Splunking_fw_dns

Transcript

1. © 2017 SPLUNK INC. © 2017 SPLUNK INC. © 2017

   SPLUNK INC. © 2017 SPLUNK INC. F D 4QMVOL 4FSWJDFT
   +BQBO
   4BMFT
   &OHJOFFS
   ԣా ૱ 
   WFS 4UFQ
   '8ɺ%/4ϩά෼ੳ

2. © 2017 SPLUNK INC. © 2017 SPLUNK INC. ▶ b

   D ylayl y x w y ye xe W rby xe i P N S ▶ Fl y • J R g E T N ( ) ## " %%% !#! !"! 
   &"" !#    • Using Splunk to Detect DNS Tunneling (SANS) ## " %%%""!!
   !%#  !"$"" $
   ##
   "
   #$
     • ## " %%%""!!
   !%#  !""##
   "
   #$
     • L eg D S A P ## " %%% %#!# # C

3. © 2017 SPLUNK INC. © 2017 SPLUNK INC. ▶ #"!&2$:8BG!

   D<@=1/ • sT r t e da ▶  /-,0 *(-%,'-%/ • t t pin ( M 2 1 2 -502 6 50 35 %) % ▶ /. 543 • - r M isi I n p />9EF?7 ɾɾɾ'JSF&ZF
   IUUQTXXXGJSFFZFDPNDPOUFOUEBNGJSFFZFXXXQBSUOFSTQEGTTC.BSTI'JSF&ZFQEG ɾɾɾ;%/FU
   +BQBOʢIUUQTKBQBO[EOFUDPNBSUJDMFʣ

4. © 2017 SPLUNK INC. © 2017 SPLUNK INC.  

   ! #"$ ')(+$    Πϯλʔωοτ ಺෦޲͚%.; ಺෦ωοτϫʔΫ ߈ܸऀ ֎෦޲͚%.; ίϚϯυ ίϯτϩʔϧ αʔό ܭըཱҊ ߈ܸ४උ ॳظજೖ ج൫ߏங ಺෦ௐࠪɾ৵ೖ ໨త਱ߦ ࠶৵ೖ           ൃݟతରࡦʹ༗ޮͳϩά෼ੳͷख๏Λ֤εςοϓ͝ͱʹ͝঺հ 
   " IPA      / !https://www.ipa.go.jp/security/vuln/newattack.html ೖޱରࡦ ಺෦ରࡦ ग़ޱରࡦ ग़ޱରࡦ

5. © 2017 SPLUNK INC. © 2017 SPLUNK INC. Πϯλʔωοτ ಺෦޲͚%.;

   ಺෦ωοτϫʔΫ 'JSFXBMM 41". ϑΟϧλ ϝʔϧαʔό %/4 8FC
   1SPYZ ϑΝΠϧ αʔό "DUJWF
   %JSFDUPSZ %#αʔό ߈ܸऀ ֎෦޲͚%.; 8FCΞϓϦ αʔό *%4*14 8"' 8FCΞϓϦ αʔό 4BOECPY 1$ Ξϯν ΢Πϧε %-1 &%3 ίϚϯυ ίϯτϩʔϧ αʔό
      ܭըཱҊ ߈ܸ४උ ॳظજೖ ج൫ߏங ಺෦ௐࠪɾ৵ೖ ໨త਱ߦ ࠶৵ೖ        ग़ޱରࡦ ग़ޱରࡦ 4UFQରԠࡁΈ

6. © 2017 SPLUNK INC. © 2017 SPLUNK INC. DNSFW 

   
    

7. © 2017 SPLUNK INC. © 2017 SPLUNK INC. E S

   e e F D i R i c y w 11 8 v D t aA v N e la T aC w i y vD lt ”o y v P v y w 8 v e a r y w • y Sy v N w eJ P r y w • & C F Sy w

8. © 2017 SPLUNK INC. © 2017 SPLUNK INC. 2 N

   ▶ b N C r e P S ▶ N W o F N D S b e o r e ίϚϯυ ίϯτϩʔϧ αʔό 
   () S S

9. © 2017 SPLUNK INC. © 2017 SPLUNK INC. xc y

   .23 e y ίϚϯυ ίϯτϩʔϧ αʔό D 2 P n C W u F Wy D S Wy D 1 bs o S 3W D ) ( N N 
   

10. © 2017 SPLUNK INC. © 2017 SPLUNK INC. 
    

      ؂ࢹਪ঑ ϩάιʔε ໨త ෼ੳϢʔεέʔε ஫ҙࣄ߲ ڧ͘ਪ঑ '8 Ϛϧ΢ΣΞײછ 1$ͷݕ஌ ֎෦ػ͔ؔΒͷ௨ใ࣌ʹɺ*1ΞυϨεΛݕࡧ͠'8 ϩάͱಥ߹  ڧ͘ਪ঑ %/4 Ϛϧ΢ΣΞײછ 1$ͷݕ஌ ֎෦ػ͔ؔΒͷ௨ใ࣌ʹɺ'2%/Λݕࡧ͠%/4ϩ άͱಥ߹  ڧ͘ਪ঑ '8 Ϛϧ΢ΣΞײછ 1$ͷݕ஌ ୹࣌ؒʹෳ਺ͷ֎෦Ѽઌ1ʹରͯ͠%/4௨৴Λߦ ͏୺຤ΛΞϊϚϦݕ஌ '8ϩάͷग़ྗ಺༰ʹ4VDDFTT΋ؚΊΔඞ ཁ͋Γɻ ڧ͘ਪ঑ '8 σʔλྲྀग़ඃٙ 1$ͷݕ஌ %/4τϥϑΟοΫͷ߹ܭαΠζͷ֎Ε஋ʢඪ४ภ ࠩʹجͮ͘ʣΛݕ஌ʢ4FDVSJUZ
    &TTFOUJBMʣ '8ϩάͷग़ྗ಺༰ʹ4VDDFTT΋ؚΊΔඞ ཁ͋Γɻ ਪ঑ %/4 σʔλྲྀग़ඃٙ 1$ͷݕ஌ %/4ΫΤϦ͕ҟৗʹ௕͍΋ͷΛΞϊϚϦݕ஌ υϝΠϯͷϗϫΠτϦετӡ༻ͱซ༻͢Δ ඞཁ͋Γ Ͱ͖Ε͹ %/4 Ϛϧ΢ΣΞײછ 1$ͷݕ஌ ʮ63-
    5PPM
    #PYʯ"QQΛ࢖ͬͨ%("υϝΠϯͷ ݕ஌ υϝΠϯͷϗϫΠτϦετӡ༻ͱซ༻͢Δ ඞཁ͋Γ F

11. © 2017 SPLUNK INC. © 2017 SPLUNK INC. c n

    s .6a- r qtno y| W _pv cusk a rz| | w | kvteqjohmidb I : F D F ) D I)= M I F NNN I : F 1 -) 5()- N P NNN NNN : D N D F I N I : F D F ) D I)= M I F :A IF D I I I L I I F I 3 0 I : I F I I D: I : F I :> I D: I " I D: se P nu Q S e a iI e E e Di Nil I F e iIW p F e ly tiIW p |

12. © 2017 SPLUNK INC. © 2017 SPLUNK INC. N D

    ) r hE ys c e k : 3 n tu hN h_l h l n ) nDaA 5 4 ( h 5 4 :3 3.5 ik n 5 4/. 5 4 . h b S m lb : 3 h b S m lb

13. © 2017 SPLUNK INC. © 2017 SPLUNK INC.  

       !"# 2D NP ( D34 P 5 )

14. © 2017 SPLUNK INC. © 2017 SPLUNK INC. 
    

15. © 2017 SPLUNK INC. © 2017 SPLUNK INC.  F

     W S D F
     F  F N F

16. © 2017 SPLUNK INC. © 2017 SPLUNK INC. © 2017

    SPLUNK INC. © 2017 SPLUNK INC.