Hello everyone, welcome back to the Blue Team training series brought to you by Linode and HackerSploit. In this video we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk, and you might be asking yourself, well, how are we going to do this, what setup are we using? Well, the scenario that I've set up for this video is we're essentially going to take all the knowledge that we've learned during the Snort video and we are going to forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with the Splunk Snort app to visualize and identify or monitor network intrusions and any malicious network traffic within the network that I'm monitoring.
At a very high level, what will we be covering? Well, firstly we'll get an introduction to Splunk. Now before we move any further, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, generally speaking, because Splunk is not really a tool that is specific to security; for example, that's why they have the Splunk Enterprise Security version or edition. I'm just going to assume that you know how to use Splunk at a very basic level.

So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to monitor the intrusion detection logs generated by Snort. We'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing and configuring it, so that will set it up for us. We'll then take a look at how to configure Splunk and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk, and then of course we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry, it'll make sense in a couple of minutes.

With that being said, given the fact that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it will help you set up Snort and you can then run through this demo. With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security; we are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring.

So the prerequisites are the same as the previous videos. The only difference is that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that will help you get started.
All right, so let's get an introduction to Splunk. So what is Splunk? That's the main question if you've never heard of Splunk. Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems, or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0, or the interconnected world we live in today, and we're going to be looking at it from the perspective of security.

So if we take a simple system, let's say we have a system running Windows. Well, that Windows system produces a lot of data or logs that contain information that at first glance might not seem that important, but once you start getting into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization; they have a thousand computers within their network, or distributed worldwide, and all of these systems need to be secured, their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. Splunk allows you to funnel all of this data produced by systems or machines into Splunk, and then Splunk allows you to monitor, search and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk you'll need to import your own data or logs; alternatively you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now Splunk does so much more that I really can't go over all of the features here, but as I said, we're looking at this from the lens of a security engineer.

All right, so Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results and visualize the answers in the form of a report, chart, graph, etc. All right, so what I'm saying here is that Splunk allows you to take all of these security-related logs and data and make sense of them and get the answers that you're looking for. So for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level you want to know whether something is going wrong, and what could go wrong in the context of security: a network could be compromised, there could be some malicious network traffic or activity going on, a system could be compromised, etc. You get the idea. So we need that data to be displayed to us as security engineers, and Splunk is really one of the best tools when it comes down to taking a lot of data and then identifying the data that interests you, transforming that data into results and then visualizing that data in the form of a report, chart or graph. So that's really what we're going to be doing, and as I said, going back to the scenario, we're going to be focusing on how to forward the logs and alerts created by Snort into Splunk for analysis, and luckily for us Splunk has a Snort app, or plugin if you will, that will simplify this process.
So let's get an idea as to how we can use Splunk for security event monitoring. Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks, threats or intrusions. So Splunk ES can be used for security event monitoring, incident response and running a SOC, or security operations center.

In this video we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and this is really cool, is it automatically forwards the latest logs even while Snort is running; it forwards those alerts and logs into Splunk and you can see them in real time, which is absolutely fantastic.

So as I said, if you're new to Splunk then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners; you can check that out by clicking on the link within this slide, and you can learn more about the Splunk Enterprise Security edition from that particular link.
Now as I said, we're going to be deploying Splunk on Linode, more specifically Splunk ES, and this is the lab environment. So we're going to spin up Splunk ES on Linode. Now again, to follow through with this, Linode has been absolutely fantastic by providing all of you guys with a way to get a hundred dollars in free Linode credit. All you need to do is just click the link in the description section and sign up, and a hundred dollars will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode, and then within my internal network we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort; this is the same virtual machine that we had set up and used to set up Snort and Suricata, and the one we had used with Wazuh. And yeah, that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will run a couple of commands or scripts to emulate malicious network activity so that this traffic is logged, and that will provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of our network intrusions.

So as I said, you don't really need to have a Windows workstation; you simply need to have the Ubuntu VM and you can pretty much run everything from it, and of course you can set up the Splunk Enterprise Security server on Linode without any issues. So that's the lab environment. We can now get started with the practical demonstration, so I'm going to switch over to my Ubuntu virtual machine.

All right, so I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet because we're going to be walking through the process together.
I then have the splunk.com website here. So if you're new to Splunk then you need to create a new account in order to follow along, so just head over to splunk.com and register for an account; it's free. Once that is done you'll need to activate your account, or verify your account, through the verification email they'll send you. Once that is done we can then move forward, because in order to access the actual Splunk Universal Forwarder you'll need to have an account. And of course, in this case I'll be going through everything as we move along in a structured manner.

And then to perform the actual NIDS tests we are going to be using the testmynids.org project, which is on GitHub. This is essentially a bash script that allows you to, as you can see here, emulate or simulate malicious network traffic. So previously we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion, and we can run a few other checks like an HTTP basic authentication, bad certificate authorities, an EXE or DLL download over HTTP. So we can run tests that will just make our intrusion detection system blow up in terms of alerts, and that's what we want, because we want to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step of course is to set up Splunk ES on Linode. So
just click on Create, then Linode, and click on Marketplace, and they already have Splunk here, so there we are; you can click on that there, and if you click on this little info button here it'll give you an idea as to how to deploy it on Linode, and of course you have more information regarding Splunk; you have the documentation link there. So I'll just click on Splunk. Once that is clicked we can then head over here. You'll need to specify the Splunk admin user (I recommend using admin to begin with) and then specify a password. If you're setting up Splunk on a domain then you can specify the Linode API token to create the DNS records, that's if you're using the Linode DNS service. And then of course you need to add the admin email for the server, so in this case I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user: this is the username for the Linode admin's SSH user, "please ensure that the username does not contain any", so we can just call this admin, and then for the admin user we'll just provide that there.

So for the image, we're going to set it up on Ubuntu 20.04. The region, I'll say London because that's closest to me. As for the actual Linode plan, Splunk ES doesn't require that many resources, especially because the amount of data that we're processing, the logs that are being forwarded to Splunk, are relatively few, so less than 100, which if you've used Splunk before for security event monitoring, you know that that is really, really small. In fact, Splunk will actually tell you that the amount of data that you have imported or forwarded to begin with is too little to make any sense of, but that's where the Snort app for Splunk comes into play. So I'll just say splunk, and I'll provide my root password for the server, and we can click on Create.
All right, now once this is set up and provisioned, the actual installer is going to begin, because there is an auto-installer setup that will set up Splunk ES for you. So let it provision. After that's done you can launch the Lish console to avoid logging in via SSH. And of course one thing that I don't need to tell you is, if you're setting this up for production then you need to make sure you're securing your server, so do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linode, the Linux Server Security series; that'll give you all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background, and we can then officially get started with how to set up Splunk. We then need to set up the Universal Forwarder. So this is booting now.

All right, so the server is booted and you can see I've just opened up the Lish console here to view what's going on. As you can see, it's begun setting up Splunk ES, so just give this a couple of minutes to begin, and once it's done it'll provide you with the login prompt, but it's probably logged in as the root user already. So just let this complete; I'm just going to wait for this to conclude.
All right, so once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete", and you can then log in. Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules, because by default this Linode comes with UFW, which is the Uncomplicated Firewall for Debian, or it typically comes pre-packaged with Debian-based distributions like Ubuntu. In this case it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. I'm just going to log in with the credentials that I specified as the root user, and I can just say sudo ufw status, and you can see these are all the allowed rules, or the actual rules configured for the firewall, which is looking good so far.

So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you, so just give this a couple of seconds. There we are, and the credentials that we had used were admin and the password that I created, which of course you'll be able to specify yourself. So just sign in, and once that is done you'll be brought to Splunk Enterprise Security here. So there we are, "Explore Splunk Enterprise". In this case, what we're going to start off with is we need to go through a few configuration changes with Splunk itself.
So the idea firstly is to configure the receiving of data. If you head over into Settings, under Data just click on Forwarding and Receiving, and once that is loaded up, under Receive Data we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port. So we can say New Receiving Port, and the port is of course going to be the default, which is 9997, which is why that firewall rule was added. So I'll click on Save.
All right, so once that is done we can now install the Snort app for Splunk. Click on Apps and head over into Find More Apps, and because the Ubuntu VM that I'm currently working on is running Snort 2, we'll need the appropriate app here. So I'll just search for Snort there, and we're not looking for the Snort 3 JSON alerts, although that could be quite useful, but we want the Snort Alert for Splunk. All right, so this app provides field extraction, so that's really great, because performing your own field extractions using regex can be quite difficult if you're a beginner, for fast and full, as well as dashboards, saved searches, reports, event types, tags and event search interfaces. So we'll install that. Now you'll need to log in with your Splunk account credentials that you actually created on splunk.com, so I'll just fill in my information really quickly.

All right, so I've put in my username and password, so I'll accept the terms and conditions there, so Login and Install. That's going to install it. There we are, so we'll just hit Done. Now that that is done, if we head back over into our dashboard, so I'll just click on Splunk Enterprise there, you can now see we have Snort Alert for Splunk, so that's it; it already comes pre-configured with a dashboard. So we'll just let this load up here, and you can see that we don't have any data yet. This will display your events and sources, top source countries, the events (this is very important), the sources, top 10 classifications, so that will classify your alerts in terms of the type, which again will make sense in a couple of seconds. So now that that is done we actually need to configure
the actual Splunk Universal Forwarder, so I'll just open that up in a new tab. It's absolutely free to download the Splunk Universal Forwarder Debian package. So Universal Forwarders "provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data." So again, you can actually see why Splunk is so powerful and why it's widely used and deployed, because of the fact that you can literally forward a ton of data from a ton of systems into Splunk. So because Snort is running on this Ubuntu VM we need the Debian package, so I'll click on Linux and we want the 64-bit version. Again, you can choose one based on your requirements, so if you're running on Red Hat, Fedora or CentOS you can use the RPM package. So I'll just download the Debian package here. Give that a couple of seconds; it's then going to begin downloading it, and then I'll walk you through the setup process. So there we are, it's begun the setup, and once that is done I'll open up my terminal. That's saved in the Downloads directory, so if we head over into the Downloads directory you can see we have the Splunk Forwarder Debian package there.

So what we want to do firstly is we want to move this package into the actual /opt directory on Linux, which will allow us to set it up as optional software, and it's really good to have all that optional software stored in the /opt directory. So once that's downloaded we can say mv splunkforwarder into /opt, and we'll need sudo privileges, so I'll say sudo mv. There we are, and I'll just type in my password. Fantastic. So we'll now navigate to the /opt directory, and to install this we can say sudo apt install and then we specify the package itself, so splunkforwarder, and we're just going to hit enter. That's going to install it for you; give that a couple of seconds.
All right, so once that is installed, if you list out the contents of this directory you're going to have a splunkforwarder directory here, so I'll say cd splunkforwarder, and under the bin directory (we can navigate to that here) we'll need to start Splunk. So we will say sudo, and the binary we want to run is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it, so we need to create a username and password, and once that is done you'll actually see what that looks like. So I'll just say accept the license, and you can see in this case, let's see if I typed that in correctly, that should actually start. So splunk start; I did not specify start there. There we are, so "please enter an administrator name". I'll just say admin. So again, "Splunk software must create an administrator account during startup, otherwise you cannot log in, so create credentials for the administrator account." So in this case you can create whatever you want; I'm just going to fill in my credentials here.

All right, so I've just entered my administrator username and then of course my password, so that is done. So it'll go through and check the prerequisites: "new certs have been generated in the following directory", and all the preliminary checks have passed, so "starting the Splunk server daemon". So that's started. You can also enable it to run on system startup, so if I say, for example, sudo systemctl status splunk... let me type that in correctly here, so sudo systemctl, and we can say splunkd, sorry, so we can say splunk. I'm not really sure why that's not loading here, but I do know that the daemon is running and there should be an init daemon for that, but in any case you can always start it that way.
Once that is done we will need to add our forward server, so we need to add the address of the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second, but let's do that first. So again we're going to use the splunk binary and we're going to say forward-server, and we'll just copy the IP address of your Splunk server here, so there we are, and I'll paste that in there, and then you need to type in the port, so 9997; that's the port to connect to. Hit enter. So splunk forward-server... yeah, we need to add it; I keep forgetting the preliminary command, so add forward-server. "Splunk username": so in this case let me just put in my credentials here. All right, and it's going to then add the forwarding to that particular address.

All right, now that that is done, we actually need to configure a particular file, and that is going to be outputs.conf. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So if we head over into the following directory, so I'll just take a step back, we're still in the splunkforwarder directory, we'll head over into the etc directory, and under system we have a file under local; I think it is called outputs. So I'm going to say sudo vim outputs.conf, and really the only thing that is required here is, of course, just leave the default configuration as is. The default group is fine, so tcpout, default-autolb-group, that's fine. So make sure that the server option here is configured, that's the most important, and the tcpout-server address is also configured in this format, so we don't need to make any changes there. So I'll just say quit and exit.
Once that is done we also need to check the actual inputs configuration file, but before we do that, let's take a look. So if you revisit the Snort video, you know that all the logs are stored under /var/log/snort, right? So we have the alert log, and we also have, again based on the type of alerts you want generated... so if I say man snort here, you can see that we have the alert mode, so you can use the fast mode or the full mode. In this case I'll be using the fast mode, and I'll give you a description of what's going on here. So full "writes the alert to the alert file with the full decoded header as well as the alert message", which might be important, so we can also do that as well. So this was from the previous Snort video, where we had essentially run Snort and where we were identifying various alerts. So what we can do is, again, we will go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we have alert.1; ideally we would only want to forward this file into Splunk.

So in order to do this, what I'm going to do now is I'm just going to run Snort really quickly. So I'm going to say sudo snort -q for quiet, and then the actual directory for the logs is -l /var/log/snort, and then we can say the interface is -i enp0s3. Again, make sure to replace that with your own interface. The alert, we can say -A full, and the configuration is -c /etc/snort/snort.conf. I believe we had another configuration file... yeah, we had used the snort.conf file, so I'll hit enter. And now let me open up my file explorer here; we take a look at the /var directory, under log and under snort, we have alert, there we are, so that has been modified. The last modified was right over there, okay, so that's 19, yeah, so this is the last modified. So I know this file is not human readable; we are not going to be forwarding this .log file, so I'll just close that there.
So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. So I'll just perform a ping really quickly. Again, the alerts will not be logged on our terminal because they're being logged into the respective alert log file. So I'll just perform a few pings, as I was saying, which I'm doing right now on the attacker system. Once that is done, let's see whether those changes are being highlighted in alert. Indeed they are. Okay, so now, as you can see here, this is the full... so to begin with we had used the fast alert output mode, and right over here we then have the full alert mode, which I'm not really sure how we want to go about doing this, but you can see we can actually make a few changes. What we can do is we can get rid of this traffic here, but you can see the messages actually being logged. So we can get rid of this here, because we don't want to mix the alerts that were output in the fast mode with the full mode. So we can just get rid of that there and save that.

So once that is done, I'll just say... we actually need permissions to modify that file. But what I am going to do actually is close without saving; I'm just going to stop Snort there, and I'm just going to say sudo rm /var/log/snort/alert, and we're also going to remove alert.1. All right, so I'm just going to run this again just to see if that file is generated. So there we are, we have alert there, so now it's much cleaner. So I'll just run a few pings just to make sure that the traffic is being logged, all those alerts are being logged. So there we are, we have a few pings there, and we can also just run a few checks there. Okay, so there we are, we can see that those are now being logged, and of course you can change the format based on your requirements. So now that that is done, what we can do is we can close that up and we can actually leave Snort running as is.
So what I'll do is I'm just going to open up another tab, so I can say Ctrl+Shift+D, there we are, and we're currently within the following directory, so /opt/splunkforwarder/etc/system/local. So once that is done we now need to add the files that we would like to monitor, or that we would like to forward, so the log files. I'll go back into the bin directory, so cd bin, because that's where we have the splunk binary. So I'll say sudo splunk, and we can say add monitor, and the file that we want to forward is under /var/log/snort and it is just alert. So that's really all that we want to do, and we can also utilize the fast alerts, but let's just do this for now, and we only want the alerts; we don't want the actual log files that contain the packets themselves. So I'll hit enter. All right, so it's now going to forward those alerts into Splunk, which pretty much means that on our end we are done. However, we still need to check one more configuration file, so I'll just take a step back here and we'll head over into the etc directory, under apps, then search, and then into local. I think we'll need root permissions to access this, so I'll just switch to the root user and head over into local, and we're looking for the inputs.conf file.
All right, so we need to actually configure this, because this is very important. So the first thing we want to do is let us add a new line here, and within the square brackets I'll just say splunktcp, and we then want to specify the port, so 9997. Let me make sure I type that in correctly. We then need to actually put in the connection host, so connection_host is going to be equal to the IP address of the Splunk server, so I'll just copy that there and paste that in there. Once that is done, this is fine here, disabled is set to false; we want index is going to be equal to main, and then the sourcetype is going to be equal to snort_alert_full, and we can then say the source is equal to snort. All right, so this is a very important configuration, so let me just go through those options or configurations again. We have the splunktcp option, we then have the actual connection host, the monitor is set correctly to that file, it's enabled, index equals main, sourcetype equals snort_alert_full, source is equal to snort. Fantastic, so we'll write and quit.

Once this is done we'll need to restart Splunk, so I'll switch back to my user, alexis, here, and we'll navigate back to the bin directory, so I'll say cd bin, and we'll say sudo splunk restart. All right, hit enter. It's going to stop the Splunk daemon, shutting it down, restart it, and it's done successfully, so all the checks were completed without any issue. All right, so
All right, so now that this is done we can actually go back into Splunk here and we'll navigate to the dashboard. This is your Splunk server, right, and let's take a look at the messages here. That's just a few updates; we don't need to do anything there. So if we click on Search and Reporting, just to verify that that data has indeed been forwarded (I'll just skip through this), if we click on Data Summary, under Sources you should see that we have the host, and in my case the name of the system is black box, so that should be reflected there. So there we are, black box, we have 42 logs or alerts, if you will, sources 42. We can click on that there to just see the data that has been logged, and indeed we can see that it has been done correctly, so the sourcetype is alert, and we can see that it's imported pretty much all the data. This is the full log, whereby we have the reference to that there. That's weird, I didn't actually run anything weird, but there you go.
So now that this is done you can use Splunk to essentially visualize this data however you want. So I can go into Visualization, and we can select a few fields. So if I go back into the events here, I can select a few fields that I want displayed here, and I can essentially extract the fields that I want with regex. But I don't think this is necessary at this point, because if we actually go back to the dashboard and we click on, let's see, Snort Alert for Splunk, let's see whether this automates that process for us. There we are, actually it looks like it does, so: classification, bad traffic. So it looks like that is working.
So what we can do now is run a few checks. We can actually utilize this script here, the testmynids script. So all you need to do to run it is just copy this one-liner here, this command, which will download it into your tmp directory and will then execute it. So to execute it within your tmp directory you can just execute the actual binary there; it is a binary, not a script. And once that is done you can then select the option here. So let me just do that on my attacker system. I'm just going to run it one more time, so I'm just going to say ls here, and if I open up the documentation, firstly I will run a quick Linux UID check, so I'll just hit enter. Okay, that is done. I'll then perform an HTTP basic authentication and a malware user agent, so I'm doing that right now. Okay, and we can run one more here, so let's see, we can try EXE or DLL download over HTTP; that is surely going to be logged, or that's going to trigger an alert. So, do we have... that is running, all right, so Snort is running, that's great, so we know that the actual alerts are being forwarded. Absolutely fantastic. So let's go back in here; I've already run those particular checks, so let me just refresh this. I know it usually takes a couple of seconds to a couple of minutes, but that data should actually be reflected. There we are, fantastic.
So firstly I'll just explain the dashboard here, because this dashboard is automatically set up for you by the Snort app, which is really awesome; as I said, you don't need to go through that process yourself. So the first graph here essentially tells you your events, and it also displays the total number of sources, so you can see that there. You also have the time, and you have your events and then the timeline here, and you can essentially view a trend, or the trend of events, there. You then have the top source countries right over here, and if I just run another check really quickly here through the testmynids website, so let me just run the curl command, you should actually see that, because we are reaching out to an external server, a connection made to an external server, it should reflect that info under the top countries, the top source countries. We then have the events here, which you can click on, and then of course you have the sources. So these are the Snort event types, and these are actually the classifications, so we can see Potentially Bad Traffic, Attempted Information Leak, and you can just refresh your dashboard to get the latest. So we'll give that a couple of seconds, and you can also specify the actual interval period.
So I'll just wait for this; let's see if it's actually being logged, or whether we can see all of that. So I'll just go back into the dashboard here and we'll go into Search and Reporting, and if we click on the actual Data Summary and the Sources, we can see we have snort there and then /var/log/snort/alert, so we click on snort there. Okay, so this is bad traffic. That's really weird, because the source is not... we had added two sources there. So, Data Summary, let me just click on that there, and if we click on these sources there, this is the one that we want, ideally. Yeah, so that looks like the correct one there. Yeah, that's the correct traffic. I think that's why the actual... let me see if I can find... so Snort Alert for Splunk, let me click on the app there, show filters. It should be displaying much more than that, because I know there are not just four. So if we actually head over into the Snort event search here, we can actually search for... we can utilize... yeah, so this is only monitoring the pings. So that's weird, I'm not really sure why we have two data sources. I think it's to do with the fact that we had... so let me just go back here: apps, search, sudo root, let me just check that here, so cd local, vim inputs.conf. So there we are, so the source is snort; we already specified the source as snort there, but it's adding this particular alert as a source as well, and then the sourcetype is snort_alert_full, index main. Yeah, that should be working without any issues. I'm not really sure why that is the case, but we can actually customize what data set we want to use, so let me actually showcase how to do that right now.
So, apologies about that. I actually figured out what the issue was: it was because the system I was running these particular attacks from wasn't even connected to the local network, and even though I was running these attacks, I did realize that of course they weren't working. So I've just reconnected it, and what I'm going to do is run this one more time. So just give me a second here and I'll be able to do that one more time. Let me just navigate to that particular directory, and we'll actually see whether this will work. So you can actually see there's much more that's been captured in regards to events, and I'll be explaining this dashboard in a couple of seconds. So let me just launch that first attack there, let me just launch that first type of check, and of course I'm using testmynids here. Unfortunately that wasn't even being logged, which is why I was a bit confused as to why those logs were not being displayed here. So I'll give that a couple of seconds and we'll be able to see this happen in real time as well.
All right, so that is done. I've essentially launched a couple of those tests, and as I said, this is your default dashboard that you're provided with here. So you can actually refresh all of these panels, if you will, so that'll display the latest, and as I said here, because I'd performed the actual check and then connected to an external server, you can see that the top source countries are highlighted there. You can also refresh the number of events, as you can see here, and the number of sources. You can also do that for the rest of the panels, so these are the top 10 classifications in terms of events, if you will, and then the Snort event types, as you can see here. So for example in this case we have the attack response id check, which if we click on, right over here, you can see that it actually displays that, and you can then click on the signature itself. And this is for statistics. Now if you click on the Snort event search tab right over here, you can see that this allows you to search based on the source IP, the source port, the destination IP, destination port and the event type. So I can check for attack responses based on the rule set that we had used previously, and I can also specify the timing, so that's really fantastic there. So you can see that right over here we have that logged, which is fantastic, and if we click on the Snort world map, that'll essentially, as you'll see in a couple of seconds, display the countries by the source IPs. In this case it should display the United States, which makes sense, and there we are. So again, this is extremely helpful, especially if you work in a SOC, and as I said, there are multiple security tools you can integrate with Splunk.
Now one thing that I wanted to highlight is, if you click on Edit... I'll just go back to the event summary here, because this is very important: you can set this as your main dashboard. So if you right-click here you can set this as your home dashboard, so I'll just click on that there, and now you'll see on your dashboard here, if I just close that top menu, that will actually be displayed there, so give it a couple of seconds. And of course you can click on the cog wheel here and essentially display whatever you want; you can specify your default dashboard. Now there are a couple of other ones that are created by default, but yeah, you can have that on your dashboard. And if you actually click on the Snort Alert for Splunk app here, and we'll just go back into that Snort event summary tab, you can actually edit the way these particular panels are tiled. So you can convert it to a pre-built panel, you can get rid of it, you can also move them around based on your own requirements, and in this case, let's see if I can show you, you can actually select the visualization. In this case I think the default one is fine, and you can then view the report here. So if we click on this one here, for example, we could actually use the bar graph to display the number of the actual... the top source countries, and have them displayed in a bar graph style, but we can just take it back into the pie chart there, and you can also change this for the events as well. So if we wanted to view a trend we can click on the bar graph there; in this case I don't think that's formatted correctly, so if we just use the default one, which I believe was... I think it was... no, that wasn't the one, I believe it was, let's see if I can identify it here, it was the number. There we are, so 26. So as I said, you can customize this based on your own requirements. So for example, this one might do well if it was in the form of a bar graph, so you can utilize that if you feel that that is appropriate. In this case we can also specify the actual... we can actually list the events themselves. Let's see which other ones look really good here. And yeah, once you're done with the customization you can then cancel or save based on your requirements, and you can also filter on this particular tab here through the source IP, destination IP, etc.
Let's see, what else did I want to highlight? Let me just refresh this once more, to essentially get the latest data. And you can see, in terms of the panels, this will display the last 100 attempts, and you can go through them like so. You can also view... I think we've gone through all of them, but you have the persistent sources, so two or more days of activity in the last 30 days, so you actually need a lot of data for that to be displayed or to give you anything useful. Yeah, so that is what I wanted to highlight in regards to the Snort Alert for Splunk app and the actual dashboards, which, as I said, it already does for you.
Now you can create your own dashboard, as I said, if I go back into Apps and Search and Reporting, based on your own sources. So I'll just click on Data Summary there, and if I click on Sources, you can click on this source here, for example, and in this case we can actually just click on that there, and I can click on Extract Fields, and you can extract the fields with regex. So I'll click on Next there, and you can then select the fields that you want. So for example, in this case we would want the date and time, so I can just highlight that there, so I can say "time", for example, and add the extraction. And then of course we have the source IP and the port, but I'll just highlight them together... but I think it's actually recommended just to highlight the source IP there. So for source we can say src_ip, add that extraction, and we then have the destination IP, which in this case, because this is an SNMP broadcast request, we know that that's the destination IP, so I'll say dst_ip, add the extraction. Let's see what else we can do. In this case it's saying: the field you're extracting... if you're extracting multiple fields, try removing one or more fields; start with the extractions that are embedded within longer strings. Okay, so let's try and use another alert here. That was kind of interesting. Let's see, it's not displaying all of them here, but you get the idea. Once you're done, for example, I can remove that field here, I'm just giving you an example of that, so remove that field. There we are. I can then say Next, and I can click on Validate and Save based on those fields there, hit Finish.
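The regex field extraction just shown, and the dashboard panels described earlier (top classifications, Snort event types, the event search tab's filters on source and destination IP and port, and the source-IP ranking behind the world map), are the same operation: pull fields out of Snort's full alert format and aggregate them. The block below is an added example written for this page, not code from the video or from the Snort Alert for Splunk app. It parses the multi-line records that /var/log/snort/alert contains and builds those summaries over a constructed sample: the SIDs are in the local 1000000+ range rather than real rule IDs, the addresses are documentation ranges, and the messages only echo the testmynids checks run in the video.

```python
"""Parse Snort 'full' alert output and build the summaries the Snort app charts.

Example code added to this page (not from the video or from the Snort Alert for
Splunk app). SAMPLE_ALERTS is constructed: local-range SIDs, documentation
addresses, and messages that mirror the testmynids checks run in the video.
"""
import re
from collections import Counter

# Line shapes in the full alert format, one record per blank-line-separated block.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]")
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "   # ports are absent for ICMP
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\b")

SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/12-14:23:01.123456 203.0.113.5:80 -> 192.0.2.10:48234
TCP TTL:54 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7A3F1A2B  Ack: 0x1B2C3D4E  Win: 0x7D  TcpLen: 20

[**] [1:1000002:1] LOCAL USER_AGENTS Suspicious User-Agent [**]
[Classification: A Network Trojan was detected] [Priority: 1]
05/12-14:23:05.000100 192.0.2.10:48235 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:31337 IpLen:20 DgmLen:260 DF
***AP*** Seq: 0x0000A1B2  Ack: 0x0000C3D4  Win: 0x1F5  TcpLen: 32

[**] [1:1000003:1] LOCAL POLICY HTTP Basic Authorization header seen [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/12-14:23:09.000200 192.0.2.10:48236 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:31338 IpLen:20 DgmLen:300 DF
***AP*** Seq: 0x0000A1B3  Ack: 0x0000C3D5  Win: 0x1F5  TcpLen: 32

[**] [1:1000004:1] LOCAL POLICY PE EXE or DLL download over HTTP [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/12-14:23:14.000300 203.0.113.5:80 -> 192.0.2.10:48237
TCP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7A3F1B00  Ack: 0x1B2C3E00  Win: 0x7D  TcpLen: 20

[**] [1:1000005:1] LOCAL ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/12-14:20:00.000001 192.0.2.77 -> 192.0.2.10
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO
"""


def parse_alert_file(text):
    """Return one dict per alert; unparseable or truncated records are skipped."""
    events = []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        event = {}
        for line in record.splitlines():
            line = line.strip()
            for regex in (HEADER_RE, CLASS_RE, FLOW_RE, PROTO_RE):
                match = regex.match(line)
                if match:
                    event.update({k: v for k, v in match.groupdict().items() if v is not None})
                    break
        if "sid" in event and "src_ip" in event:
            event.setdefault("classification", "unclassified")
            event["priority"] = int(event.get("priority", 0))
            events.append(event)
    return events


def top_classifications(events, n=10):
    """The dashboard's 'top 10 classifications' panel."""
    return Counter(e["classification"] for e in events).most_common(n)


def top_sources(events, n=10):
    """Source-IP ranking; the app resolves these to countries for its world map."""
    return Counter(e["src_ip"] for e in events).most_common(n)


def event_types(events):
    """Rule messages with counts, like the 'Snort event types' panel."""
    return Counter(e["msg"] for e in events).most_common()


def search(events, **criteria):
    """Mirror of the Snort event search tab: filter on src_ip, dst_port, msg, ..."""
    return [e for e in events if all(str(e.get(k)) == str(v) for k, v in criteria.items())]


if __name__ == "__main__":
    evts = parse_alert_file(SAMPLE_ALERTS)
    print("classifications:", top_classifications(evts))
    print("sources:", top_sources(evts))
    print("event types:", event_types(evts))
    print("to port 80 from 192.0.2.10:", [e["msg"] for e in search(evts, src_ip="192.0.2.10", dst_port="80")])
```

Point `parse_alert_file` at the real file (`open("/var/log/snort/alert").read()`) to compare its counts with what the dashboard shows; a gap between the two is the quickest sign that the forwarder is reading the wrong file or tagging it with the wrong sourcetype.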
And then I can go back to Search and Reporting, and if I wanted to create a very simple visualization, which I'll show you right now, even though I don't really need those extracted fields, although they might be useful, I can click on those extracted fields. Now I believe they should have been added; I'm not really sure why they aren't being highlighted here. There we are, so source IP, we can also specify the source port, there they are; they took a while to be displayed there. So, source port, why not. Yeah, I think that's pretty much it. So based on those we can actually build an event type; however, if we go to Visualization and click on Pivot here, selected fields is five, hit OK, we can actually visualize this however we want. So for example, if I wanted a column chart here, number one will display the count; I can just add the events, because that's the count, and we should have at the bottom the time, which I did specify, I believe, within that range there, but that's not being highlighted here. So the number of events, and you can go ahead and essentially save it. So you get the idea; you don't really need to do this because we have the Snort app here, which pretty much gives you the summaries that are useful to you. And there we are, so, fantastic. So that's going to conclude the practical demonstration side of this video.
So thank you very much for watching this video. If you have any questions or suggestions, leave them in the comments section. If you want to reach out to me you can do so via Twitter or the Discord server; the links to both of those are in the description section. Furthermore, we are now moving on to part two, so this will conclude part one. Part two will be available on the Linode ON24 platform, so the videos are available on demand. All you need to do is click the link in the description, register for part two, after which an email will be sent to you and you'll be given immediate access to the videos within part two. So thank you very much for watching part one. In the next video, in part two, we'll get started, or we'll take a look at, host intrusion detection with OSSEC. So I'll be seeing you in the next video.