Splunkによるハニーポット監視.pdf

5 SPLUNK SEC-CHICK

WHO AM I • sec-chick@one_sec_chick (('/+#!/) • )/
,-$ PSOC&-% • 2 ('/+#% (WoW Honeypot, Honeytrap) 0".*/1

Splunk ( ) WoWHoneypot Honeytrap PC VPS
SSH • Splunk

SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$ ,;*!9,+$()0-"# • IT!905!29-6 7*!3 :
> http://www.intellilink.co.jp/pd/products/package/security/splunk.html

• WoWHoneypot

• Honeytrap

8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705'
3. Splunk5' )7- 4. 37/ 5. 2"570 .(70 82"570HEX$6(709

Attack_connection.local_port 10

Attack_connection.payload.data_hex Hex →

1. Docker 2. 3.
Splunk 4. Suricata

/.10,-%DOCKER • /.10,-&$ $!"' * ( #) + $*
(Docker+ • $ Docker+→% $

%"-+( • .# Docker %"-+( • %"-+(cron$,* Splunk
WoWHoneypot Honeytrap !/&0)'( VPS Honeypot.# Docker

Splunk WoWHoneypot Honeytrap VPS Honeypot Docker

SPLUNK+;N? • 0 '!0.*Splunk+;N? 1 • @:NB+2EJ9N<IM' DECRYPT
1 • G4MA,+/ - "$F4LNB1@:NB"$ 'D3NKB("& → Grep '!0 *)0 - C=/87J1D3NKB("& → 0 C='#-! 1 - HK562+>5MLNB1%$URL1D3NKB("& → HK562+>5MLNB1VirusTotal'

WOWHONEYPOT |rex field=_raw "¥"(?<Method_wow>[^¥s]+)¥s(?<wow_path>[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? <base64_wow>.*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’)
|eval decode=urldecode(base64_wow_decrypted) | rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[¥w/:¥.¥-]+?)¥s"

HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[¥w/:¥.¥-]+?)¥s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[¥w/:¥.¥-]+?)¥s" |

HONEYTRAP

SURICATA4 • Grep05%72# 9),#1 # • ;=:><05"68+* 525
/#2# → ./ • Suricata3)#&#6),7 !1$/'-(#??

"!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi
# • @soji256 • @morihi_soc # -,1.)+ !Twitter-)'0(% #-,1.)+ Slack!&/0,*$ ! 2 http://goo.gl/8bLkZA

/)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$ +
7!54+%5") • #81A@CB>?7$'7<:9$'/$3DD

Splunkによるハニーポット監視.pdf

Splunkによるハニーポット監視.pdf

sec-chick

More Decks by sec-chick

Featured

Transcript

5 SPLUNK SEC-CHICK

WHO AM I • sec-chick@one_sec_chick (('/+#!/) • )/

Splunk ( ) WoWHoneypot Honeytrap PC VPS

SPLUNK • Splunk<(159$= 16%;'49&;/ .+-8;$ ,;!9,+$()0-"# • IT!905!29-6 7!3 :

• WoWHoneypot

• Honeytrap

8 9 1. SSH)71!&+*57%45' ,#6570 2. Splunk)71,#65705'

Attack_connection.local_port 10

Attack_connection.payload.data_hex Hex →

1. Docker 2. 3.

/.10,-%DOCKER • /.10,-&$ $!"' * ( #) + $*

%"-+( • .# Docker %"-+( • %"-+(cron$,* Splunk

Splunk WoWHoneypot Honeytrap VPS Honeypot Docker

SPLUNK+;N? • 0 '!0.*Splunk+;N? 1 • @:NB+2EJ9N<IM' DECRYPT

WOWHONEYPOT |rex field=_raw "¥"(?<Method_wow>[^¥s]+)¥s(?<wow_path>[^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s([^¥s]+)¥s(? <base64_wow>.*$)" | decrypt field="base64_wow" atob emit('base64_wow_decrypted’)

HONEYTRAP | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted') | rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[¥w/:¥.¥-]+?)¥s"

HONEYTRAP

SURICATA4 • Grep05%72# 9),#1 # • ;=:><05"68+* 525

"!-,1.)(1 • @Sec_S_Owl # • @cactus_pots # • @SugitaMuchi

#

/)0 • Splunk(,A@CB>?, +&' • (5)"6-*5. $2%4+;C= 7$ +