aws-samples / amazon-guardduty-waf-acl

AWS GD2ACL
https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/
MIT No Attribution
56 stars, 40 forks

Only Blocking First Offending IP #5

Closed. fotzlapen closed this issue 5 years ago.

fotzlapen commented 5 years ago

Hi Guys,

I believe there is a bug in the script. When it receives the IPs for a scan, they come in as an array, but the script only seems to be blocking the first IP in the array.

This is the offending line:

HostIp = event["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"]

portProbeDetails is actually an array of remoteIpDetails that contains more than just one entry. You probably need to loop through this array to block all of the offending IPs. Otherwise you are going to miss a whole bunch of IPs that are attacking you.

I'll attach a patch that I've made but you will probably find a more elegant way to do it with better error handling than my code.

Cheers!

Amazon_GuardDuty_NACL.patch.txt
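The point of the issue, worked through as an added example (this is not the project's Lambda nor the attached patch): instead of reading `portProbeDetails[0]`, walk the whole list and collect every `remoteIpDetails.ipAddressV4`. The sample finding below is constructed; it also covers a NETWORK_CONNECTION finding, where GuardDuty places a single `remoteIpDetails` directly under `networkConnectionAction` rather than in a list, which is beyond what the issue discusses. The exclusion of RFC 1918, loopback and link-local ranges is an added policy choice, not something the page describes: pushing such an address into a NACL or WAF rule would block the VPC's own traffic.

```python
"""Collect every remote IP in a GuardDuty finding, not only portProbeDetails[0].

Added example; not the aws-samples Lambda. The event layout follows the
GuardDuty finding format; the private-range exclusion is an assumed policy.
"""
import ipaddress
from typing import Any, Dict, Iterator, List, Optional

# Ranges that must never be written into a block list (assumed policy):
# blocking them would cut off traffic inside the VPC or to the host itself.
_NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample: a PORT_PROBE finding with five probe entries. Two share
# an IP, one is an RFC 1918 address, one lacks ipAddressV4, one is malformed.
SAMPLE_PORT_PROBE_EVENT: Dict[str, Any] = {
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "service": {
            "action": {
                "actionType": "PORT_PROBE",
                "portProbeAction": {
                    "portProbeDetails": [
                        {"localPortDetails": {"port": 22},
                         "remoteIpDetails": {"ipAddressV4": "198.51.100.10"}},
                        {"localPortDetails": {"port": 3389},
                         "remoteIpDetails": {"ipAddressV4": "203.0.113.7"}},
                        {"localPortDetails": {"port": 445},
                         "remoteIpDetails": {"ipAddressV4": "198.51.100.10"}},
                        {"localPortDetails": {"port": 8080},
                         "remoteIpDetails": {"ipAddressV4": "10.0.0.5"}},
                        {"localPortDetails": {"port": 80},
                         "remoteIpDetails": {}},
                        {"localPortDetails": {"port": 443},
                         "remoteIpDetails": {"ipAddressV4": "not-an-ip"}},
                    ]
                },
            }
        },
    }
}

# Constructed sample: a NETWORK_CONNECTION finding, where remoteIpDetails sits
# directly under networkConnectionAction instead of inside a list.
SAMPLE_NETWORK_EVENT: Dict[str, Any] = {
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "remoteIpDetails": {"ipAddressV4": "192.0.2.44"}
                },
            }
        },
    }
}


def _candidate_ips(action: Dict[str, Any]) -> Iterator[Optional[str]]:
    """Yield the raw ipAddressV4 string of every remoteIpDetails in the action."""
    probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
    for probe in probes:  # the whole list, not just index 0
        yield probe.get("remoteIpDetails", {}).get("ipAddressV4")
    conn = action.get("networkConnectionAction")
    if conn:
        yield conn.get("remoteIpDetails", {}).get("ipAddressV4")


def extract_block_cidrs(event: Dict[str, Any]) -> List[str]:
    """Return the sorted, de-duplicated /32 CIDRs a finding says to block.

    Entries with no address, an unparseable address, or an address in a
    never-block range are skipped so that one bad entry does not stop the
    remaining IPs from being blocked.
    """
    action = event.get("detail", {}).get("service", {}).get("action", {})
    cidrs = set()
    for raw in _candidate_ips(action):
        if not raw:
            continue  # remoteIpDetails present but no IPv4 address
        try:
            addr = ipaddress.IPv4Address(raw)
        except ipaddress.AddressValueError:
            continue  # malformed address; log in a real handler
        if any(addr in net for net in _NEVER_BLOCK):
            continue  # would block the VPC's own traffic
        cidrs.add(f"{addr}/32")
    return sorted(cidrs)


if __name__ == "__main__":
    print(extract_block_cidrs(SAMPLE_PORT_PROBE_EVENT))
    print(extract_block_cidrs(SAMPLE_NETWORK_EVENT))
```

The returned /32 list is what the handler would then feed into the NACL entries and the WAF IP set; de-duplicating first matters because a NACL has a small entry limit and a probe from one host against several ports shows up as several `portProbeDetails` entries with the same `ipAddressV4`.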

cgulliver commented 5 years ago

Hi fotzlapen - An updated version of the Lambda code has been added to the dev branch. We are testing but would welcome any feedback if you're also able to test. Once validated, we will update the master branch.

fotzlapen commented 5 years ago

Hi Aws-Samples/Amazon-Guardduty-Waf-Acl,

Looks good to me. It blocked all the IPs that were in my test event this time.

Thanks very much for making this change.

Cheers,

Damon

On Tue, Jul 9, 2019 at 11:32 PM cworrell notifications@github.com wrote:

Hi fotzlapen - An updated version of the Lambda code https://github.com/aws-samples/amazon-guardduty-waf-acl/blob/dev/lambda/guardduty_to_acl_lambda.py has been added to the dev branch. We are testing but would welcome any feedback if you're also able to test. Once validated, we will update master.


cgulliver commented 5 years ago

Thanks for the feedback. This has been merged.