Daily Blog #634: AWS GuardDuty False Positives

AWS GuardDuty false positives - Hacking Exposed Blog by David Cowen


Hello Reader,
This is another post that I'm making in the hopes that someone who is searching for this will find it and get their answer.

Do you have VMs running in AWS?
Do you have Amazon GuardDuty running?
Did you just get an alert claiming that your VM originated a connection to an external IP using an odd port combination (such as source port 80 and destination port 80)?

Well, as it turns out, it may be a false positive. With VPC Flow Logs being fed through GuardDuty, there currently appears to be an issue telling inbound traffic apart from outbound traffic. A flow-log record only carries the addresses and ports of each flow, not which side opened the connection, so a probe arriving from source port 80 (and any reply your instance sends back to it) can be read as your VM connecting out to an external IP on port 80. An alert like the one described above can therefore be triggered if someone simply port scans you with a source port of 80.

Why would someone port scan with a source port of 80? To get past simple stateless packet filters that allow traffic on port 80 through but block other ports: such a filter judges each packet by its port numbers rather than by which side opened the connection, so a probe that claims source port 80 slips through.
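The mechanism described in the two paragraphs above, as an added example that is not code from the original post: a handful of constructed VPC Flow Log records (default version-2 field order) are parsed, a naive "who opened the connection" heuristic is run over them, and the same records are then re-read with the scanner's fixed source port taken into account. The IP addresses, ENI id and account id are made up; the instance IP, the `min_ports` threshold and the lower-port-is-the-server rule are assumptions for the sake of the example, not a description of how GuardDuty actually decides direction.

```python
"""
Added example (not from the original post): show how a port scan that sends every
probe from source port 80 looks, to a naive direction heuristic over VPC Flow Log
records, like the instance itself opening a connection to an external IP on port 80,
and how grouping records by (remote address, fixed source port) exposes it as a scan.
"""
from collections import defaultdict
from dataclasses import dataclass

INSTANCE_IP = "10.0.1.23"  # assumed private IP of the instance under triage

# Constructed sample records in the default v2 flow-log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# 198.51.100.7 plays the scanner (fixed source port 80), 203.0.113.9 a normal HTTPS server.
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 80 22 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 80 443 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 80 3389 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 80 80 6 1 44 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 80 80 6 1 40 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.9 51234 443 6 20 4100 1600000100 1600000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 443 51234 6 18 9800 1600000100 1600000160 ACCEPT OK
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    action: str


def parse_flow_logs(text):
    """Parse default-format records. NODATA/SKIPDATA lines carry '-' in the address and
    port fields, so anything whose log-status is not OK is dropped instead of crashing."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        flows.append(Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return flows


def naive_direction(flow, instance_ip):
    """Guess who opened the connection from a single record (assumed heuristic): the side
    with the lower-numbered port is the server, so the other side is the client; on a
    tie (80 -> 80) srcaddr is taken to be the client. A rule like this turns a
    source-port-80 scan into an 'outbound connection on port 80'."""
    client = flow.dst if flow.sport < flow.dport else flow.src
    return "outbound" if client == instance_ip else "inbound"


def find_fixed_source_port_scans(flows, instance_ip, min_ports=3):
    """Remote hosts that hit several distinct instance ports from one unchanging source
    port, the signature of a fixed-source-port scan. Returns {(remote_ip, sport): ports}."""
    targeted = defaultdict(set)
    for f in flows:
        if f.dst == instance_ip and f.src != instance_ip:
            targeted[(f.src, f.sport)].add(f.dport)
    return {k: v for k, v in targeted.items() if len(v) >= min_ports}


def direction_with_scan_context(flow, instance_ip, scans):
    """Direction after accounting for known scanners: any record between the instance and
    a scanner's fixed source port, in either orientation, is part of the inbound scan."""
    if flow.src == instance_ip and (flow.dst, flow.dport) in scans:
        return "inbound"  # the instance answering the scanner, not calling out
    if flow.dst == instance_ip and (flow.src, flow.sport) in scans:
        return "inbound"
    return naive_direction(flow, instance_ip)


def triage(text, instance_ip=INSTANCE_IP):
    """Return one (flow, naive_verdict, contextual_verdict) tuple per parsed record."""
    flows = parse_flow_logs(text)
    scans = find_fixed_source_port_scans(flows, instance_ip)
    return [(f, naive_direction(f, instance_ip),
             direction_with_scan_context(f, instance_ip, scans)) for f in flows]


if __name__ == "__main__":
    for flow, naive, contextual in triage(FLOW_LOG_LINES):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} {flow.action:6} "
              f"naive={naive:8} with-scan-context={contextual}")
```

Run against the sample, the naive rule labels the instance's 80 -> 80 reply to the scanner, and even two of the scanner's rejected probes, as outbound; grouping by the scanner's fixed source port reclassifies all of them as one inbound scan while leaving the genuine outbound HTTPS session alone. The default v2 format has no TCP flags, which is exactly why direction has to be guessed here; a custom flow-log format that includes them makes the SYN sender explicit.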

So if you just got this alert and you are madly triaging the system and not finding any evidence of compromise ... pull the raw VPC Flow Log records for that network interface and look at the external address in the finding: a burst of records from the same external IP with one fixed source port hitting many different ports on your instance is a scan, not an outbound connection. If that is what you see, contact AWS, it may be a false positive.
