5  
 SPLUNK  SEC-CHICK 

WHO AM I •  sec-chick@one_sec_chick (('/+#!/) • 
)/ ,-$
PSOC&-% • 2 ('/+#% (WoW Honeypot, Honeytrap)  0".*/1 




  Splunk (
 ) WoWHoneypot Honeytrap PC  VPS SSH • Splunk 

SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$,;*!9,+$()0-"# • 
IT!905!29-6 7*!3 :  > http://www.intellilink.co.jp/pd/products/package/security/splunk.html 

  
 • WoWHoneypot 

  
 • Honeytrap 

  8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705'  3. Splunk5' )7- 4. 
37/  5. 2"570 .(70 82"570HEX$6(709 


 Attack_connection.local_port  
 10 


 Attack_connection.payload.data_hex  Hex  →    

   
 

 1.  Docker 2. 
 3. Splunk  4. Suricata  

/.10,-%DOCKER • /.10,-&$ $!"'* (#)  + $* (Docker+ • $ Docker+
→% $ 

%"-+(
• .#Docker  %"-+(
• %"-+(cron$,* Splunk WoWHoneypot Honeytrap !/&0)'( VPS Honeypot.#   Docker   

 Splunk WoWHoneypot Honeytrap   VPS Honeypot  Docker
 

SPLUNK+;N? • 0 '!0.*Splunk+;N?1 • @:NB+2EJ9N


WOWHONEYPOT |rex field=_raw "¥"(?[^¥s]+)¥s(?[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? .*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’) |eval decode=urldecode(base64_wow_decrypted) | rex field="decode" "wget.+(?https?://[¥w/:¥.¥-]+?)¥s"| rex field="decode" "curl.+(?https?://[¥w/:¥.¥-]+?)¥s" 


HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?https?://[¥w/:¥.¥-]+?)¥s" | rex field="attack_connection.payload.data_decrypted" "curl.+(?https?://[¥w/:¥.¥-]+?)¥s" | 


HONEYTRAP 

SURICATA4  • Grep05%72# 9),#1#  • ;=:><05"68+* 525 /#2# → ./
• Suricata3)#),7 !1$/'-(#?? 

 "!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi # • @soji256 • @morihi_soc # -,1.)+ !Twitter-)'0(% #-,1.)+ Slack!&/0,*$ !  
2 http://goo.gl/8bLkZA 

 #  


/)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$
+7!54+%5") • #81A@CB>?7$'7<:9$'/$3DD