[00:00:01] Hello everyone, welcome back to the Blue Team Training Series brought to you by Linode and HackerSploit. In this video we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk, and you might be asking yourself, well, how are we going to do this, what setup are we using? Well, the scenario that I've set up for this video is we're essentially going to take all the knowledge that we've learned during the Snort video, and we are going to forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with the Splunk Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic within the network that I'm monitoring.
[00:01:08] [Music]

[00:01:19] At a very high level, what will we be covering? Well, firstly we'll get an introduction to Splunk. Now before we move any further or actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, and how it's used generally speaking, because Splunk is not really a tool that is specific to security, for example; that's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to essentially monitor the intrusion detection logs generated by Snort.

[00:02:15] So we'll then move on to deploying Splunk Enterprise Security on Linux, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it, so that'll set it up for us. We'll then take a look at how to configure Splunk and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort, so that we can forward those logs into Splunk, and then of course we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry, it'll make sense in a couple of minutes.

[00:02:58] With that being said, given the fact that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it will help you set up Snort and you can then run through this demo. With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security; we are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring.

[00:03:35] So the prerequisites are the same as the previous videos. The only difference is that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements, and essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that will help you out or help you get started.

[00:04:00] All right, so let's get an introduction to Splunk. So what is Splunk? That's the main question if you've never heard of Splunk. Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems, or machines as Splunk likes to call them. So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0, or the interconnected world we live in today, and we're going to be looking at it from the perspective of security.

[00:04:33] So if we take a simple system, let's say we have a Windows operating system or a system running Windows. Well, that Windows system produces a lot of data or logs that contain information that at first glance might not seem that important, but once you start getting into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization, they have a thousand computers within their network, or distributed worldwide, and all of these systems need to be secured, their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. So Splunk allows you to essentially funnel all of this data produced by systems or machines into Splunk, and then Splunk allows you to monitor, search and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk you'll need to import your own data or logs; alternatively you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and of course visualization, etc. Now Splunk does so much more that I really can't go over all of the features here, but as I said, we're looking at this from the lens of a security engineer.

[00:06:00] All right, so Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results and visualize the answers in the form of a report, chart, graph, etc. All right, so what I'm saying here is that Splunk allows you to take all of these security-related logs and data and make sense of them and essentially get the answers that you're looking for. So for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level you want to know whether something is going wrong, and what could go wrong in the context of security: a network could be compromised, there could be some malicious network traffic or activity going on, a system could be compromised, etc., you get the idea. So we need that data to be displayed to us as a security engineer, and Splunk is really one of the best tools when it comes down to taking a lot of data and then identifying the data that interests you, transforming that data into results and then visualizing that data in the form of a report, chart or graph. Right, so that's really what we're going to be doing, and as I said, going back to the scenario, we're going to be focusing on how to essentially get in, or how to forward, the logs and alerts created by Snort into Splunk for analysis, and luckily for us Splunk has a Snort app, or plug-in if you will, that will essentially simplify this process.

[00:07:44] So let's get an idea as to how we can use Splunk for security event monitoring. So Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks or threats or intrusions. So Splunk ES can be used for security event monitoring, incident response and running a SOC or security operations center. In this video we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and this is really cool, is it automatically forwards the latest logs even when Snort is running; it forwards those alerts and logs into Splunk and you can see them in real time, which is absolutely fantastic.

[00:08:49] So as I said, if you're new to Splunk then these resources are really helpful for you. So Splunk offers really great tutorials and courses designed for absolute beginners; you can check that out by clicking on the link within this slide, and you can learn more about the Splunk Enterprise Security edition from that particular link.

[00:09:09] Now as I said, we're going to be deploying Splunk on Linux, more specifically Splunk ES, and this is the lab environment. So we're going to spin up Splunk ES on Linux. Now again, to follow through with this, Linode has been absolutely fantastic by providing all of you guys with a way to get a hundred dollars in free Linode credit. All you need to do is just click the link in the description section and sign up, and a hundred dollars will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linux, and then within my internal network we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort; this is the same virtual machine that we had set up and used to set up Snort and set up Suricata, and the one we had used with Wazuh. And yeah, that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will essentially perform or run a couple of commands or scripts to essentially emulate malicious network activity, so that this traffic is essentially logged, and that will provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions.

[00:10:40] So as I said, you don't really need to have a Windows workstation; you simply need to have the Ubuntu VM and you can pretty much run everything from it, and of course you can set up the Splunk Enterprise Security server on Linux without any issues.
--> 00:10:58,399 so that's the lab environment we can now 290 00:10:58,399 --> 00:11:00,000 get started with the practical 291 00:11:00,000 --> 00:11:01,440 demonstration so i'm going to switch 292 00:11:01,440 --> 00:11:05,040 over to my ubuntu virtual machine 293 00:11:05,040 --> 00:11:07,600 all right so i'm back on my ubuntu 294 00:11:07,600 --> 00:11:09,360 virtual machine and you can see i have 295 00:11:09,360 --> 00:11:11,279 linux opened up here 296 00:11:11,279 --> 00:11:13,279 i haven't set anything up yet because 297 00:11:13,279 --> 00:11:14,640 we're going to be walking through the 298 00:11:14,640 --> 00:11:16,079 process together 299 00:11:16,079 --> 00:11:18,959 i then have the splunk.com website here 300 00:11:18,959 --> 00:11:21,040 so if you're new to splunk then you need 301 00:11:21,040 --> 00:11:22,640 to create a new account in order to 302 00:11:22,640 --> 00:11:25,040 follow along so uh just head over to 303 00:11:25,040 --> 00:11:27,279 head over to splunk.com and you know 304 00:11:27,279 --> 00:11:29,519 register for an account it's free 305 00:11:29,519 --> 00:11:31,120 once that is done 306 00:11:31,120 --> 00:11:33,120 you'll need to activate your account or 307 00:11:33,120 --> 00:11:35,120 verify your account through the email or 308 00:11:35,120 --> 00:11:36,880 the verification email 309 00:11:36,880 --> 00:11:39,680 they'll send you once that is done 310 00:11:39,680 --> 00:11:41,279 we can then move forward because in 311 00:11:41,279 --> 00:11:44,320 order to access the actual um 312 00:11:44,320 --> 00:11:46,800 splunk universal folder you'll need to 313 00:11:46,800 --> 00:11:48,720 have an account and of course um you 314 00:11:48,720 --> 00:11:50,639 know in this case i'll be going through 315 00:11:50,639 --> 00:11:52,800 everything as we move along in a 316 00:11:52,800 --> 00:11:55,519 structured uh in a structured manner and 317 00:11:55,519 --> 00:11:59,120 then to perform the actual nids 318 00:11:59,120 --> 
00:12:00,160 tests 319 00:12:00,160 --> 00:12:01,920 we are going to be using the test 320 00:12:01,920 --> 00:12:03,839 mynids.org 321 00:12:03,839 --> 00:12:06,480 project which is on github so this is 322 00:12:06,480 --> 00:12:08,880 essentially a bash script 323 00:12:08,880 --> 00:12:11,440 that allows you to as you can see here 324 00:12:11,440 --> 00:12:13,279 it allows you to essentially emulate or 325 00:12:13,279 --> 00:12:16,800 simulate malicious network traffic so uh 326 00:12:16,800 --> 00:12:19,440 previously we had used the website uh 327 00:12:19,440 --> 00:12:21,279 the website technique to essentially get 328 00:12:21,279 --> 00:12:23,760 a linux uid and that traffic would be 329 00:12:23,760 --> 00:12:26,240 logged as malicious or 330 00:12:26,240 --> 00:12:27,760 it could be logged as a potential 331 00:12:27,760 --> 00:12:30,000 intrusion and we can run a few other 332 00:12:30,000 --> 00:12:33,360 checks like an http basic authentication 333 00:12:33,360 --> 00:12:35,519 bad certificate authorities 334 00:12:35,519 --> 00:12:38,639 uh an exe or dll download over http so 335 00:12:38,639 --> 00:12:40,720 you know just we can run tests that are 336 00:12:40,720 --> 00:12:42,959 you know will just make our 337 00:12:42,959 --> 00:12:45,440 intrusion detection system uh blow up in 338 00:12:45,440 --> 00:12:47,600 terms of alerts and that's what we want 339 00:12:47,600 --> 00:12:49,519 because we want to see how that data is 340 00:12:49,519 --> 00:12:52,160 presented to us as a security engineer 341 00:12:52,160 --> 00:12:55,040 on splunk with that being said the first 342 00:12:55,040 --> 00:12:57,680 step of course is to set up splunk es on 343 00:12:57,680 --> 00:12:58,880 linux so 344 00:12:58,880 --> 00:13:01,680 just click on uh click on create and a 345 00:13:01,680 --> 00:13:04,079 linux and click on marketplace 346 00:13:04,079 --> 00:13:06,399 and they already have splunk here so 347 00:13:06,399 --> 00:13:08,480 there we are you can 
click on that there 348 00:13:08,480 --> 00:13:10,240 and if you click on this little info 349 00:13:10,240 --> 00:13:12,399 button here it'll give you an idea as to 350 00:13:12,399 --> 00:13:14,320 how to deploy it on 351 00:13:14,320 --> 00:13:16,480 uh on linux and of course you have more 352 00:13:16,480 --> 00:13:18,399 information regarding splunk so you have 353 00:13:18,399 --> 00:13:20,480 the documentation link there so i'll 354 00:13:20,480 --> 00:13:22,959 just click on splunk 355 00:13:22,959 --> 00:13:24,639 once that is clicked we can then head 356 00:13:24,639 --> 00:13:26,720 over here you'll need to specify the 357 00:13:26,720 --> 00:13:28,959 splunk admin user i recommend using 358 00:13:28,959 --> 00:13:31,600 admin to begin with and then specify a 359 00:13:31,600 --> 00:13:33,440 password 360 00:13:33,440 --> 00:13:35,519 if you're setting up you know splunk on 361 00:13:35,519 --> 00:13:37,600 a domain then you can specify the 362 00:13:37,600 --> 00:13:39,839 lynnode api token to essentially create 363 00:13:39,839 --> 00:13:42,320 the dns records that's if you're using 364 00:13:42,320 --> 00:13:43,839 linux dns 365 00:13:43,839 --> 00:13:45,839 dns service 366 00:13:45,839 --> 00:13:47,519 uh and then of course you need to add 367 00:13:47,519 --> 00:13:49,519 the admin email for the server so in 368 00:13:49,519 --> 00:13:52,000 this case i can just say for example 369 00:13:52,000 --> 00:13:54,000 hackersploit 370 00:13:54,000 --> 00:13:55,519 gmail.com 371 00:13:55,519 --> 00:13:57,360 don't spam me on this email because i 372 00:13:57,360 --> 00:13:59,519 don't respond anyway so we can create 373 00:13:59,519 --> 00:14:01,040 another user 374 00:14:01,040 --> 00:14:02,480 uh so this is the username for the 375 00:14:02,480 --> 00:14:04,720 lynnode admins ssh user please ensure 376 00:14:04,720 --> 00:14:06,480 that the username does not contain any 377 00:14:06,480 --> 00:14:08,880 so we can just call this admin and then 378 
00:14:08,880 --> 00:14:11,360 for the admin user we'll just say 379 00:14:11,360 --> 00:14:13,199 provide that there 380 00:14:13,199 --> 00:14:14,800 so the image we're going to set it up on 381 00:14:14,800 --> 00:14:18,079 ubuntu 20.04 the region i'll say london 382 00:14:18,079 --> 00:14:19,920 because that's closest to me 383 00:14:19,920 --> 00:14:22,240 as for the actual linux plan 384 00:14:22,240 --> 00:14:24,720 linux es doesn't require that many 385 00:14:24,720 --> 00:14:26,480 resources especially because you know 386 00:14:26,480 --> 00:14:28,720 the amount of data that we're processing 387 00:14:28,720 --> 00:14:30,959 on the logs that are being forwarded to 388 00:14:30,959 --> 00:14:34,320 splunk are relatively few so less than 389 00:14:34,320 --> 00:14:36,160 100 which if you've used splunk before 390 00:14:36,160 --> 00:14:37,920 for security vent monitoring you know 391 00:14:37,920 --> 00:14:39,040 that that is 392 00:14:39,040 --> 00:14:41,199 like really really small in fl in in 393 00:14:41,199 --> 00:14:43,199 fact splunk will actually tell you that 394 00:14:43,199 --> 00:14:44,959 you know the amount of data 395 00:14:44,959 --> 00:14:47,519 to begin with that you have imported or 396 00:14:47,519 --> 00:14:49,680 you afforded is too little to make any 397 00:14:49,680 --> 00:14:50,880 sense off 398 00:14:50,880 --> 00:14:52,480 but that's where the snort app for 399 00:14:52,480 --> 00:14:54,800 splunk comes into play so i'll just say 400 00:14:54,800 --> 00:14:56,000 splunk 401 00:14:56,000 --> 00:14:58,160 and i'll provide my root password for 402 00:14:58,160 --> 00:14:59,360 the server 403 00:14:59,360 --> 00:15:02,079 and we can click on create 404 00:15:02,079 --> 00:15:03,360 all right now 405 00:15:03,360 --> 00:15:06,079 uh once this is set up and provisioned 406 00:15:06,079 --> 00:15:08,079 the actual installer is going to begin 407 00:15:08,079 --> 00:15:10,079 so it's going to set up because there is 408 00:15:10,079 --> 
00:15:12,800 an auto installer setup that will set up 409 00:15:12,800 --> 00:15:15,199 splunk yes for you so uh let it 410 00:15:15,199 --> 00:15:16,880 provision after that's done you can 411 00:15:16,880 --> 00:15:19,199 launch the lish console to avoid logging 412 00:15:19,199 --> 00:15:22,160 in via ssh and of course one thing that 413 00:15:22,160 --> 00:15:24,000 i need to that i don't need to tell you 414 00:15:24,000 --> 00:15:25,680 is if you're setting this up for 415 00:15:25,680 --> 00:15:27,680 production then you need to make sure 416 00:15:27,680 --> 00:15:29,759 you're securing your server so do only 417 00:15:29,759 --> 00:15:32,720 use ssh keys for authentication with the 418 00:15:32,720 --> 00:15:33,759 server 419 00:15:33,759 --> 00:15:35,920 if you're new to hardening and securing 420 00:15:35,920 --> 00:15:37,759 a linux server you can check out the 421 00:15:37,759 --> 00:15:39,360 previous series 422 00:15:39,360 --> 00:15:41,920 that we did with linux the linux server 423 00:15:41,920 --> 00:15:44,800 security series uh that'll give you uh 424 00:15:44,800 --> 00:15:46,959 you know all the information you need to 425 00:15:46,959 --> 00:15:49,759 secure a linux server for production 426 00:15:49,759 --> 00:15:50,959 with that being said i'm just going to 427 00:15:50,959 --> 00:15:52,800 let it provision after which we can 428 00:15:52,800 --> 00:15:54,560 launch the english console to see what's 429 00:15:54,560 --> 00:15:56,639 going on in the background and we can 430 00:15:56,639 --> 00:15:58,800 then get started uh you know officially 431 00:15:58,800 --> 00:16:00,000 with um 432 00:16:00,000 --> 00:16:01,839 with how to set up splunk we then need 433 00:16:01,839 --> 00:16:04,720 to set up the universal folder 434 00:16:04,720 --> 00:16:08,639 so uh this is booting now 435 00:16:08,639 --> 00:16:11,120 all right so the server is booted and 436 00:16:11,120 --> 00:16:12,800 you can see i've just opened up the lish 437 00:16:12,800 
--> 00:16:14,320 console here 438 00:16:14,320 --> 00:16:15,920 to essentially view what's going on as 439 00:16:15,920 --> 00:16:18,000 you can see it's begun setting up a 440 00:16:18,000 --> 00:16:20,399 splunk yes so just give this a couple of 441 00:16:20,399 --> 00:16:21,519 minutes 442 00:16:21,519 --> 00:16:23,279 to essentially begin 443 00:16:23,279 --> 00:16:25,600 um and once it's done it'll actually 444 00:16:25,600 --> 00:16:27,360 tell you that it'll provide you with the 445 00:16:27,360 --> 00:16:28,800 login prompt 446 00:16:28,800 --> 00:16:30,399 but it's probably logged in as the root 447 00:16:30,399 --> 00:16:32,000 user already so 448 00:16:32,000 --> 00:16:33,759 uh just let this complete i'm just gonna 449 00:16:33,759 --> 00:16:36,880 wait for this to actually conclude 450 00:16:36,880 --> 00:16:40,000 all right so once uh splunk es is done 451 00:16:40,000 --> 00:16:42,880 uh or the actual uh linode is done here 452 00:16:42,880 --> 00:16:44,320 with the setup you can see it's gonna 453 00:16:44,320 --> 00:16:46,240 tell you installation complete 454 00:16:46,240 --> 00:16:48,160 and you can then log in uh keep this 455 00:16:48,160 --> 00:16:49,519 window open because this is going to be 456 00:16:49,519 --> 00:16:50,880 very important as we'll need to 457 00:16:50,880 --> 00:16:53,440 configure a few firewall rules because 458 00:16:53,440 --> 00:16:56,320 uh by default this linux comes with ufw 459 00:16:56,320 --> 00:16:58,720 which is the uncomplicated firewall for 460 00:16:58,720 --> 00:17:00,079 debian or 461 00:17:00,079 --> 00:17:02,000 it typically comes pre-packaged with 462 00:17:02,000 --> 00:17:04,959 debian-based distributions like ubuntu 463 00:17:04,959 --> 00:17:06,559 in this case it's already added the 464 00:17:06,559 --> 00:17:08,400 firewall rule for the port that we 465 00:17:08,400 --> 00:17:10,000 wanted but just keep it open because 466 00:17:10,000 --> 00:17:12,559 we'll need to run a few checks um so you 467 
00:17:12,559 --> 00:17:14,000 can log in there so i'm just going to 468 00:17:14,000 --> 00:17:15,679 log in with the credentials that i 469 00:17:15,679 --> 00:17:18,720 specified as the root user and i can 470 00:17:18,720 --> 00:17:22,160 just say sudo ufw status 471 00:17:22,160 --> 00:17:23,839 um 472 00:17:23,839 --> 00:17:25,439 and you can see these are all the 473 00:17:25,439 --> 00:17:28,160 allowed rules or the actual rules 474 00:17:28,160 --> 00:17:30,400 configured for the firewall which is 475 00:17:30,400 --> 00:17:32,400 looking good uh so far 476 00:17:32,400 --> 00:17:35,679 so we can access the splunk es instance 477 00:17:35,679 --> 00:17:37,840 that we set up by pasting in the ip of 478 00:17:37,840 --> 00:17:42,080 the server and and opening up port 8000 479 00:17:42,080 --> 00:17:44,080 that's going to open up splunk yes for 480 00:17:44,080 --> 00:17:45,760 you so just give this a couple of 481 00:17:45,760 --> 00:17:48,240 seconds there we are and the credentials 482 00:17:48,240 --> 00:17:50,880 that we had used were admin and the 483 00:17:50,880 --> 00:17:53,280 password that i created uh that you know 484 00:17:53,280 --> 00:17:54,559 of course you'll you'll be able to 485 00:17:54,559 --> 00:17:57,200 specify yourself so just sign in 486 00:17:57,200 --> 00:17:59,919 um and once that is done you'll be 487 00:17:59,919 --> 00:18:03,360 brought to splunk enterprise 488 00:18:03,360 --> 00:18:05,360 security here so there we are explore 489 00:18:05,360 --> 00:18:07,200 splunk enterprise 490 00:18:07,200 --> 00:18:10,000 uh and um 491 00:18:10,000 --> 00:18:11,360 in this case what we're going to be 492 00:18:11,360 --> 00:18:14,080 doing what we're going to start off with 493 00:18:14,080 --> 00:18:16,240 is we need to go through a few 494 00:18:16,240 --> 00:18:18,720 configuration uh changes with splunk 495 00:18:18,720 --> 00:18:19,760 itself 496 00:18:19,760 --> 00:18:22,880 so the idea firstly is to configure 497 00:18:22,880 --> 
00:18:25,600 --> 00:19:28,720 the receiving of data. So if you head over into Settings, under Data just click on Forwarding and receiving. Once that is loaded up, under Receive data we need to configure this instance to receive data forwarded from other instances, so we want to configure receiving, and we just want to set the default receiving port. So we can say New Receiving Port, and the port is of course going to be the default, which is 9997, which is why that firewall rule was added. So I'll click on Save. All right, so once that is done we can now install the Snort app for Splunk. So click on Apps and head over into Find More Apps, and because the Ubuntu server, or the Ubuntu VM that I'm currently working on, is running Snort 2, we'll need the appropriate app here. So I'll just search for Snort there, and we're not looking for the Snort 3 JSON Alerts, although that could be quite useful, but we want the Snort Alert for Splunk. All right, so
00:19:28,720 --> 00:20:32,480 this app provides field extraction, so that's really great, because performing your own field extractions using regex can be quite difficult if you're a beginner. So: fast and full, as well as dashboards, saved searches, reports, event types, tags and event search interfaces. So we'll install that. Now you'll need to log in with your Splunk account credentials that you actually created on splunk.com, so I'll just fill in my information really quickly. All right, so I've put in my username and password, I'll accept the terms and conditions there, so Login and Install. That's going to install it. There we are, so we'll just hit Done. Now that is done, if we head back over into our dashboard, so I'll just click on Splunk Enterprise there, you can now see we have Snort Alert for Splunk. So that's it: it already comes pre-configured with a dashboard, so we'll just let this load up here, and you can see that we don't have any data yet. So this will display
00:20:34,559 --> 00:21:40,480 your events and sources, top source countries, the events (this is very important), the sources, top 10 classifications, so that will classify your alerts in terms of the type, which again will make sense in a couple of seconds. So now that that is done we actually need to configure the actual Splunk Universal Forwarder. So I'll just open that up in a new tab. It's absolutely free to download the Debian client, or the Splunk Universal Forwarder Debian package. So universal forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems collecting terabytes of data. So again you can actually see why Splunk is so powerful and why it's widely used and deployed, because of the fact that you can literally forward a ton of data from a ton of systems into Splunk. So because Snort is running on this Ubuntu VM we need the Debian package, so
00:21:41,919 --> 00:22:50,400 I'll click on Linux, and we want the 64-bit version. Again, you can choose one based on your requirements, so if you're running on Red Hat, Fedora or CentOS you can use the RPM package. So I'll just download the Debian package here. Give that a couple of seconds; it's then going to begin downloading it, and then I'll walk you through the setup process. So there we are, it's begun the setup, and once that is done I'll open up my terminal. So that's saved in the Downloads directory, so if we head over into the Downloads directory you can see we have the Splunk forwarder Debian package there. So what we want to do firstly is we want to move this package into the actual /opt directory on Linux, which will essentially allow us to set it up as optional software, and it's really good to have all that optional software stored in the /opt directory. So once that's downloaded we can say mv, the Splunk forwarder package, into /opt, and we'll need sudo privileges, so
00:22:50,400 --> 00:23:55,679 I'll say sudo mv. There we are, and I'll just type in my password. Fantastic. So we'll now navigate to the /opt directory, and to install this we can say sudo apt and then specify install, so sudo apt install, and then we specify the package itself, so the splunkforwarder package. We're just going to hit enter; that's going to install it for you. Give that a couple of seconds. All right, so once that is installed, if you list out the contents of this directory you're going to have a splunkforwarder directory here. So I'll say cd splunkforwarder, and under the bin directory, we can navigate to that here, we'll need to start Splunk. So we will say sudo, and the binary we want to run is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it, so we need to specify the username and password, or create a username and password, and once that is done you'll actually see what that looks like. So I'll just say --accept-license
00:23:55,679 --> 00:24:59,520 and you can see in this case, let's see if I typed that in correctly, that should actually start. So splunk start; I did not specify start there. There we are, so: please enter an administrator name. I'll just say admin. So again, Splunk software must create an administrator account during startup, otherwise you cannot log in, so create credentials for the administrator account. So in this case you can create whatever you want; I'm just going to fill in my credentials here. All right, so I've just entered my administrator username and then of course my password, so that is done. So it'll essentially go through and check the prerequisites: new certs have been generated in the following directory, and all the preliminary checks have passed, so starting the Splunk server daemon. So that's started. You can also enable it to run on system startup, so if I say, for example, sudo systemctl status splunk
00:24:59,520 --> 00:26:18,320 let me type that in correctly here, so splunk, sorry, sudo systemctl, and we can say splunkd, sorry, so we can say splunk. I'm not really sure why that's not loading here, but I do know that the daemon is running, and there should be an init daemon for that, but in any case you can always start it that way. Once that is done we will need to add our forward server, so we need to add the address of the server, the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second, but let's do that first. So again we're going to use the splunk binary, and we're going to say forward-server, and we'll just copy the IP address of your Splunk server here. So there we are, and I'll paste that in there, and then you need to type in the port, so 9997, that's the port to connect to. Hit enter. So splunk forward... yeah, we need to add it; I keep forgetting the preliminary command, so add forward-
00:26:18,320 --> 00:27:28,480 server, Splunk username. So in this case let me just put in my credentials here. All right, and it's going to then add the forwarding to that particular address. All right, now that that is done, we actually need to configure a particular file, and that is going to be outputs.conf. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So if we head over into the following directory, so I'll just take a step back, we're still in the splunkforwarder directory, we'll head over into the etc directory, and under system we have a file under local, I think it is called outputs. Right, so I'm going to say sudo vim outputs.conf, and really the only thing that is required here is of course just leave the default configuration as is. The default group is fine, so [tcpout] defaultGroup = default-autolb-group, that's fine. So make sure that the server option here is configured, that's the most important,
00:27:28,480 --> 00:28:33,360 and the tcpout-server address is also configured in this format, so we don't need to make any changes there. So I'll just say quit and exit. Once that is done we also need to check the actual inputs configuration file, but before we do that, let's take a look. So if you revisit the Snort video, you know that all the logs are stored under /var/log/snort, right? So we have the alert log, and we also have, so again, based on the type of alerts you want generated, so if I say man snort here, you can see that we have the alert mode, so you can use the fast mode or the full mode. In this case I'll be using the fast mode, and I'll give you a description of what's going on here. Right, so full writes the alert to the alert file with the full decoded header as well as the alert message, which might be important, so we can also do that as well. So this was from the previous, from the Snort video, where we had
00:28:33,360 --> 00:29:38,720 essentially run Snort and where we were identifying various alerts. So what we can do is, again we will go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we have alert.1; ideally we would only want to forward this file into Splunk. So in order to do this, what I'm going to do now is I'm just going to run Snort really quickly. So I'm going to say sudo snort, -q for quiet, and then the actual directory for the logs is /var/log/snort, and then we can say the interface is enp0s3, again make sure to replace that with your own interface, the alert mode we can say full, and the configuration is /etc/snort/snort.conf. I believe we had another configuration file... yeah, we had used the snort.conf file, so I'll hit enter. And now let me open up my file explorer here, we take a look at the /var
00:29:38,720 --> 00:30:50,399 directory, under log and under snort, we have alert. There we are. So that has been modified; the last modified is right over there, okay, so that's 19, yeah, so this is the last modified. So I know this file is not human readable; we are not going to be forwarding this .log file, so I'll just close that there. So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. So I'll just perform a ping really quickly. Again, the alerts will not be logged on our terminal because they're being logged into the respective alert file, or the alert log file. So I'll just perform a few pings, as I was saying, which I'm doing right now on the attacker system. Once that is done, let's see whether those changes are being highlighted in alert. Indeed they are. Okay, so now, as you can see here, this is the full... so to begin with we had used the fast alert
00:30:50,399 --> 00:32:02,720 we had used the fast alert output mode, and right over here we then have the full alert mode, which I'm not really sure how we want to go about doing this, but you can see we can actually make a few changes. What we can do is we can get rid of this traffic here, but you can see the messages actually being logged. So we can get rid of this here, because we don't want to mix the alerts that were output in the fast mode with the full mode, so we can just get rid of that there and save that. So once that is done, I'll just say... we actually need permissions to modify that file, but what I am going to do actually is close without saving; I'm just going to stop Snort there, and I'm just going to say sudo rm /var/log/snort/alert. All right, and we're also going to remove
00:32:04,240 --> 00:33:06,000 alert.1. All right, so I'm just going to run this again just to see if that file is generated. So there we are, we have alert there, so now it's much cleaner. So I'll just run a few pings just to make sure that the traffic is being logged, all those alerts are being logged. So there we are, we have a few pings there, and we can also just run a few checks there. Okay, so there we are, we can see that those are now being logged, and of course you can change the format based on your requirements. Right, so now that that is done, what we can do is we can close that up, and we can actually leave Snort running as is. So what I'll do is I'm just going to open up another tab, so I can say Ctrl+Shift+D, there we are, and we're currently within the following directory, so /opt/splunkforwarder/etc/system/local. So once that is done we now need to add
00:33:08,080 --> 00:34:18,320 we now need to add the files that we would like to monitor, or that we would like to forward, right, so the log files. So I'll go back into the bin directory, so there we are, cd bin, because that's where we have the splunk binary. So I'll say sudo splunk, and we can say add monitor, and the file that we want to forward is under /var/log/snort and it is just alert. Right, so that's really all that we want to do, and we can also utilize the fast alerts, but let's just do this for now, and we only want the alerts; we don't want the actual log files that contain the packets themselves. So I'll hit enter. All right, so it's now going to forward those alerts into Splunk, which pretty much means that on our end we are done. However, we still need to check one more configuration file, so I'll just take a step back here, and we'll head over into the etc directory, under apps, and search, and then into local. I think we'll need root permissions to access this, so I'll just
00:34:20,079 --> 00:35:33,040 switch to the root user and head over into local, and we're looking for the inputs.conf file. Right, so we need to actually configure this, because this is very important. So the first thing we want to do is add a new line here, and within the square brackets I'll just say splunktcp, and we then want to specify the port, so 9997; let me make sure I type that in correctly. We then need to actually put in the connection host, so connection_host is going to be equal to the IP address of the Splunk server, so I'll just copy that there, paste that in there. Once that is done, this is fine here, disabled is set to false, we want index is going to be equal to main, and then the sourcetype is going to be equal to snort_alert_full, and we can then say the source is equal to snort. All right, so this is a very
00:35:35,280 --> 00:36:39,920 important configuration, so let me just go through those options or configurations again. We have the splunktcp option, we then have the actual connection host, the monitor is set correctly to that file, it's enabled, index equals main, sourcetype equals snort_alert_full, source is equal to snort. Fantastic, so we'll write and quit. Once this is done we'll need to restart Splunk, so I'll switch back to my user, Lexis, here, and we'll navigate back to the bin directory, so I'll say cd bin, and we'll say sudo splunk, and we can then say restart. All right, hit enter. It's going to stop the Splunk daemon, shutting it down, restart it, and it's done successfully, so all the checks were completed without any issue. All right, so now that this is done we can actually go back into Splunk here, and we'll navigate to the dashboard. This is your Splunk server, right, and let's take a look at the messages here; that's just a few updates, we
00:36:41,920 --> 00:37:46,880 don't need to do anything there. So if we click on Search & Reporting, just to verify that that data has indeed been forwarded, I'll just skip through this. If we click on Data Summary, under Sources you should see that we have the host, and in my case the name of the system is black box, so that should be reflected there. So there we are, black box, we have 42 logs, or alerts if you will; sources, 42. We can click on that there to just see the data that has been logged. Indeed we can see that has been done correctly, so source type is alert. We can see that it's imported pretty much all the data; this is the full log, whereby we have the reference to that there. That's weird, I didn't actually run anything weird, but there you go. So now that this is done you can use Splunk to essentially visualize this data however you want. So I can go into Visualization, and we can click on, maybe we can create a, we can select a
few fields so if i go 1015 00:37:46,880 --> 00:37:50,240 back into the events here i can select a 1016 00:37:50,240 --> 00:37:52,240 few fields that i want displayed here 1017 00:37:52,240 --> 00:37:54,320 and i can you know essentially extract 1018 00:37:54,320 --> 00:37:57,040 the fields that i want with rejects 1019 00:37:57,040 --> 00:37:57,920 but 1020 00:37:57,920 --> 00:37:59,680 i don't think this is necessary in this 1021 00:37:59,680 --> 00:38:01,520 point because if we actually go back to 1022 00:38:01,520 --> 00:38:03,599 the dashboard 1023 00:38:03,599 --> 00:38:06,160 and we click on 1024 00:38:06,160 --> 00:38:10,079 let's see splunk snot alert for splunk 1025 00:38:10,079 --> 00:38:11,440 let's see if this is actually whether 1026 00:38:11,440 --> 00:38:15,200 this automates that process for us 1027 00:38:15,200 --> 00:38:17,280 uh there we are actually it looks like 1028 00:38:17,280 --> 00:38:21,599 it does so um classification bad traffic 1029 00:38:21,599 --> 00:38:24,160 so it looks like that is working 1030 00:38:24,160 --> 00:38:26,400 so what we can do now 1031 00:38:26,400 --> 00:38:28,720 is run a few 1032 00:38:28,720 --> 00:38:31,280 uh we can actually utilize this script 1033 00:38:31,280 --> 00:38:33,520 here the 1034 00:38:33,520 --> 00:38:37,119 uh the test my nids script here so all 1035 00:38:37,119 --> 00:38:39,440 you need to do to run it is just copy 1036 00:38:39,440 --> 00:38:41,520 this one liner script here or this 1037 00:38:41,520 --> 00:38:43,200 command that will download it into your 1038 00:38:43,200 --> 00:38:46,000 tmp directory and will then execute it 1039 00:38:46,000 --> 00:38:49,200 so you know to execute it within your 1040 00:38:49,200 --> 00:38:51,599 temp directory you can just uh execute 1041 00:38:51,599 --> 00:38:53,040 the actual 1042 00:38:53,040 --> 00:38:54,400 um 1043 00:38:54,400 --> 00:38:56,240 you know the actual binary there it is a 1044 00:38:56,240 --> 00:38:58,800 binary not a script 1045 
00:38:58,800 --> 00:39:01,280 and uh once that is done you can then 1046 00:39:01,280 --> 00:39:03,520 select the option here so let me just do 1047 00:39:03,520 --> 00:39:05,920 that on my attacker system 1048 00:39:05,920 --> 00:39:08,880 i'm just gonna run it one more time so 1049 00:39:08,880 --> 00:39:14,359 um just going to say ls here and 1050 00:39:16,160 --> 00:39:18,960 if i uh open up the documentation so 1051 00:39:18,960 --> 00:39:21,839 firstly i will 1052 00:39:21,839 --> 00:39:23,440 i will run 1053 00:39:23,440 --> 00:39:26,640 a quick linux uid check so 1054 00:39:26,640 --> 00:39:28,960 i'll just hit enter 1055 00:39:28,960 --> 00:39:31,280 okay that is done i'll then perform a 1056 00:39:31,280 --> 00:39:35,119 http basic authentication 1057 00:39:35,119 --> 00:39:37,839 and a malware user agent so i'm doing 1058 00:39:37,839 --> 00:39:40,640 that right now 1059 00:39:40,839 --> 00:39:46,000 okay and we can run one more here so 1060 00:39:46,000 --> 00:39:48,720 uh let's see let's see let's see uh we 1061 00:39:48,720 --> 00:39:51,520 can try exe or dll download over http 1062 00:39:51,520 --> 00:39:55,280 that is surely going to be um 1063 00:39:55,280 --> 00:39:57,040 logged 1064 00:39:57,040 --> 00:39:59,839 or that's going to trigger an alert 1065 00:39:59,839 --> 00:40:00,640 so 1066 00:40:00,640 --> 00:40:03,040 uh do we have uh that is running all 1067 00:40:03,040 --> 00:40:05,280 right so snot is running that's great 1068 00:40:05,280 --> 00:40:08,079 uh so we know that the log is being uh 1069 00:40:08,079 --> 00:40:10,240 the actual alerts are being forwarded 1070 00:40:10,240 --> 00:40:12,960 absolutely fantastic so let's go back in 1071 00:40:12,960 --> 00:40:15,040 here i've already run those 1072 00:40:15,040 --> 00:40:18,400 uh those particular checks 1073 00:40:18,400 --> 00:40:20,160 so let me just refresh this i know it 1074 00:40:20,160 --> 00:40:22,160 usually takes a couple of seconds to a 1075 00:40:22,160 --> 00:40:24,400 
couple of minutes but that data should 1076 00:40:24,400 --> 00:40:26,240 start should actually be reflected there 1077 00:40:26,240 --> 00:40:28,160 we are fantastic so 1078 00:40:28,160 --> 00:40:31,119 uh we can see that uh you know firstly 1079 00:40:31,119 --> 00:40:32,880 i'll just explain the dashboard here 1080 00:40:32,880 --> 00:40:33,760 because 1081 00:40:33,760 --> 00:40:36,160 uh this dashboard is automatically you 1082 00:40:36,160 --> 00:40:38,000 know set up for you by the snort app 1083 00:40:38,000 --> 00:40:39,920 which is really awesome as i said you 1084 00:40:39,920 --> 00:40:41,440 don't need to go through that process 1085 00:40:41,440 --> 00:40:42,560 yourself 1086 00:40:42,560 --> 00:40:44,560 so the first graph here essentially 1087 00:40:44,560 --> 00:40:46,400 tells you your events 1088 00:40:46,400 --> 00:40:48,560 uh and and it also displays uh you know 1089 00:40:48,560 --> 00:40:50,400 the total number of sources so you can 1090 00:40:50,400 --> 00:40:52,560 see that there you also have the time 1091 00:40:52,560 --> 00:40:54,480 uh and you saw you have your events and 1092 00:40:54,480 --> 00:40:56,079 then the timeline here and you can 1093 00:40:56,079 --> 00:40:58,880 essentially you know view a trend or the 1094 00:40:58,880 --> 00:41:01,680 trend of uh of events there you then 1095 00:41:01,680 --> 00:41:04,880 have the top uh the top source countries 1096 00:41:04,880 --> 00:41:07,040 right over here and if i just run 1097 00:41:07,040 --> 00:41:08,720 another check really quickly here 1098 00:41:08,720 --> 00:41:11,119 through the nids website 1099 00:41:11,119 --> 00:41:14,720 so uh let me just run the curl command 1100 00:41:14,720 --> 00:41:16,640 uh you should actually see that because 1101 00:41:16,640 --> 00:41:19,280 we are reaching out to uh you know a 1102 00:41:19,280 --> 00:41:21,280 connection made to an external server 1103 00:41:21,280 --> 00:41:23,680 that it should reflect that info under 1104 00:41:23,680 
--> 00:41:25,760 the top countries the top source 1105 00:41:25,760 --> 00:41:26,800 countries 1106 00:41:26,800 --> 00:41:28,800 so uh we then have the events here which 1107 00:41:28,800 --> 00:41:31,280 uh you know you can click on um and then 1108 00:41:31,280 --> 00:41:33,119 of course you have the sources 1109 00:41:33,119 --> 00:41:36,079 so these are the uh snort event types 1110 00:41:36,079 --> 00:41:37,760 and these are actually the 1111 00:41:37,760 --> 00:41:39,680 classification so we can see potentially 1112 00:41:39,680 --> 00:41:42,640 bad traffic attempted information leak 1113 00:41:42,640 --> 00:41:44,720 and you know you can just refresh your 1114 00:41:44,720 --> 00:41:47,440 dashboard to get the latest 1115 00:41:47,440 --> 00:41:49,359 so we'll give that a couple of seconds 1116 00:41:49,359 --> 00:41:52,000 and you can also specify the actual uh 1117 00:41:52,000 --> 00:41:53,599 interval period 1118 00:41:53,599 --> 00:41:56,400 so uh i'll just wait for this uh let's 1119 00:41:56,400 --> 00:41:58,880 see if it's actually being logged or 1120 00:41:58,880 --> 00:42:00,319 whether we can see all of that so i'll 1121 00:42:00,319 --> 00:42:04,000 just go back into the dashboard here 1122 00:42:04,000 --> 00:42:04,800 and 1123 00:42:04,800 --> 00:42:07,359 we'll go into search and reporting and 1124 00:42:07,359 --> 00:42:09,920 if we click on the actual 1125 00:42:09,920 --> 00:42:13,040 data summary and the sources uh we can 1126 00:42:13,040 --> 00:42:15,359 see we have snort there and then vast 1127 00:42:15,359 --> 00:42:19,520 not alert so we click on snot there 1128 00:42:19,520 --> 00:42:22,000 okay so this is bad traffic that's 1129 00:42:22,000 --> 00:42:25,440 really weird because 1130 00:42:26,079 --> 00:42:27,920 the source is not we had added two 1131 00:42:27,920 --> 00:42:29,520 sources there 1132 00:42:29,520 --> 00:42:32,720 so data summary 1133 00:42:32,720 --> 00:42:34,800 let me just click on that there and if 1134 
00:42:34,800 --> 00:42:36,960 we click on these sources there this is 1135 00:42:36,960 --> 00:42:40,800 the one that we want ideally 1136 00:42:43,200 --> 00:42:46,079 yeah so that looks like uh the correct 1137 00:42:46,079 --> 00:42:48,720 one there 1138 00:42:49,599 --> 00:42:51,680 yeah that's the correct traffic um uh i 1139 00:42:51,680 --> 00:42:55,119 think that's why uh the actual uh let me 1140 00:42:55,119 --> 00:42:56,960 see if i can find so snot alert for 1141 00:42:56,960 --> 00:43:00,640 splunk let me click on the app there 1142 00:43:02,480 --> 00:43:04,160 show filters it should be displaying 1143 00:43:04,160 --> 00:43:06,400 much more than that because i know yeah 1144 00:43:06,400 --> 00:43:08,319 they're not just four 1145 00:43:08,319 --> 00:43:09,920 so 1146 00:43:09,920 --> 00:43:12,640 uh if we actually head over into the 1147 00:43:12,640 --> 00:43:16,560 uh snot event search here 1148 00:43:18,480 --> 00:43:20,800 we can actually search for uh you know 1149 00:43:20,800 --> 00:43:25,359 we can utilize uh yeah so these are only 1150 00:43:25,359 --> 00:43:28,400 this is only monitoring the pings so 1151 00:43:28,400 --> 00:43:30,240 that's weird i'm not really sure why we 1152 00:43:30,240 --> 00:43:32,319 have two data sources i think it's to do 1153 00:43:32,319 --> 00:43:33,839 with the fact 1154 00:43:33,839 --> 00:43:37,040 uh that uh you know we had so let me 1155 00:43:37,040 --> 00:43:39,520 just go back here 1156 00:43:39,520 --> 00:43:42,640 apps search and sudo root 1157 00:43:42,640 --> 00:43:46,720 let me just check that here so cd local 1158 00:43:46,720 --> 00:43:47,839 vim 1159 00:43:47,839 --> 00:43:50,640 inputs dot look so there we are so the 1160 00:43:50,640 --> 00:43:53,280 source is snort 1161 00:43:53,280 --> 00:43:56,079 we already specified the source as not 1162 00:43:56,079 --> 00:43:57,599 there 1163 00:43:57,599 --> 00:43:59,520 but it's all it's adding 1164 00:43:59,520 --> 00:44:02,319 this particular you 
know the alert as uh 1165 00:44:02,319 --> 00:44:04,160 as a source as well 1166 00:44:04,160 --> 00:44:06,400 and then this the source type is not 1167 00:44:06,400 --> 00:44:09,040 alert full index main yeah that that 1168 00:44:09,040 --> 00:44:10,560 should be working that should be working 1169 00:44:10,560 --> 00:44:12,319 without any issues i'm not really sure 1170 00:44:12,319 --> 00:44:14,079 why that is the case but 1171 00:44:14,079 --> 00:44:16,480 we can actually customize what data set 1172 00:44:16,480 --> 00:44:18,000 we want to use 1173 00:44:18,000 --> 00:44:19,359 so uh 1174 00:44:19,359 --> 00:44:21,520 i think let me actually showcase how to 1175 00:44:21,520 --> 00:44:23,359 do that right now 1176 00:44:23,359 --> 00:44:25,839 um so apologies about that i actually 1177 00:44:25,839 --> 00:44:27,599 figured out what the issue was it was 1178 00:44:27,599 --> 00:44:30,319 because the system i was running 1179 00:44:30,319 --> 00:44:32,079 uh this particular 1180 00:44:32,079 --> 00:44:34,560 attacks from wasn't even connected to 1181 00:44:34,560 --> 00:44:36,800 the local network 1182 00:44:36,800 --> 00:44:38,880 and even though i was running these 1183 00:44:38,880 --> 00:44:41,040 these attacks i did realize that of 1184 00:44:41,040 --> 00:44:42,640 course they weren't working so i'm just 1185 00:44:42,640 --> 00:44:44,880 gonna i've just reconnected it 1186 00:44:44,880 --> 00:44:47,359 and what i'm gonna do is i'm just gonna 1187 00:44:47,359 --> 00:44:49,599 run this one more time 1188 00:44:49,599 --> 00:44:53,359 so just give me a second here and i'll 1189 00:44:53,359 --> 00:44:56,319 be able to do that one more time so 1190 00:44:56,319 --> 00:44:58,560 let me just navigate to that particular 1191 00:44:58,560 --> 00:45:00,079 directory 1192 00:45:00,079 --> 00:45:01,040 and 1193 00:45:01,040 --> 00:45:02,480 we'll actually see whether this will 1194 00:45:02,480 --> 00:45:04,400 work so 1195 00:45:04,400 --> 00:45:06,000 you can 
actually see there's much more 1196 00:45:06,000 --> 00:45:07,920 uh that's been captured in regards to 1197 00:45:07,920 --> 00:45:10,160 events and i'll be explaining this 1198 00:45:10,160 --> 00:45:12,480 dashboard in a couple of seconds 1199 00:45:12,480 --> 00:45:13,359 so 1200 00:45:13,359 --> 00:45:14,960 let me just uh 1201 00:45:14,960 --> 00:45:17,359 launch that first attack there so that 1202 00:45:17,359 --> 00:45:19,440 you know let me just launch that first 1203 00:45:19,440 --> 00:45:22,240 uh type of check and of course i'm using 1204 00:45:22,240 --> 00:45:26,400 test my nids here so uh unfortunately 1205 00:45:26,400 --> 00:45:28,000 that wasn't even being logged which is 1206 00:45:28,000 --> 00:45:30,000 why i was a bit confused as to why those 1207 00:45:30,000 --> 00:45:32,800 logs are not being displayed here 1208 00:45:32,800 --> 00:45:35,520 so i'll give that a couple of seconds 1209 00:45:35,520 --> 00:45:36,800 and 1210 00:45:36,800 --> 00:45:38,880 we'll be able to see this happen 1211 00:45:38,880 --> 00:45:41,920 in real time as well 1212 00:45:41,920 --> 00:45:44,560 all right so that is done so i've 1213 00:45:44,560 --> 00:45:46,319 essentially launched a couple of those 1214 00:45:46,319 --> 00:45:48,319 tests and uh 1215 00:45:48,319 --> 00:45:50,640 this as i said this is your default uh 1216 00:45:50,640 --> 00:45:52,560 dashboard that you're provided with here 1217 00:45:52,560 --> 00:45:53,520 so 1218 00:45:53,520 --> 00:45:55,760 um you know you can actually refresh uh 1219 00:45:55,760 --> 00:45:58,720 all of these um all of these panels here 1220 00:45:58,720 --> 00:46:00,800 if you will so that'll display the 1221 00:46:00,800 --> 00:46:03,920 latest and as i said here because i'd 1222 00:46:03,920 --> 00:46:05,839 had performed the actual 1223 00:46:05,839 --> 00:46:07,680 uh you know i'd perform the actual check 1224 00:46:07,680 --> 00:46:09,520 and then connected to an external server 1225 00:46:09,520 --> 
00:46:11,680 you can see that you know the top source 1226 00:46:11,680 --> 00:46:13,680 countries are highlighted there 1227 00:46:13,680 --> 00:46:15,839 you can also refresh the number of 1228 00:46:15,839 --> 00:46:18,160 events as you can see here 1229 00:46:18,160 --> 00:46:20,319 and the number of sources so 1230 00:46:20,319 --> 00:46:22,319 uh you can also do that for the rest of 1231 00:46:22,319 --> 00:46:24,480 the panel so these are the top 10 1232 00:46:24,480 --> 00:46:26,800 classifications 1233 00:46:26,800 --> 00:46:28,960 in terms of events if you will and then 1234 00:46:28,960 --> 00:46:31,359 the snort event types as you can see 1235 00:46:31,359 --> 00:46:32,319 here 1236 00:46:32,319 --> 00:46:33,839 so for example in this case we have the 1237 00:46:33,839 --> 00:46:36,160 attack response id check which if we 1238 00:46:36,160 --> 00:46:37,520 click on 1239 00:46:37,520 --> 00:46:40,319 right over here 1240 00:46:41,119 --> 00:46:42,640 you can see that it actually displays 1241 00:46:42,640 --> 00:46:44,400 that and you can then uh you can then 1242 00:46:44,400 --> 00:46:46,400 click on the signature itself and this 1243 00:46:46,400 --> 00:46:48,880 is for statistics now if you click on 1244 00:46:48,880 --> 00:46:52,000 the snort event search tab right over 1245 00:46:52,000 --> 00:46:53,040 here 1246 00:46:53,040 --> 00:46:54,880 you can see that this allows you to 1247 00:46:54,880 --> 00:46:57,119 search based on the source ip the source 1248 00:46:57,119 --> 00:46:59,680 port the destination ip destination port 1249 00:46:59,680 --> 00:47:02,240 and the event type so i can check for 1250 00:47:02,240 --> 00:47:04,400 attack responses based on the rule set 1251 00:47:04,400 --> 00:47:06,480 that we had used previously 1252 00:47:06,480 --> 00:47:09,359 and i can also specify the timing right 1253 00:47:09,359 --> 00:47:12,079 so that's really fantastic there 1254 00:47:12,079 --> 00:47:14,640 so you can see that right over here we 
1255 00:47:14,640 --> 00:47:16,240 have that logged 1256 00:47:16,240 --> 00:47:19,040 which is fantastic and 1257 00:47:19,040 --> 00:47:21,920 if we click on the snort world map 1258 00:47:21,920 --> 00:47:24,000 that'll essentially as you'll see in a 1259 00:47:24,000 --> 00:47:26,160 couple of seconds this will essentially 1260 00:47:26,160 --> 00:47:28,559 display the countries by the source ips 1261 00:47:28,559 --> 00:47:29,839 in this case it should display the 1262 00:47:29,839 --> 00:47:32,079 united states which makes sense 1263 00:47:32,079 --> 00:47:34,800 uh and there we are so again this is 1264 00:47:34,800 --> 00:47:37,119 extremely helpful especially if you work 1265 00:47:37,119 --> 00:47:39,839 in a sock and as i said there's multiple 1266 00:47:39,839 --> 00:47:41,920 uh you know security tools you can 1267 00:47:41,920 --> 00:47:45,040 integrate with uh with splunk 1268 00:47:45,040 --> 00:47:46,880 now one thing that i wanted to highlight 1269 00:47:46,880 --> 00:47:49,440 is you can if you click on edit i'll 1270 00:47:49,440 --> 00:47:51,200 just go back to the 1271 00:47:51,200 --> 00:47:53,200 event summary here because this is very 1272 00:47:53,200 --> 00:47:55,119 important 1273 00:47:55,119 --> 00:47:57,280 you can set this as your main dashboard 1274 00:47:57,280 --> 00:47:58,960 so if you right click here you can set 1275 00:47:58,960 --> 00:48:01,520 this as your home dashboard 1276 00:48:01,520 --> 00:48:03,599 so i'll just click on that there 1277 00:48:03,599 --> 00:48:05,440 and now you'll see on your dashboard 1278 00:48:05,440 --> 00:48:08,240 here if i just close that top menu 1279 00:48:08,240 --> 00:48:10,240 that will actually be displayed there so 1280 00:48:10,240 --> 00:48:12,319 give it a couple of seconds 1281 00:48:12,319 --> 00:48:14,079 and of course you can click on the cog 1282 00:48:14,079 --> 00:48:16,240 wheel here 1283 00:48:16,240 --> 00:48:19,280 and essentially display whatever 1284 00:48:19,280 --> 
00:48:21,520 you know you can specify your default 1285 00:48:21,520 --> 00:48:23,200 dashboard now there are a couple of 1286 00:48:23,200 --> 00:48:25,599 other ones that are created by default 1287 00:48:25,599 --> 00:48:27,119 uh but yeah you can have that on your 1288 00:48:27,119 --> 00:48:28,400 dashboard 1289 00:48:28,400 --> 00:48:31,040 uh and uh you know if you actually click 1290 00:48:31,040 --> 00:48:33,839 on snot the snot alert for splunk here 1291 00:48:33,839 --> 00:48:36,240 and we'll just go back into that snot 1292 00:48:36,240 --> 00:48:38,240 event summary tab 1293 00:48:38,240 --> 00:48:40,880 uh you can actually edit the way these 1294 00:48:40,880 --> 00:48:44,240 um these particular panels are tiled so 1295 00:48:44,240 --> 00:48:46,079 uh you know you can convert it to a 1296 00:48:46,079 --> 00:48:48,880 pre-built panel or you know 1297 00:48:48,880 --> 00:48:50,400 you can you can actually convert it to a 1298 00:48:50,400 --> 00:48:52,960 pre-built panel you can get rid of it 1299 00:48:52,960 --> 00:48:54,720 uh you can also move them around based 1300 00:48:54,720 --> 00:48:57,440 on your own requirements and uh in this 1301 00:48:57,440 --> 00:48:59,680 case you can actually let's see if i can 1302 00:48:59,680 --> 00:49:00,880 show you can actually select the 1303 00:49:00,880 --> 00:49:02,480 visualization 1304 00:49:02,480 --> 00:49:04,240 uh so in this case i think the default 1305 00:49:04,240 --> 00:49:06,079 one is fine and you can then view the 1306 00:49:06,079 --> 00:49:07,920 report here so 1307 00:49:07,920 --> 00:49:08,960 um 1308 00:49:08,960 --> 00:49:11,359 if we click on this one here for example 1309 00:49:11,359 --> 00:49:13,280 we could actually use the bar graph to 1310 00:49:13,280 --> 00:49:15,280 display the you know the number of the 1311 00:49:15,280 --> 00:49:17,200 actual um 1312 00:49:17,200 --> 00:49:19,440 the top source countries uh and have 1313 00:49:19,440 --> 00:49:21,599 them displayed in a bar 
graph style but 1314 00:49:21,599 --> 00:49:23,280 we can just take it back into the pie 1315 00:49:23,280 --> 00:49:25,599 chart there and you can also change this 1316 00:49:25,599 --> 00:49:27,440 for the events as well 1317 00:49:27,440 --> 00:49:29,359 so uh you know if we wanted to view a 1318 00:49:29,359 --> 00:49:31,440 trend we can click on the bar graph 1319 00:49:31,440 --> 00:49:32,240 there 1320 00:49:32,240 --> 00:49:34,000 uh in this case i don't think that's 1321 00:49:34,000 --> 00:49:37,040 formatted correctly so uh if we just use 1322 00:49:37,040 --> 00:49:39,440 the the default one 1323 00:49:39,440 --> 00:49:42,880 uh which i believe was i think it was no 1324 00:49:42,880 --> 00:49:46,160 that wasn't the one i believe it was uh 1325 00:49:46,160 --> 00:49:47,920 let's see if i can identify it here it 1326 00:49:47,920 --> 00:49:50,800 was the number there we are so 26 uh so 1327 00:49:50,800 --> 00:49:52,640 as i said you can customize this based 1328 00:49:52,640 --> 00:49:53,839 on your own 1329 00:49:53,839 --> 00:49:55,440 uh you know 1330 00:49:55,440 --> 00:49:57,440 your own requirements so for example 1331 00:49:57,440 --> 00:49:59,839 this one might do well if it was in the 1332 00:49:59,839 --> 00:50:02,240 form of a bar graph so you know 1333 00:50:02,240 --> 00:50:04,240 you can utilize that if you feel that 1334 00:50:04,240 --> 00:50:06,319 that is appropriate 1335 00:50:06,319 --> 00:50:08,319 uh in this case uh you know we can also 1336 00:50:08,319 --> 00:50:11,920 specify uh the actual um you know we can 1337 00:50:11,920 --> 00:50:14,559 actually list the events themselves 1338 00:50:14,559 --> 00:50:16,079 uh let's see which other ones look 1339 00:50:16,079 --> 00:50:17,920 really good here 1340 00:50:17,920 --> 00:50:19,760 uh and uh yeah once you're done with the 1341 00:50:19,760 --> 00:50:22,079 customization you can then cancel or 1342 00:50:22,079 --> 00:50:24,559 save based on your requirements and you 1343 
00:50:24,559 --> 00:50:27,200 can also filter on this particular tab 1344 00:50:27,200 --> 00:50:28,960 here you know through the source ip 1345 00:50:28,960 --> 00:50:31,280 destination ip etc 1346 00:50:31,280 --> 00:50:33,839 um let's see what else did i wanted to 1347 00:50:33,839 --> 00:50:35,599 did i want to highlight let me just 1348 00:50:35,599 --> 00:50:38,000 refresh this once more 1349 00:50:38,000 --> 00:50:39,760 and you know to essentially get the 1350 00:50:39,760 --> 00:50:42,480 latest data 1351 00:50:42,480 --> 00:50:44,480 and uh you can see uh in terms of the 1352 00:50:44,480 --> 00:50:46,480 fan the in terms of the panels this will 1353 00:50:46,480 --> 00:50:49,520 display the last 100 attempts 1354 00:50:49,520 --> 00:50:51,760 uh and uh you know you can go through 1355 00:50:51,760 --> 00:50:53,599 them like so 1356 00:50:53,599 --> 00:50:55,839 uh you can also view i think we've gone 1357 00:50:55,839 --> 00:50:57,119 through all of them but you have the 1358 00:50:57,119 --> 00:50:59,440 persistent sources so two or more days 1359 00:50:59,440 --> 00:51:01,359 of activity in the last 30 days so you 1360 00:51:01,359 --> 00:51:03,040 actually need a lot of data for that to 1361 00:51:03,040 --> 00:51:05,200 be displayed or to give you anything 1362 00:51:05,200 --> 00:51:06,400 useful 1363 00:51:06,400 --> 00:51:07,520 um 1364 00:51:07,520 --> 00:51:09,760 yeah so that is 1365 00:51:09,760 --> 00:51:11,680 what i wanted to highlight in regards to 1366 00:51:11,680 --> 00:51:14,079 the snot alert for splunk app and the 1367 00:51:14,079 --> 00:51:15,839 actual dashboards which i said it 1368 00:51:15,839 --> 00:51:17,359 already does for you 1369 00:51:17,359 --> 00:51:19,119 now you can create your own dashboard as 1370 00:51:19,119 --> 00:51:21,200 i said if i go back into apps and search 1371 00:51:21,200 --> 00:51:22,720 and reporting 1372 00:51:22,720 --> 00:51:25,200 based on your own sources so i'll just 1373 00:51:25,200 --> 
00:51:27,280 click on data summary there and if i 1374 00:51:27,280 --> 00:51:29,280 click on sources 1375 00:51:29,280 --> 00:51:30,960 you can click on the 1376 00:51:30,960 --> 00:51:33,839 this source here for example and 1377 00:51:33,839 --> 00:51:36,640 you know in this case we can actually uh 1378 00:51:36,640 --> 00:51:39,680 just click on that there and i can click 1379 00:51:39,680 --> 00:51:41,920 on extract fields 1380 00:51:41,920 --> 00:51:43,359 and you can extract the fields with 1381 00:51:43,359 --> 00:51:46,319 rejects so i'll click on next there 1382 00:51:46,319 --> 00:51:47,760 and you can then select the fields that 1383 00:51:47,760 --> 00:51:50,400 you want so for example in this case we 1384 00:51:50,400 --> 00:51:52,720 would want the date and time 1385 00:51:52,720 --> 00:51:55,280 so i can just highlight that there so i 1386 00:51:55,280 --> 00:51:56,319 can say 1387 00:51:56,319 --> 00:51:59,520 time for example add the extraction 1388 00:51:59,520 --> 00:52:02,000 and then of course we have the source ip 1389 00:52:02,000 --> 00:52:03,839 and the port but i'll just highlight 1390 00:52:03,839 --> 00:52:05,680 them together but i think it's actually 1391 00:52:05,680 --> 00:52:07,440 recommended just to highlight the source 1392 00:52:07,440 --> 00:52:08,880 ip there 1393 00:52:08,880 --> 00:52:13,200 so source we can say crc src 1394 00:52:13,200 --> 00:52:14,559 underscore 1395 00:52:14,559 --> 00:52:15,520 ip 1396 00:52:15,520 --> 00:52:18,480 add that extraction and we then have the 1397 00:52:18,480 --> 00:52:20,800 destination ip which in this case uh 1398 00:52:20,800 --> 00:52:22,559 because this is uh 1399 00:52:22,559 --> 00:52:25,520 an sm snmp broadcast 1400 00:52:25,520 --> 00:52:27,520 request we can we know that that's the 1401 00:52:27,520 --> 00:52:30,880 destination ip so i'll say dst 1402 00:52:30,880 --> 00:52:33,040 underscore ip 1403 00:52:33,040 --> 00:52:36,720 add the extraction let's see what else 1404 
00:52:36,720 --> 00:52:40,079 we can do um 1405 00:52:40,079 --> 00:52:41,440 in this case it's saying the extraction 1406 00:52:41,440 --> 00:52:42,960 field you're extracting if you're 1407 00:52:42,960 --> 00:52:45,040 extracting multiple fields try removing 1408 00:52:45,040 --> 00:52:47,040 one or more fields start with the 1409 00:52:47,040 --> 00:52:48,720 extractions that are embedded within 1410 00:52:48,720 --> 00:52:51,680 longer strings okay so let's try and use 1411 00:52:51,680 --> 00:52:54,400 another alert here 1412 00:52:54,400 --> 00:52:57,599 that was kind of interesting um let's 1413 00:52:57,599 --> 00:52:58,319 see 1414 00:52:58,319 --> 00:53:00,480 it's not displaying all of them here but 1415 00:53:00,480 --> 00:53:02,800 you get the idea once you're done 1416 00:53:02,800 --> 00:53:04,480 uh you know for example i can remove 1417 00:53:04,480 --> 00:53:06,079 that field here i'm just giving you an 1418 00:53:06,079 --> 00:53:08,720 example of that so remove that field 1419 00:53:08,720 --> 00:53:12,000 uh there we are i can then say next and 1420 00:53:12,000 --> 00:53:15,440 i can click on validate and save based 1421 00:53:15,440 --> 00:53:18,240 on those fields there hit finish 1422 00:53:18,240 --> 00:53:20,800 and then you know i can go back to 1423 00:53:20,800 --> 00:53:23,359 uh you know search and reporting 1424 00:53:23,359 --> 00:53:25,280 and if i wanted to create a very simple 1425 00:53:25,280 --> 00:53:27,040 visualization which i'll show you right 1426 00:53:27,040 --> 00:53:27,839 now 1427 00:53:27,839 --> 00:53:30,000 even though i don't really need those 1428 00:53:30,000 --> 00:53:31,920 extracted fields although they might be 1429 00:53:31,920 --> 00:53:33,280 useful so 1430 00:53:33,280 --> 00:53:36,079 i can click on those extracted fields 1431 00:53:36,079 --> 00:53:38,559 now i believe they should have been 1432 00:53:38,559 --> 00:53:39,760 added 1433 00:53:39,760 --> 00:53:41,200 i'm not really sure why they 
aren't 1434 00:53:41,200 --> 00:53:43,440 being highlighted here there we are so 1435 00:53:43,440 --> 00:53:45,200 source ip 1436 00:53:45,200 --> 00:53:47,760 uh we can also specify the source port 1437 00:53:47,760 --> 00:53:50,240 uh we all there there they are so i had 1438 00:53:50,240 --> 00:53:51,760 actually they took a while to be 1439 00:53:51,760 --> 00:53:53,599 displayed there so 1440 00:53:53,599 --> 00:53:56,559 uh so support that why why not we can 1441 00:53:56,559 --> 00:53:59,920 yeah i think that's pretty much it so 1442 00:53:59,920 --> 00:54:02,079 uh based on those we can actually build 1443 00:54:02,079 --> 00:54:04,480 an event type however if we go to 1444 00:54:04,480 --> 00:54:07,520 visualization and click on pivot here 1445 00:54:07,520 --> 00:54:10,640 selected fields is five hit ok 1446 00:54:10,640 --> 00:54:12,559 we can actually you know visualize this 1447 00:54:12,559 --> 00:54:14,319 however we want so for example if i 1448 00:54:14,319 --> 00:54:17,119 wanted a column chart here 1449 00:54:17,119 --> 00:54:19,680 number one will display the count 1450 00:54:19,680 --> 00:54:22,079 i can just add the 1451 00:54:22,079 --> 00:54:24,079 events 1452 00:54:24,079 --> 00:54:26,319 because that's the count and we should 1453 00:54:26,319 --> 00:54:28,720 have at the bottom the time which i did 1454 00:54:28,720 --> 00:54:32,559 specify uh we believe within that range 1455 00:54:32,559 --> 00:54:34,000 there 1456 00:54:34,000 --> 00:54:36,720 but that's not being highlighted here so 1457 00:54:36,720 --> 00:54:39,280 the number of events and you know you 1458 00:54:39,280 --> 00:54:41,839 can go ahead and click as you can 1459 00:54:41,839 --> 00:54:43,440 essentially save it 1460 00:54:43,440 --> 00:54:45,280 so you get the idea you don't really 1461 00:54:45,280 --> 00:54:46,880 need to do this because we have the 1462 00:54:46,880 --> 00:54:48,480 snort app here 1463 00:54:48,480 --> 00:54:50,079 which pretty much gives you the 
1464 00:54:50,079 --> 00:54:52,880 summaries that are useful to you or for 1465 00:54:52,880 --> 00:54:53,839 you 1466 00:54:53,839 --> 00:54:56,559 and there we are so fantastic so that's 1467 00:54:56,559 --> 00:54:57,920 going to conclude the practical 1468 00:54:57,920 --> 00:55:01,119 demonstration side of this video 1469 00:55:01,119 --> 00:55:02,799 so uh thank you very much for watching 1470 00:55:02,799 --> 00:55:04,559 this video if you have any questions or 1471 00:55:04,559 --> 00:55:06,240 suggestions leave them in the comments 1472 00:55:06,240 --> 00:55:07,200 section 1473 00:55:07,200 --> 00:55:08,559 if you want to reach out to me you can 1474 00:55:08,559 --> 00:55:10,160 do so via 1475 00:55:10,160 --> 00:55:12,319 twitter or the discord server the links 1476 00:55:12,319 --> 00:55:14,240 to both of those are in the description 1477 00:55:14,240 --> 00:55:16,720 section furthermore we are now moving on 1478 00:55:16,720 --> 00:55:18,720 to part two so this will conclude part 1479 00:55:18,720 --> 00:55:21,040 one so part two will be available on the 1480 00:55:21,040 --> 00:55:24,559 lynnodes on 24 platform so uh the videos 1481 00:55:24,559 --> 00:55:26,559 are available uh on demand so all you 1482 00:55:26,559 --> 00:55:28,559 need to do just click uh click the link 1483 00:55:28,559 --> 00:55:31,599 in the description register for part two 1484 00:55:31,599 --> 00:55:33,520 after which an email will be sent to you 1485 00:55:33,520 --> 00:55:34,720 and you'll be given uh you know 1486 00:55:34,720 --> 00:55:37,200 immediate access to to the videos uh 1487 00:55:37,200 --> 00:55:40,000 within part two so uh thank you very 1488 00:55:40,000 --> 00:55:42,799 much uh for watching part one uh in the 1489 00:55:42,799 --> 00:55:45,040 next video in part two we'll get started 1490 00:55:45,040 --> 00:55:46,640 or we'll take a look at host intrusion 1491 00:55:46,640 --> 00:55:49,520 detection with os sec so i'll be seeing 1492 00:55:49,520 --> 
00:55:53,640 you in the next video 1493 00:55:59,130 --> 00:56:12,240 [Music] 1494 00:56:12,240 --> 00:56:14,319 you