5 SPLUNK SEC-CHICK

WHO AM I • sec-chick@one_sec_chick (('/+#!/) • )/ ,-$ PSOC&-% • 2 ('/+#% (WoW Honeypot, Honeytrap) 0".*/1

Splunk ( ) WoWHoneypot Honeytrap PC VPS SSH • Splunk

SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$,;*!9,+$()0-"# • IT!905!29-6 7*!3 : > http://www.intellilink.co.jp/pd/products/package/security/splunk.html

• WoWHoneypot

• Honeytrap

8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705' 3. Splunk5' )7- 4. 37/ 5. 2"570 .(70 82"570HEX$6(709

Attack_connection.local_port 10

Attack_connection.payload.data_hex Hex →

1. Docker 2. 3. Splunk 4. Suricata

/.10,-%DOCKER • /.10,-&$ $!"'* (#) + $* (Docker+ • $ Docker+→% $

%"-+( • .#Docker %"-+( • %"-+(cron$,* Splunk WoWHoneypot Honeytrap !/&0)'( VPS Honeypot.# Docker

Splunk WoWHoneypot Honeytrap VPS Honeypot Docker

SPLUNK+;N? • 0 '!0.*Splunk+;N?1 • @:NB+2EJ9N5MLNB1%$URL1D3NKB("& → HK562+>5MLNB1VirusTotal'

WOWHONEYPOT |rex field=_raw "¥"(?[^¥s]+)¥s(?[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? .*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’) |eval decode=urldecode(base64_wow_decrypted) | rex field="decode" "wget.+(?https?://[¥w/:¥.¥-]+?)¥s"| rex field="decode" "curl.+(?https?://[¥w/:¥.¥-]+?)¥s"

HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?https?://[¥w/:¥.¥-]+?)¥s" | rex field="attack_connection.payload.data_decrypted" "curl.+(?https?://[¥w/:¥.¥-]+?)¥s" |

HONEYTRAP

SURICATA4 • Grep05%72# 9),#1# • ;=:><05"68+* 525 /#2# → ./ • Suricata3)#),7 !1$/'-(#??

"!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi # • @soji256 • @morihi_soc # -,1.)+ !Twitter-)'0(% #-,1.)+ Slack!&/0,*$ ! 2 http://goo.gl/8bLkZA

#

/)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$ +7!54+%5") • #81A@CB>?7$'7<:9$'/$3DD