
Tester script generates only one GuardDuty finding

Open Zero-bot opened this issue 4 years ago • 3 comments

I've used the guardduty-tester.template to create a CloudFormation stack and enabled GuardDuty in the same region. When I run $ ./guardduty_tester.sh from the tester instance, only the Recon:EC2/Portscan finding is generated by GuardDuty. Is there any reason why the other findings are not generated?

PS: I don't see any errors when running the script.

Zero-bot avatar Jun 01 '20 06:06 Zero-bot

When I try to connect to the tester instance with SSH after the setup step is done on /.ssh/config, I get "Enter passphrase for key '/root/.ssh/key.pem':". I don't have any passphrase set up here.

hirenshah005 avatar Jun 19 '20 12:06 hirenshah005

When I try to connect to the tester instance with SSH after the setup step is done on /.ssh/config, I get "Enter passphrase for key '/root/.ssh/key.pem':". I don't have any passphrase set up here.

  • Ensure that key.pem is the same SSH key associated with the EC2 instance.
  • If unsure, generate a new EC2 SSH key in the AWS web console, save the key on your workstation in a safe place and chmod 600 it, then relaunch the stack while setting the parameter in the CloudFormation template to make use of the new key. Log in as user ec2-user (since this is an Amazon Linux image you're logging into).

tonyfruzza avatar Sep 10 '20 20:09 tonyfruzza

I've used the guardduty-tester.template to create a CloudFormation stack and enabled GuardDuty in the same region. When I run $ ./guardduty_tester.sh from the tester instance, only the Recon:EC2/Portscan finding is generated by GuardDuty. Is there any reason why the other findings are not generated?

PS: I don't see any errors when running the script.

My account didn't have GuardDuty enabled for very long prior to this test and got 7 total. As GuardDuty runs longer it does build up a database of what it considers to be normal traffic and may be trained to believe some traffic is normal behavior.

tonyfruzza avatar Sep 10 '20 20:09 tonyfruzza

Closing this issue as it is nearly three years old and there is no actual issue identified that needs fixing. I will update the readme to indicate that the DNS-related findings do take longer to generate and will show later than some of the other findings.

scottbward avatar Aug 29 '23 17:08 scottbward
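Since the thread's conclusion is that findings from the tester arrive at different times (the DNS-based ones later than Recon:EC2/Portscan), the practical check is to poll the GuardDuty API for findings updated after the test started and watch which types appear. The script below is an added example, not part of amazon-guardduty-tester; it assumes boto3 credentials for the account and region of the tester stack, a detector id you supply, and the sample findings are constructed.

```python
"""Poll GuardDuty for findings updated after the tester was run and report
which finding types have shown up so far. Added example; not tester code."""
import time

# Constructed sample shaped like the Findings list returned by GetFindings
# (only the two fields this example uses). Trojan:EC2/DNSDataExfiltration is
# one of the DNS-based finding types that the thread says arrives later.
SAMPLE_FINDINGS = [
    {"Type": "Recon:EC2/Portscan", "UpdatedAt": "2020-06-01T06:15:00.000Z"},
    {"Type": "Recon:EC2/Portscan", "UpdatedAt": "2020-06-01T06:10:00.000Z"},
    {"Type": "Trojan:EC2/DNSDataExfiltration", "UpdatedAt": "2020-06-01T07:02:00.000Z"},
]


def finding_criteria(since_epoch_ms: int) -> dict:
    """FindingCriteria for ListFindings: only findings updated at/after the test start (ms epoch)."""
    return {"Criterion": {"updatedAt": {"Gte": since_epoch_ms}}}


def summarize(findings: list) -> dict:
    """Map finding type -> (count, earliest UpdatedAt) so slow types are visible."""
    summary = {}
    for finding in findings:
        ftype, seen = finding["Type"], finding["UpdatedAt"]
        count, first = summary.get(ftype, (0, seen))
        summary[ftype] = (count + 1, min(first, seen))
    return summary


def poll(detector_id: str, since_epoch_ms: int, rounds: int = 12, interval_s: int = 300) -> dict:
    """Query GuardDuty every interval_s seconds and print newly seen finding types."""
    import boto3  # imported here so the pure functions above run without AWS access
    gd = boto3.client("guardduty")
    summary = {}
    for _ in range(rounds):
        ids = gd.list_findings(DetectorId=detector_id,
                               FindingCriteria=finding_criteria(since_epoch_ms))["FindingIds"]
        findings = []
        for i in range(0, len(ids), 50):  # GetFindings accepts at most 50 ids per call
            findings += gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])["Findings"]
        latest = summarize(findings)
        for ftype in sorted(set(latest) - set(summary)):
            print(f"new finding type: {ftype} (first seen {latest[ftype][1]})")
        summary = latest
        time.sleep(interval_s)
    return summary


if __name__ == "__main__":
    # Replace DETECTOR_ID_PLACEHOLDER with your detector id; start time is "now".
    print(poll("DETECTOR_ID_PLACEHOLDER", int(time.time() * 1000)))
```

Run it right after ./guardduty_tester.sh finishes; if Recon:EC2/Portscan appears in the first rounds and the DNS-based types only later, that matches the behaviour described in this thread rather than a tester failure.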