0:00:01.120,0:00:03.520
hello everyone welcome back to the blue

0:00:03.520,0:00:05.440
team training series brought to you by

0:00:05.440,0:00:08.160
linode and hackersploit in this video

0:00:08.160,0:00:10.160
we're going to be taking a look at how

0:00:10.160,0:00:12.160
to set up or how to perform security

0:00:12.160,0:00:14.400
vent monitoring with splunk more

0:00:14.400,0:00:16.800
specifically uh splunk enterprise

0:00:16.800,0:00:18.640
security right so the objective here

0:00:18.640,0:00:21.439
will be to monitor uh intrusions and

0:00:21.439,0:00:23.519
threats with splunk and you might be

0:00:23.519,0:00:25.119
asking yourself well how are we going to

0:00:25.119,0:00:28.400
do this what setup are we using well the

0:00:28.400,0:00:30.480
scenario that i've set up for this video

0:00:30.480,0:00:32.559
is we're essentially going to

0:00:32.559,0:00:34.320
take all the knowledge that we've

0:00:34.320,0:00:37.680
learned during the snort video and we

0:00:37.680,0:00:39.360
are going to essentially forward all of

0:00:39.360,0:00:42.719
the snort logs uh into splunk or have

0:00:42.719,0:00:44.480
that done automatically through the

0:00:44.480,0:00:47.680
splunk universal folder so that we get

0:00:47.680,0:00:50.320
the latest logs when snort is running on

0:00:50.320,0:00:52.399
our ubuntu virtual machine

0:00:52.399,0:00:55.039
and the objective here is to use splunk

0:00:55.039,0:00:58.000
in conjunction with the splunk snort app

0:00:58.000,0:01:01.039
to essentially visualize and identify or

0:01:01.039,0:01:03.359
monitor network intrusions and any

0:01:03.359,0:01:04.479
malicious

0:01:04.479,0:01:06.720
network traffic you know within the

0:01:06.720,0:01:08.980
network that i'm monitoring

0:01:08.980,0:01:19.360
[Music]

0:01:19.360,0:01:21.680
at a very high level what will we be

0:01:21.680,0:01:23.280
covering well firstly we'll get an

0:01:23.280,0:01:25.439
introduction to splunk now before we

0:01:25.439,0:01:28.400
move any forward or we actually carry on

0:01:28.400,0:01:30.720
i do want to note that this video is not

0:01:30.720,0:01:32.400
going to be focused on splunk

0:01:32.400,0:01:34.640
fundamentals i'm going to be i'm going

0:01:34.640,0:01:36.400
to assume that you already know what

0:01:36.400,0:01:37.759
splunk is

0:01:37.759,0:01:40.400
and how it can be used you know

0:01:40.400,0:01:42.079
and how it's used generally speaking

0:01:42.079,0:01:44.720
because splunk is not really a tool uh

0:01:44.720,0:01:48.320
that is specific to security for example

0:01:48.320,0:01:49.759
that's why they have the splunk

0:01:49.759,0:01:52.720
enterprise security version or edition

0:01:52.720,0:01:54.320
and i'm just going to assume that you

0:01:54.320,0:01:56.079
know how to use splunk at a very basic

0:01:56.079,0:01:58.320
level so once we get an introduction to

0:01:58.320,0:02:00.960
splunk we'll go over splunk enterprise

0:02:00.960,0:02:02.960
uh security at the enterprise the

0:02:02.960,0:02:05.119
enterprise security edition and how it

0:02:05.119,0:02:06.640
can be used for security event

0:02:06.640,0:02:08.399
monitoring especially in our case

0:02:08.399,0:02:10.879
because we want to essentially monitor

0:02:10.879,0:02:13.280
uh the intrusion detection logs

0:02:13.280,0:02:15.360
generated by snort

0:02:15.360,0:02:16.800
so we'll then move on to deploying

0:02:16.800,0:02:18.720
splunk enterprise security on linux

0:02:18.720,0:02:20.640
which is absolutely fantastic because

0:02:20.640,0:02:22.560
they have a cloud image

0:02:22.560,0:02:24.560
available for it that allows you to spin

0:02:24.560,0:02:26.400
it up without going through the process

0:02:26.400,0:02:28.720
of installing it and configuring it so

0:02:28.720,0:02:30.720
that will set up that'll set it up for

0:02:30.720,0:02:32.800
us we'll then take a look at how to

0:02:32.800,0:02:35.280
configure splunk and how to set up the

0:02:35.280,0:02:38.239
splunk universal folder on the ubuntu

0:02:38.239,0:02:40.480
virtual machine that is running snot so

0:02:40.480,0:02:42.319
that we can forward those logs into

0:02:42.319,0:02:44.560
splunk uh and then of course we'll take

0:02:44.560,0:02:46.720
a look at the splunk snot event uh

0:02:46.720,0:02:49.519
dashboard that will be provided to us by

0:02:49.519,0:02:50.400
the

0:02:50.400,0:02:52.879
splunk snot app so if this sounds like a

0:02:52.879,0:02:55.360
gibberish to you don't worry it'll make

0:02:55.360,0:02:57.599
sense in a couple of uh in a couple of

0:02:57.599,0:02:58.879
minutes

0:02:58.879,0:03:00.959
with that being said uh given the fact

0:03:00.959,0:03:02.800
that we're going to be using uh you know

0:03:02.800,0:03:04.400
we're going to be using snort to

0:03:04.400,0:03:06.959
generate alerts and monitor those alerts

0:03:06.959,0:03:09.040
uh if you have not gone through these uh

0:03:09.040,0:03:11.519
the actual snort video please do that as

0:03:11.519,0:03:14.239
it will help you set up snot and you can

0:03:14.239,0:03:16.400
then run through this demo with that

0:03:16.400,0:03:19.280
being said this is not a holistic video

0:03:19.280,0:03:20.800
that will cover everything you can do

0:03:20.800,0:03:23.440
with splunk enterprise security we are

0:03:23.440,0:03:25.120
just focused on

0:03:25.120,0:03:27.760
the intrusion detection uh logs produced

0:03:27.760,0:03:30.000
by snort and how they can be

0:03:30.000,0:03:32.879
imported or forwarded to splunk for uh

0:03:32.879,0:03:35.680
you know analysis and monitoring

0:03:35.680,0:03:38.159
uh so the prerequisites are the same as

0:03:38.159,0:03:39.760
the previous videos the only difference

0:03:39.760,0:03:41.680
is uh you know that you need to have a

0:03:41.680,0:03:43.840
basic familiarity with splunk and how to

0:03:43.840,0:03:46.080
navigate around the various menu

0:03:46.080,0:03:47.760
elements and

0:03:47.760,0:03:49.680
essentially just how to use it at a very

0:03:49.680,0:03:51.360
basic level if you're not familiar with

0:03:51.360,0:03:54.239
splunk i'll give you a few resources at

0:03:54.239,0:03:56.000
the end of the at the end of these

0:03:56.000,0:03:58.159
slides uh that will help you out or help

0:03:58.159,0:04:00.159
you get started

0:04:00.159,0:04:01.760
all right so let's get an introduction

0:04:01.760,0:04:04.239
to splunk so what is splunk that's the

0:04:04.239,0:04:05.680
main question if you've never heard of

0:04:05.680,0:04:08.480
splunk splunk is an extremely powerful

0:04:08.480,0:04:10.400
platform that is used to analyze data

0:04:10.400,0:04:13.360
and logs produced by systems or machines

0:04:13.360,0:04:15.920
as splunk likes to call them so

0:04:15.920,0:04:18.639
what problem is splunk trying to solve

0:04:18.639,0:04:20.880
here well let's look at this from the

0:04:20.880,0:04:24.880
perspective of web 2.0 or you know the

0:04:24.880,0:04:26.720
the interconnected world we live in

0:04:26.720,0:04:29.199
today and we're going to be looking at

0:04:29.199,0:04:31.199
it from the context of from the

0:04:31.199,0:04:33.360
perspective of security

0:04:33.360,0:04:35.759
so if we take a simple system let's say

0:04:35.759,0:04:38.720
we have a windows operating system or a

0:04:38.720,0:04:41.360
system running windows well that windows

0:04:41.360,0:04:44.880
system produces a lot of data or logs

0:04:44.880,0:04:47.040
uh that you know that contain

0:04:47.040,0:04:48.800
information that you know at a first

0:04:48.800,0:04:51.600
glance might not seem that important but

0:04:51.600,0:04:53.919
once you start getting into specific

0:04:53.919,0:04:57.360
sectors like security those logs start

0:04:57.360,0:04:59.680
uh you know those logs have uh you know

0:04:59.680,0:05:02.080
very important value to organizations

0:05:02.080,0:05:04.880
now multiply that by a thousand systems

0:05:04.880,0:05:06.800
so let's say we have an organization

0:05:06.800,0:05:08.560
they have a thousand computers within

0:05:08.560,0:05:10.479
their network or you know distributed

0:05:10.479,0:05:13.520
worldwide and all of these systems are

0:05:13.520,0:05:14.960
you know need to be secured their

0:05:14.960,0:05:17.919
security needs to be monitored so how do

0:05:17.919,0:05:20.560
we monitor all of this well this is

0:05:20.560,0:05:22.639
where splunk comes into play so splunk

0:05:22.639,0:05:25.280
allows you to essentially funnel all of

0:05:25.280,0:05:27.360
this data produced by systems or

0:05:27.360,0:05:28.800
machines

0:05:28.800,0:05:30.720
into splunk and then splunk allows you

0:05:30.720,0:05:32.560
to monitor search and analyze this

0:05:32.560,0:05:35.280
machine generated data and the logs

0:05:35.280,0:05:37.840
through a web interface so in order to

0:05:37.840,0:05:39.680
use splunk you'll need to import your

0:05:39.680,0:05:42.479
own data or logs alternatively you can

0:05:42.479,0:05:45.280
utilize the splunk universal folder to

0:05:45.280,0:05:47.759
forward logs and data to splunk for

0:05:47.759,0:05:51.360
analysis and of course visualization etc

0:05:51.360,0:05:53.280
now splunk does so much more that i

0:05:53.280,0:05:55.199
really can't go over all of the features

0:05:55.199,0:05:56.880
here but as i said we're looking at this

0:05:56.880,0:06:00.400
from the uh lens of a security engineer

0:06:00.400,0:06:02.240
all right so splunk collates all the

0:06:02.240,0:06:04.800
data and logs from various sources and

0:06:04.800,0:06:06.720
provides you with a central index that

0:06:06.720,0:06:08.800
you can search through splunk also

0:06:08.800,0:06:11.039
provides you with robust visualization

0:06:11.039,0:06:12.720
and reporting tools that allow you to

0:06:12.720,0:06:15.360
identify the data that interests you

0:06:15.360,0:06:17.440
transform the data into results and

0:06:17.440,0:06:19.840
visualize the answers in the form of a

0:06:19.840,0:06:23.280
report chart graph etc all right so what

0:06:23.280,0:06:25.360
i'm saying here is that splunk allows

0:06:25.360,0:06:28.080
you to take all of this security related

0:06:28.080,0:06:31.600
logs and data and make sense of them and

0:06:31.600,0:06:33.520
essentially get the answers that you're

0:06:33.520,0:06:35.520
looking for so for example from the

0:06:35.520,0:06:37.680
perspective of a security engineer what

0:06:37.680,0:06:40.240
do you want from all of this data well

0:06:40.240,0:06:42.160
at a very high level you want to know

0:06:42.160,0:06:44.080
whether something is going wrong and

0:06:44.080,0:06:46.400
what could go wrong in the context of

0:06:46.400,0:06:48.800
security a network could be compromised

0:06:48.800,0:06:50.560
there could be some malicious network

0:06:50.560,0:06:53.120
traffic or activity going on a system

0:06:53.120,0:06:55.919
could be compromised etc etc you get the

0:06:55.919,0:06:58.160
idea so we need that data to be

0:06:58.160,0:07:00.560
displayed to us as a security engineer

0:07:00.560,0:07:02.560
and splunk is really one of the best

0:07:02.560,0:07:04.960
tools uh you know when it comes down to

0:07:04.960,0:07:08.000
you know taking a lot of data

0:07:08.000,0:07:09.840
and then identifying the data that

0:07:09.840,0:07:11.840
interests you transforming that data

0:07:11.840,0:07:14.960
into results and then visualizing that

0:07:14.960,0:07:17.360
data in the form of the report chart or

0:07:17.360,0:07:19.759
graph right so that's really what we're

0:07:19.759,0:07:21.599
going to be doing and as i said going

0:07:21.599,0:07:23.520
back to the scenario we're going to be

0:07:23.520,0:07:26.080
focusing on how to you know essentially

0:07:26.080,0:07:28.800
get in or how to forward

0:07:28.800,0:07:31.919
the logs created or the logs and alerts

0:07:31.919,0:07:33.360
created by

0:07:33.360,0:07:36.000
snort into splunk for analysis and

0:07:36.000,0:07:39.280
luckily for us splunk has a snort app or

0:07:39.280,0:07:40.960
plug-in if you will that that will

0:07:40.960,0:07:43.680
essentially simplify this process

0:07:43.680,0:07:44.800
so

0:07:44.800,0:07:47.360
let's get an idea as to you know how we

0:07:47.360,0:07:49.120
can use splunk for security when

0:07:49.120,0:07:51.759
monitoring so splunk enterprise security

0:07:51.759,0:07:54.800
also known as splunk es is a security

0:07:54.800,0:07:56.800
information and event management

0:07:56.800,0:07:59.199
solution also known as a seam

0:07:59.199,0:08:01.360
it is used to but is used by security

0:08:01.360,0:08:03.680
teams to quickly detect and respond to

0:08:03.680,0:08:06.160
internal and external attacks or threats

0:08:06.160,0:08:09.680
or intrusions so splunk es can be used

0:08:09.680,0:08:11.759
for security when monitoring incident

0:08:11.759,0:08:14.240
response and running a sock or security

0:08:14.240,0:08:15.919
operations center

0:08:15.919,0:08:18.080
in this video we'll be using splunk es

0:08:18.080,0:08:20.000
to monitor and visualize the snort

0:08:20.000,0:08:22.240
intrusion alerts this will be

0:08:22.240,0:08:24.400
facilitated through the help of the snot

0:08:24.400,0:08:26.639
app for splunk and the splunk universal

0:08:26.639,0:08:29.280
folder now the splunk universal folder

0:08:29.280,0:08:31.199
is pretty much the most important

0:08:31.199,0:08:33.039
element of what we'll be exploring

0:08:33.039,0:08:35.200
because what it does and this is really

0:08:35.200,0:08:37.200
cool is it allow it automatically

0:08:37.200,0:08:39.279
forwards the latest logs

0:08:39.279,0:08:40.479
even when

0:08:40.479,0:08:42.479
when snot is running it forwards those

0:08:42.479,0:08:45.040
alerts and logs into splunk and you can

0:08:45.040,0:08:46.560
see them in real time which is

0:08:46.560,0:08:49.440
absolutely fantastic

0:08:49.440,0:08:52.320
so as i said if you're new to splunk

0:08:52.320,0:08:54.800
then these resources are really helpful

0:08:54.800,0:08:57.120
for you so splunk offer really great

0:08:57.120,0:08:59.040
tutorials and courses designed for

0:08:59.040,0:09:00.720
absolute beginners you can check that

0:09:00.720,0:09:02.959
out by clicking on the link within this

0:09:02.959,0:09:05.600
slide and you can learn more about the

0:09:05.600,0:09:08.160
splunk enterprise security edition from

0:09:08.160,0:09:09.760
that particular link

0:09:09.760,0:09:11.040
now as i said we're going to be

0:09:11.040,0:09:12.240
deploying

0:09:12.240,0:09:15.200
uh splunk on linux more specifically

0:09:15.200,0:09:17.120
splunk es and this is the lab

0:09:17.120,0:09:19.200
environment so we're going to spin up uh

0:09:19.200,0:09:21.519
you know splunk yes on linux now again

0:09:21.519,0:09:23.279
to follow through with this as uh you

0:09:23.279,0:09:25.760
know linux has been absolutely fantastic

0:09:25.760,0:09:28.320
with uh you know by providing uh all of

0:09:28.320,0:09:30.959
you guys uh with a way to get a hundred

0:09:30.959,0:09:33.279
dollars in free linux credit all you

0:09:33.279,0:09:35.120
need to do is just click the link in the

0:09:35.120,0:09:37.440
description section and sign up and a

0:09:37.440,0:09:39.040
hundred dollars will be added to your

0:09:39.040,0:09:40.959
account so that you can follow along

0:09:40.959,0:09:43.279
with this series um so we're going to

0:09:43.279,0:09:45.200
set up splunk yes on linux and then

0:09:45.200,0:09:47.279
within my internal network uh we're just

0:09:47.279,0:09:49.040
gonna have a very basic infrastructure

0:09:49.040,0:09:50.399
we're going to have the ubuntu virtual

0:09:50.399,0:09:52.880
machine that is running snot this is the

0:09:52.880,0:09:54.880
same virtual machine that we had set up

0:09:54.880,0:09:57.680
and used uh to set up snort and set up

0:09:57.680,0:09:59.839
suricata and the one we had used with

0:09:59.839,0:10:01.360
wazoo

0:10:01.360,0:10:03.519
and yeah that's essentially it we're

0:10:03.519,0:10:04.720
going to have a very basic

0:10:04.720,0:10:06.399
infrastructure where we have an attacker

0:10:06.399,0:10:08.560
system that i'm going to be using to

0:10:08.560,0:10:09.519
perform

0:10:09.519,0:10:11.600
uh a bit of uh you know network

0:10:11.600,0:10:15.040
intrusion detection uh emulation whereby

0:10:15.040,0:10:17.519
i will essentially perform or run a

0:10:17.519,0:10:20.880
couple of commands or uh or scripts to

0:10:20.880,0:10:23.279
essentially emulate malicious network

0:10:23.279,0:10:26.160
activity so that these logs are uh are

0:10:26.160,0:10:28.320
essentially or so so this traffic is

0:10:28.320,0:10:29.839
essentially logged and that will provide

0:10:29.839,0:10:32.800
us with a good idea as to how helpful

0:10:32.800,0:10:35.279
splunk is for security event monitoring

0:10:35.279,0:10:37.760
especially in the context of our network

0:10:37.760,0:10:40.320
intrusions

0:10:40.320,0:10:41.920
so as i said you don't really need to

0:10:41.920,0:10:44.240
have a windows workstation you simply

0:10:44.240,0:10:46.000
need to have the ubuntu vm and you can

0:10:46.000,0:10:48.800
pretty much run everything from it and

0:10:48.800,0:10:50.560
of course you can set up the splunk

0:10:50.560,0:10:52.000
enterprise

0:10:52.000,0:10:54.240
enterprise security server on linux

0:10:54.240,0:10:56.480
without any issues

0:10:56.480,0:10:58.399
so that's the lab environment we can now

0:10:58.399,0:11:00.000
get started with the practical

0:11:00.000,0:11:01.440
demonstration so i'm going to switch

0:11:01.440,0:11:05.040
over to my ubuntu virtual machine

0:11:05.040,0:11:07.600
all right so i'm back on my ubuntu

0:11:07.600,0:11:09.360
virtual machine and you can see i have

0:11:09.360,0:11:11.279
linux opened up here

0:11:11.279,0:11:13.279
i haven't set anything up yet because

0:11:13.279,0:11:14.640
we're going to be walking through the

0:11:14.640,0:11:16.079
process together

0:11:16.079,0:11:18.959
i then have the splunk.com website here

0:11:18.959,0:11:21.040
so if you're new to splunk then you need

0:11:21.040,0:11:22.640
to create a new account in order to

0:11:22.640,0:11:25.040
follow along so uh just head over to

0:11:25.040,0:11:27.279
head over to splunk.com and you know

0:11:27.279,0:11:29.519
register for an account it's free

0:11:29.519,0:11:31.120
once that is done

0:11:31.120,0:11:33.120
you'll need to activate your account or

0:11:33.120,0:11:35.120
verify your account through the email or

0:11:35.120,0:11:36.880
the verification email

0:11:36.880,0:11:39.680
they'll send you once that is done

0:11:39.680,0:11:41.279
we can then move forward because in

0:11:41.279,0:11:44.320
order to access the actual um

0:11:44.320,0:11:46.800
splunk universal folder you'll need to

0:11:46.800,0:11:48.720
have an account and of course um you

0:11:48.720,0:11:50.639
know in this case i'll be going through

0:11:50.639,0:11:52.800
everything as we move along in a

0:11:52.800,0:11:55.519
structured uh in a structured manner and

0:11:55.519,0:11:59.120
then to perform the actual nids

0:11:59.120,0:12:00.160
tests

0:12:00.160,0:12:01.920
we are going to be using the test

0:12:01.920,0:12:03.839
mynids.org

0:12:03.839,0:12:06.480
project which is on github so this is

0:12:06.480,0:12:08.880
essentially a bash script

0:12:08.880,0:12:11.440
that allows you to as you can see here

0:12:11.440,0:12:13.279
it allows you to essentially emulate or

0:12:13.279,0:12:16.800
simulate malicious network traffic so uh

0:12:16.800,0:12:19.440
previously we had used the website uh

0:12:19.440,0:12:21.279
the website technique to essentially get

0:12:21.279,0:12:23.760
a linux uid and that traffic would be

0:12:23.760,0:12:26.240
logged as malicious or

0:12:26.240,0:12:27.760
it could be logged as a potential

0:12:27.760,0:12:30.000
intrusion and we can run a few other

0:12:30.000,0:12:33.360
checks like an http basic authentication

0:12:33.360,0:12:35.519
bad certificate authorities

0:12:35.519,0:12:38.639
uh an exe or dll download over http so

0:12:38.639,0:12:40.720
you know just we can run tests that are

0:12:40.720,0:12:42.959
you know will just make our

0:12:42.959,0:12:45.440
intrusion detection system uh blow up in

0:12:45.440,0:12:47.600
terms of alerts and that's what we want

0:12:47.600,0:12:49.519
because we want to see how that data is

0:12:49.519,0:12:52.160
presented to us as a security engineer

0:12:52.160,0:12:55.040
on splunk with that being said the first

0:12:55.040,0:12:57.680
step of course is to set up splunk es on

0:12:57.680,0:12:58.880
linux so

0:12:58.880,0:13:01.680
just click on uh click on create and a

0:13:01.680,0:13:04.079
linux and click on marketplace

0:13:04.079,0:13:06.399
and they already have splunk here so

0:13:06.399,0:13:08.480
there we are you can click on that there

0:13:08.480,0:13:10.240
and if you click on this little info

0:13:10.240,0:13:12.399
button here it'll give you an idea as to

0:13:12.399,0:13:14.320
how to deploy it on

0:13:14.320,0:13:16.480
uh on linux and of course you have more

0:13:16.480,0:13:18.399
information regarding splunk so you have

0:13:18.399,0:13:20.480
the documentation link there so i'll

0:13:20.480,0:13:22.959
just click on splunk

0:13:22.959,0:13:24.639
once that is clicked we can then head

0:13:24.639,0:13:26.720
over here you'll need to specify the

0:13:26.720,0:13:28.959
splunk admin user i recommend using

0:13:28.959,0:13:31.600
admin to begin with and then specify a

0:13:31.600,0:13:33.440
password

0:13:33.440,0:13:35.519
if you're setting up you know splunk on

0:13:35.519,0:13:37.600
a domain then you can specify the

0:13:37.600,0:13:39.839
lynnode api token to essentially create

0:13:39.839,0:13:42.320
the dns records that's if you're using

0:13:42.320,0:13:43.839
linux dns

0:13:43.839,0:13:45.839
dns service

0:13:45.839,0:13:47.519
uh and then of course you need to add

0:13:47.519,0:13:49.519
the admin email for the server so in

0:13:49.519,0:13:52.000
this case i can just say for example

0:13:52.000,0:13:54.000
hackersploit

0:13:54.000,0:13:55.519
gmail.com

0:13:55.519,0:13:57.360
don't spam me on this email because i

0:13:57.360,0:13:59.519
don't respond anyway so we can create

0:13:59.519,0:14:01.040
another user

0:14:01.040,0:14:02.480
uh so this is the username for the

0:14:02.480,0:14:04.720
lynnode admins ssh user please ensure

0:14:04.720,0:14:06.480
that the username does not contain any

0:14:06.480,0:14:08.880
so we can just call this admin and then

0:14:08.880,0:14:11.360
for the admin user we'll just say

0:14:11.360,0:14:13.199
provide that there

0:14:13.199,0:14:14.800
so the image we're going to set it up on

0:14:14.800,0:14:18.079
ubuntu 20.04 the region i'll say london

0:14:18.079,0:14:19.920
because that's closest to me

0:14:19.920,0:14:22.240
as for the actual linux plan

0:14:22.240,0:14:24.720
linux es doesn't require that many

0:14:24.720,0:14:26.480
resources especially because you know

0:14:26.480,0:14:28.720
the amount of data that we're processing

0:14:28.720,0:14:30.959
on the logs that are being forwarded to

0:14:30.959,0:14:34.320
splunk are relatively few so less than

0:14:34.320,0:14:36.160
100 which if you've used splunk before

0:14:36.160,0:14:37.920
for security vent monitoring you know

0:14:37.920,0:14:39.040
that that is

0:14:39.040,0:14:41.199
like really really small in fl in in

0:14:41.199,0:14:43.199
fact splunk will actually tell you that

0:14:43.199,0:14:44.959
you know the amount of data

0:14:44.959,0:14:47.519
to begin with that you have imported or

0:14:47.519,0:14:49.680
you afforded is too little to make any

0:14:49.680,0:14:50.880
sense off

0:14:50.880,0:14:52.480
but that's where the snort app for

0:14:52.480,0:14:54.800
splunk comes into play so i'll just say

0:14:54.800,0:14:56.000
splunk

0:14:56.000,0:14:58.160
and i'll provide my root password for

0:14:58.160,0:14:59.360
the server

0:14:59.360,0:15:02.079
and we can click on create

0:15:02.079,0:15:03.360
all right now

0:15:03.360,0:15:06.079
uh once this is set up and provisioned

0:15:06.079,0:15:08.079
the actual installer is going to begin

0:15:08.079,0:15:10.079
so it's going to set up because there is

0:15:10.079,0:15:12.800
an auto installer setup that will set up

0:15:12.800,0:15:15.199
splunk yes for you so uh let it

0:15:15.199,0:15:16.880
provision after that's done you can

0:15:16.880,0:15:19.199
launch the lish console to avoid logging

0:15:19.199,0:15:22.160
in via ssh and of course one thing that

0:15:22.160,0:15:24.000
i need to that i don't need to tell you

0:15:24.000,0:15:25.680
is if you're setting this up for

0:15:25.680,0:15:27.680
production then you need to make sure

0:15:27.680,0:15:29.759
you're securing your server so do only

0:15:29.759,0:15:32.720
use ssh keys for authentication with the

0:15:32.720,0:15:33.759
server

0:15:33.759,0:15:35.920
if you're new to hardening and securing

0:15:35.920,0:15:37.759
a linux server you can check out the

0:15:37.759,0:15:39.360
previous series

0:15:39.360,0:15:41.920
that we did with linux the linux server

0:15:41.920,0:15:44.800
security series uh that'll give you uh

0:15:44.800,0:15:46.959
you know all the information you need to

0:15:46.959,0:15:49.759
secure a linux server for production

0:15:49.759,0:15:50.959
with that being said i'm just going to

0:15:50.959,0:15:52.800
let it provision after which we can

0:15:52.800,0:15:54.560
launch the english console to see what's

0:15:54.560,0:15:56.639
going on in the background and we can

0:15:56.639,0:15:58.800
then get started uh you know officially

0:15:58.800,0:16:00.000
with um

0:16:00.000,0:16:01.839
with how to set up splunk we then need

0:16:01.839,0:16:04.720
to set up the universal folder

0:16:04.720,0:16:08.639
so uh this is booting now

0:16:08.639,0:16:11.120
all right so the server is booted and

0:16:11.120,0:16:12.800
you can see i've just opened up the lish

0:16:12.800,0:16:14.320
console here

0:16:14.320,0:16:15.920
to essentially view what's going on as

0:16:15.920,0:16:18.000
you can see it's begun setting up a

0:16:18.000,0:16:20.399
splunk yes so just give this a couple of

0:16:20.399,0:16:21.519
minutes

0:16:21.519,0:16:23.279
to essentially begin

0:16:23.279,0:16:25.600
um and once it's done it'll actually

0:16:25.600,0:16:27.360
tell you that it'll provide you with the

0:16:27.360,0:16:28.800
login prompt

0:16:28.800,0:16:30.399
but it's probably logged in as the root

0:16:30.399,0:16:32.000
user already so

0:16:32.000,0:16:33.759
uh just let this complete i'm just gonna

0:16:33.759,0:16:36.880
wait for this to actually conclude

0:16:36.880,0:16:40.000
all right so once uh splunk es is done

0:16:40.000,0:16:42.880
uh or the actual uh linode is done here

0:16:42.880,0:16:44.320
with the setup you can see it's gonna

0:16:44.320,0:16:46.240
tell you installation complete

0:16:46.240,0:16:48.160
and you can then log in uh keep this

0:16:48.160,0:16:49.519
window open because this is going to be

0:16:49.519,0:16:50.880
very important as we'll need to

0:16:50.880,0:16:53.440
configure a few firewall rules because

0:16:53.440,0:16:56.320
uh by default this linux comes with ufw

0:16:56.320,0:16:58.720
which is the uncomplicated firewall for

0:16:58.720,0:17:00.079
debian or

0:17:00.079,0:17:02.000
it typically comes pre-packaged with

0:17:02.000,0:17:04.959
debian-based distributions like ubuntu

0:17:04.959,0:17:06.559
in this case it's already added the

0:17:06.559,0:17:08.400
firewall rule for the port that we

0:17:08.400,0:17:10.000
wanted but just keep it open because

0:17:10.000,0:17:12.559
we'll need to run a few checks um so you

0:17:12.559,0:17:14.000
can log in there so i'm just going to

0:17:14.000,0:17:15.679
log in with the credentials that i

0:17:15.679,0:17:18.720
specified as the root user and i can

0:17:18.720,0:17:22.160
just say sudo ufw status

0:17:22.160,0:17:23.839
um

0:17:23.839,0:17:25.439
and you can see these are all the

0:17:25.439,0:17:28.160
allowed rules or the actual rules

0:17:28.160,0:17:30.400
configured for the firewall which is

0:17:30.400,0:17:32.400
looking good uh so far

0:17:32.400,0:17:35.679
so we can access the splunk es instance

0:17:35.679,0:17:37.840
that we set up by pasting in the ip of

0:17:37.840,0:17:42.080
the server and and opening up port 8000

0:17:42.080,0:17:44.080
that's going to open up splunk yes for

0:17:44.080,0:17:45.760
you so just give this a couple of

0:17:45.760,0:17:48.240
seconds there we are and the credentials

0:17:48.240,0:17:50.880
that we had used were admin and the

0:17:50.880,0:17:53.280
password that i created uh that you know

0:17:53.280,0:17:54.559
of course you'll you'll be able to

0:17:54.559,0:17:57.200
specify yourself so just sign in

0:17:57.200,0:17:59.919
um and once that is done you'll be

0:17:59.919,0:18:03.360
brought to splunk enterprise

0:18:03.360,0:18:05.360
security here so there we are explore

0:18:05.360,0:18:07.200
splunk enterprise

0:18:07.200,0:18:10.000
uh and um

0:18:10.000,0:18:11.360
in this case what we're going to be

0:18:11.360,0:18:14.080
doing what we're going to start off with

0:18:14.080,0:18:16.240
is we need to go through a few

0:18:16.240,0:18:18.720
configuration uh changes with splunk

0:18:18.720,0:18:19.760
itself

0:18:19.760,0:18:22.880
so the idea firstly is to configure

0:18:22.880,0:18:25.600
uh the actual uh rece the receiving of

0:18:25.600,0:18:27.360
data so if you head over into settings

0:18:27.360,0:18:29.440
you can click on under data just click

0:18:29.440,0:18:31.840
on forwarding and receiving

0:18:31.840,0:18:34.400
uh and once that is done once that is

0:18:34.400,0:18:35.760
loaded up

0:18:35.760,0:18:38.080
um under received data we need to

0:18:38.080,0:18:40.000
configure this instance to receive data

0:18:40.000,0:18:41.600
forwarded from other instances so we

0:18:41.600,0:18:43.520
want to configure receiving

0:18:43.520,0:18:45.120
and we just want to set the default

0:18:45.120,0:18:46.799
receiving port

0:18:46.799,0:18:50.400
so we can say new receiving port

0:18:50.400,0:18:52.160
and the port is of course going to be

0:18:52.160,0:18:54.799
the default which is 9997 which is why

0:18:54.799,0:18:56.640
that firewall rule was added so i'll

0:18:56.640,0:18:58.880
click on save

0:18:58.880,0:19:01.200
all right so once that is done we can

0:19:01.200,0:19:03.520
now install the snot

0:19:03.520,0:19:06.240
app for splunk so click on apps and head

0:19:06.240,0:19:08.480
over into find more apps

0:19:08.480,0:19:11.360
and because the ubuntu server is running

0:19:11.360,0:19:13.120
or the ubuntu vm that i'm currently

0:19:13.120,0:19:15.919
working on is running snot 2 we'll need

0:19:15.919,0:19:18.160
the appropriate uh app here so i'll just

0:19:18.160,0:19:20.160
search for snot there and we're not

0:19:20.160,0:19:22.320
looking for these note 3 json alerts

0:19:22.320,0:19:24.320
although that you know could be quite

0:19:24.320,0:19:26.480
useful but we want the snort alert for

0:19:26.480,0:19:28.720
splunk all right so this app provides

0:19:28.720,0:19:30.880
field extraction so that's really great

0:19:30.880,0:19:32.400
because performing your own field

0:19:32.400,0:19:34.960
extractions uh you know using rejects

0:19:34.960,0:19:36.400
can be quite difficult if you're a

0:19:36.400,0:19:39.360
beginner so fast and full

0:19:39.360,0:19:42.400
as well as dashboards uh saved searches

0:19:42.400,0:19:45.600
reports event types tags and event

0:19:45.600,0:19:48.080
search interfaces so we'll install that

0:19:48.080,0:19:50.240
now you'll need to log in with the spa

0:19:50.240,0:19:52.400
your splunk account credentials that you

0:19:52.400,0:19:55.120
uh you know that you actually created on

0:19:55.120,0:19:57.760
splunk.com so i'll just fill in my

0:19:57.760,0:20:00.400
information really quickly

0:20:00.400,0:20:02.240
all right so i've put in my username and

0:20:02.240,0:20:04.240
password so i'll just say i'll accept

0:20:04.240,0:20:06.320
the terms and conditions there so log in

0:20:06.320,0:20:07.600
and install

0:20:07.600,0:20:09.280
that's going to install it there we are

0:20:09.280,0:20:10.880
so we'll just hit done

0:20:10.880,0:20:13.360
now that is done if we head back over

0:20:13.360,0:20:16.400
into our dashboard so i'll just click on

0:20:16.400,0:20:18.400
splunk enterprise there

0:20:18.400,0:20:20.720
and you can now see we have snot alert

0:20:20.720,0:20:23.039
force for splunk so that's it already

0:20:23.039,0:20:25.600
comes pre-configured with a dashboard

0:20:25.600,0:20:28.000
um so we'll just let this uh load up

0:20:28.000,0:20:30.000
here and you can see that we don't have

0:20:30.000,0:20:32.480
any data yet so uh this will display

0:20:32.480,0:20:34.559
your events and sources top source

0:20:34.559,0:20:36.480
countries the events this is very

0:20:36.480,0:20:38.480
important the sources top 10

0:20:38.480,0:20:41.039
classifications so that will classify uh

0:20:41.039,0:20:44.400
your alerts uh in in terms of uh the

0:20:44.400,0:20:46.640
type which again will make sense uh in a

0:20:46.640,0:20:49.280
couple of seconds uh so now that that is

0:20:49.280,0:20:51.600
done we actually need to configure

0:20:51.600,0:20:54.480
the actual splunk universal folder so

0:20:54.480,0:20:56.480
i'll just open that up in a new tab it's

0:20:56.480,0:20:59.120
absolutely free to download the debian

0:20:59.120,0:21:01.840
client or the uh the splunk universal

0:21:01.840,0:21:04.159
ford debian package so universal

0:21:04.159,0:21:06.960
forwarders uh provide reliable secure

0:21:06.960,0:21:09.440
data collection from remote from remote

0:21:09.440,0:21:11.520
sources and forward that data into

0:21:11.520,0:21:14.159
splunk software for indexing and

0:21:14.159,0:21:16.880
consolidation they can scale to tens of

0:21:16.880,0:21:18.799
thousands of remote systems collecting

0:21:18.799,0:21:20.720
terabytes of data so

0:21:20.720,0:21:23.039
again you can actually see why splunk is

0:21:23.039,0:21:25.360
so powerful and why it's widely uh used

0:21:25.360,0:21:27.440
and deployed because of the fact that

0:21:27.440,0:21:30.480
you can literally uh you know be you can

0:21:30.480,0:21:32.640
literally forward a ton of data from a

0:21:32.640,0:21:35.840
ton of systems into splunk so because

0:21:35.840,0:21:38.480
the uh because snot is running on this

0:21:38.480,0:21:40.480
ubuntu vm we need the debian package so

0:21:40.480,0:21:41.919
i'll click on linux and we want the

0:21:41.919,0:21:45.039
64-bit version again you can choose one

0:21:45.039,0:21:46.559
based on your requirements so if you're

0:21:46.559,0:21:49.840
running on red at fedora or centos you

0:21:49.840,0:21:51.520
can use the rpm package so i'll just

0:21:51.520,0:21:54.559
download the debian package here

0:21:54.559,0:21:56.080
give that a couple of seconds it's then

0:21:56.080,0:21:58.240
going to begin downloading it and then

0:21:58.240,0:22:00.000
i'll walk you through the setup process

0:22:00.000,0:22:01.840
so there we are

0:22:01.840,0:22:05.120
it's begun the setup

0:22:07.360,0:22:09.440
and once that is done i'll open up my

0:22:09.440,0:22:10.799
terminal so that's saved in the

0:22:10.799,0:22:12.960
downloads directory so

0:22:12.960,0:22:14.320
if we check if we head over into the

0:22:14.320,0:22:15.840
downloads directory you can see we have

0:22:15.840,0:22:17.919
the splunk forwarder debian package

0:22:17.919,0:22:19.200
there

0:22:19.200,0:22:21.679
so what we want to do firstly is we want

0:22:21.679,0:22:25.120
to move this package uh into the actual

0:22:25.120,0:22:28.080
opt directory on linux uh which will

0:22:28.080,0:22:30.880
essentially allow us to uh you know to

0:22:30.880,0:22:33.360
to set it up as as optional software and

0:22:33.360,0:22:35.280
it's really good to have all that

0:22:35.280,0:22:38.240
optional software stored in the opt

0:22:38.240,0:22:42.240
directory so uh once that is done uh

0:22:42.240,0:22:44.320
once that's downloaded we can say uh

0:22:44.320,0:22:45.600
move

0:22:45.600,0:22:48.480
splunk forwarder into opt

0:22:48.480,0:22:50.400
and we'll need sudo privileges so i'll

0:22:50.400,0:22:52.559
say sudo move there we are and i'll just

0:22:52.559,0:22:55.120
type in my password fantastic so we'll

0:22:55.120,0:22:57.360
now navigate to the opt directory and to

0:22:57.360,0:23:00.320
install this we can say sudo apt

0:23:00.320,0:23:02.960
and then we can specify install so we

0:23:02.960,0:23:05.120
can say sudo apt install

0:23:05.120,0:23:06.960
and then we specify the package itself

0:23:06.960,0:23:09.440
so splunk folder

0:23:09.440,0:23:11.440
and we're just going to hit enter that's

0:23:11.440,0:23:13.520
going to install it for you

0:23:13.520,0:23:16.880
give that a couple of seconds

0:23:19.440,0:23:21.520
all right so once that is installed if

0:23:21.520,0:23:23.039
you list out the contents of this

0:23:23.039,0:23:24.559
directory you're going to have a splunk

0:23:24.559,0:23:26.559
for the directory here so i'll say cd

0:23:26.559,0:23:29.200
splunk folder and under the binary

0:23:29.200,0:23:31.200
directory we can navigate to that here

0:23:31.200,0:23:32.720
we'll need to start

0:23:32.720,0:23:35.600
us we'll need to start splunk so we will

0:23:35.600,0:23:37.280
say uh sudo

0:23:37.280,0:23:39.039
and a binary we want to run is called

0:23:39.039,0:23:41.279
splunk and we'll accept the license uh

0:23:41.279,0:23:42.799
the reason we're doing this is because

0:23:42.799,0:23:44.799
we need to configure it so we need to

0:23:44.799,0:23:46.799
specify the username and password or you

0:23:46.799,0:23:49.279
know create a username and password

0:23:49.279,0:23:52.000
and once that is done uh you'll actually

0:23:52.000,0:23:53.360
see what that looks like so i'll just

0:23:53.360,0:23:55.679
say accept the license

0:23:55.679,0:23:56.640
and

0:23:56.640,0:23:59.200
you can see in this case let's see if i

0:23:59.200,0:24:01.200
typed that in correctly that should

0:24:01.200,0:24:03.600
actually start so splunk start i did not

0:24:03.600,0:24:05.440
specify start there

0:24:05.440,0:24:06.799
there we are so please enter an

0:24:06.799,0:24:09.679
administrator name i'll just say admin

0:24:09.679,0:24:12.000
so again splunk software must create an

0:24:12.000,0:24:14.320
administrator account during startup

0:24:14.320,0:24:16.559
otherwise you cannot log in so create

0:24:16.559,0:24:18.159
credentials for the administrator

0:24:18.159,0:24:19.279
account

0:24:19.279,0:24:20.640
um

0:24:20.640,0:24:22.320
so in this case uh you know you can

0:24:22.320,0:24:23.600
create whatever you want i'm just going

0:24:23.600,0:24:26.000
to fill in my credentials here

0:24:26.000,0:24:28.640
all right so i've just entered my

0:24:28.640,0:24:30.320
administrator username and then of

0:24:30.320,0:24:32.400
course my password so

0:24:32.400,0:24:33.840
that is done

0:24:33.840,0:24:36.240
uh so it'll go through um

0:24:36.240,0:24:37.760
it'll essentially go through and check

0:24:37.760,0:24:40.400
the prerequisites uh new certs have been

0:24:40.400,0:24:42.960
generated in the following directory

0:24:42.960,0:24:45.200
and all the preliminary checks have

0:24:45.200,0:24:47.520
passed so starting the splunk server

0:24:47.520,0:24:49.440
daemon so that's started you can also

0:24:49.440,0:24:52.159
enable it to run on system startup so if

0:24:52.159,0:24:55.440
i say you know for example sudo system

0:24:55.440,0:24:56.720
ctl

0:24:56.720,0:24:59.520
status splunk

0:24:59.520,0:25:01.840
let me type that in correctly here so

0:25:01.840,0:25:03.360
splunk

0:25:03.360,0:25:07.520
sorry systems pseudosystem ctl

0:25:07.520,0:25:10.240
and we can say splunk d

0:25:10.240,0:25:12.880
uh sorry so we can say splunk i'm not

0:25:12.880,0:25:15.039
really sure why that's not loading here

0:25:15.039,0:25:17.520
but i do know that the daemon is running

0:25:17.520,0:25:21.440
and there should be a an init

0:25:21.440,0:25:24.799
an init demon for that but in any case

0:25:24.799,0:25:27.360
you can always start it that way

0:25:27.360,0:25:29.840
once that is done we will need to add

0:25:29.840,0:25:32.320
our ford server so the we need to add

0:25:32.320,0:25:34.960
the the address of the server uh the

0:25:34.960,0:25:37.039
splunk server that we're forwarding our

0:25:37.039,0:25:39.600
logs to we'll go we'll move on to what

0:25:39.600,0:25:42.480
logs we want to forward in a second but

0:25:42.480,0:25:44.159
let's do that first so again we're going

0:25:44.159,0:25:46.720
to use the

0:25:47.520,0:25:49.360
the splunk binary and we're going to say

0:25:49.360,0:25:50.480
forward

0:25:50.480,0:25:52.559
server and we'll just copy the ip

0:25:52.559,0:25:54.799
address of your

0:25:54.799,0:25:57.600
your splunk server here so there we are

0:25:57.600,0:26:00.640
and i'll paste that in there

0:26:00.640,0:26:03.320
and then you need to type in the port so

0:26:03.320,0:26:07.200
9997 that's the port to connect to hit

0:26:07.200,0:26:08.400
enter

0:26:08.400,0:26:11.279
um so splunk ford uh

0:26:11.279,0:26:13.279
yeah we need to add it i keep forgetting

0:26:13.279,0:26:15.760
the the preliminary command so add ford

0:26:15.760,0:26:18.320
server splunk username

0:26:18.320,0:26:21.919
um so in this case uh let me just uh put

0:26:21.919,0:26:25.840
in my credentials here

0:26:26.640,0:26:29.440
all right and it's going to then add the

0:26:29.440,0:26:31.760
forwarding to that particular address

0:26:31.760,0:26:33.760
all right now that that is done

0:26:33.760,0:26:35.440
we can actually we actually need to

0:26:35.440,0:26:37.919
configure a particular file

0:26:37.919,0:26:40.720
and that is going to be the outputs.conf

0:26:40.720,0:26:43.039
directory if it's already set up for us

0:26:43.039,0:26:45.039
which it should be

0:26:45.039,0:26:46.880
then we do not need to go through the

0:26:46.880,0:26:49.360
initial setup so

0:26:49.360,0:26:51.120
if we head over into the following

0:26:51.120,0:26:52.640
directory so i'll just take a step back

0:26:52.640,0:26:54.080
we're still in the splunk for the

0:26:54.080,0:26:55.279
directory

0:26:55.279,0:26:58.159
uh we'll head over into

0:26:58.159,0:27:01.679
the etsy directory and under system

0:27:01.679,0:27:05.039
we have a file under local i think it is

0:27:05.039,0:27:06.640
called outputs right so i'm going to say

0:27:06.640,0:27:08.720
sudo vim outputs

0:27:08.720,0:27:09.840
dot conf

0:27:09.840,0:27:11.840
and really the only thing that is

0:27:11.840,0:27:13.840
required here

0:27:13.840,0:27:16.159
is of course just leave the default

0:27:16.159,0:27:18.320
configuration as is the default group is

0:27:18.320,0:27:21.760
fine so tcp out default auto lb group

0:27:21.760,0:27:23.279
that's fine so you make sure that the

0:27:23.279,0:27:25.840
server option here is configured that's

0:27:25.840,0:27:28.480
the most important and the tcp out

0:27:28.480,0:27:30.320
server address is also configured in

0:27:30.320,0:27:32.000
this format so we don't need to make any

0:27:32.000,0:27:33.760
changes there so i'll just say quit and

0:27:33.760,0:27:35.120
exit

0:27:35.120,0:27:38.640
once that is done we also need to check

0:27:38.640,0:27:41.279
uh the actual inputs configuration file

0:27:41.279,0:27:43.200
but before we do that

0:27:43.200,0:27:45.279
let's take a look so if you revisit the

0:27:45.279,0:27:46.880
snort video

0:27:46.880,0:27:48.880
you know that all the logs are stored

0:27:48.880,0:27:51.840
under var uh log

0:27:51.840,0:27:55.760
and snot right so we have the alert log

0:27:55.760,0:27:59.279
um and we also have uh so again based on

0:27:59.279,0:28:01.120
the type of um

0:28:01.120,0:28:03.200
of alerts you want generated so you know

0:28:03.200,0:28:05.440
if i say man snort here

0:28:05.440,0:28:07.440
uh you can see that we have the alert

0:28:07.440,0:28:09.440
mode so you can use the fast mode or the

0:28:09.440,0:28:11.360
full mode in this case i'll be using the

0:28:11.360,0:28:12.559
fast mode

0:28:12.559,0:28:13.760
um

0:28:13.760,0:28:15.279
and i'll give you a description of what

0:28:15.279,0:28:17.279
what's going on here right so

0:28:17.279,0:28:19.919
uh full writes the alert to the alert

0:28:19.919,0:28:21.919
file with the full decoded header as

0:28:21.919,0:28:24.720
well as the alert message which might be

0:28:24.720,0:28:27.279
important so we can also do that as well

0:28:27.279,0:28:29.600
so this was from the previous uh from

0:28:29.600,0:28:31.760
the from from the snort video where we

0:28:31.760,0:28:33.360
had ran uh you know where we had

0:28:33.360,0:28:35.840
essentially run snot and uh you know

0:28:35.840,0:28:38.480
where we were identifying various alerts

0:28:38.480,0:28:41.919
so uh what we can do is uh again we will

0:28:41.919,0:28:43.760
go through what needs to be created but

0:28:43.760,0:28:45.600
we can run a quick test command just to

0:28:45.600,0:28:46.880
see whether

0:28:46.880,0:28:48.799
the the actual alerts are being logged

0:28:48.799,0:28:50.320
within the alert file because we have

0:28:50.320,0:28:53.039
alert dot one ideally we would only want

0:28:53.039,0:28:55.760
to forward this file into splunk

0:28:55.760,0:28:58.080
so uh in order to do this what i'm going

0:28:58.080,0:29:00.080
to do now is i'm just going to run snot

0:29:00.080,0:29:01.600
really quickly so i'm going to say sudo

0:29:01.600,0:29:02.559
snort

0:29:02.559,0:29:03.919
queue

0:29:03.919,0:29:06.000
for quiet and then

0:29:06.000,0:29:09.360
the actual directory for the logs is var

0:29:09.360,0:29:11.360
log snot

0:29:11.360,0:29:12.880
and then we can say the interface is

0:29:12.880,0:29:14.640
enp0s3

0:29:14.640,0:29:16.240
again make sure to replace that with

0:29:16.240,0:29:19.039
your own interface uh the alert we can

0:29:19.039,0:29:20.320
say full

0:29:20.320,0:29:23.360
and the configuration is sc

0:29:23.360,0:29:25.039
snort

0:29:25.039,0:29:26.399
dot conf

0:29:26.399,0:29:28.320
i believe we had another configuration

0:29:28.320,0:29:30.720
file yeah we had used the snot.com file

0:29:30.720,0:29:32.399
so i'll hit enter

0:29:32.399,0:29:34.880
and now let me open up my file explorer

0:29:34.880,0:29:35.840
here

0:29:35.840,0:29:38.720
we take a look at the var directory

0:29:38.720,0:29:42.240
under log and under snort

0:29:42.240,0:29:44.960
we have alert there we are so

0:29:44.960,0:29:47.960
that has been modified the last was

0:29:47.960,0:29:51.200
modified uh

0:29:51.200,0:29:53.919
right over there okay so that's 19 yeah

0:29:53.919,0:29:55.679
so this is the last modified so i know

0:29:55.679,0:29:58.000
this file is not human readable uh we

0:29:58.000,0:30:00.399
are not going to be folding this dot log

0:30:00.399,0:30:02.960
file so i'll just close that there

0:30:02.960,0:30:05.840
so i'm just going to try and uh

0:30:05.840,0:30:07.440
i'm just going to try and perform a few

0:30:07.440,0:30:09.679
checks on the networks like a few pings

0:30:09.679,0:30:11.760
just to see if that's detected

0:30:11.760,0:30:14.080
uh so i'll just you know perform a ping

0:30:14.080,0:30:15.679
really quickly

0:30:15.679,0:30:17.520
again the alerts will not be logged on

0:30:17.520,0:30:18.960
our terminal because they're being

0:30:18.960,0:30:21.200
logged uh you know into the respective

0:30:21.200,0:30:24.159
alert file or the alert log file so i'll

0:30:24.159,0:30:26.080
just perform uh you know a few pings as

0:30:26.080,0:30:27.679
i was saying which i'm doing right now

0:30:27.679,0:30:29.520
on the attacker system

0:30:29.520,0:30:31.760
uh once that is done let's see whether

0:30:31.760,0:30:33.760
those changes are being highlighted in

0:30:33.760,0:30:37.600
alet indeed they are okay so now this is

0:30:37.600,0:30:39.919
um

0:30:40.159,0:30:42.399
as you can see here

0:30:42.399,0:30:45.279
this is the full

0:30:45.360,0:30:48.000
these are so to begin with we had used

0:30:48.000,0:30:50.399
the fast alert

0:30:50.399,0:30:54.000
we had used the fast alert output mode

0:30:54.000,0:30:56.080
and right over here we then have the

0:30:56.080,0:30:57.039
full

0:30:57.039,0:31:00.159
alert mode which i'm not really sure how

0:31:00.159,0:31:01.919
we want to

0:31:01.919,0:31:05.360
go about doing this but you can see

0:31:05.360,0:31:07.360
we can actually make a few changes but

0:31:07.360,0:31:09.600
what we can do is we can get rid of this

0:31:09.600,0:31:11.440
traffic here

0:31:11.440,0:31:13.519
but you can see the messages actually

0:31:13.519,0:31:15.279
being logged so

0:31:15.279,0:31:17.760
we can get rid of this here

0:31:17.760,0:31:20.399
because we don't want to mix fast um we

0:31:20.399,0:31:22.559
don't mix fast alerts

0:31:22.559,0:31:24.480
with um

0:31:24.480,0:31:26.080
we don't want to mix the alerts that

0:31:26.080,0:31:28.799
were output in the fast mode uh with the

0:31:28.799,0:31:31.519
full mode so we can just get rid of that

0:31:31.519,0:31:34.159
there and save that

0:31:34.159,0:31:37.840
so once that is done i'll just say

0:31:37.840,0:31:40.320
we actually need permissions to modify

0:31:40.320,0:31:42.000
that file

0:31:42.000,0:31:45.600
but you know what we can do is what i am

0:31:45.600,0:31:47.279
going to do actually is close without

0:31:47.279,0:31:49.519
saving is i'm just going to stop snort

0:31:49.519,0:31:50.399
there

0:31:50.399,0:31:52.080
and i'm just going to say

0:31:52.080,0:31:54.480
sudo remove var

0:31:54.480,0:31:56.799
log

0:31:56.960,0:31:59.120
and snort and we're going to remove

0:31:59.120,0:32:01.360
alert

0:32:01.360,0:32:02.720
all right and we're also going to remove

0:32:02.720,0:32:04.240
alert dot one

0:32:04.240,0:32:05.440
all right so i'm just going to run this

0:32:05.440,0:32:07.039
again just to see if that file is

0:32:07.039,0:32:08.240
generated

0:32:08.240,0:32:11.120
so there we are we have alert there

0:32:11.120,0:32:12.559
so now it's much cleaner so i'll just

0:32:12.559,0:32:14.240
run a few pings just to make sure that

0:32:14.240,0:32:16.480
the traffic is being locked all those

0:32:16.480,0:32:18.480
alerts are being logged

0:32:18.480,0:32:20.399
uh so there we are we have a few pings

0:32:20.399,0:32:21.519
there

0:32:21.519,0:32:24.640
and we can also you know just run a few

0:32:24.640,0:32:26.960
checks there okay so there we are we can

0:32:26.960,0:32:29.360
see that those are now being logged and

0:32:29.360,0:32:31.519
of course we can change the format based

0:32:31.519,0:32:32.320
on

0:32:32.320,0:32:33.519
you can change it based on your

0:32:33.519,0:32:35.039
requirements right

0:32:35.039,0:32:37.840
so um

0:32:38.000,0:32:39.919
now that that is done

0:32:39.919,0:32:42.000
what we can do is we can close that up

0:32:42.000,0:32:44.960
and we can actually leave snort running

0:32:44.960,0:32:46.320
as is

0:32:46.320,0:32:48.960
so what i'll do is i'm just going to

0:32:48.960,0:32:51.120
open up another tab

0:32:51.120,0:32:53.120
so i'll just you know i can say control

0:32:53.120,0:32:54.880
shift d there we are

0:32:54.880,0:32:56.799
and we're currently within the following

0:32:56.799,0:33:00.159
directory so opt opt splunk forward etsy

0:33:00.159,0:33:01.519
system local

0:33:01.519,0:33:03.120
so

0:33:03.120,0:33:06.000
once that is done we now need to add

0:33:06.000,0:33:08.080
uh we now need to add the files that we

0:33:08.080,0:33:09.919
would like to monitor or that we would

0:33:09.919,0:33:12.240
like to forward right so the log files

0:33:12.240,0:33:15.360
so i'll go back into the bin directory

0:33:15.360,0:33:17.679
so there we are cd bin because that's

0:33:17.679,0:33:19.360
where we have the splunk binary so i'll

0:33:19.360,0:33:20.960
say sudo

0:33:20.960,0:33:22.000
um

0:33:22.000,0:33:24.399
splunk

0:33:24.399,0:33:28.320
and we can say add monitor

0:33:28.320,0:33:30.720
and the file that we want to forward is

0:33:30.720,0:33:34.399
under var log snot and it is just alert

0:33:34.399,0:33:36.559
right so that's all that's really all

0:33:36.559,0:33:38.720
that we want to do right

0:33:38.720,0:33:41.600
and we can also utilize the fast alerts

0:33:41.600,0:33:44.399
but let's just do this for now

0:33:44.399,0:33:46.399
and we only want the alerts we don't

0:33:46.399,0:33:48.320
want the actual log files that contain

0:33:48.320,0:33:53.840
the packets themselves so i'll hit enter

0:33:54.480,0:33:56.399
all right so it's now going to forward

0:33:56.399,0:33:58.960
those alerts into splunk which pretty

0:33:58.960,0:34:02.159
much means that on our end we are done

0:34:02.159,0:34:04.000
however we still need to check one more

0:34:04.000,0:34:05.840
configuration file so i'll just take a

0:34:05.840,0:34:08.000
step back here and we'll head over into

0:34:08.000,0:34:10.879
the etsy directory under apps

0:34:10.879,0:34:13.119
and search

0:34:13.119,0:34:15.520
and then into local

0:34:15.520,0:34:16.720
when you think we'll need to root

0:34:16.720,0:34:18.320
permissions to access this so i'll just

0:34:18.320,0:34:20.079
switch to the root user and head over

0:34:20.079,0:34:21.520
into local

0:34:21.520,0:34:24.399
and we're looking for the inputs dot

0:34:24.399,0:34:26.560
conf file

0:34:26.560,0:34:28.079
uh right so we need to actually

0:34:28.079,0:34:29.760
configure this because this is very

0:34:29.760,0:34:31.040
important so

0:34:31.040,0:34:35.119
uh the first thing we want to do is let

0:34:35.119,0:34:35.919
us

0:34:35.919,0:34:38.639
add a new line here and within the

0:34:38.639,0:34:41.440
square brackets i'll just say splunk

0:34:41.440,0:34:44.240
uh tcp

0:34:44.240,0:34:46.399
and we then want to specify the port so

0:34:46.399,0:34:48.399
9997

0:34:48.399,0:34:49.679
let me make sure i type that in

0:34:49.679,0:34:51.520
correctly

0:34:51.520,0:34:54.240
we then need to actually put in the

0:34:54.240,0:34:56.960
connection

0:34:56.960,0:35:01.200
um so the connection host so connection

0:35:01.200,0:35:03.440
host is going to be equal to the ip

0:35:03.440,0:35:05.280
address of the splunk

0:35:05.280,0:35:06.560
server

0:35:06.560,0:35:08.960
so i'll just copy that there paste that

0:35:08.960,0:35:11.280
in there

0:35:11.280,0:35:14.000
once that is done

0:35:14.000,0:35:16.320
this is fine here disabled is set to

0:35:16.320,0:35:19.040
false we want index is going to be equal

0:35:19.040,0:35:20.320
to main

0:35:20.320,0:35:23.680
and then the source type

0:35:23.680,0:35:26.560
is going to be equal to snot

0:35:26.560,0:35:27.520
alert

0:35:27.520,0:35:28.960
full

0:35:28.960,0:35:31.280
and we can then say the source is equal

0:35:31.280,0:35:33.040
to snort all right so this is a very

0:35:33.040,0:35:35.280
important configuration so let me just

0:35:35.280,0:35:36.640
go through those options or

0:35:36.640,0:35:38.640
configurations again we have the splunk

0:35:38.640,0:35:40.320
tcp option

0:35:40.320,0:35:42.880
uh we then have the actual connection

0:35:42.880,0:35:45.520
host the monitor is set correctly to

0:35:45.520,0:35:46.640
that file

0:35:46.640,0:35:49.520
uh it's enabled index equals main source

0:35:49.520,0:35:51.680
type equals snorter that full source is

0:35:51.680,0:35:53.680
equal to snot fantastic so we'll write

0:35:53.680,0:35:54.720
in quit

0:35:54.720,0:35:57.040
uh once this is done

0:35:57.040,0:35:58.720
we'll need to restart splunk so i'll

0:35:58.720,0:36:00.800
switch back to my user lexis here and

0:36:00.800,0:36:04.560
we'll navigate back to the bin directory

0:36:04.560,0:36:06.400
so i'll say cd bin

0:36:06.400,0:36:08.800
and we'll say sudo

0:36:08.800,0:36:11.680
let me say splunk and we can then say

0:36:11.680,0:36:13.440
restart

0:36:13.440,0:36:15.680
all right hit enter

0:36:15.680,0:36:18.320
it's going to stop the splunk daemon

0:36:18.320,0:36:19.680
shutting it down

0:36:19.680,0:36:22.160
restart it and it's done successfully so

0:36:22.160,0:36:24.560
all the checks were completed without

0:36:24.560,0:36:27.119
any issue all right so

0:36:27.119,0:36:29.040
now that this is done we can actually go

0:36:29.040,0:36:31.440
back into splunk here and we'll navigate

0:36:31.440,0:36:33.280
to the dashboard

0:36:33.280,0:36:35.839
uh this is your splunk server right

0:36:35.839,0:36:37.440
and let's take a look at the messages

0:36:37.440,0:36:39.920
here that's just uh a few updates we

0:36:39.920,0:36:41.920
don't need to do anything there so if we

0:36:41.920,0:36:43.119
click on

0:36:43.119,0:36:45.599
search and reporting just to verify that

0:36:45.599,0:36:47.839
that data has indeed been for that i'll

0:36:47.839,0:36:49.280
just skip through this if we click on

0:36:49.280,0:36:51.040
data summary

0:36:51.040,0:36:52.880
under sources you should see that we

0:36:52.880,0:36:55.680
have the host and in my case the name of

0:36:55.680,0:36:58.640
the system is black box so that should

0:36:58.640,0:37:01.119
be reflected there so there we are black

0:37:01.119,0:37:03.280
box we have 42

0:37:03.280,0:37:06.800
logs or alerts if you will sources 42 we

0:37:06.800,0:37:08.640
can click on that there to just see the

0:37:08.640,0:37:11.280
data that has been logged indeed we can

0:37:11.280,0:37:13.040
see that has been done correctly so

0:37:13.040,0:37:14.880
source type is alert

0:37:14.880,0:37:17.280
uh we can see that it's imported you

0:37:17.280,0:37:19.440
know pretty much all the data or the you

0:37:19.440,0:37:21.119
know these are the this is the full log

0:37:21.119,0:37:23.599
whereby we have the reference to that

0:37:23.599,0:37:24.880
there

0:37:24.880,0:37:26.800
uh that's weird i didn't actually run

0:37:26.800,0:37:30.240
anything weird uh but uh there you go

0:37:30.240,0:37:32.720
um so now that this is done uh you can

0:37:32.720,0:37:34.880
use splunk to essentially visualize this

0:37:34.880,0:37:36.800
data you know however you want so you

0:37:36.800,0:37:39.359
know i can go into visualization

0:37:39.359,0:37:42.240
uh and we can click on maybe we can

0:37:42.240,0:37:44.720
create a um

0:37:44.720,0:37:46.880
we can select a few fields so if i go

0:37:46.880,0:37:50.240
back into the events here i can select a

0:37:50.240,0:37:52.240
few fields that i want displayed here

0:37:52.240,0:37:54.320
and i can you know essentially extract

0:37:54.320,0:37:57.040
the fields that i want with rejects

0:37:57.040,0:37:57.920
but

0:37:57.920,0:37:59.680
i don't think this is necessary in this

0:37:59.680,0:38:01.520
point because if we actually go back to

0:38:01.520,0:38:03.599
the dashboard

0:38:03.599,0:38:06.160
and we click on

0:38:06.160,0:38:10.079
let's see splunk snot alert for splunk

0:38:10.079,0:38:11.440
let's see if this is actually whether

0:38:11.440,0:38:15.200
this automates that process for us

0:38:15.200,0:38:17.280
uh there we are actually it looks like

0:38:17.280,0:38:21.599
it does so um classification bad traffic

0:38:21.599,0:38:24.160
so it looks like that is working

0:38:24.160,0:38:26.400
so what we can do now

0:38:26.400,0:38:28.720
is run a few

0:38:28.720,0:38:31.280
uh we can actually utilize this script

0:38:31.280,0:38:33.520
here the

0:38:33.520,0:38:37.119
uh the test my nids script here so all

0:38:37.119,0:38:39.440
you need to do to run it is just copy

0:38:39.440,0:38:41.520
this one liner script here or this

0:38:41.520,0:38:43.200
command that will download it into your

0:38:43.200,0:38:46.000
tmp directory and will then execute it

0:38:46.000,0:38:49.200
so you know to execute it within your

0:38:49.200,0:38:51.599
temp directory you can just uh execute

0:38:51.599,0:38:53.040
the actual

0:38:53.040,0:38:54.400
um

0:38:54.400,0:38:56.240
you know the actual binary there it is a

0:38:56.240,0:38:58.800
binary not a script

0:38:58.800,0:39:01.280
and uh once that is done you can then

0:39:01.280,0:39:03.520
select the option here so let me just do

0:39:03.520,0:39:05.920
that on my attacker system

0:39:05.920,0:39:08.880
i'm just gonna run it one more time so

0:39:08.880,0:39:14.359
um just going to say ls here and

0:39:16.160,0:39:18.960
if i uh open up the documentation so

0:39:18.960,0:39:21.839
firstly i will

0:39:21.839,0:39:23.440
i will run

0:39:23.440,0:39:26.640
a quick linux uid check so

0:39:26.640,0:39:28.960
i'll just hit enter

0:39:28.960,0:39:31.280
okay that is done i'll then perform a

0:39:31.280,0:39:35.119
http basic authentication

0:39:35.119,0:39:37.839
and a malware user agent so i'm doing

0:39:37.839,0:39:40.640
that right now

0:39:40.839,0:39:46.000
okay and we can run one more here so

0:39:46.000,0:39:48.720
uh let's see let's see let's see uh we

0:39:48.720,0:39:51.520
can try exe or dll download over http

0:39:51.520,0:39:55.280
that is surely going to be um

0:39:55.280,0:39:57.040
logged

0:39:57.040,0:39:59.839
or that's going to trigger an alert

0:39:59.839,0:40:00.640
so

0:40:00.640,0:40:03.040
uh do we have uh that is running all

0:40:03.040,0:40:05.280
right so snot is running that's great

0:40:05.280,0:40:08.079
uh so we know that the log is being uh

0:40:08.079,0:40:10.240
the actual alerts are being forwarded

0:40:10.240,0:40:12.960
absolutely fantastic so let's go back in

0:40:12.960,0:40:15.040
here i've already run those

0:40:15.040,0:40:18.400
uh those particular checks

0:40:18.400,0:40:20.160
so let me just refresh this i know it

0:40:20.160,0:40:22.160
usually takes a couple of seconds to a

0:40:22.160,0:40:24.400
couple of minutes but that data should

0:40:24.400,0:40:26.240
start should actually be reflected there

0:40:26.240,0:40:28.160
we are fantastic so

0:40:28.160,0:40:31.119
uh we can see that uh you know firstly

0:40:31.119,0:40:32.880
i'll just explain the dashboard here

0:40:32.880,0:40:33.760
because

0:40:33.760,0:40:36.160
uh this dashboard is automatically you

0:40:36.160,0:40:38.000
know set up for you by the snort app

0:40:38.000,0:40:39.920
which is really awesome as i said you

0:40:39.920,0:40:41.440
don't need to go through that process

0:40:41.440,0:40:42.560
yourself

0:40:42.560,0:40:44.560
so the first graph here essentially

0:40:44.560,0:40:46.400
tells you your events

0:40:46.400,0:40:48.560
uh and and it also displays uh you know

0:40:48.560,0:40:50.400
the total number of sources so you can

0:40:50.400,0:40:52.560
see that there you also have the time

0:40:52.560,0:40:54.480
uh and you saw you have your events and

0:40:54.480,0:40:56.079
then the timeline here and you can

0:40:56.079,0:40:58.880
essentially you know view a trend or the

0:40:58.880,0:41:01.680
trend of uh of events there you then

0:41:01.680,0:41:04.880
have the top uh the top source countries

0:41:04.880,0:41:07.040
right over here and if i just run

0:41:07.040,0:41:08.720
another check really quickly here

0:41:08.720,0:41:11.119
through the nids website

0:41:11.119,0:41:14.720
so uh let me just run the curl command

0:41:14.720,0:41:16.640
uh you should actually see that because

0:41:16.640,0:41:19.280
we are reaching out to uh you know a

0:41:19.280,0:41:21.280
connection made to an external server

0:41:21.280,0:41:23.680
that it should reflect that info under

0:41:23.680,0:41:25.760
the top countries the top source

0:41:25.760,0:41:26.800
countries

0:41:26.800,0:41:28.800
so uh we then have the events here which

0:41:28.800,0:41:31.280
uh you know you can click on um and then

0:41:31.280,0:41:33.119
of course you have the sources

0:41:33.119,0:41:36.079
so these are the uh snort event types

0:41:36.079,0:41:37.760
and these are actually the

0:41:37.760,0:41:39.680
classification so we can see potentially

0:41:39.680,0:41:42.640
bad traffic attempted information leak

0:41:42.640,0:41:44.720
and you know you can just refresh your

0:41:44.720,0:41:47.440
dashboard to get the latest

0:41:47.440,0:41:49.359
so we'll give that a couple of seconds

0:41:49.359,0:41:52.000
and you can also specify the actual uh

0:41:52.000,0:41:53.599
interval period

0:41:53.599,0:41:56.400
so uh i'll just wait for this uh let's

0:41:56.400,0:41:58.880
see if it's actually being logged or

0:41:58.880,0:42:00.319
whether we can see all of that so i'll

0:42:00.319,0:42:04.000
just go back into the dashboard here

0:42:04.000,0:42:04.800
and

0:42:04.800,0:42:07.359
we'll go into search and reporting and

0:42:07.359,0:42:09.920
if we click on the actual

0:42:09.920,0:42:13.040
data summary and the sources uh we can

0:42:13.040,0:42:15.359
see we have snort there and then vast

0:42:15.359,0:42:19.520
not alert so we click on snot there

0:42:19.520,0:42:22.000
okay so this is bad traffic that's

0:42:22.000,0:42:25.440
really weird because

0:42:26.079,0:42:27.920
the source is not we had added two

0:42:27.920,0:42:29.520
sources there

0:42:29.520,0:42:32.720
so data summary

0:42:32.720,0:42:34.800
let me just click on that there and if

0:42:34.800,0:42:36.960
we click on these sources there this is

0:42:36.960,0:42:40.800
the one that we want ideally

0:42:43.200,0:42:46.079
yeah so that looks like uh the correct

0:42:46.079,0:42:48.720
one there

0:42:49.599,0:42:51.680
yeah that's the correct traffic um uh i

0:42:51.680,0:42:55.119
think that's why uh the actual uh let me

0:42:55.119,0:42:56.960
see if i can find so snot alert for

0:42:56.960,0:43:00.640
splunk let me click on the app there

0:43:02.480,0:43:04.160
show filters it should be displaying

0:43:04.160,0:43:06.400
much more than that because i know yeah

0:43:06.400,0:43:08.319
they're not just four

0:43:08.319,0:43:09.920
so

0:43:09.920,0:43:12.640
uh if we actually head over into the

0:43:12.640,0:43:16.560
uh snot event search here

0:43:18.480,0:43:20.800
we can actually search for uh you know

0:43:20.800,0:43:25.359
we can utilize uh yeah so these are only

0:43:25.359,0:43:28.400
this is only monitoring the pings so

0:43:28.400,0:43:30.240
that's weird i'm not really sure why we

0:43:30.240,0:43:32.319
have two data sources i think it's to do

0:43:32.319,0:43:33.839
with the fact

0:43:33.839,0:43:37.040
uh that uh you know we had so let me

0:43:37.040,0:43:39.520
just go back here

0:43:39.520,0:43:42.640
apps search and sudo root

0:43:42.640,0:43:46.720
let me just check that here so cd local

0:43:46.720,0:43:47.839
vim

0:43:47.839,0:43:50.640
inputs dot look so there we are so the

0:43:50.640,0:43:53.280
source is snort

0:43:53.280,0:43:56.079
we already specified the source as not

0:43:56.079,0:43:57.599
there

0:43:57.599,0:43:59.520
but it's all it's adding

0:43:59.520,0:44:02.319
this particular you know the alert as uh

0:44:02.319,0:44:04.160
as a source as well

0:44:04.160,0:44:06.400
and then this the source type is not

0:44:06.400,0:44:09.040
alert full index main yeah that that

0:44:09.040,0:44:10.560
should be working that should be working

0:44:10.560,0:44:12.319
without any issues i'm not really sure

0:44:12.319,0:44:14.079
why that is the case but

0:44:14.079,0:44:16.480
we can actually customize what data set

0:44:16.480,0:44:18.000
we want to use

0:44:18.000,0:44:19.359
so uh

0:44:19.359,0:44:21.520
i think let me actually showcase how to

0:44:21.520,0:44:23.359
do that right now

0:44:23.359,0:44:25.839
um so apologies about that i actually

0:44:25.839,0:44:27.599
figured out what the issue was it was

0:44:27.599,0:44:30.319
because the system i was running

0:44:30.319,0:44:32.079
uh this particular

0:44:32.079,0:44:34.560
attacks from wasn't even connected to

0:44:34.560,0:44:36.800
the local network

0:44:36.800,0:44:38.880
and even though i was running these

0:44:38.880,0:44:41.040
these attacks i did realize that of

0:44:41.040,0:44:42.640
course they weren't working so i'm just

0:44:42.640,0:44:44.880
gonna i've just reconnected it

0:44:44.880,0:44:47.359
and what i'm gonna do is i'm just gonna

0:44:47.359,0:44:49.599
run this one more time

0:44:49.599,0:44:53.359
so just give me a second here and i'll

0:44:53.359,0:44:56.319
be able to do that one more time so

0:44:56.319,0:44:58.560
let me just navigate to that particular

0:44:58.560,0:45:00.079
directory

0:45:00.079,0:45:01.040
and

0:45:01.040,0:45:02.480
we'll actually see whether this will

0:45:02.480,0:45:04.400
work so

0:45:04.400,0:45:06.000
you can actually see there's much more

0:45:06.000,0:45:07.920
uh that's been captured in regards to

0:45:07.920,0:45:10.160
events and i'll be explaining this

0:45:10.160,0:45:12.480
dashboard in a couple of seconds

0:45:12.480,0:45:13.359
so

0:45:13.359,0:45:14.960
let me just uh

0:45:14.960,0:45:17.359
launch that first attack there so that

0:45:17.359,0:45:19.440
you know let me just launch that first

0:45:19.440,0:45:22.240
uh type of check and of course i'm using

0:45:22.240,0:45:26.400
test my nids here so uh unfortunately

0:45:26.400,0:45:28.000
that wasn't even being logged which is

0:45:28.000,0:45:30.000
why i was a bit confused as to why those

0:45:30.000,0:45:32.800
logs are not being displayed here

0:45:32.800,0:45:35.520
so i'll give that a couple of seconds

0:45:35.520,0:45:36.800
and

0:45:36.800,0:45:38.880
we'll be able to see this happen

0:45:38.880,0:45:41.920
in real time as well

0:45:41.920,0:45:44.560
all right so that is done so i've

0:45:44.560,0:45:46.319
essentially launched a couple of those

0:45:46.319,0:45:48.319
tests and uh

0:45:48.319,0:45:50.640
this as i said this is your default uh

0:45:50.640,0:45:52.560
dashboard that you're provided with here

0:45:52.560,0:45:53.520
so

0:45:53.520,0:45:55.760
um you know you can actually refresh uh

0:45:55.760,0:45:58.720
all of these um all of these panels here

0:45:58.720,0:46:00.800
if you will so that'll display the

0:46:00.800,0:46:03.920
latest and as i said here because i'd

0:46:03.920,0:46:05.839
had performed the actual

0:46:05.839,0:46:07.680
uh you know i'd perform the actual check

0:46:07.680,0:46:09.520
and then connected to an external server

0:46:09.520,0:46:11.680
you can see that you know the top source

0:46:11.680,0:46:13.680
countries are highlighted there

0:46:13.680,0:46:15.839
you can also refresh the number of

0:46:15.839,0:46:18.160
events as you can see here

0:46:18.160,0:46:20.319
and the number of sources so

0:46:20.319,0:46:22.319
uh you can also do that for the rest of

0:46:22.319,0:46:24.480
the panel so these are the top 10

0:46:24.480,0:46:26.800
classifications

0:46:26.800,0:46:28.960
in terms of events if you will and then

0:46:28.960,0:46:31.359
the snort event types as you can see

0:46:31.359,0:46:32.319
here

0:46:32.319,0:46:33.839
so for example in this case we have the

0:46:33.839,0:46:36.160
attack response id check which if we

0:46:36.160,0:46:37.520
click on

0:46:37.520,0:46:40.319
right over here

0:46:41.119,0:46:42.640
you can see that it actually displays

0:46:42.640,0:46:44.400
that and you can then uh you can then

0:46:44.400,0:46:46.400
click on the signature itself and this

0:46:46.400,0:46:48.880
is for statistics now if you click on

0:46:48.880,0:46:52.000
the snort event search tab right over

0:46:52.000,0:46:53.040
here

0:46:53.040,0:46:54.880
you can see that this allows you to

0:46:54.880,0:46:57.119
search based on the source ip the source

0:46:57.119,0:46:59.680
port the destination ip destination port

0:46:59.680,0:47:02.240
and the event type so i can check for

0:47:02.240,0:47:04.400
attack responses based on the rule set

0:47:04.400,0:47:06.480
that we had used previously

0:47:06.480,0:47:09.359
and i can also specify the timing right

0:47:09.359,0:47:12.079
so that's really fantastic there

0:47:12.079,0:47:14.640
so you can see that right over here we

0:47:14.640,0:47:16.240
have that logged

0:47:16.240,0:47:19.040
which is fantastic and

0:47:19.040,0:47:21.920
if we click on the snort world map

0:47:21.920,0:47:24.000
that'll essentially as you'll see in a

0:47:24.000,0:47:26.160
couple of seconds this will essentially

0:47:26.160,0:47:28.559
display the countries by the source ips

0:47:28.559,0:47:29.839
in this case it should display the

0:47:29.839,0:47:32.079
united states which makes sense

0:47:32.079,0:47:34.800
uh and there we are so again this is

0:47:34.800,0:47:37.119
extremely helpful especially if you work

0:47:37.119,0:47:39.839
in a sock and as i said there's multiple

0:47:39.839,0:47:41.920
uh you know security tools you can

0:47:41.920,0:47:45.040
integrate with uh with splunk

0:47:45.040,0:47:46.880
now one thing that i wanted to highlight

0:47:46.880,0:47:49.440
is you can if you click on edit i'll

0:47:49.440,0:47:51.200
just go back to the

0:47:51.200,0:47:53.200
event summary here because this is very

0:47:53.200,0:47:55.119
important

0:47:55.119,0:47:57.280
you can set this as your main dashboard

0:47:57.280,0:47:58.960
so if you right click here you can set

0:47:58.960,0:48:01.520
this as your home dashboard

0:48:01.520,0:48:03.599
so i'll just click on that there

0:48:03.599,0:48:05.440
and now you'll see on your dashboard

0:48:05.440,0:48:08.240
here if i just close that top menu

0:48:08.240,0:48:10.240
that will actually be displayed there so

0:48:10.240,0:48:12.319
give it a couple of seconds

0:48:12.319,0:48:14.079
and of course you can click on the cog

0:48:14.079,0:48:16.240
wheel here

0:48:16.240,0:48:19.280
and essentially display whatever

0:48:19.280,0:48:21.520
you know you can specify your default

0:48:21.520,0:48:23.200
dashboard now there are a couple of

0:48:23.200,0:48:25.599
other ones that are created by default

0:48:25.599,0:48:27.119
uh but yeah you can have that on your

0:48:27.119,0:48:28.400
dashboard

0:48:28.400,0:48:31.040
uh and uh you know if you actually click

0:48:31.040,0:48:33.839
on snot the snot alert for splunk here

0:48:33.839,0:48:36.240
and we'll just go back into that snot

0:48:36.240,0:48:38.240
event summary tab

0:48:38.240,0:48:40.880
uh you can actually edit the way these

0:48:40.880,0:48:44.240
um these particular panels are tiled so

0:48:44.240,0:48:46.079
uh you know you can convert it to a

0:48:46.079,0:48:48.880
pre-built panel or you know

0:48:48.880,0:48:50.400
you can you can actually convert it to a

0:48:50.400,0:48:52.960
pre-built panel you can get rid of it

0:48:52.960,0:48:54.720
uh you can also move them around based

0:48:54.720,0:48:57.440
on your own requirements and uh in this

0:48:57.440,0:48:59.680
case you can actually let's see if i can

0:48:59.680,0:49:00.880
show you can actually select the

0:49:00.880,0:49:02.480
visualization

0:49:02.480,0:49:04.240
uh so in this case i think the default

0:49:04.240,0:49:06.079
one is fine and you can then view the

0:49:06.079,0:49:07.920
report here so

0:49:07.920,0:49:08.960
um

0:49:08.960,0:49:11.359
if we click on this one here for example

0:49:11.359,0:49:13.280
we could actually use the bar graph to

0:49:13.280,0:49:15.280
display the you know the number of the

0:49:15.280,0:49:17.200
actual um

0:49:17.200,0:49:19.440
the top source countries uh and have

0:49:19.440,0:49:21.599
them displayed in a bar graph style but

0:49:21.599,0:49:23.280
we can just take it back into the pie

0:49:23.280,0:49:25.599
chart there and you can also change this

0:49:25.599,0:49:27.440
for the events as well

0:49:27.440,0:49:29.359
so uh you know if we wanted to view a

0:49:29.359,0:49:31.440
trend we can click on the bar graph

0:49:31.440,0:49:32.240
there

0:49:32.240,0:49:34.000
uh in this case i don't think that's

0:49:34.000,0:49:37.040
formatted correctly so uh if we just use

0:49:37.040,0:49:39.440
the the default one

0:49:39.440,0:49:42.880
uh which i believe was i think it was no

0:49:42.880,0:49:46.160
that wasn't the one i believe it was uh

0:49:46.160,0:49:47.920
let's see if i can identify it here it

0:49:47.920,0:49:50.800
was the number there we are so 26 uh so

0:49:50.800,0:49:52.640
as i said you can customize this based

0:49:52.640,0:49:53.839
on your own

0:49:53.839,0:49:55.440
uh you know

0:49:55.440,0:49:57.440
your own requirements so for example

0:49:57.440,0:49:59.839
this one might do well if it was in the

0:49:59.839,0:50:02.240
form of a bar graph so you know

0:50:02.240,0:50:04.240
you can utilize that if you feel that

0:50:04.240,0:50:06.319
that is appropriate

0:50:06.319,0:50:08.319
uh in this case uh you know we can also

0:50:08.319,0:50:11.920
specify uh the actual um you know we can

0:50:11.920,0:50:14.559
actually list the events themselves

0:50:14.559,0:50:16.079
uh let's see which other ones look

0:50:16.079,0:50:17.920
really good here

0:50:17.920,0:50:19.760
uh and uh yeah once you're done with the

0:50:19.760,0:50:22.079
customization you can then cancel or

0:50:22.079,0:50:24.559
save based on your requirements and you

0:50:24.559,0:50:27.200
can also filter on this particular tab

0:50:27.200,0:50:28.960
here you know through the source ip

0:50:28.960,0:50:31.280
destination ip etc

0:50:31.280,0:50:33.839
um let's see what else did i wanted to

0:50:33.839,0:50:35.599
did i want to highlight let me just

0:50:35.599,0:50:38.000
refresh this once more

0:50:38.000,0:50:39.760
and you know to essentially get the

0:50:39.760,0:50:42.480
latest data

0:50:42.480,0:50:44.480
and uh you can see uh in terms of the

0:50:44.480,0:50:46.480
fan the in terms of the panels this will

0:50:46.480,0:50:49.520
display the last 100 attempts

0:50:49.520,0:50:51.760
uh and uh you know you can go through

0:50:51.760,0:50:53.599
them like so

0:50:53.599,0:50:55.839
uh you can also view i think we've gone

0:50:55.839,0:50:57.119
through all of them but you have the

0:50:57.119,0:50:59.440
persistent sources so two or more days

0:50:59.440,0:51:01.359
of activity in the last 30 days so you

0:51:01.359,0:51:03.040
actually need a lot of data for that to

0:51:03.040,0:51:05.200
be displayed or to give you anything

0:51:05.200,0:51:06.400
useful

0:51:06.400,0:51:07.520
um

0:51:07.520,0:51:09.760
yeah so that is

0:51:09.760,0:51:11.680
what i wanted to highlight in regards to

0:51:11.680,0:51:14.079
the snot alert for splunk app and the

0:51:14.079,0:51:15.839
actual dashboards which i said it

0:51:15.839,0:51:17.359
already does for you

0:51:17.359,0:51:19.119
now you can create your own dashboard as

0:51:19.119,0:51:21.200
i said if i go back into apps and search

0:51:21.200,0:51:22.720
and reporting

0:51:22.720,0:51:25.200
based on your own sources so i'll just

0:51:25.200,0:51:27.280
click on data summary there and if i

0:51:27.280,0:51:29.280
click on sources

0:51:29.280,0:51:30.960
you can click on the

0:51:30.960,0:51:33.839
this source here for example and

0:51:33.839,0:51:36.640
you know in this case we can actually uh

0:51:36.640,0:51:39.680
just click on that there and i can click

0:51:39.680,0:51:41.920
on extract fields

0:51:41.920,0:51:43.359
and you can extract the fields with

0:51:43.359,0:51:46.319
rejects so i'll click on next there

0:51:46.319,0:51:47.760
and you can then select the fields that

0:51:47.760,0:51:50.400
you want so for example in this case we

0:51:50.400,0:51:52.720
would want the date and time

0:51:52.720,0:51:55.280
so i can just highlight that there so i

0:51:55.280,0:51:56.319
can say

0:51:56.319,0:51:59.520
time for example add the extraction

0:51:59.520,0:52:02.000
and then of course we have the source ip

0:52:02.000,0:52:03.839
and the port but i'll just highlight

0:52:03.839,0:52:05.680
them together but i think it's actually

0:52:05.680,0:52:07.440
recommended just to highlight the source

0:52:07.440,0:52:08.880
ip there

0:52:08.880,0:52:13.200
so source we can say crc src

0:52:13.200,0:52:14.559
underscore

0:52:14.559,0:52:15.520
ip

0:52:15.520,0:52:18.480
add that extraction and we then have the

0:52:18.480,0:52:20.800
destination ip which in this case uh

0:52:20.800,0:52:22.559
because this is uh

0:52:22.559,0:52:25.520
an sm snmp broadcast

0:52:25.520,0:52:27.520
request we can we know that that's the

0:52:27.520,0:52:30.880
destination ip so i'll say dst

0:52:30.880,0:52:33.040
underscore ip

0:52:33.040,0:52:36.720
add the extraction let's see what else

0:52:36.720,0:52:40.079
we can do um

0:52:40.079,0:52:41.440
in this case it's saying the extraction

0:52:41.440,0:52:42.960
field you're extracting if you're

0:52:42.960,0:52:45.040
extracting multiple fields try removing

0:52:45.040,0:52:47.040
one or more fields start with the

0:52:47.040,0:52:48.720
extractions that are embedded within

0:52:48.720,0:52:51.680
longer strings okay so let's try and use

0:52:51.680,0:52:54.400
another alert here

0:52:54.400,0:52:57.599
that was kind of interesting um let's

0:52:57.599,0:52:58.319
see

0:52:58.319,0:53:00.480
it's not displaying all of them here but

0:53:00.480,0:53:02.800
you get the idea once you're done

0:53:02.800,0:53:04.480
uh you know for example i can remove

0:53:04.480,0:53:06.079
that field here i'm just giving you an

0:53:06.079,0:53:08.720
example of that so remove that field

0:53:08.720,0:53:12.000
uh there we are i can then say next and

0:53:12.000,0:53:15.440
i can click on validate and save based

0:53:15.440,0:53:18.240
on those fields there hit finish

0:53:18.240,0:53:20.800
and then you know i can go back to

0:53:20.800,0:53:23.359
uh you know search and reporting

0:53:23.359,0:53:25.280
and if i wanted to create a very simple

0:53:25.280,0:53:27.040
visualization which i'll show you right

0:53:27.040,0:53:27.839
now

0:53:27.839,0:53:30.000
even though i don't really need those

0:53:30.000,0:53:31.920
extracted fields although they might be

0:53:31.920,0:53:33.280
useful so

0:53:33.280,0:53:36.079
i can click on those extracted fields

0:53:36.079,0:53:38.559
now i believe they should have been

0:53:38.559,0:53:39.760
added

0:53:39.760,0:53:41.200
i'm not really sure why they aren't

0:53:41.200,0:53:43.440
being highlighted here there we are so

0:53:43.440,0:53:45.200
source ip

0:53:45.200,0:53:47.760
uh we can also specify the source port

0:53:47.760,0:53:50.240
uh we all there there they are so i had

0:53:50.240,0:53:51.760
actually they took a while to be

0:53:51.760,0:53:53.599
displayed there so

0:53:53.599,0:53:56.559
uh so support that why why not we can

0:53:56.559,0:53:59.920
yeah i think that's pretty much it so

0:53:59.920,0:54:02.079
uh based on those we can actually build

0:54:02.079,0:54:04.480
an event type however if we go to

0:54:04.480,0:54:07.520
visualization and click on pivot here

0:54:07.520,0:54:10.640
selected fields is five hit ok

0:54:10.640,0:54:12.559
we can actually you know visualize this

0:54:12.559,0:54:14.319
however we want so for example if i

0:54:14.319,0:54:17.119
wanted a column chart here

0:54:17.119,0:54:19.680
number one will display the count

0:54:19.680,0:54:22.079
i can just add the

0:54:22.079,0:54:24.079
events

0:54:24.079,0:54:26.319
because that's the count and we should

0:54:26.319,0:54:28.720
have at the bottom the time which i did

0:54:28.720,0:54:32.559
specify uh we believe within that range

0:54:32.559,0:54:34.000
there

0:54:34.000,0:54:36.720
but that's not being highlighted here so

0:54:36.720,0:54:39.280
the number of events and you know you

0:54:39.280,0:54:41.839
can go ahead and click as you can

0:54:41.839,0:54:43.440
essentially save it

0:54:43.440,0:54:45.280
so you get the idea you don't really

0:54:45.280,0:54:46.880
need to do this because we have the

0:54:46.880,0:54:48.480
snort app here

0:54:48.480,0:54:50.079
which pretty much gives you the

0:54:50.079,0:54:52.880
summaries that are useful to you or for

0:54:52.880,0:54:53.839
you

0:54:53.839,0:54:56.559
and there we are so fantastic so that's

0:54:56.559,0:54:57.920
going to conclude the practical

0:54:57.920,0:55:01.119
demonstration side of this video

0:55:01.119,0:55:02.799
so uh thank you very much for watching

0:55:02.799,0:55:04.559
this video if you have any questions or

0:55:04.559,0:55:06.240
suggestions leave them in the comments

0:55:06.240,0:55:07.200
section

0:55:07.200,0:55:08.559
if you want to reach out to me you can

0:55:08.559,0:55:10.160
do so via

0:55:10.160,0:55:12.319
twitter or the discord server the links

0:55:12.319,0:55:14.240
to both of those are in the description

0:55:14.240,0:55:16.720
section furthermore we are now moving on

0:55:16.720,0:55:18.720
to part two so this will conclude part

0:55:18.720,0:55:21.040
one so part two will be available on the

0:55:21.040,0:55:24.559
lynnodes on 24 platform so uh the videos

0:55:24.559,0:55:26.559
are available uh on demand so all you

0:55:26.559,0:55:28.559
need to do just click uh click the link

0:55:28.559,0:55:31.599
in the description register for part two

0:55:31.599,0:55:33.520
after which an email will be sent to you

0:55:33.520,0:55:34.720
and you'll be given uh you know

0:55:34.720,0:55:37.200
immediate access to to the videos uh

0:55:37.200,0:55:40.000
within part two so uh thank you very

0:55:40.000,0:55:42.799
much uh for watching part one uh in the

0:55:42.799,0:55:45.040
next video in part two we'll get started

0:55:45.040,0:55:46.640
or we'll take a look at host intrusion

0:55:46.640,0:55:49.520
detection with os sec so i'll be seeing

0:55:49.520,0:55:53.640
you in the next video

0:55:59.130,0:56:12.240
[Music]

0:56:12.240,0:56:14.319
you