Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Splunkによるハニーポット監視.pdf
Search
sec-chick
September 30, 2018
0
1.5k
Splunkによるハニーポット監視.pdf
sec-chick
September 30, 2018
Tweet
Share
More Decks by sec-chick
See All by sec-chick
不審なURLの見つけ方
secchick
1
460
honeypot
secchick
1
850
SOCって何_公開用_-圧縮済み.pdf
secchick
6
2k
WelComeToHoneyPOTWORLD/ 低対話型ハニーポットを調査してみた
secchick
1
1.8k
Featured
See All Featured
A Tale of Four Properties
chriscoyier
156
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
The Pragmatic Product Professional
lauravandoore
31
6.3k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Into the Great Unknown - MozCon
thekraken
31
1.5k
Become a Pro
speakerdeck
PRO
24
5k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Documentation Writing (for coders)
carmenintech
65
4.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Transcript
5 SPLUNK SEC-CHICK
WHO AM I • sec-chick@one_sec_chick (('/+#!/) • )/
,-$ PSOC&-% • 2 ('/+#% (WoW Honeypot, Honeytrap) 0".*/1
Splunk ( ) WoWHoneypot Honeytrap PC VPS
SSH • Splunk
SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$ ,;*!9,+$()0-"# • IT!905!29-6 7*!3 :
> http://www.intellilink.co.jp/pd/products/package/security/splunk.html
• WoWHoneypot
• Honeytrap
8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705'
3. Splunk5' )7- 4. 37/ 5. 2"570 .(70 82"570HEX$6(709
Attack_connection.local_port 10
Attack_connection.payload.data_hex Hex →
1. Docker 2. 3.
Splunk 4. Suricata
/.10,-%DOCKER • /.10,-&$ $!"' * ( #) + $*
(Docker+ • $ Docker+→% $
%"-+( • .# Docker %"-+( • %"-+(cron$,* Splunk
WoWHoneypot Honeytrap !/&0)'( VPS Honeypot.# Docker
Splunk WoWHoneypot Honeytrap VPS Honeypot Docker
SPLUNK+;N? • 0 '!0.*Splunk+;N? 1 • @:NB+2EJ9N<IM' DECRYPT
1 • G4MA,+/ - "$F4LNB1@:NB"$ 'D3NKB("& → Grep '!0 *)0 - C=/87J1D3NKB("& → 0 C='#-! 1 - HK562+>5MLNB1%$URL1D3NKB("& → HK562+>5MLNB1VirusTotal'
WOWHONEYPOT |rex field=_raw "¥"(?<Method_wow>[^¥s]+)¥s(?<wow_path>[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? <base64_wow>.*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’)
|eval decode=urldecode(base64_wow_decrypted) | rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"
HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[¥w/:¥.¥-]+?)¥s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[¥w/:¥.¥-]+?)¥s" |
HONEYTRAP
SURICATA4 • Grep05%72# 9),#1 # • ;=:><05"68+* 525
/#2# → ./ • Suricata3)#),7 !1$/'-(#??
"!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi
# • @soji256 • @morihi_soc # -,1.)+ !Twitter-)'0(% #-,1.)+ Slack!&/0,*$ ! 2 http://goo.gl/8bLkZA
#
/)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$ +
7!54+%5") • #81A@CB>?7$'7<:9$'/$3DD