Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Splunkによるハニーポット監視.pdf

Avatar for sec-chick sec-chick
September 30, 2018
1.6k
0

 Splunkによるハニーポット監視.pdf

Avatar for sec-chick

sec-chick

September 30, 2018

More Decks by sec-chick

See All by sec-chick
不審なURLの見つけ方
Avatar for sec-chick secchick
1
550
honeypot
Avatar for sec-chick secchick
1
1k
SOCって何_公開用_-圧縮済み.pdf
Avatar for sec-chick secchick
6
2.1k
WelComeToHoneyPOTWORLD/ 低対話型ハニーポットを調査してみた
Avatar for sec-chick secchick
1
2.1k

Featured

See All Featured
Fireside Chat
Avatar for paigeccino paigeccino
42
4k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
22k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.7k
sira's awesome portfolio website redesign presentation
Avatar for ElsiraPls elsirapls
0
280
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
34k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k
エンジニアに許された特別な時間の終わり
Avatar for watany watany
107
250k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
32k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
170

Transcript

  1. 5   SPLUNK  SEC-CHICK

  2. WHO AM I •  sec-chick@one_sec_chick (('/+#!/) •  )/

    ,-$  PSOC&-% • 2 ('/+#% (WoW Honeypot, Honeytrap)  0".*/1

  3. 

  4.  Splunk (  ) WoWHoneypot Honeytrap PC  VPS

    SSH • Splunk

  5. SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$ ,;*!9,+$()0-"# • IT!905!29-6 7*!3 :

      > http://www.intellilink.co.jp/pd/products/package/security/splunk.html

  6.    • WoWHoneypot

  7.    • Honeytrap

  8.   8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705' 

    3. Splunk5' )7- 4. 37/  5. 2"570 .(70 82"570HEX$6(709

  9.   Attack_connection.local_port    10

  10.  Attack_connection.payload.data_hex  Hex  →    

  11.      

  12.   1.  Docker 2.    3.

    Splunk  4. Suricata 

  13. /.10,-%DOCKER • /.10,-&$ $!"' * ( #)  + $*

    (Docker+ • $ Docker+→% $

  14. %"-+( • .# Docker  %"-+(  • %"-+(cron$,* Splunk

    WoWHoneypot Honeytrap !/&0)'( VPS Honeypot.#   Docker  

  15.  Splunk WoWHoneypot Honeytrap   VPS Honeypot  Docker

    

  16. SPLUNK+;N?  • 0 '!0.*Splunk+;N? 1  • @:NB+2EJ9N<IM' DECRYPT

    1 • G4MA,+/ - "$F4LNB1@:NB"$ 'D3NKB("& → Grep '!0 *)0 - C=/87J1D3NKB("& → 0 C='#-! 1  - HK562+>5MLNB1%$URL1D3NKB("& → HK562+>5MLNB1VirusTotal'

  17. WOWHONEYPOT |rex field=_raw "¥"(?<Method_wow>[^¥s]+)¥s(?<wow_path>[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? <base64_wow>.*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’)

    |eval decode=urldecode(base64_wow_decrypted) | rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"

  18. HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[¥w/:¥.¥-]+?)¥s"

    | rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[¥w/:¥.¥-]+?)¥s" |

  19. HONEYTRAP

  20. SURICATA4  • Grep05%72# 9),#1 #  • ;=:><05"68+* 525

    /#2# →  ./ • Suricata3)#&#6),7 !1$/'-(#??

  21.  "!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi

    # • @soji256 • @morihi_soc # -,1.)+  !Twitter-)'0(% #-,1.)+ Slack!&/0,*$ !   2 http://goo.gl/8bLkZA

  22.   #  

  23. /)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$  +

    7!54+%5") • #81A@CB>?7$'7<:9$'/$3DD