sec-chick Blog

Cyber Security Blog

[Quick Honeypot Analysis] Quick Honeypot Analysis (Day 338: 7/23)

This is the quick honeypot analysis for day 338 (7/23).
◾️Honeytrap
※ Excluding port 80

<Detection count>

[Detection count chart (image)]

<Counts by destination port>

| Port | Service | Count | Difference from 30-day average |
| --- | --- | --- | --- |
| 445 | smb | 4005 | 271 |
| 23 | telnet | 1297 | -2 |
| 2323 | telnet | 593 | 472 |
| 139 | netbios-ssn | 204 | 178 |
| 5900 | vnc | 165 | -189 |
| 3389 | rdp | 149 | 24 |
| 222 | rsh-spx | 128 | 126 |
| 9000 | cslistener | 99 | 56 |
| 8888 | ddi-tcp-1 / ddi-udp-1 | 84 | 42 |
| 9600 | micromuse-ncpw | 82 | 69 |


<New malware downloads>

hxxp:/\/ch[.]silynigr.xyz/bins/u[.]arm4 GET /shell?
hxxp:/\/87[.]120[.]37[.]148/bins/autism[.]arm5 GET /shell?
hxxp:/\/195[.]231[.]6[.]216/htp/ab[.]arm4 GET /shell?

As usual, a large amount of traffic targeting IoT devices was detected.

◾️WoWHoneypot

[Detection count chart (image)]


<Detected paths>

| wow_path_research | target | CVE | reference | count |
| --- | --- | --- | --- | --- |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 24 |
| / | - | - | - | 18 |
| /HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /manager/html | Tomcat | - | - | |


The detection count is low, and WOWHoneypot's daily detection count fluctuates heavily...

<New paths>
None

Malware
None

◾️Reference: Suricata

| alert.category | alert.signature | count |
| --- | --- | --- |
| Generic Protocol Command Decode | SURICATA STREAM Packet with broken ack | 1466 |
| Not Suspicious Traffic | ET INFO Potentially unsafe SMBv1 protocol in use | 1178 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYN resend with different seq | 1162 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK | 1146 |
| Misc activity | GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited | 910 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack | 698 |
| Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack | 698 |
| Generic Protocol Command Decode | SURICATA IPv4 padding required | 667 |
| Potentially Bad Traffic | GPL SCAN loopback traffic | 667 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK resend with different ack | 588 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYN resend different seq on SYN recv | 454 |
| Generic Protocol Command Decode | SURICATA HTTP missing Host header | 106 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend | 95 |
| Generic Protocol Command Decode | SURICATA STREAM RST recv but no session | 49 |
| Misc activity | ET POLICY SSH session in progress on Unusual Port | 48 |
| Generic Protocol Command Decode | SURICATA STREAM FIN recv but no session | 36 |
| Generic Protocol Command Decode | SURICATA STREAM Packet with invalid timestamp | 36 |
| Misc activity | ET POLICY SSH Client Banner Detected on Unusual Port | 32 |
| Generic Protocol Command Decode | SURICATA zero length padN option | 24 |
| Generic Protocol Command Decode | SURICATA ICMPv4 unknown code | 20 |
| Generic Protocol Command Decode | SURICATA TCPv4 invalid checksum | 11 |
| Generic Protocol Command Decode | SURICATA SMTP no server welcome message | 10 |
| Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction | 7 |
| Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data | 7 |
| Potentially Bad Traffic | ET POLICY Tunneled RDP msts Handshake | 7 |
| Attempted Administrator Privilege Gain | ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound | 6 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK with wrong ack | 6 |
| Generic Protocol Command Decode | SURICATA STREAM bad window update | 4 |
| Generic Protocol Command Decode | SURICATA TLS error message encountered | 4 |
| Generic Protocol Command Decode | SURICATA TLS handshake invalid length | 4 |
| Potentially Bad Traffic | ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested | 4 |
| Generic Protocol Command Decode | SURICATA STREAM suspected RST injection | 3 |
| Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions | 2 |
| Generic Protocol Command Decode | SURICATA ICMPv4 invalid checksum | 2 |
| Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions | 2 |
| Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq | 1 |


That is all for today.