While playing around with AWS CloudWatch Log Insights to analyze VPC flow logs, I thought of a couple of fun ways to identify (probably) malicious traffic.
Finding Vulnerability Scanners
These are the guys that hammer your box looking for anything from silly SQL injection attacks (so 2005) to CSRF vulnerabilities. The tell: look for hosts that reuse the same source port.
filter (srcPort > 1024 and srcAddr != "private-IP") | stats count(*) as records by srcAddr,srcPort | sort records desc | limit 5
Finding Port Scanners
They just want to know if anybody’s listening. The tell: sending packets to a bunch of closed ports.
filter (action="REJECT") | stats count_distinct(dstPort) as portcount by srcAddr | sort portcount desc | limit 5