Closed fotzlapen closed 5 years ago
Hi fotzlapen - An updated version of the Lambda code has been added to the dev branch. We are testing but would welcome any feedback if you're also able to test. Once validated, we will update the master branch.
Hi Aws-Samples/Amazon-Guardduty-Waf-Acl,
Looks good to me. It blocked all the IPs that were in my test event this time.
Thanks very much for making this change.
Cheers,
Damon
On Tue, Jul 9, 2019 at 11:32 PM cworrell notifications@github.com wrote:
Hi fotzlapen - An updated version of the Lambda code https://github.com/aws-samples/amazon-guardduty-waf-acl/blob/dev/lambda/guardduty_to_acl_lambda.py has been added to the dev branch. We are testing but would welcome any feedback if you're also able to test. Once validated, we will update master.
Thanks for the feedback. This has been merged.
Hi Guys,
I believe there is a bug in the script. When it receives the IPs for a scan, they come in as an array, but the script only seems to be blocking the first IP in the array.
This is the offending line:
HostIp = event["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"]
portProbeDetails is actually an array of remoteIpDetails that contains more than just one entry. You probably need to loop through this array to block all of the offending IPs. Otherwise you are going to miss a whole bunch of IPs that are attacking you.
I'll attach a patch that I've made but you will probably find a more elegant way to do it with better error handling than my code.
Cheers!
Amazon_GuardDuty_NACL.patch.txt