Elastic Stack
Technology Innovation Group
2017.06.20(Tue)
Masamitsu Maehara
What happens when you visualize servers exposed to the world?
Self Introduction
- Masamitsu Maehara
- Future Architect, Inc.
- Technology Innovation Group
- Messing around with AWS
- yurufuwa Engineer
@micci184
The Purpose
- Get to know the wonders of Elastic Stack
- Get to know the fun part of visualizing logs
Elastic Stack??
Elastic Stack
[Diagram: Elastic Cloud hosting Logstash/Beats, Elasticsearch and Kibana, plus the add-ons Security, Alert, Monitor and Graph]
- Logstash/Beats: import logs
- Elasticsearch: store/index/analyze
- Kibana: user interface
Expose to the world?
HoneyPot??
HoneyPot
- High-interaction honeypot
  - Uses a real OS and real applications
  - Easy to collect detailed information
  - High risk
- Low-interaction honeypot
  - Observes attacks by emulating an OS and applications
  - Limited functionality
  - Easily noticed by attackers
  - Safer than a high-interaction honeypot
Dionaea
- Low-interaction honeypot
- Gathers malware
- SMB/HTTP/HTTPS/FTP/TFTP/MSSQL/SIP
- Creates a front-end view (just to make it look real)
Cowrie
- Low-interaction honeypot
- Specialized for SSH
- Better than Kippo
Configuration
- Built on AWS
- Install Beats on the honeypots
- Gather the data into Elastic Stack
[Architecture diagram: region Virginia, a "HoneyPot VPC" with a public subnet containing Dionaea, Cowrie, WordPress and the Elastic Stack server; clients on the internet attack the exposed hosts, whose logs are shipped to the Elastic Stack for monitoring]
Install Dionaea
### Ubuntu 14.04
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:honeynet/nightly
$ sudo apt-get update
$ sudo apt-get install dionaea
### Start Dionaea
$ sudo service dionaea start
Install Cowrie
### Ubuntu 16.04
$ sudo apt-get install git python-virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
### Add the cowrie user
$ sudo adduser --disabled-password cowrie
$ sudo su - cowrie
### Set up the virtual environment
$ virtualenv cowrie-env
$ source cowrie-env/bin/activate
### Install the configuration file, then point PYTHONPATH at the Cowrie checkout
$ export PYTHONPATH=/home/cowrie/cowrie
### Start Cowrie (from inside the checkout)
$ bin/cowrie start
Activating virtualenv “cowrie-env”
Starting cowrie: [twistd -l log/cowrie.log --umask 0077 --pidfile var/run/cowrie.pid cowrie ]...
$ bin/cowrie status
cowrie is running (PID: 5979).
Beats
- Data shipper
- The Beats FamBam
  - Filebeat: sends log files
  - Metricbeat: sends metric data (CPU/Mem, etc.)
  - Packetbeat: sends packet capture data
  - Winlogbeat: sends Windows event logs
  - Heartbeat: audits system status
Data Flow
- Store the Apache/MySQL data for WordPress directly into Elasticsearch
- Store the logs from the honeypots into Elasticsearch via Logstash
[Data flow diagram: Dionaea (Ubuntu) with Filebeat shipping dionaea.log and binaries/*, and Cowrie (Ubuntu) with Filebeat shipping cowrie.log, both into Logstash (Amazon Linux: Input -> Filter -> Output) and on to Elasticsearch/Kibana; the WordPress host (Amazon Linux) runs Filebeat for Apache, Metricbeat, and Packetbeat for MySQL, all sending straight to Elasticsearch]
Filebeat Modules
- Install Filebeat
$ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.0-alpha2-x86_64.rpm
$ sudo rpm -vi filebeat-6.0.0-alpha2-x86_64.rpm
### Configuring
$ vim /etc/filebeat/filebeat.yml
#------------------------------- Apache2 Module ------------------------------
- module: apache2
  # Access logs
  access:
    enabled: true
    var.paths: ["/var/log/httpd/access_log"]
  # Error logs
  error:
    enabled: true
    var.paths: ["/var/log/httpd/error_log"]
#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200"]
Ingest Plugins
- Install Ingest GeoIP and Ingest User Agent
- Ingest GeoIP: maps IP addresses to geolocations
- Ingest User Agent: parses the user-agent string into its components
- Install the ingest plugins on the Elastic Stack server
### Ingest GeoIP
$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
### Ingest User Agent
$ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
!!Attention #01
- Be mindful of proxy environments
- You will get a timeout error when installing the ingest plugins
- Make sure to define the proxy settings (ES_JAVA_OPTS) before installing
$ sudo /usr/share/elasticsearch/bin//elasticsearch-plugin install ingest-user-agent
-> Downloading ingest-user-agent from elastic
Exception in thread "main" java.net.ConnectException: Connection timed out
### Setup proxy
$ export ES_JAVA_OPTS="-Dhttp.proxyHost=xxx -Dhttp.proxyPort=xxx -Dhttps.proxyHost=xxx -Dhttps.proxyPort=xxx"
### Install ingest-user-agent
$ /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
-> Downloading ingest-user-agent from elastic
[=================================================] 100%
### Ingest GeoIP
!!Attention #02
- Be mindful of proxy environments
- Handy setting that imports the Kibana dashboards when Filebeat starts
  # configure the dashboard settings in filebeat.yml
- However, in environments with proxy settings it will not work! :(
- In that case, import them manually
$ sudo vim /etc/filebeat/filebeat.yml
#============================== Dashboards =====================================
- #setup.dashboards.enabled: false
+ setup.dashboards.enabled: true
$ sudo /usr/share/filebeat/scripts/import_dashboards -file /tmp/beats-dashboards-x.x.zip -es http://xxx:9200
Visualization♥
Beautiful♥
Until recently…
- Send the logs to be visualized from Filebeat to Logstash
- Normalize the received logs with Logstash and store them in Elasticsearch
- Create a dashboard on Kibana to make it look cool
Sooooo,,,
Who needs Logstash?
Wait!
Logstash & Dionaea
Malware
- Is this the malware Dionaea captured?
- It is all piling up under /opt/dionaea/var/dionaea/binaries…
$ ll /opt/dionaea/var/dionaea/binaries
-rw------- 1 dionaea dionaea 53 Jun 6 02:59 d41d8cd98f00b204e9800998ecf8427e.gz
-rw------- 1 dionaea dionaea 162168 Jun 7 22:56 dc8c32d7f26352c8484bc490b6467843.gz
-rw------- 1 dionaea dionaea 153820 Jun 7 02:34 dd0400bed68d272b08d1d0272bc18462.gz
-rw------- 1 dionaea dionaea 129803 Jun 5 01:01 de1e602b2452a95ba57ef53347e50094.gz
-rw------- 1 dionaea dionaea 22778 Jun 6 17:38 e0ddd8bf8e3b97ad25855721dc75daae.gz
-rw------- 1 dionaea dionaea 155154 Jun 7 04:33 e53ed987e82ad7bf076c23d91401cac7.gz
-rw------- 1 dionaea dionaea 1189 Jun 8 15:32 ead49a9b7b0c8ad6894be45674cebf77.gz
-rw------- 1 dionaea dionaea 22777 Jun 6 17:39 eb18a7d302bbc8c0b3ed2cd1612e8d59.gz
…
-rw------- 1 dionaea dionaea 21966 Jun 5 16:52 ee0efafc69a13cd57d714ffdc603d8fc.gz
-rw------- 1 dionaea dionaea 154329 Jun 4 16:48 f09ee5028fd1b1eaaf22df1538de159b.gz
-rw------- 1 dionaea dionaea 156637 Jun 9 08:51 f5f1fd0d093d81a4a769c20aca1d6232.gz
-rw------- 1 dionaea dionaea 29643 Jun 8 15:34 fc9b0b8b711e44ce0d4f91b0cedb1c76.gz
ClamScan
- What do you do when you suspect a file is malware? You scan it.
- Malware FOUND
$ clamscan /opt/dionaea/var/dionaea/binaries/
/opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
/opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
/opt/dionaea/var/dionaea/binaries/90e02a26204ade7771acf7e8521bdf09.gz: Win.Worm.Kido-297 FOUND
/opt/dionaea/var/dionaea/binaries/02830b424d88664cc3576941dd9841f9.gz: Win.Worm.Kido-307 FOUND
/opt/dionaea/var/dionaea/binaries/a7bc14c1bd7271a45391f1e1541afe43.gz: Win.Worm.Downadup-110 FOUND
/opt/dionaea/var/dionaea/binaries/87136c488903474630369e232704fa4d.gz: Win.Worm.Kido-113 FOUND
/opt/dionaea/var/dionaea/binaries/1195dfde6305980ed050a9751b157f42.gz: Win.Worm.Kido-293 FOUND
/opt/dionaea/var/dionaea/binaries/1b4cd56e54d3f9030a153590fb3fa9e5.gz: Win.Worm.Kido-316 FOUND
/opt/dionaea/var/dionaea/binaries/fc9b0b8b711e44ce0d4f91b0cedb1c76.gz: OK
/opt/dionaea/var/dionaea/binaries/cae8a8524eeb0e7de1fb3704bd14b7ba.gz: Win.Trojan.Ramnit-1847 FOUND
/opt/dionaea/var/dionaea/binaries/7bb455ea4a77b24478fba4de145115eb.gz: Win.Worm.Kido-197 FOUND
/opt/dionaea/var/dionaea/binaries/eb18a7d302bbc8c0b3ed2cd1612e8d59.gz: OK
/opt/dionaea/var/dionaea/binaries/smb-az4poq4s.tmp.gz: OK
/opt/dionaea/var/dionaea/binaries/16acf30169d089b8a967f40d9a38d8f7.gz: Win.Trojan.Agent-129152 FOUND
What if we want to monitor this malware in real time?
Data Flow
- Run ClamScan periodically and write its output to a log
- Filebeat ships the log to the Elastic Stack server
- Logstash normalizes the log lines and stores them in Elasticsearch
- Visualize with Kibana
[Data flow diagram: on the Dionaea host (Ubuntu), clamscan.sh scans binaries/* and writes log/scan.log, which Filebeat ships to Logstash (Amazon Linux: Input -> Filter -> Output) and on to Elasticsearch/Kibana, with Metricbeat alongside]
By the way, do you use Logstash?
Logstash vs fluentd
- Compared on Google Trends
- By country
- Blue: Logstash
- Red: fluentd
[Chart: Google Trends interest by country, Logstash in blue versus fluentd in red]
Grok Filter
- Below are the ClamScan results
- We need to normalize them somehow to get key-value data
- Data we want:
  - OK/FOUND (key: check)
  - Malware name (key: malware)
$ clamscan /opt/dionaea/var/dionaea/binaries/
/opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
/opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
/opt/dionaea/var/dionaea/binaries/90e02a26204ade7771acf7e8521bdf09.gz: Win.Worm.Kido-297 FOUND
/opt/dionaea/var/dionaea/binaries/02830b424d88664cc3576941dd9841f9.gz: Win.Worm.Kido-307 FOUND
Such a pain in the neck…
Grok Constructor
http://grokconstructor.appspot.com/do/match
- Lets you test grok patterns in the web browser
- You can also check stdout on Logstash
- Convenient if you don't want to keep rewriting logstash.conf
[Screenshot: the Grok Constructor form; paste the log lines and the grok filter, then click GO!]
Grok Constructor
- Results look like this
- OK/FOUND is captured in "check"
- But where is the malware name?
- Work on that grok filter again, using the contents captured in "data" as the input
[Screenshot: second Grok Constructor run; paste the "data" contents and the new pattern, then click GO!]
Grok Constructor
- Results look like this
- The malware name is matched into "malware"!
Logstash.conf
- The final product looks like this
input {
  beats {
    port => 5044
  }
}
filter {
  # Stage 1: skip the four leading path components, keep the directory name
  # as "field", the trailing verdict word as "check", and the rest as "data"
  grok {
    match => [ "message", "/[^/]+/[^/]+/[^/]+/[^/]+/(?<field>[^/]+)/%{GREEDYDATA:data}%{WORD:check}" ]
    remove_field => [ "host", "message" ]
  }
  # Stage 2: drop the file name and the colon from "data", leaving the malware name
  grok {
    match => [ "data", "(?:[\w._/%-]+)%{WORD}(?:[:]*)%{GREEDYDATA:malware}" ]
    remove_field => [ "data" ]
  }
}
output {
  elasticsearch {
    hosts => "http://xxx.xxx.xxx.xxx:9200/"
  }
}
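The two grok stages above pull "check" and "malware" out of each clamscan line, and the earlier Data Flow slide has clamscan writing those lines to scan.log for Filebeat. The Python script below is an added example, not code from the deck or from Dionaea, ClamAV or Logstash: it performs the same two-stage extraction with equivalent regular expressions so the parsing can be checked offline before touching logstash.conf, and also keeps the lines that do not parse, which is the signal Logstash would surface as a _grokparsefailure tag. The sample output is constructed from the verdict lines shown on the slides plus one "Empty file" status line and a scan summary; the record layout (dir/file/check/malware/status), the KNOWN_CHECKS set and the scanned_at field are this example's own choices.

```python
import json
import re
from collections import Counter

# Constructed sample: the per-file verdict lines mirror the clamscan output shown
# on the slides; the "Empty file" line and the summary block are added here to
# show how lines that are not OK/FOUND verdicts are handled.
SAMPLE_SCAN_OUTPUT = """\
/opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
/opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
/opt/dionaea/var/dionaea/binaries/cae8a8524eeb0e7de1fb3704bd14b7ba.gz: Win.Trojan.Ramnit-1847 FOUND
/opt/dionaea/var/dionaea/binaries/smb-az4poq4s.tmp.gz: OK
/opt/dionaea/var/dionaea/binaries/90e02a26204ade7771acf7e8521bdf09.gz: Win.Worm.Kido-297 FOUND
/opt/dionaea/var/dionaea/binaries/d41d8cd98f00b204e9800998ecf8427e.gz: Empty file

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# Stage 1, same shape as the first grok: skip four path components, keep the
# directory as "field", the last word as "check", everything between as "data".
STAGE1 = re.compile(
    r"^/[^/]+/[^/]+/[^/]+/[^/]+/(?P<field>[^/]+)/(?P<data>.*)\b(?P<check>\w+)$"
)
# Stage 2, same job as the second grok: drop the file name and the colon from
# "data" so that only the malware name remains (whitespace is trimmed here).
STAGE2 = re.compile(r"^(?P<file>[\w.%-]+):\s*(?P<malware>.*?)\s*$")

# The only two verdicts the dashboard is built around (example's own choice).
KNOWN_CHECKS = {"OK", "FOUND"}


def parse_line(line):
    """Return a record for one clamscan per-file line, or None if it is not one."""
    m = STAGE1.match(line.rstrip("\n"))
    if not m:
        return None
    m2 = STAGE2.match(m.group("data"))
    if not m2:
        return None
    record = {
        "dir": m.group("field"),
        "file": m2.group("file"),
        "check": m.group("check"),
        "malware": m2.group("malware"),
        "status": "",
    }
    if record["check"] not in KNOWN_CHECKS:
        # e.g. "...: Empty file": the trailing word is not a verdict, so keep
        # the whole status text rather than mistaking "file" for a verdict.
        record["status"] = (record["malware"] + " " + record["check"]).strip()
        record["check"] = "OTHER"
        record["malware"] = ""
    return record


def parse_scan_output(text):
    """Split clamscan output into (records, unparsed_lines).

    Unparsed lines (the scan summary, for instance) are what Logstash would
    tag with _grokparsefailure; returning them keeps that signal visible.
    """
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
        else:
            records.append(record)
    return records, unparsed


def summarize(records):
    """The counts a Kibana dashboard would show: verdicts and malware names."""
    by_check = Counter(r["check"] for r in records)
    by_malware = Counter(r["malware"] for r in records if r["check"] == "FOUND")
    return {"by_check": by_check, "by_malware": by_malware}


def to_ndjson(records, scanned_at):
    """One JSON object per line, with a caller-supplied scan timestamp."""
    return "\n".join(
        json.dumps(dict(r, scanned_at=scanned_at), sort_keys=True) for r in records
    )


if __name__ == "__main__":
    recs, skipped = parse_scan_output(SAMPLE_SCAN_OUTPUT)
    print(to_ndjson(recs, "2017-06-20T00:00:00Z"))
    print(summarize(recs)["by_malware"].most_common())
    print("unparsed:", skipped)
```

The second stage is the step the deck's first attempt missed: the first pattern only isolates the verdict word, and the malware name sits in the remainder. Running this against a real scan.log before deploying the Logstash filter shows immediately which lines would fail to parse and whether any verdict other than OK/FOUND appears in the data.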
Looking good
Malware♥
Summary
- Let Elastic Stack do everything from input to output
- Easy visualization with Beats
- Expose a server to widen the variety of logs you collect
- Are you excited to share your server with the public?
- Don't let Logstash beat you!
Thanks

Gravity concentration_MI20612MI_________
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveying
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdf
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 
OOP concepts -in-Python programming language
OOP concepts -in-Python programming languageOOP concepts -in-Python programming language
OOP concepts -in-Python programming language
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
 

[ElasticStack]What happens when you visualize servers exposed to the world?

  • 14. Install Cowrie
    ### Ubuntu 16.04
    $ sudo apt-get install git python-virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
    ### adduser Cowrie
    $ sudo adduser --disabled-password cowrie
    $ sudo su - cowrie
    ### Setup Virtual Environment
    $ virtualenv cowrie-env
    $ source cowrie-env/bin/activate
    ### Install configuration file
    $ export PYTHONPATH=/home/cowrie/cowrie
    ### Start Cowrie
    $ bin/cowrie start
    Activating virtualenv "cowrie-env"
    Starting cowrie: [twistd -l log/cowrie.log --umask 0077 --pidfile var/run/cowrie.pid cowrie ]...
    $ bin/cowrie status
    cowrie is running (PID: 5979).

  • 15. Beats
    - Data Shipper
    - The Beats FamBam
      - Filebeat: Sends log files
      - Metricbeat: Sends metric data (CPU/Mem, etc.)
      - Packetbeat: Sends packet capture data
      - Winlogbeat: Sends Windows event logs
      - Heartbeat: Checks service availability (uptime monitoring over ICMP/TCP/HTTP)

  • 16. Data Flow
    - Ship the Apache/MySQL data of the WordPress host directly into Elasticsearch (Filebeat, Metricbeat, Packetbeat)
    - Ship the HoneyPot logs into Elasticsearch via Logstash
    (Diagram: Dionaea [Ubuntu, Filebeat] ships log/dionaea.log and binaries/*; Cowrie [Ubuntu, Filebeat] ships log/cowrie.log; both go to Logstash [Amazon Linux: Input -> Filter -> Output] and on to Elasticsearch/Kibana, which also runs Metricbeat. WordPress [Amazon Linux, Apache + MySQL] runs Filebeat, Metricbeat and Packetbeat straight into Elasticsearch.)
    - Caveat: the honeypot hosts are meant to be compromised, so restrict their egress (security group) to the Logstash/Elasticsearch ports only and keep no credentials on them beyond what Beats needs to ship logs

  • 17. Filebeat Modules
    - Install Filebeat
    $ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.0-alpha2-x86_64.rpm
    $ sudo rpm -vi filebeat-6.0.0-alpha2-x86_64.rpm
    ### Configuring
    $ vim /etc/filebeat/filebeat.yml
    #------------------------------- Apache2 Module ------------------------------
    filebeat.modules:
    - module: apache2
      # Access logs
      access:
        enabled: true
        var.paths: ["/var/log/httpd/access_log"]
      # Error logs
      error:
        enabled: true
        var.paths: ["/var/log/httpd/error_log"]
    #-------------------------- Elasticsearch output -------------------------------
    output.elasticsearch:
      hosts: ["xxx.xxx.xxx.xxx:9200"]

  • 18. Ingest Plugins
    - Install Ingest Geoip & Ingest user agent
      - Ingest Geoip: Adds geolocation fields (country, city, coordinates) for an IP address, which Kibana can plot on a map
      - Ingest user agent: Parses User-Agent strings into browser/OS/device fields
    - The Filebeat apache2 module's ingest pipeline relies on both processors, so they must be installed on the Elasticsearch node before the module's data arrives (restart Elasticsearch after installing)
    - Install the Ingest Plugins on the Elastic Stack server
    ### Ingest Geoip
    $ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
    ### Ingest user agent
    $ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent

  • 19. !!Attention #01
    - Be mindful of proxy environments
    - You will get a timeout error when installing Ingest Plugins from behind a proxy
    - Set the proxy in ES_JAVA_OPTS before installing
    $ sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
    -> Downloading ingest-user-agent from elastic
    Exception in thread "main" java.net.ConnectException: Connection timed out
    ### Setup Proxy
    $ export ES_JAVA_OPTS="-Dhttp.proxyHost=xxx -Dhttp.proxyPort=xxx -Dhttps.proxyHost=xxx -Dhttps.proxyPort=xxx"
    ### Install ingest-user-agent
    $ /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
    -> Downloading ingest-user-agent from elastic
    [=================================================] 100%
    ### Ingest Geoip

  • 20. !!Attention #02
    - Be mindful of proxy environments
    - Handy setting that imports the Kibana dashboards when Filebeat starts
      # Configure the dashboard settings in filebeat.yml
    - However, in environments with proxy settings it will not work! :(
    - In that case, import them manually
    $ sudo vim /etc/filebeat/filebeat.yml
    #============================== Dashboards =====================================
    - #setup.dashboards.enabled: false
    + setup.dashboards.enabled: true
    $ sudo /usr/share/filebeat/scripts/import_dashboards -file /tmp/beats-dashboards-x.x.zip -es http://xxx:9200
  • 26. Until recently…
    - Send the logs to be visualized from Filebeat to Logstash
    - Normalize the received logs with Logstash and store them in Elasticsearch
    - Create a dashboard in Kibana to make it look cool
  • 28. Wait!
  • 30. Malware
    - Is this malware that Dionaea captured?
    - It's all over /opt/dionaea/var/dionaea/binaries…
    - Dionaea names each captured binary after its MD5 hash; d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, i.e. a zero-byte download
    $ ll /opt/dionaea/var/dionaea/binaries
    -rw------- 1 dionaea dionaea     53 Jun 6 02:59 d41d8cd98f00b204e9800998ecf8427e.gz
    -rw------- 1 dionaea dionaea 162168 Jun 7 22:56 dc8c32d7f26352c8484bc490b6467843.gz
    -rw------- 1 dionaea dionaea 153820 Jun 7 02:34 dd0400bed68d272b08d1d0272bc18462.gz
    -rw------- 1 dionaea dionaea 129803 Jun 5 01:01 de1e602b2452a95ba57ef53347e50094.gz
    -rw------- 1 dionaea dionaea  22778 Jun 6 17:38 e0ddd8bf8e3b97ad25855721dc75daae.gz
    -rw------- 1 dionaea dionaea 155154 Jun 7 04:33 e53ed987e82ad7bf076c23d91401cac7.gz
    -rw------- 1 dionaea dionaea   1189 Jun 8 15:32 ead49a9b7b0c8ad6894be45674cebf77.gz
    -rw------- 1 dionaea dionaea  22777 Jun 6 17:39 eb18a7d302bbc8c0b3ed2cd1612e8d59.gz
    …
    -rw------- 1 dionaea dionaea  21966 Jun 5 16:52 ee0efafc69a13cd57d714ffdc603d8fc.gz
    -rw------- 1 dionaea dionaea 154329 Jun 4 16:48 f09ee5028fd1b1eaaf22df1538de159b.gz
    -rw------- 1 dionaea dionaea 156637 Jun 9 08:51 f5f1fd0d093d81a4a769c20aca1d6232.gz
    -rw------- 1 dionaea dionaea  29643 Jun 8 15:34 fc9b0b8b711e44ce0d4f91b0cedb1c76.gz

  • 31. ClamScan
    - What do you do when you suspect malware? You scan it.
    - Malware FOUND
    $ clamscan /opt/dionaea/var/dionaea/binaries/
    /opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
    /opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
    /opt/dionaea/var/dionaea/binaries/90e02a26204ade7771acf7e8521bdf09.gz: Win.Worm.Kido-297 FOUND
    /opt/dionaea/var/dionaea/binaries/02830b424d88664cc3576941dd9841f9.gz: Win.Worm.Kido-307 FOUND
    /opt/dionaea/var/dionaea/binaries/a7bc14c1bd7271a45391f1e1541afe43.gz: Win.Worm.Downadup-110 FOUND
    /opt/dionaea/var/dionaea/binaries/87136c488903474630369e232704fa4d.gz: Win.Worm.Kido-113 FOUND
    /opt/dionaea/var/dionaea/binaries/1195dfde6305980ed050a9751b157f42.gz: Win.Worm.Kido-293 FOUND
    /opt/dionaea/var/dionaea/binaries/1b4cd56e54d3f9030a153590fb3fa9e5.gz: Win.Worm.Kido-316 FOUND
    /opt/dionaea/var/dionaea/binaries/fc9b0b8b711e44ce0d4f91b0cedb1c76.gz: OK
    /opt/dionaea/var/dionaea/binaries/cae8a8524eeb0e7de1fb3704bd14b7ba.gz: Win.Trojan.Ramnit-1847 FOUND
    /opt/dionaea/var/dionaea/binaries/7bb455ea4a77b24478fba4de145115eb.gz: Win.Worm.Kido-197 FOUND
    /opt/dionaea/var/dionaea/binaries/eb18a7d302bbc8c0b3ed2cd1612e8d59.gz: OK
    /opt/dionaea/var/dionaea/binaries/smb-az4poq4s.tmp.gz: OK
    /opt/dionaea/var/dionaea/binaries/16acf30169d089b8a967f40d9a38d8f7.gz: Win.Trojan.Agent-129152 FOUND

  • 32. What if we want to monitor this malware in real time?

  • 33. Data Flow
    - Run ClamScan regularly (clamscan.sh) and write its output to a log
    - Filebeat sends the log to the Elastic Stack server
    - Logstash normalizes the log lines and stores them in Elasticsearch
    - Visualize with Kibana
    (Diagram: Dionaea [Ubuntu, Filebeat]: clamscan.sh scans binaries/* and writes log/scan.log -> Logstash [Amazon Linux: Input -> Filter -> Output] -> Elasticsearch -> Kibana, with Metricbeat on the Elastic Stack server.)
  • 34. By the way, do you use Logstash?
  • 35. Logstash vs fluentd
    - Compared on Google Trends, by country
    - Blue: Logstash
    - Red: fluentd

  • 37. Grok Filter
    - Below are the ClamScan results
    - We need to normalize them into Key-Value data
    - Data we want:
      - OK/FOUND (key: check)
      - Malware name (key: malware)
    $ clamscan /opt/dionaea/var/dionaea/binaries/
    /opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
    /opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
    /opt/dionaea/var/dionaea/binaries/90e02a26204ade7771acf7e8521bdf09.gz: Win.Worm.Kido-297 FOUND
    /opt/dionaea/var/dionaea/binaries/02830b424d88664cc3576941dd9841f9.gz: Win.Worm.Kido-307 FOUND
  • 38. Such a pain in the neck…
  • 40. Grok Constructor
    - Lets you test grok patterns in the web browser
    - You can also check the result on Logstash's stdout
    - Convenient when you don't want to keep rewriting logstash.conf and restarting Logstash

  • 41. (Screenshot: paste the log lines and the Grok Filter pattern, then click GO!)

  • 42. Grok Constructor
    - Results look like this
    - OK/FOUND is captured in "check"
    - But where is the malware name?
    - Work on that Grok Filter again

  • 43. (Screenshot: feed the contents captured in "data" into a second Grok Filter, then click GO!)

  • 44. Grok Constructor
    - Results look like this
    - The malware name is matched in "malware"!

  • 45. Logstash.conf
    - The final product looks like this
    input {
      beats {
        port => 5044
      }
    }
    filter {
      grok {
        match => [ "message", "/[^/]+/[^/]+/[^/]+/[^/]+/(?<field>[^/]+)/%{GREEDYDATA:data}%{WORD:check}" ]
        remove_field => [ "host", "message" ]
      }
      grok {
        match => [ "data", "(?:[\w._/%-]+)%{WORD}(?:[:]*)%{GREEDYDATA:malware}" ]
        remove_field => [ "data" ]
      }
    }
    output {
      elasticsearch {
        hosts => "http://xxx.xxx.xxx.xxx:9200/"
      }
    }
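The two grok stages above, collapsed into one anchored regular expression, as an added Python example (not code from the slides or from Logstash): it parses the clamscan lines shown on the ClamScan slide into the same check/malware fields the Logstash config produces, recovers the sample's MD5 from Dionaea's filename, and also handles OK lines and clamscan's trailing summary lines, which the slide's patterns do not address. The sample log is taken from the slide, with one OK line kept so both outcomes are exercised; the summary function (counts per signature family) is an assumption about what one would chart in Kibana.

```python
import re
from collections import Counter

# Sample clamscan output: the lines shown on the ClamScan slide, including
# one OK line and one temp file that is not named after an MD5 hash.
SAMPLE_SCAN_LOG = """\
/opt/dionaea/var/dionaea/binaries/f09ee5028fd1b1eaaf22df1538de159b.gz: Win.Worm.Kido-200 FOUND
/opt/dionaea/var/dionaea/binaries/621c0b356c49edc5ce4cf3ee88c30f82.gz: OK
/opt/dionaea/var/dionaea/binaries/a7bc14c1bd7271a45391f1e1541afe43.gz: Win.Worm.Downadup-110 FOUND
/opt/dionaea/var/dionaea/binaries/cae8a8524eeb0e7de1fb3704bd14b7ba.gz: Win.Trojan.Ramnit-1847 FOUND
/opt/dionaea/var/dionaea/binaries/smb-az4poq4s.tmp.gz: OK
"""

# One anchored pattern instead of two GREEDYDATA grok stages: directory, file,
# optional signature name, then the verdict word at end of line. Anchoring with
# ^ and $ avoids the backtracking that %{GREEDYDATA}%{WORD:check} relies on.
SCAN_LINE = re.compile(
    r"^(?P<path>/\S+?)/(?P<file>[^/\s]+): (?:(?P<malware>\S+) )?(?P<check>OK|FOUND)$"
)

# Dionaea stores captured binaries under their MD5 hex digest (here gzipped).
MD5_STEM = re.compile(r"^(?P<md5>[0-9a-f]{32})(?:\.gz)?$")


def parse_scan_line(line):
    """Return the key/value event Logstash would emit for one clamscan line.

    Returns None for lines that are not per-file results (e.g. the
    '----------- SCAN SUMMARY -----------' block clamscan prints at the end).
    """
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    check = m.group("check")
    event = {
        "file": m.group("file"),
        "check": check,
        "malware": m.group("malware") if check == "FOUND" else None,
    }
    h = MD5_STEM.match(event["file"])
    event["md5"] = h.group("md5") if h else None
    return event


def parse_scan_log(text):
    """Parse a whole scan.log, dropping non-result lines."""
    events = (parse_scan_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def malware_family_counts(events):
    """Count FOUND events per signature family, i.e. the name without its
    numeric variant suffix (Win.Worm.Kido-200 -> Win.Worm.Kido)."""
    counts = Counter()
    for e in events:
        if e["check"] == "FOUND":
            counts[e["malware"].rsplit("-", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_scan_log(SAMPLE_SCAN_LOG)
    for ev in parsed:
        print(ev)
    print(dict(malware_family_counts(parsed)))
```

Pointing the same functions at the real scan.log written by a cron job around clamscan gives the per-file events that the Logstash pipeline indexes, and the family counts are what a Kibana terms aggregation on the malware field would show.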
  • 49. Summary
    - Let Elastic Stack do everything from input to output
    - Easy visualization with Beats
    - Expose a server to the world (a dedicated honeypot, never a production host) and your log variety grows
    - Are you excited to share your server with the public?
    - Don't let Logstash beat you!