[Honeypot Quick Analysis] Honeypot quick analysis (Day 338: 7/23)
This is the honeypot quick analysis for day 338 (7/23).
◾️Honeytrap
※ Excluding port 80
<Detection count>
<Counts by destination port>
Port | Service | Count | Difference from 30-day average |
---|---|---|---|
445 | smb | 4005 | 271 |
23 | telnet | 1297 | -2 |
2323 | telnet | 593 | 472 |
139 | netbios-ssn | 204 | 178 |
5900 | vnc | 165 | -189 |
3389 | rdp | 149 | 24 |
222 | rsh-spx | 128 | 126 |
9000 | cslistener | 99 | 56 |
8888 | ddi-tcp-1 / ddi-udp-1 | 84 | 42 |
9600 | micromuse-ncpw | 82 | 69 |
<New malware downloads>
hxxp:/\/ch[.]silynigr.xyz/bins/u[.]arm4 | GET /shell? |
hxxp:/\/87[.]120[.]37[.]148/bins/autism[.]arm5 | GET /shell? |
hxxp:/\/195[.]231[.]6[.]216/htp/ab[.]arm4 | GET /shell? |
As expected, much of the detected traffic was aimed at IoT devices.
◾️WoWHoneypot
<Detected paths>
wow_path_research | target | CVE | reference | count |
---|---|---|---|---|
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 24 |
/ | - | - | - | 18 |
/HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
/manager/html | Tomcat | - | - |
The detection count is low, and WOWHoneypot's daily detection count swings sharply from day to day...
<New paths>
None
<Malware>
None
◾️Reference: Suricata
alert.category | alert.signature | count |
---|---|---|
Generic Protocol Command Decode | SURICATA STREAM Packet with broken ack | 1466 |
Not Suspicious Traffic | ET INFO Potentially unsafe SMBv1 protocol in use | 1178 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYN resend with different seq | 1162 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK | 1146 |
Misc activity | GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited | 910 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack | 698 |
Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack | 698 |
Generic Protocol Command Decode | SURICATA IPv4 padding required | 667 |
Potentially Bad Traffic | GPL SCAN loopback traffic | 667 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK resend with different ack | 588 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYN resend different seq on SYN recv | 454 |
Generic Protocol Command Decode | SURICATA HTTP missing Host header | 106 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend | 95 |
Generic Protocol Command Decode | SURICATA STREAM RST recv but no session | 49 |
Misc activity | ET POLICY SSH session in progress on Unusual Port | 48 |
Generic Protocol Command Decode | SURICATA STREAM FIN recv but no session | 36 |
Generic Protocol Command Decode | SURICATA STREAM Packet with invalid timestamp | 36 |
Misc activity | ET POLICY SSH Client Banner Detected on Unusual Port | 32 |
Generic Protocol Command Decode | SURICATA zero length padN option | 24 |
Generic Protocol Command Decode | SURICATA ICMPv4 unknown code | 20 |
Generic Protocol Command Decode | SURICATA TCPv4 invalid checksum | 11 |
Generic Protocol Command Decode | SURICATA SMTP no server welcome message | 10 |
Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction | 7 |
Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data | 7 |
Potentially Bad Traffic | ET POLICY Tunneled RDP msts Handshake | 7 |
Attempted Administrator Privilege Gain | ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound | 6 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK with wrong ack | 6 |
Generic Protocol Command Decode | SURICATA STREAM bad window update | 4 |
Generic Protocol Command Decode | SURICATA TLS error message encountered | 4 |
Generic Protocol Command Decode | SURICATA TLS handshake invalid length | 4 |
Potentially Bad Traffic | ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested | 4 |
Generic Protocol Command Decode | SURICATA STREAM suspected RST injection | 3 |
Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions | 2 |
Generic Protocol Command Decode | SURICATA ICMPv4 invalid checksum | 2 |
Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions | 2 |
Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq | 1 |
That is all for today.