Finding Suspicious Traffic using CloudWatch Log Insights and VPC Flow Logs

Share on:

While playing around with AWS CloudWatch Log Insights to analyze VPC flow logs, I thought of a couple of fun ways to identify (probably) malicious traffic.

Finding Vulnerability Scanners

These are the guys that hammer your box looking for anything from silly SQL injection attacks (so 2005) to CSRF vulnerabilities. The tell: look for hosts that reuse the same source port.

The Query

1filter (srcPort > 1024 and srcAddr != "private-IP") |
2stats count(*) as records by srcAddr,srcPort |
3sort records desc |
4limit 5

The Results

Suspicious traffic from the same source port

Finding Port Scanners

They just want to know if anybody’s listening. The tell: sending packets to a bunch of closed ports.

The Query

1filter (action="REJECT") |
2stats count_distinct(dstPort) as portcount by srcAddr |
3sort portcount desc |
4limit 5

The Results

The same source sending packets to a bunch of different ports