Great news for AWS Network Firewall users! AWS has just announced a new feature that simplifies alert generation and enhances network traffic visibility. You can now generate alerts directly from pass action rules, eliminating the need for separate alert rules.
What’s New?
Previously, if you wanted to trigger an alert for traffic matching a specific rule, you had to create two separate rules: one alert rule and one pass rule. For example:
alert tcp source_ip source_port -> destination_ip destination_port (msg:"alert-rule"; sid:1000;)
pass tcp source_ip source_port -> destination_ip destination_port (msg:"alert-rule"; sid:1001;)
Now you can achieve the same result with a single pass rule by adding the alert; option to the rule's option list:
pass tcp source_ip source_port -> destination_ip destination_port (msg:"pass-rule"; sid:1000; alert;)
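As an added example (not part of the AWS announcement), the script below reads a Suricata-style rule file written in the old two-rule form, finds each alert rule that matches exactly the same traffic as a pass rule, and rewrites the pair into the single pass rule with the alert; option shown above. The rule text is constructed; rules are only merged when both the header and every match option other than msg/sid/rev are identical, so an alert rule carrying extra content matches is left alone.

```python
import re

# Constructed sample rule set in the two-rule form the post describes (documentation IPs).
OLD_RULES = """
alert tcp 10.0.0.0/8 any -> 203.0.113.10 443 (msg:"alert-rule"; sid:1000;)
pass tcp 10.0.0.0/8 any -> 203.0.113.10 443 (msg:"alert-rule"; sid:1001;)
pass tcp any any -> 198.51.100.5 22 (msg:"ssh-admin"; sid:2000;)
"""

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|drop|reject)\s+(?P<header>.+?)\s*\((?P<opts>.*)\)\s*$")

def parse(text):
    """Parse rule lines into dicts (options split on ';', so a msg containing ';' needs a real parser)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = [o.strip() for o in m["opts"].split(";") if o.strip()]
        rules.append({"action": m["action"], "opts": opts,
                      "header": " ".join(m["header"].split())})
    return rules

def match_key(rule):
    """Header plus all options except msg/sid/rev/alert: equal keys mean equal traffic match."""
    body = tuple(o for o in rule["opts"]
                 if o.split(":", 1)[0] not in ("msg", "sid", "rev", "alert"))
    return (rule["header"], body)

def consolidate(rules):
    # Fold each alert rule into the pass rule with the same match key by adding 'alert'.
    passes = {match_key(r): r for r in rules if r["action"] == "pass"}
    kept, merged = [], 0
    for r in rules:
        if r["action"] == "alert" and match_key(r) in passes:
            target = passes[match_key(r)]
            if "alert" not in target["opts"]:
                target["opts"].append("alert")
            merged += 1
            continue          # the separate alert rule is no longer needed
        kept.append(r)
    return kept, merged

def render(rule):
    return f"{rule['action']} {rule['header']} ({'; '.join(rule['opts'])};)"
```

Running consolidate(parse(OLD_RULES)) leaves two pass rules, the first now ending in "sid:1001; alert;", and reports one merged pair; sids must still be unique within the rule group after the rewrite.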