SPLUNK / SEC-CHICK
WHO AM I
• sec-chick (@one_sec_chick)
• PSOC
• WoW Honeypot, Honeytrap
Splunk / WoWHoneypot / Honeytrap / PC / VPS / SSH
SPLUNK
• Splunk
• http://www.intellilink.co.jp/pd/products/package/security/splunk.html
• WoWHoneypot
• Honeytrap
1. SSH … 2. Splunk … 3. Splunk … 4. … 5. … HEX
• attack_connection.local_port
• attack_connection.payload.data_hex (hex → decoded)
1. Docker 2. … 3. Splunk 4. Suricata
DOCKER
• Docker
• cron
• Splunk / WoWHoneypot / Honeytrap / VPS / Honeypot / Docker
SPLUNK
• Splunk
• Grep
• URL → VirusTotal
WOWHONEYPOT
(Backslashes were rendered as ¥ and the rex capture-group names were dropped in extraction; ts, src and url below are placeholder names, while base64_wow is taken from the decrypt stage that follows.)
| rex field=_raw "(?<ts>[^\s]+)\s(?<src>[^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<base64_wow>.*$)"
| decrypt field="base64_wow" atob emit('base64_wow_decrypted')
| eval decode=urldecode(base64_wow_decrypted)
| rex field="decode" "wget.+(?<url>https?://[\w/:\.\-]+?)\s"
| rex field="decode" "curl.+(?<url>https?://[\w/:\.\-]+?)\s"
HONEYTRAP
| decrypt field="attack_connection.payload.data_hex" unhex emit('attack_connection.payload.data_decrypted')
| rex field="attack_connection.payload.data_decrypted" "wget.+(?<url>https?://[\w/:\.\-]+?)\s"
| rex field="attack_connection.payload.data_decrypted" "curl.+(?<url>https?://[\w/:\.\-]+?)\s"
SURICATA
• Grep
• Suricata
• @Sec_S_Owl • @cactus_pots • @SugitaMuchi • @soji256 • @morihi_soc
• Twitter
• Slack: http://goo.gl/8bLkZA
• Splunk …