Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-vpc-flow-log-detections
Overview
4Dashboards
6Benchmarks
18Queries
1Variables
GitHub

Detection: Traffic With Unusual Protocols

Overview

Detect unusual protocol usage in VPC Flow Logs. Unusual protocol usage may indicate potential tunneling techniques, covert communication channels, or command and control traffic attempting to evade security controls. Monitoring for uncommon protocols helps identify adversaries using non-standard communication methods to maintain persistence, exfiltrate data, or control compromised systems while bypassing traditional detection mechanisms focused on common protocols.

This detection monitors only accepted traffic for protocols other than TCP (6), UDP (17), and ICMP (1).

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_vpc_flow_log_detections.detection.traffic_with_unusual_protocols

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_vpc_flow_log_detections.detection.traffic_with_unusual_protocols --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
interface_id as resource,
src_addr as source_ip,
src_port::varchar as source_port,
dst_addr as destination_ip,
dst_port::varchar as destination_port,
case
  when protocol = 1 then 'ICMP (1)'
  when protocol = 6 then 'TCP (6)'
  when protocol = 17 then 'UDP (17)'
  else 'Other (' || protocol || ')'
end as protocol,
account_id,
region,
vpc_id,
tp_id as source_id,
 -- Create new aliases to preserve original row data
protocol as protocol_src,
*
exclude (account_id, protocol, region, vpc_id)


from
  aws_vpc_flow_log
where
  protocol not in (6, 17, 1) -- Not TCP, UDP, or ICMP
  and action = 'ACCEPT'
order by
  tp_timestamp desc;

Tags

category = Detections
mitre_attack_ids = TA0011:T1071.001
plugin = aws
service = AWS/VPC