
Construction and Operation of Intrusion Detection System at National Institute of Technology, Kumamoto College, Yatsushiro Campus


Academic year: 2021




Shunsuke Oshima1,*, Yoichi Fujimoto1, Mai Iwamoto2

In order to detect cyber security threats at NIT Kumamoto, Yatsushiro Campus, we have constructed and operated an Intrusion Detection System (IDS) on our computer network since December 2017. The IDS is based on predetermined signatures and detects intrusions, attacks and other signs by monitoring the packet flow through the computer network. In this paper, we report on the introduction, construction and operation of this system.

Keywords: Intrusion Detection, Network Infrastructure, Cyber Security, Snort, Security Onion

1. Introduction

At the Yatsushiro Campus of National Institute of Technology, Kumamoto College, Snort (1), one kind of intrusion detection system (Intrusion Detection System, hereafter IDS), has been deployed since fiscal year 2017 in order to detect cyber security threats on the campus network. In addition, since fiscal year 2018 we have deployed Security Onion (2), a Linux distribution built around Snort that bundles many network security tools such as visualization of security events and log collection and search, and it has produced results. This paper describes the concrete deployment and construction of these intrusion detection systems on the Kumamoto College network, and also records the knowledge gained from actually operating the IDS.

2. IDS

Classification of IDS

An IDS is a system that monitors packets flowing over the network, host logs and the like, and detects unauthorized intrusions by finding features that match predetermined patterns. Well-known IDSs include Snort and Suricata (3).

IDSs can be broadly classified into two kinds according to where detection takes place. One is the host-based type, which resides on a host computer and monitors its resources and logs; the other is the network type, which monitors packets flowing over the network and detects anomalies.

For the IDS introduced here we chose the network type, for two reasons: 1) for OS types such as Windows, Linux, MacOS and Android there is dedicated anti-malware software, but printers, scanners, microcontrollers and the various IoT devices have no dedicated anti-malware software, and countermeasures for these devices are urgent; 2) with devices brought in under BYOD (Bring Your Own Device) and personally owned USB memory sticks being connected, malicious code may enter from devices whose anti-malware measures are insufficient. A network-based IDS does not depend on the OS or the device, so there is a high chance of detecting early that a device has received unauthorized access or is behaving abnormally towards other network equipment.

Overview of Snort

Snort is an open-source network-based IDS. Developed in 1998 and distributed as open source by Sourcefire, it was acquired by Cisco Systems in 2013, and Snort 3 continues to be distributed as open source since then.

1 Hub Project Division (Center for Information Security), 2627 Hirayama-Shinmachi, Yatsushiro-shi, Kumamoto, Japan 866-8501

2 Center for Technical and Educational Support, 2627 Hirayama-Shinmachi, Yatsushiro-shi, Kumamoto, Japan 866-8501

* Corresponding author: E-mail address: oshima kumamoto-nct.ac.jp (S. Oshima).


Snort continuously monitors packets and, when it detects an offending packet that matches a predefined pattern called a Snort rule, executes an action such as issuing a warning. Figure 1 shows a simple example of a Snort rule. Users can write such rules individually and build an organization-specific rule set, but because the rule set directly determines intrusion detection performance, one normally either uses the free Community rule set or chooses a paid plan offered by Cisco Systems such as Personal or Business, and then adds per-organization customization.



To keep the Snort rules up to date, an updater called Pulled Pork and an Oinkcode, the authentication code used when downloading Snort rules, are required. Both can be obtained from their dedicated sites. The Oinkcode obtained from the site is either embedded in the Pulled Pork configuration file or specified when installing Security Onion, described later.

Overview of Security Onion

Security Onion is a Linux distribution that uses Ubuntu Linux as its base OS and packages on top of it many security tools for intrusion detection, packet analysis, log storage and visualization, and so on. The latest version is Security Onion 16.04.6.1 (as of 2019/8/1), based on Ubuntu 16.04 LTS, and like upstream Ubuntu it is supported until April 2021. An ISO image of the OS is distributed and can be installed by following the menus; alternatively, the Security Onion packages can be deployed on top of an existing Linux installation. However, the only OS officially supported for package deployment is Ubuntu 16.04.

At installation time, Security Onion lets you choose either Snort or Suricata as the IDS. Besides the IDS, the following tools are installed by default.

- Elasticsearch (4): full-text search engine
- Logstash: monitoring and storage of log events
- Kibana: browser-based log visualization tool
- Sguil / Squert (5): data analysis tools
- Bro (6): behaviour-oriented forensic tool
- Wireshark (7): packet-oriented forensic tool
- netsniff-ng (8): arbitrary packet generation tool

These tools are sometimes started and used on their own, but they are designed so that, with data analysis tools such as Sguil and Squert as the entry point, they cooperate with and complement one another to analyse a wide range of cyber security threats seamlessly.

3. Deployment and construction of Snort

Considerations when introducing Snort

At the Yatsushiro Campus of Kumamoto College, Snort was introduced in fiscal year 2017 to monitor packets passing through the Proxy server, with the aim of detecting anomalies in traffic between the campus and the outside. The cost of the Snort Business plan was secured in the fiscal 2017 budget. Because Snort is a network-based IDS, sensor nodes can be installed at several locations, but running costs grow with the number of monitored points, so this time it was installed only on the single Proxy server of the Yatsushiro Campus.

The next thing needed is a server on which to run Snort. Besides acting as an HTTP Proxy, the Proxy server mentioned above operates as the gateway connecting the campus (LAN) with the outside (WAN), so all packets between the campus and the outside pass through it. Since no server budget could be found in fiscal 2017, Snort was installed on the Proxy server itself rather than on a separate server. Figure 2 shows the overall configuration. As the figure shows, Snort is configured by specifying the network interface to be monitored, so building it inside the Proxy server requires no change to the Proxy or Default Gateway settings. Not having to change the Default Gateway settings has a major advantage: if, for example, Snort's resource usage rises and the heavily loaded server starts to cause physical packet delays or drops, stopping the Snort process as an emergency measure restores things immediately.



Determining the server specification

The Proxy server is built as a KVM virtual machine with 2 CPUs (12000 BogoMips) and 4 GB of memory on a Linux host with an Intel Xeon 4-core 3.0 GHz CPU. Daytime traffic is roughly 100 Gbps, and with the Proxy alone the CPU load is a few percent. Introducing Snort inside this Proxy server was expected to raise the CPU load, but since the Proxy server is a virtual machine, raising the virtual machine's specification could be considered if the load became high. In the end, the CPU load while running Snort was around 10 to 30%, and no trouble affecting external connectivity was observed. We were therefore able to move to production without changing the virtual machine's specification at all.

Figure 2: Placement of Snort and overall configuration (diagram labels: Internet, FireWall, campus LAN, Proxy server / Gateway, Snort monitoring, transparent HTTP Proxy)

Figure 1: Format and example of a Snort rule
Format: action proto srcIP srcPort -> dstIP dstPort (keyword:arg; [keyword:arg;])
Example: alert tcp any any -> … (flags:S; msg:"SSH Connection attempt";)


Example of anomaly detection

Figure 3 shows examples of anomalies detected by the running Snort. For security reasons the IP addresses have been partly masked. As the figure shows, Snort's anomaly detection outputs one log line per offending packet, together with a packet dump. What deserves special mention here is that the packet dump written in pcap format contains only the offending packet itself. To learn of an anomaly, the administrator must first inspect the Snort log visually and then examine any suspicious-looking packet dump with a packet analysis tool such as Wireshark. A single communication session normally consists of many packets, and it is hard to judge from the one saved packet alone whether something is anomalous, yet Snort by itself cannot investigate the packets surrounding the offending one.

Another thing we learned from running Snort at our school is that the number of offending-packet log entries is unexpectedly large. In the example of Figure 3 a log line is output roughly every minute, and offending packets occur at this frequency. We therefore judged that investigating every entry was not feasible in terms of time, and built a mechanism that automatically notifies us of the logs by e-mail. We also made practical, working-level adjustments such as restricting detailed investigation to the logs and packet dumps to which Snort assigned Priority 3 or above.

4. Deployment and construction of Security Onion

Considerations when introducing Security Onion

As stated in the previous chapter, there is a limit to analysing by hand each offending-packet log entry and pcap packet dump produced by Snort. Therefore, in fiscal year 2018 we made budget arrangements to introduce a PC for network monitoring, and in March 2019 we put into operation Security Onion with Snort as its IDS. The Snort Business plan from fiscal 2017 was continued, and the Oinkcode was carried over to Security Onion as it was.

Server specification

Table 1 shows the machine specification of the dedicated PC introduced this time. With future expansion in mind, we chose a middle-tower desktop PC. The HDD capacity was set to the minimum of 2 TB to fit the budget, but the larger the capacity, the longer logs and packet dumps can be retained. A survey of network usage at the Yatsushiro Campus showed that 2 TB is used up in about one week during long holidays such as the summer vacation and in 0.5 to 1 day on weekdays. Keeping 10 days of packet dumps would therefore, by simple calculation, require 20 to 40 TB. For this reason it is better to secure as much headroom as possible in SATA ports, power supply capacity and free case slots, in preparation for adding log HDDs.

We also chose 6 CPU cores this time. The reason for the high core count is that, in addition to heavy processes such as Snort and Bro, Security Onion has to run several virtual machines. Because 6 cores were available, two Snort processes were started inside Security Onion. This distributes packet analysis over two cores and reduces the causes of missed packets during analysis. Security Onion additionally requires the container-based virtualization environment called Docker (9). In an ordinary Linux distribution, upgrading part of the firmware frequently causes malfunctions, but Docker provides a complete set of firmware resources called a container, so the so-called compatibility problems due to firmware versions do not occur. Using this feature of Docker, almost all services of the Elastic Stack (4) are provided. In our environment, when Security Onion starts, 5 containerd-shim and 9 docker-proxy processes are started automatically.

After construction we surveyed Security Onion's CPU usage. Specifically, after logging in to a shell, pressing '1' while the top command is running displays the real-time usage of each core. Figure 4 shows the result. In the line following %Cpu, us is user processes, sy is system processes and id is idle time, each shown as a percentage. As the figure shows, the load is spread evenly over the 6 cores, with an average CPU core usage of 20.0%. This may look like ample headroom, but it is better to keep usage at about this level in order to cope with sudden load spikes. The lower part of Figure 4 lists processes in descending order of CPU usage; as the figure shows, java, Bro and Snort were the top consumers of CPU time, and of these java is the process used by Docker. From this we conclude that a Security Onion placed at the core of the network should be given as many cores as possible.

12/18-11:27:57.684574 [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:41714 -> *.217.*.110:443
12/18-11:28:01.117007 [**] [129:5:1] Bad segment, adjusted size <= 0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:51521 -> *.52.*.18:80
12/18-11:28:02.986880 [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:50098 -> *.58.*.227:443
12/18-11:28:03.332611 [**] [129:14:1] TCP Timestamp is missing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:52261 -> *.13.*.3:443

Figure 3: Example of anomaly detection by Snort (IP addresses partly masked)

Table 1: Machine specification of the dedicated Security Onion PC
CPU: Intel(R) Core(TM) i… CPU @ … GHz, 6 cores
MEM: … GB
HDD: 2 TB (… TB if possible)
Network interface: …Base-TX × 2
SATA: … ports (as many as possible)
Case: middle tower, … inch bays, … slots
Power supply: … W (as large as possible)
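The triage described in the text (one alert line per offending packet, narrowing by Priority, collapsing similar alerts into one row with a count as Sguil does, and per-5-minute counts as in Figure 9(c)), as an added Python example that is not part of the paper; the input is the four Figure 3 lines plus two constructed lines, and the priority threshold is a parameter rather than the paper's fixed value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the four alert lines of Figure 3 (IPs masked as in the
# paper) plus two made-up lines, one at Priority 1 and one repeating a signature, so
# that filtering and grouping have something to show. Snort "fast" alert format.
SAMPLE_ALERTS = """\
12/18-11:27:57.684574 [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:41714 -> *.217.*.110:443
12/18-11:28:01.117007 [**] [129:5:1] Bad segment, adjusted size <= 0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:51521 -> *.52.*.18:80
12/18-11:28:02.986880 [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:50098 -> *.58.*.227:443
12/18-11:28:03.332611 [**] [129:14:1] TCP Timestamp is missing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:52261 -> *.13.*.3:443
12/18-11:31:00.000000 [**] [1:9000001:1] CONSTRUCTED high-priority alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.*.*.*:40000 -> *.9.*.9:22
12/18-11:31:05.500000 [**] [129:14:1] TCP Timestamp is missing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.*.*.*:52300 -> *.13.*.3:443
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])
    # The timestamp carries no year; only the time of day is used for windowing.
    t = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["sec_of_day"] = t.hour * 3600 + t.minute * 60 + t.second
    return a

def parse_alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def triage(alerts, max_priority):
    """Keep alerts whose priority number is at most max_priority (Snort: 1 is most severe)."""
    return [a for a in alerts if a["prio"] <= max_priority]

def summarize(alerts):
    """Collapse alerts with the same signature into one row with a count, as Sguil does."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def per_window(alerts, window=300):
    """Alert count per window (default 5 min), keyed by window start in seconds of day."""
    return dict(Counter((a["sec_of_day"] // window) * window for a in alerts))
```

Dividing a per_window count by 300 gives the per-second average that Figure 9(c) plots, so the paper's peak of 0.93 alerts/sec corresponds to a window count of roughly 280.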


Overall configuration

Figure 5 shows the placement of the Security Onion installed this time and the overall configuration. Two network interfaces were provided on the Security Onion server: one to connect to the campus network, the other to monitor the huge volume of traffic, and the latter was set to operate in promiscuous mode. Having a port dedicated to packet monitoring separates the monitored traffic from ordinary communication with the server, which reduces loss of monitored packets.

Examples of anomaly detection

Here we show concrete examples of offending packets detected by Security Onion and of visualized logs. Figure 6 is a screenshot of Squert, a tool used for data analysis. Based on the information Snort judged to be offending packets, a graph is drawn with time on the horizontal axis and number of occurrences on the vertical axis, so that changes in offending packets over time can be checked. In the lower part of the figure the observed offending packets are classified and displayed by type, which gives the total number and the trends of offending packets at a glance.

Figure 7 shows a screenshot of Kibana, a packet visualization tool. The figure plots the DNS queries of one weekday, with time on the horizontal axis and the number of queries on the vertical axis. The count rises from about 8:30 a.m., the start of working hours, and falls gradually after 5 p.m. When an anomaly occurs it often produces a change in DNS queries, so it is good to observe the normal DNS query pattern day to day like this.

Figure 6: Classification and time distribution of detection results in Squert

Figure 5: Placement of Security Onion and overall configuration (diagram labels: Proxy server / GW, FireWall, Internet, campus LAN, Snort, promiscuous mode, SW, Security Onion, port mirroring)

Figure 4: CPU usage per core and per process


Figure 8 shows a screenshot of Sguil, the other main analysis tool of Security Onion. For security reasons part of the figure has been masked. This tool can instantly re-sort the offending packets observed by Snort by time, by IP address and so on, according to purpose. Similar offending packets are also collapsed into a single line with a count, which gives a very good overall view. Right-clicking an offending packet lets one look up the IP address on VirusTotal (10) or with whois, or launch Wireshark, the standard packet analysis tool, for seamless detailed analysis.

After using Sguil for five months, we found that at the Yatsushiro Campus an average of several to about 10 offending packets are detected per day. Most of these are connections from the student VLAN. They range widely, from communication with advertising sites or blacklisted IP addresses to downloads of PDF files exploiting security vulnerabilities, but detailed investigation showed that the great majority were already covered by countermeasures, such as anti-malware pattern files or application update patches having been provided.

So far there have been 5 cases in which a device brought onto campus by a student was infected with adware or was communicating with an IP address registered on a blacklist. None of them led to an incident such as malware spreading within the campus or an information leak. As the response after discovery, we were able to identify the student by cross-checking the IP address information of the offending packets against campus Wi-Fi usage records and IP address allocation records, so we alerted the student and asked for anti-malware measures and a full HDD scan. With some students we also held an interview of about one hour to confirm the details.

Survey of operating status

Figure 9 shows the results of a survey of Security Onion's operating status. Security Onion writes a log entry every 5 minutes, and every vertical axis in the graphs is shown as a 5-minute average. The number of packets passing through in Figure 9(a) is 5-20 [kPackets/sec], showing that many packets are being processed. The CPU usage survey in Figure 9(b) shows around 20-40%, and the CPU did not reach 100% in any time period.

On the other hand, the number of offending-packet alerts in Figure 9(c) needs care. The graph's maximum of 0.93 [alerts/sec] is expressed as a 5-minute average, that is, the number of offending-packet alerts that occurred in 5 minutes divided by 300 seconds and shown as a per-second count. Multiplying the graph value by 300 therefore gives the actual number of alerts per 5 minutes, which shows that at the peak roughly 280 alerts per 5 minutes were being reported. Incidentally, this maximum alert count was related to DNS lookups of top-level domains (TLDs). Many other offending-packet alerts are raised as well.

Figure 10 shows the number of packets processed per day on Thursday, 8 August 2019. On that day normal classes (return of examinations and the like) were held at our school. The figure shows the approximate daily pattern of processed packets: a sharp rise at the start of the working day and a gradual decrease after it ends.

5. Conclusion

This time we introduced Snort and Security Onion. Although the cost of introduction is not especially high, we found that the cost after introduction is very high: investigating a single offending packet alone takes a great deal of time. As the investigation of offending packets progressed, it became clear that most offending packets are false positives. At first we followed up every offending packet, but because this wasted a very large amount of time, measures such as not investigating offending packets that closely resemble ones investigated earlier are also necessary, and a certain amount of experience is required. In the future, an overall review of the Snort rules to reduce false positives will also be needed.

Figure 8: Classification and visualization of detection results in Sguil

Figure 7: Classification and change over time of DNS packets in Kibana


On the other hand, the false positives include encrypted communication such as SSL, and some appear to be cases where a random encrypted packet coincidentally matched an offending-packet pattern. In the environment of a Proxy server carrying 2 TB of traffic per day, such coincidences occur in large numbers, and there is no fundamental solution that reduces these false positives.

A matter for future consideration is tracking encrypted packets. At present, encrypted communication such as SSL accounts for 50% of all packets at the Yatsushiro Campus Proxy server. The Security Onion currently deployed has no means of inspecting inside encrypted communication, so by simple calculation half of the offending packets are being overlooked. The share of encrypted communication is expected to grow further, so a new mechanism that turns encrypted packets into plaintext packets, such as SSL inspection, will be needed. Realizing this raises not only technical issues but also ethical ones. For example, everything, including the accounts and passwords of sites that require login, would be restored to plaintext on Security Onion, which is no different from eavesdropping on passwords. Implementation would require campus-wide consensus, which we consider very difficult to obtain.

Finally, we are keenly aware that Security Onion has many functions and that further familiarity and experience are needed to master it. We intend to hold study sessions and the like among faculty and staff involved in security.

(Received September 25, 2019)
(Accepted December 5, 2019)

References

(1) Cisco: Snort - Network Intrusion Detection & Prevention System, https://snort.org/, 2019/9/21

(2) Security Onion Solutions: Security Onion, https://securityonion.net/, 2019/9/21

(3) OISF: Suricata, Open Source IDS / IPS / NSM engine, https://suricata-ids.org/, 2019/9/21

(4) Elastic: Real-time search and analysis with the open source Elastic Stack (Elasticsearch, Kibana, Beats, Logstash), https://www.elastic.co/jp/, 2019/9/21

(5) Squert Project: The squert project, http://www.squertproject.org/, 2019/9/21

(6) Bro Project: The Zeek Network Security Monitor, https://www.zeek.org/, 2019/9/21

(7) Wireshark Foundation: Wireshark - Go Deep, https://www.wireshark.org/, 2019/9/21

(8) The netsniff-ng Project: netsniff-ng toolkit, http://netsniff-ng.org/, 2019/9/21

(9) Docker Inc.: Enterprise Container Platform | Docker, https://www.docker.com/, 2019/9/21

(10) VirusTotal Community: VirusTotal, https://www.virustotal.com/, 2019/9/21

Figure 10: Change in the number of packets processed per day

Figure 9: Survey of Security Onion's operating status: (a) packets processed over 5 months (5-minute averages); (b) CPU usage over 5 months (5-minute averages); (c) offending-packet alert count over 5 months (5-minute averages)
