOrder | Signatures that detect malware (TCP, UDP, SMTP, ICMP, SMB, IP) and WORM. Malware - Detects malicious software. Rules in this category detect activity related to malicious software that is detected on the network including malware in transit, active malware, malware infections, malware attacks, and updating of malware.  Worm - Detects malicious activity that automatically attempts to spread across the internet or within a network by exploiting a vulnerability. While the exploit itself is typically identified in the exploit or given protocol category, an additional entry in this category might be made if the actual malware engaging in worm-like propagation can be identified.  | 
| Malware Coin Mining | ThreatSignaturesMalwareCoinminingStrictOrder, ThreatSignaturesMalwareCoinminingActionOrder | Signatures with rules that detect malware that performs coin mining. These signatures can also detect some legitimate (though often undesirable) coin mining software. | 
| Malware Mobile | ThreatSignaturesMalwareMobileStrictOrder, ThreatSignaturesMalwareMobileActionOrder |  Signatures that indicate malware that's associated with mobile and tablet operating systems such as Google Android, Apple iOS, and others. Malware that's detected and is associated with mobile operating systems is generally placed in this category rather than the standard categories such as Malware. | 
| Malware Web | ThreatSignaturesMalwareWebStrictOrder, ThreatSignaturesMalwareWebActionOrder | Signatures that detect malicious code in HTTP and TLS protocols. | 
| Phishing | ThreatSignaturesPhishingStrictOrder, ThreatSignaturesPhishingActionOrder | Signatures that detect credential phishing activity. This includes landing pages exhibiting credential phishing as well as successful submission of credentials into credential phishing sites. | 
| Scanners | ThreatSignaturesScannersStrictOrder, ThreatSignaturesScannersActionOrder | Signatures that detect reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. This category can be useful for detecting early breach activity and post-infection lateral movement within an organization. | 
| Suspect | ThreatSignaturesSuspectStrictOrder, ThreatSignaturesSuspectActionOrder | JA3 - Fingerprints malicious SSL certificates using JA3 hashes. These rules are based on parameters that are in the SSL handshake negotiation by both clients and servers. These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation environments. Chat - Signatures that identify traffic related to numerous chat clients such as Internet Relay Chat (IRC). Chat traffic can be indicative of possible check-in activity by threat actors. User Agents - Signatures that detect suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category.  | 
| Web Attacks | ThreatSignaturesWebAttacksStrictOrder, ThreatSignaturesWebAttacksActionOrder | Web Client - Signatures that detect attacks and vulnerabilities regarding web clients such as web browsers as well as client-side applications like CURL, WGET and others. Web Server - Signatures that detect attacks against web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS) and other web server software. Web Specific Apps - Signatures that detect attacks and vulnerabilities in specific web applications.  | 

# Copying threat signature rules into your own AWS Network Firewall rule group
<a name="copying-managed-threat-signature-rules"></a>

Network Firewall provides full visibility into the threat signature rule content of its AWS managed rules. This enables you to choose between using the rule group as-is in your firewall policy or copying the rule group's rules into your own rule group and customizing them for your specific needs. 

**Important**  
Copied rules don't automatically inherit rule updates that AWS makes to managed rule group rules. We recommend that you subscribe to Amazon SNS topics for updates made to the originating rule group. For more information, see [Notifications for threat signature rule group updates](using-managed-rule-groups-sns.md). You're responsible for validating rule changes and making sure that your own rules are up-to-date.

To copy a managed threat signature rule group's rules, create a local copy of the rule group rules, make your modifications, then create your own rule group. The following procedure explains how to copy a threat signature rule group's rules, and then create your own rule group.

------
#### [ Console ]

**To copy a managed threat signature rule group's rules using the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Network Firewall rule groups**.

1. In the **AWS managed rule groups** tab, under **Threat signature rule groups**, select a rule group to view its details.

1. Choose **Duplicate rule group** to copy the rules into your own rule group. You can modify the rule group details, and then choose **Create rule group**.

   Alternatively, you can choose **Copy** to copy the rules to your clipboard. You can then modify them in a text editor, or create a new rule group and paste the rules into your own stateful rule group. For information about how to create your own stateful rule group, see [Creating a stateful rule group](rule-group-stateful-creating.md).

------
#### [ CLI ]

**To copy a managed threat signature rule group's rules using the AWS CLI**

1. Run `aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_THREAT_SIGNATURES` to filter the AWS managed threat signature rule groups.

1. In the following command, replace *rulegroup-arn* with the Amazon Resource Name (ARN) of the threat signature managed rule group that you'd like to copy:

   `aws network-firewall describe-rule-group --rule-group-arn rulegroup-arn`.

   Network Firewall returns the rule group details in the response, which you can parse and modify in your text editor. Then, you can use the modified rule group details to create your own rule group using the command [create-rule-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/create-rule-group.html).

------

# Getting notified of updates to a threat signature rule group in AWS Network Firewall
<a name="using-managed-rule-groups-sns"></a>

You can subscribe to Amazon Simple Notification Service (Amazon SNS) notifications for updates to a managed threat signature rule group, such as updates made for urgent security updates. AWS updates managed threat signature rule groups for Network Firewall as often as once a day to once a week.

The AWS threat signature managed rule groups use a single SNS subscription topic ARN, so you subscribe once for all the rule groups. 

**How to subscribe**  
To subscribe to notifications for a rule group, create an Amazon SNS subscription for the rule group's Amazon SNS topic ARN.

For information about how to subscribe to an Amazon SNS topic, see [Configuring Amazon Simple Notification Service](https://docs.aws.amazon.com/sns/latest/dg/sns-configuring.html) in the *[Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/)*.

**Where to find the Amazon SNS topic ARN for a threat signature managed rule group**

The AWS managed rule groups use a single SNS topic ARN, so you can retrieve the topic ARN from one of the rule groups and subscribe to it to get notifications for all of the managed rule groups.
+ **Console** 
  + On the Network Firewall rule groups page, in the **AWS managed rule group** tab, in the **Threat signature rule groups** section, select a rule group to view the rule group's details. The details include the rule group's Amazon SNS topic ARN. 
  + (Optional) After you've added the managed rule group to your firewall policy, choose **Edit** on the firewall policy, and then select and edit the rule group to view the rule group's Amazon SNS topic ARN.
+ **API** – The [DescribeRuleGroup](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html) response includes `SnsTopic`. The value for `SnsTopic` is the Amazon SNS topic ARN.
+ **CLI** – The [describe-rule-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/describe-rule-group.html) response includes `SnsTopic`. The value for `SnsTopic` is the Amazon SNS topic ARN.

**The notification format for AWS managed rule groups**  
The Amazon SNS notifications for AWS managed rule groups always contain the fields `Subject`, `Message`, and `MessageAttributes`. Other fields are included according to the type of message and which managed rule group the notification is for. 

The following shows an example notification for the `AWS-Managed-Threat-Signatures` topic.

```
{
  "Type" : "Notification",
  "MessageId" : "82a03348-5419-5945-9a82-699adada25e3",
  "TopicArn" : "arn:aws:sns:us-west-2:696851677263:AWS-Managed-Threat-Signatures",
  "Subject" : "New version available for: StatefulRG2",
  "Message" : "The following Network Firewall managed resource has a new version: arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/StatefulRG2. To view the new version, either call DescribeRuleGroup or view the resource in the Network Firewall console.",
  "Timestamp" : "2022-04-14T21:05:07.002Z",
  "SignatureVersion" : "1",
  "Signature" : "ZoDQM5iIhp6E7u84qnip14RTQo/5Vi+fpQ7/tYuqwk28o+7uXuHz9TygI6otycw6Dz5Pw+VOLu0PDuIK4xrGwFYrJypbsaZ1cbNRnM9upkzwGH8w/VORCDZ1QwKYKNP4Ep/mSKVyigh9qe+CHSW/jD2HNE9LY96li5D0h7a2594A12MH5koAXucnYUcHkclBAzwwxbbca2fCkI4PaT24SYyHem1COw86hLt1mDZYE8o7crIX7OUN19+/3vAtsJ2NJ4pLbbR7xufWQmQJks90irG9xRk9K5ky+/1xEv33RYPushZIYjf+H3EW7jX6fAc7+Dz/KLCX5Jeft2pheVMomQ==",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2a969abfda.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:AWS-Managed-Threat-Signatures:f2b28278-6d26-4d05-8332-1a96687c850f",
  "MessageAttributes" : {
    "source_revision_token" : {"Type":"String","Value":"14a7e0f5-e050-40d0-a0b1-001f690d44b9"},
    "managed_arn" : {"Type":"String","Value":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/StatefulRG2"}
  }
}
```

The notification contains `source_revision_token`. The value for `source_revision_token` is the `UpdateToken` that you can view when you call [DescribeRuleGroup](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeRuleGroup.html) in the *AWS Network Firewall API Reference*.
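As an added example (not code from the AWS documentation), the following Python ties this section to the copying procedure above: it reads `managed_arn` and `source_revision_token` from a notification shaped like the one shown, checks the token against the `UpdateToken` your copied rule group was built from, and diffs the old and new Suricata rules strings by `sid` so you can review exactly what changed before updating your copy. The notification, tokens and rules are constructed sample data; the `COPIED_FROM` record is an assumed local bookkeeping structure, and retrieving the new rules string with `describe-rule-group` is left to the caller.

```python
import json
import re
# Constructed sample values (not real AWS data): the managed rule group we copied from.
MANAGED_ARN = "arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetStrictOrder"
# Constructed SNS notification, shaped like the example on this page.
NOTIFICATION = json.dumps({
    "Subject": "New version available for: ThreatSignaturesBotnetStrictOrder",
    "Message": "The following Network Firewall managed resource has a new version: " + MANAGED_ARN,
    "MessageAttributes": {
        "source_revision_token": {"Type": "String", "Value": "token-v2"},
        "managed_arn": {"Type": "String", "Value": MANAGED_ARN},
    },
})
# Assumed local record: the UpdateToken of the managed revision each of our copies was built from.
COPIED_FROM = {MANAGED_ARN: "token-v1"}
# Constructed Suricata rules strings: the revision we copied and the newly announced one.
OLD_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed IRC check-in"; flow:established,to_server; sid:1000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"constructed C2 domain"; dns.query; content:"c2.example"; sid:1000002; rev:1;)"""
NEW_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed IRC check-in"; flow:established,to_server; content:"NICK "; sid:1000001; rev:2;)
# sid 1000002 retired in this revision
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed C2 beacon URI"; http.uri; content:"/gate.php"; sid:1000003; rev:1;)"""

def parse_notification(raw):
    """Return (managed_arn, source_revision_token) from a notification body."""
    attrs = json.loads(raw)["MessageAttributes"]
    return attrs["managed_arn"]["Value"], attrs["source_revision_token"]["Value"]

def stale_copy(raw, copied_from):
    """Return the managed ARN if our copy predates the announced revision, else None."""
    arn, token = parse_notification(raw)
    known = copied_from.get(arn)
    if known is None or known == token:
        return None  # never copied this rule group, or already built from this revision
    return arn

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def rules_by_sid(rules_string):
    """Index a Suricata rules string by sid, skipping blank lines and comments."""
    out = {}
    for line in rules_string.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and (m := SID_RE.search(line)):
            out[int(m.group(1))] = line
    return out

def diff_rules(old_rules, new_rules):
    """Diff two rules strings by sid: (added, removed, changed) sid lists to review."""
    old, new = rules_by_sid(old_rules), rules_by_sid(new_rules)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(s for s in set(old) & set(new) if old[s] != new[s])
    return added, removed, changed
```

A `changed` sid usually carries a bumped `rev`, which is the signal to re-apply any local customization to that rule rather than overwrite it wholesale.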

For general information about Amazon SNS notification formats and how to filter the notifications that you receive, see [Parsing message formats](https://docs.aws.amazon.com/sns/latest/dg/sns-message-and-json-formats.html) and [Amazon SNS subscription filter policies](https://docs.aws.amazon.com/sns/latest/dg/sns-subscription-filter-policies.html) in the Amazon Simple Notification Service Developer Guide. 