[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:01.12,0:00:03.52,Default,,0000,0000,0000,,hello everyone welcome back to the blue
Dialogue: 0,0:00:03.52,0:00:05.44,Default,,0000,0000,0000,,team training series brought to you by
Dialogue: 0,0:00:05.44,0:00:08.16,Default,,0000,0000,0000,,linode and hackersploit in this video
Dialogue: 0,0:00:08.16,0:00:10.16,Default,,0000,0000,0000,,we're going to be taking a look at how
Dialogue: 0,0:00:10.16,0:00:12.16,Default,,0000,0000,0000,,to set up or how to perform security
Dialogue: 0,0:00:12.16,0:00:14.40,Default,,0000,0000,0000,,event monitoring with splunk more
Dialogue: 0,0:00:14.40,0:00:16.80,Default,,0000,0000,0000,,specifically uh splunk enterprise
Dialogue: 0,0:00:16.80,0:00:18.64,Default,,0000,0000,0000,,security right so the objective here
Dialogue: 0,0:00:18.64,0:00:21.44,Default,,0000,0000,0000,,will be to monitor uh intrusions and
Dialogue: 0,0:00:21.44,0:00:23.52,Default,,0000,0000,0000,,threats with splunk and you might be
Dialogue: 0,0:00:23.52,0:00:25.12,Default,,0000,0000,0000,,asking yourself well how are we going to
Dialogue: 0,0:00:25.12,0:00:28.40,Default,,0000,0000,0000,,do this what setup are we using well the
Dialogue: 0,0:00:28.40,0:00:30.48,Default,,0000,0000,0000,,scenario that i've set up for this video
Dialogue: 0,0:00:30.48,0:00:32.56,Default,,0000,0000,0000,,is we're essentially going to
Dialogue: 0,0:00:32.56,0:00:34.32,Default,,0000,0000,0000,,take all the knowledge that we've
Dialogue: 0,0:00:34.32,0:00:37.68,Default,,0000,0000,0000,,learned during the snort video and we
Dialogue: 0,0:00:37.68,0:00:39.36,Default,,0000,0000,0000,,are going to essentially forward all of
Dialogue: 0,0:00:39.36,0:00:42.72,Default,,0000,0000,0000,,the snort logs uh into splunk or have
Dialogue: 0,0:00:42.72,0:00:44.48,Default,,0000,0000,0000,,that done automatically through the
Dialogue: 0,0:00:44.48,0:00:47.68,Default,,0000,0000,0000,,splunk universal forwarder so that we get
Dialogue: 0,0:00:47.68,0:00:50.32,Default,,0000,0000,0000,,the latest logs when snort is running on
Dialogue: 0,0:00:50.32,0:00:52.40,Default,,0000,0000,0000,,our ubuntu virtual machine
Dialogue: 0,0:00:52.40,0:00:55.04,Default,,0000,0000,0000,,and the objective here is to use splunk
Dialogue: 0,0:00:55.04,0:00:58.00,Default,,0000,0000,0000,,in conjunction with the splunk snort app
Dialogue: 0,0:00:58.00,0:01:01.04,Default,,0000,0000,0000,,to essentially visualize and identify or
Dialogue: 0,0:01:01.04,0:01:03.36,Default,,0000,0000,0000,,monitor network intrusions and any
Dialogue: 0,0:01:03.36,0:01:04.48,Default,,0000,0000,0000,,malicious
Dialogue: 0,0:01:04.48,0:01:06.72,Default,,0000,0000,0000,,network traffic you know within the
Dialogue: 0,0:01:06.72,0:01:08.98,Default,,0000,0000,0000,,network that i'm monitoring
Dialogue: 0,0:01:08.98,0:01:19.36,Default,,0000,0000,0000,,[Music]
Dialogue: 0,0:01:19.36,0:01:21.68,Default,,0000,0000,0000,,at a very high level what will we be
Dialogue: 0,0:01:21.68,0:01:23.28,Default,,0000,0000,0000,,covering well firstly we'll get an
Dialogue: 0,0:01:23.28,0:01:25.44,Default,,0000,0000,0000,,introduction to splunk now before we
Dialogue: 0,0:01:25.44,0:01:28.40,Default,,0000,0000,0000,,move any forward or we actually carry on
Dialogue: 0,0:01:28.40,0:01:30.72,Default,,0000,0000,0000,,i do want to note that this video is not
Dialogue: 0,0:01:30.72,0:01:32.40,Default,,0000,0000,0000,,going to be focused on splunk
Dialogue: 0,0:01:32.40,0:01:34.64,Default,,0000,0000,0000,,fundamentals i'm going to be i'm going
Dialogue: 0,0:01:34.64,0:01:36.40,Default,,0000,0000,0000,,to assume that you already know what
Dialogue: 0,0:01:36.40,0:01:37.76,Default,,0000,0000,0000,,splunk is
Dialogue: 0,0:01:37.76,0:01:40.40,Default,,0000,0000,0000,,and how it can be used you know
Dialogue: 0,0:01:40.40,0:01:42.08,Default,,0000,0000,0000,,and how it's used generally speaking
Dialogue: 0,0:01:42.08,0:01:44.72,Default,,0000,0000,0000,,because splunk is not really a tool uh
Dialogue: 0,0:01:44.72,0:01:48.32,Default,,0000,0000,0000,,that is specific to security for example
Dialogue: 0,0:01:48.32,0:01:49.76,Default,,0000,0000,0000,,that's why they have the splunk
Dialogue: 0,0:01:49.76,0:01:52.72,Default,,0000,0000,0000,,enterprise security version or edition
Dialogue: 0,0:01:52.72,0:01:54.32,Default,,0000,0000,0000,,and i'm just going to assume that you
Dialogue: 0,0:01:54.32,0:01:56.08,Default,,0000,0000,0000,,know how to use splunk at a very basic
Dialogue: 0,0:01:56.08,0:01:58.32,Default,,0000,0000,0000,,level so once we get an introduction to
Dialogue: 0,0:01:58.32,0:02:00.96,Default,,0000,0000,0000,,splunk we'll go over splunk enterprise
Dialogue: 0,0:02:00.96,0:02:02.96,Default,,0000,0000,0000,,uh security at the enterprise the
Dialogue: 0,0:02:02.96,0:02:05.12,Default,,0000,0000,0000,,enterprise security edition and how it
Dialogue: 0,0:02:05.12,0:02:06.64,Default,,0000,0000,0000,,can be used for security event
Dialogue: 0,0:02:06.64,0:02:08.40,Default,,0000,0000,0000,,monitoring especially in our case
Dialogue: 0,0:02:08.40,0:02:10.88,Default,,0000,0000,0000,,because we want to essentially monitor
Dialogue: 0,0:02:10.88,0:02:13.28,Default,,0000,0000,0000,,uh the intrusion detection logs
Dialogue: 0,0:02:13.28,0:02:15.36,Default,,0000,0000,0000,,generated by snort
Dialogue: 0,0:02:15.36,0:02:16.80,Default,,0000,0000,0000,,so we'll then move on to deploying
Dialogue: 0,0:02:16.80,0:02:18.72,Default,,0000,0000,0000,,splunk enterprise security on linode
Dialogue: 0,0:02:18.72,0:02:20.64,Default,,0000,0000,0000,,which is absolutely fantastic because
Dialogue: 0,0:02:20.64,0:02:22.56,Default,,0000,0000,0000,,they have a cloud image
Dialogue: 0,0:02:22.56,0:02:24.56,Default,,0000,0000,0000,,available for it that allows you to spin
Dialogue: 0,0:02:24.56,0:02:26.40,Default,,0000,0000,0000,,it up without going through the process
Dialogue: 0,0:02:26.40,0:02:28.72,Default,,0000,0000,0000,,of installing it and configuring it so
Dialogue: 0,0:02:28.72,0:02:30.72,Default,,0000,0000,0000,,that will set up that'll set it up for
Dialogue: 0,0:02:30.72,0:02:32.80,Default,,0000,0000,0000,,us we'll then take a look at how to
Dialogue: 0,0:02:32.80,0:02:35.28,Default,,0000,0000,0000,,configure splunk and how to set up the
Dialogue: 0,0:02:35.28,0:02:38.24,Default,,0000,0000,0000,,splunk universal forwarder on the ubuntu
Dialogue: 0,0:02:38.24,0:02:40.48,Default,,0000,0000,0000,,virtual machine that is running snort so
Dialogue: 0,0:02:40.48,0:02:42.32,Default,,0000,0000,0000,,that we can forward those logs into
Dialogue: 0,0:02:42.32,0:02:44.56,Default,,0000,0000,0000,,splunk uh and then of course we'll take
Dialogue: 0,0:02:44.56,0:02:46.72,Default,,0000,0000,0000,,a look at the splunk snort event uh
Dialogue: 0,0:02:46.72,0:02:49.52,Default,,0000,0000,0000,,dashboard that will be provided to us by
Dialogue: 0,0:02:49.52,0:02:50.40,Default,,0000,0000,0000,,the
Dialogue: 0,0:02:50.40,0:02:52.88,Default,,0000,0000,0000,,splunk snort app so if this sounds like a
Dialogue: 0,0:02:52.88,0:02:55.36,Default,,0000,0000,0000,,gibberish to you don't worry it'll make
Dialogue: 0,0:02:55.36,0:02:57.60,Default,,0000,0000,0000,,sense in a couple of uh in a couple of
Dialogue: 0,0:02:57.60,0:02:58.88,Default,,0000,0000,0000,,minutes
Dialogue: 0,0:02:58.88,0:03:00.96,Default,,0000,0000,0000,,with that being said uh given the fact
Dialogue: 0,0:03:00.96,0:03:02.80,Default,,0000,0000,0000,,that we're going to be using uh you know
Dialogue: 0,0:03:02.80,0:03:04.40,Default,,0000,0000,0000,,we're going to be using snort to
Dialogue: 0,0:03:04.40,0:03:06.96,Default,,0000,0000,0000,,generate alerts and monitor those alerts
Dialogue: 0,0:03:06.96,0:03:09.04,Default,,0000,0000,0000,,uh if you have not gone through these uh
Dialogue: 0,0:03:09.04,0:03:11.52,Default,,0000,0000,0000,,the actual snort video please do that as
Dialogue: 0,0:03:11.52,0:03:14.24,Default,,0000,0000,0000,,it will help you set up snort and you can
Dialogue: 0,0:03:14.24,0:03:16.40,Default,,0000,0000,0000,,then run through this demo with that
Dialogue: 0,0:03:16.40,0:03:19.28,Default,,0000,0000,0000,,being said this is not a holistic video
Dialogue: 0,0:03:19.28,0:03:20.80,Default,,0000,0000,0000,,that will cover everything you can do
Dialogue: 0,0:03:20.80,0:03:23.44,Default,,0000,0000,0000,,with splunk enterprise security we are
Dialogue: 0,0:03:23.44,0:03:25.12,Default,,0000,0000,0000,,just focused on
Dialogue: 0,0:03:25.12,0:03:27.76,Default,,0000,0000,0000,,the intrusion detection uh logs produced
Dialogue: 0,0:03:27.76,0:03:30.00,Default,,0000,0000,0000,,by snort and how they can be
Dialogue: 0,0:03:30.00,0:03:32.88,Default,,0000,0000,0000,,imported or forwarded to splunk for uh
Dialogue: 0,0:03:32.88,0:03:35.68,Default,,0000,0000,0000,,you know analysis and monitoring
Dialogue: 0,0:03:35.68,0:03:38.16,Default,,0000,0000,0000,,uh so the prerequisites are the same as
Dialogue: 0,0:03:38.16,0:03:39.76,Default,,0000,0000,0000,,the previous videos the only difference
Dialogue: 0,0:03:39.76,0:03:41.68,Default,,0000,0000,0000,,is uh you know that you need to have a
Dialogue: 0,0:03:41.68,0:03:43.84,Default,,0000,0000,0000,,basic familiarity with splunk and how to
Dialogue: 0,0:03:43.84,0:03:46.08,Default,,0000,0000,0000,,navigate around the various menu
Dialogue: 0,0:03:46.08,0:03:47.76,Default,,0000,0000,0000,,elements and
Dialogue: 0,0:03:47.76,0:03:49.68,Default,,0000,0000,0000,,essentially just how to use it at a very
Dialogue: 0,0:03:49.68,0:03:51.36,Default,,0000,0000,0000,,basic level if you're not familiar with
Dialogue: 0,0:03:51.36,0:03:54.24,Default,,0000,0000,0000,,splunk i'll give you a few resources at
Dialogue: 0,0:03:54.24,0:03:56.00,Default,,0000,0000,0000,,the end of the at the end of these
Dialogue: 0,0:03:56.00,0:03:58.16,Default,,0000,0000,0000,,slides uh that will help you out or help
Dialogue: 0,0:03:58.16,0:04:00.16,Default,,0000,0000,0000,,you get started
Dialogue: 0,0:04:00.16,0:04:01.76,Default,,0000,0000,0000,,all right so let's get an introduction
Dialogue: 0,0:04:01.76,0:04:04.24,Default,,0000,0000,0000,,to splunk so what is splunk that's the
Dialogue: 0,0:04:04.24,0:04:05.68,Default,,0000,0000,0000,,main question if you've never heard of
Dialogue: 0,0:04:05.68,0:04:08.48,Default,,0000,0000,0000,,splunk splunk is an extremely powerful
Dialogue: 0,0:04:08.48,0:04:10.40,Default,,0000,0000,0000,,platform that is used to analyze data
Dialogue: 0,0:04:10.40,0:04:13.36,Default,,0000,0000,0000,,and logs produced by systems or machines
Dialogue: 0,0:04:13.36,0:04:15.92,Default,,0000,0000,0000,,as splunk likes to call them so
Dialogue: 0,0:04:15.92,0:04:18.64,Default,,0000,0000,0000,,what problem is splunk trying to solve
Dialogue: 0,0:04:18.64,0:04:20.88,Default,,0000,0000,0000,,here well let's look at this from the
Dialogue: 0,0:04:20.88,0:04:24.88,Default,,0000,0000,0000,,perspective of web 2.0 or you know the
Dialogue: 0,0:04:24.88,0:04:26.72,Default,,0000,0000,0000,,the interconnected world we live in
Dialogue: 0,0:04:26.72,0:04:29.20,Default,,0000,0000,0000,,today and we're going to be looking at
Dialogue: 0,0:04:29.20,0:04:31.20,Default,,0000,0000,0000,,it from the context of from the
Dialogue: 0,0:04:31.20,0:04:33.36,Default,,0000,0000,0000,,perspective of security
Dialogue: 0,0:04:33.36,0:04:35.76,Default,,0000,0000,0000,,so if we take a simple system let's say
Dialogue: 0,0:04:35.76,0:04:38.72,Default,,0000,0000,0000,,we have a windows operating system or a
Dialogue: 0,0:04:38.72,0:04:41.36,Default,,0000,0000,0000,,system running windows well that windows
Dialogue: 0,0:04:41.36,0:04:44.88,Default,,0000,0000,0000,,system produces a lot of data or logs
Dialogue: 0,0:04:44.88,0:04:47.04,Default,,0000,0000,0000,,uh that you know that contain
Dialogue: 0,0:04:47.04,0:04:48.80,Default,,0000,0000,0000,,information that you know at a first
Dialogue: 0,0:04:48.80,0:04:51.60,Default,,0000,0000,0000,,glance might not seem that important but
Dialogue: 0,0:04:51.60,0:04:53.92,Default,,0000,0000,0000,,once you start getting into specific
Dialogue: 0,0:04:53.92,0:04:57.36,Default,,0000,0000,0000,,sectors like security those logs start
Dialogue: 0,0:04:57.36,0:04:59.68,Default,,0000,0000,0000,,uh you know those logs have uh you know
Dialogue: 0,0:04:59.68,0:05:02.08,Default,,0000,0000,0000,,very important value to organizations
Dialogue: 0,0:05:02.08,0:05:04.88,Default,,0000,0000,0000,,now multiply that by a thousand systems
Dialogue: 0,0:05:04.88,0:05:06.80,Default,,0000,0000,0000,,so let's say we have an organization
Dialogue: 0,0:05:06.80,0:05:08.56,Default,,0000,0000,0000,,they have a thousand computers within
Dialogue: 0,0:05:08.56,0:05:10.48,Default,,0000,0000,0000,,their network or you know distributed
Dialogue: 0,0:05:10.48,0:05:13.52,Default,,0000,0000,0000,,worldwide and all of these systems are
Dialogue: 0,0:05:13.52,0:05:14.96,Default,,0000,0000,0000,,you know need to be secured their
Dialogue: 0,0:05:14.96,0:05:17.92,Default,,0000,0000,0000,,security needs to be monitored so how do
Dialogue: 0,0:05:17.92,0:05:20.56,Default,,0000,0000,0000,,we monitor all of this well this is
Dialogue: 0,0:05:20.56,0:05:22.64,Default,,0000,0000,0000,,where splunk comes into play so splunk
Dialogue: 0,0:05:22.64,0:05:25.28,Default,,0000,0000,0000,,allows you to essentially funnel all of
Dialogue: 0,0:05:25.28,0:05:27.36,Default,,0000,0000,0000,,this data produced by systems or
Dialogue: 0,0:05:27.36,0:05:28.80,Default,,0000,0000,0000,,machines
Dialogue: 0,0:05:28.80,0:05:30.72,Default,,0000,0000,0000,,into splunk and then splunk allows you
Dialogue: 0,0:05:30.72,0:05:32.56,Default,,0000,0000,0000,,to monitor search and analyze this
Dialogue: 0,0:05:32.56,0:05:35.28,Default,,0000,0000,0000,,machine generated data and the logs
Dialogue: 0,0:05:35.28,0:05:37.84,Default,,0000,0000,0000,,through a web interface so in order to
Dialogue: 0,0:05:37.84,0:05:39.68,Default,,0000,0000,0000,,use splunk you'll need to import your
Dialogue: 0,0:05:39.68,0:05:42.48,Default,,0000,0000,0000,,own data or logs alternatively you can
Dialogue: 0,0:05:42.48,0:05:45.28,Default,,0000,0000,0000,,utilize the splunk universal forwarder to
Dialogue: 0,0:05:45.28,0:05:47.76,Default,,0000,0000,0000,,forward logs and data to splunk for
Dialogue: 0,0:05:47.76,0:05:51.36,Default,,0000,0000,0000,,analysis and of course visualization etc
Dialogue: 0,0:05:51.36,0:05:53.28,Default,,0000,0000,0000,,now splunk does so much more that i
Dialogue: 0,0:05:53.28,0:05:55.20,Default,,0000,0000,0000,,really can't go over all of the features
Dialogue: 0,0:05:55.20,0:05:56.88,Default,,0000,0000,0000,,here but as i said we're looking at this
Dialogue: 0,0:05:56.88,0:06:00.40,Default,,0000,0000,0000,,from the uh lens of a security engineer
Dialogue: 0,0:06:00.40,0:06:02.24,Default,,0000,0000,0000,,all right so splunk collates all the
Dialogue: 0,0:06:02.24,0:06:04.80,Default,,0000,0000,0000,,data and logs from various sources and
Dialogue: 0,0:06:04.80,0:06:06.72,Default,,0000,0000,0000,,provides you with a central index that
Dialogue: 0,0:06:06.72,0:06:08.80,Default,,0000,0000,0000,,you can search through splunk also
Dialogue: 0,0:06:08.80,0:06:11.04,Default,,0000,0000,0000,,provides you with robust visualization
Dialogue: 0,0:06:11.04,0:06:12.72,Default,,0000,0000,0000,,and reporting tools that allow you to
Dialogue: 0,0:06:12.72,0:06:15.36,Default,,0000,0000,0000,,identify the data that interests you
Dialogue: 0,0:06:15.36,0:06:17.44,Default,,0000,0000,0000,,transform the data into results and
Dialogue: 0,0:06:17.44,0:06:19.84,Default,,0000,0000,0000,,visualize the answers in the form of a
Dialogue: 0,0:06:19.84,0:06:23.28,Default,,0000,0000,0000,,report chart graph etc all right so what
Dialogue: 0,0:06:23.28,0:06:25.36,Default,,0000,0000,0000,,i'm saying here is that splunk allows
Dialogue: 0,0:06:25.36,0:06:28.08,Default,,0000,0000,0000,,you to take all of this security related
Dialogue: 0,0:06:28.08,0:06:31.60,Default,,0000,0000,0000,,logs and data and make sense of them and
Dialogue: 0,0:06:31.60,0:06:33.52,Default,,0000,0000,0000,,essentially get the answers that you're
Dialogue: 0,0:06:33.52,0:06:35.52,Default,,0000,0000,0000,,looking for so for example from the
Dialogue: 0,0:06:35.52,0:06:37.68,Default,,0000,0000,0000,,perspective of a security engineer what
Dialogue: 0,0:06:37.68,0:06:40.24,Default,,0000,0000,0000,,do you want from all of this data well
Dialogue: 0,0:06:40.24,0:06:42.16,Default,,0000,0000,0000,,at a very high level you want to know
Dialogue: 0,0:06:42.16,0:06:44.08,Default,,0000,0000,0000,,whether something is going wrong and
Dialogue: 0,0:06:44.08,0:06:46.40,Default,,0000,0000,0000,,what could go wrong in the context of
Dialogue: 0,0:06:46.40,0:06:48.80,Default,,0000,0000,0000,,security a network could be compromised
Dialogue: 0,0:06:48.80,0:06:50.56,Default,,0000,0000,0000,,there could be some malicious network
Dialogue: 0,0:06:50.56,0:06:53.12,Default,,0000,0000,0000,,traffic or activity going on a system
Dialogue: 0,0:06:53.12,0:06:55.92,Default,,0000,0000,0000,,could be compromised etc etc you get the
Dialogue: 0,0:06:55.92,0:06:58.16,Default,,0000,0000,0000,,idea so we need that data to be
Dialogue: 0,0:06:58.16,0:07:00.56,Default,,0000,0000,0000,,displayed to us as a security engineer
Dialogue: 0,0:07:00.56,0:07:02.56,Default,,0000,0000,0000,,and splunk is really one of the best
Dialogue: 0,0:07:02.56,0:07:04.96,Default,,0000,0000,0000,,tools uh you know when it comes down to
Dialogue: 0,0:07:04.96,0:07:08.00,Default,,0000,0000,0000,,you know taking a lot of data
Dialogue: 0,0:07:08.00,0:07:09.84,Default,,0000,0000,0000,,and then identifying the data that
Dialogue: 0,0:07:09.84,0:07:11.84,Default,,0000,0000,0000,,interests you transforming that data
Dialogue: 0,0:07:11.84,0:07:14.96,Default,,0000,0000,0000,,into results and then visualizing that
Dialogue: 0,0:07:14.96,0:07:17.36,Default,,0000,0000,0000,,data in the form of the report chart or
Dialogue: 0,0:07:17.36,0:07:19.76,Default,,0000,0000,0000,,graph right so that's really what we're
Dialogue: 0,0:07:19.76,0:07:21.60,Default,,0000,0000,0000,,going to be doing and as i said going
Dialogue: 0,0:07:21.60,0:07:23.52,Default,,0000,0000,0000,,back to the scenario we're going to be
Dialogue: 0,0:07:23.52,0:07:26.08,Default,,0000,0000,0000,,focusing on how to you know essentially
Dialogue: 0,0:07:26.08,0:07:28.80,Default,,0000,0000,0000,,get in or how to forward
Dialogue: 0,0:07:28.80,0:07:31.92,Default,,0000,0000,0000,,the logs created or the logs and alerts
Dialogue: 0,0:07:31.92,0:07:33.36,Default,,0000,0000,0000,,created by
Dialogue: 0,0:07:33.36,0:07:36.00,Default,,0000,0000,0000,,snort into splunk for analysis and
Dialogue: 0,0:07:36.00,0:07:39.28,Default,,0000,0000,0000,,luckily for us splunk has a snort app or
Dialogue: 0,0:07:39.28,0:07:40.96,Default,,0000,0000,0000,,plug-in if you will that that will
Dialogue: 0,0:07:40.96,0:07:43.68,Default,,0000,0000,0000,,essentially simplify this process
Dialogue: 0,0:07:43.68,0:07:44.80,Default,,0000,0000,0000,,so
Dialogue: 0,0:07:44.80,0:07:47.36,Default,,0000,0000,0000,,let's get an idea as to you know how we
Dialogue: 0,0:07:47.36,0:07:49.12,Default,,0000,0000,0000,,can use splunk for security event
Dialogue: 0,0:07:49.12,0:07:51.76,Default,,0000,0000,0000,,monitoring so splunk enterprise security
Dialogue: 0,0:07:51.76,0:07:54.80,Default,,0000,0000,0000,,also known as splunk es is a security
Dialogue: 0,0:07:54.80,0:07:56.80,Default,,0000,0000,0000,,information and event management
Dialogue: 0,0:07:56.80,0:07:59.20,Default,,0000,0000,0000,,solution also known as a siem
Dialogue: 0,0:07:59.20,0:08:01.36,Default,,0000,0000,0000,,it is used to but is used by security
Dialogue: 0,0:08:01.36,0:08:03.68,Default,,0000,0000,0000,,teams to quickly detect and respond to
Dialogue: 0,0:08:03.68,0:08:06.16,Default,,0000,0000,0000,,internal and external attacks or threats
Dialogue: 0,0:08:06.16,0:08:09.68,Default,,0000,0000,0000,,or intrusions so splunk es can be used
Dialogue: 0,0:08:09.68,0:08:11.76,Default,,0000,0000,0000,,for security event monitoring incident
Dialogue: 0,0:08:11.76,0:08:14.24,Default,,0000,0000,0000,,response and running a soc or security
Dialogue: 0,0:08:14.24,0:08:15.92,Default,,0000,0000,0000,,operations center
Dialogue: 0,0:08:15.92,0:08:18.08,Default,,0000,0000,0000,,in this video we'll be using splunk es
Dialogue: 0,0:08:18.08,0:08:20.00,Default,,0000,0000,0000,,to monitor and visualize the snort
Dialogue: 0,0:08:20.00,0:08:22.24,Default,,0000,0000,0000,,intrusion alerts this will be
Dialogue: 0,0:08:22.24,0:08:24.40,Default,,0000,0000,0000,,facilitated through the help of the snort
Dialogue: 0,0:08:24.40,0:08:26.64,Default,,0000,0000,0000,,app for splunk and the splunk universal
Dialogue: 0,0:08:26.64,0:08:29.28,Default,,0000,0000,0000,,forwarder now the splunk universal forwarder
Dialogue: 0,0:08:29.28,0:08:31.20,Default,,0000,0000,0000,,is pretty much the most important
Dialogue: 0,0:08:31.20,0:08:33.04,Default,,0000,0000,0000,,element of what we'll be exploring
Dialogue: 0,0:08:33.04,0:08:35.20,Default,,0000,0000,0000,,because what it does and this is really
Dialogue: 0,0:08:35.20,0:08:37.20,Default,,0000,0000,0000,,cool is it allow it automatically
Dialogue: 0,0:08:37.20,0:08:39.28,Default,,0000,0000,0000,,forwards the latest logs
Dialogue: 0,0:08:39.28,0:08:40.48,Default,,0000,0000,0000,,even when
Dialogue: 0,0:08:40.48,0:08:42.48,Default,,0000,0000,0000,,when snort is running it forwards those
Dialogue: 0,0:08:42.48,0:08:45.04,Default,,0000,0000,0000,,alerts and logs into splunk and you can
Dialogue: 0,0:08:45.04,0:08:46.56,Default,,0000,0000,0000,,see them in real time which is
Dialogue: 0,0:08:46.56,0:08:49.44,Default,,0000,0000,0000,,absolutely fantastic
Dialogue: 0,0:08:49.44,0:08:52.32,Default,,0000,0000,0000,,so as i said if you're new to splunk
Dialogue: 0,0:08:52.32,0:08:54.80,Default,,0000,0000,0000,,then these resources are really helpful
Dialogue: 0,0:08:54.80,0:08:57.12,Default,,0000,0000,0000,,for you so splunk offer really great
Dialogue: 0,0:08:57.12,0:08:59.04,Default,,0000,0000,0000,,tutorials and courses designed for
Dialogue: 0,0:08:59.04,0:09:00.72,Default,,0000,0000,0000,,absolute beginners you can check that
Dialogue: 0,0:09:00.72,0:09:02.96,Default,,0000,0000,0000,,out by clicking on the link within this
Dialogue: 0,0:09:02.96,0:09:05.60,Default,,0000,0000,0000,,slide and you can learn more about the
Dialogue: 0,0:09:05.60,0:09:08.16,Default,,0000,0000,0000,,splunk enterprise security edition from
Dialogue: 0,0:09:08.16,0:09:09.76,Default,,0000,0000,0000,,that particular link
Dialogue: 0,0:09:09.76,0:09:11.04,Default,,0000,0000,0000,,now as i said we're going to be
Dialogue: 0,0:09:11.04,0:09:12.24,Default,,0000,0000,0000,,deploying
Dialogue: 0,0:09:12.24,0:09:15.20,Default,,0000,0000,0000,,uh splunk on linode more specifically
Dialogue: 0,0:09:15.20,0:09:17.12,Default,,0000,0000,0000,,splunk es and this is the lab
Dialogue: 0,0:09:17.12,0:09:19.20,Default,,0000,0000,0000,,environment so we're going to spin up uh
Dialogue: 0,0:09:19.20,0:09:21.52,Default,,0000,0000,0000,,you know splunk es on linode now again
Dialogue: 0,0:09:21.52,0:09:23.28,Default,,0000,0000,0000,,to follow through with this as uh you
Dialogue: 0,0:09:23.28,0:09:25.76,Default,,0000,0000,0000,,know linode has been absolutely fantastic
Dialogue: 0,0:09:25.76,0:09:28.32,Default,,0000,0000,0000,,with uh you know by providing uh all of
Dialogue: 0,0:09:28.32,0:09:30.96,Default,,0000,0000,0000,,you guys uh with a way to get a hundred
Dialogue: 0,0:09:30.96,0:09:33.28,Default,,0000,0000,0000,,dollars in free linode credit all you
Dialogue: 0,0:09:33.28,0:09:35.12,Default,,0000,0000,0000,,need to do is just click the link in the
Dialogue: 0,0:09:35.12,0:09:37.44,Default,,0000,0000,0000,,description section and sign up and a
Dialogue: 0,0:09:37.44,0:09:39.04,Default,,0000,0000,0000,,hundred dollars will be added to your
Dialogue: 0,0:09:39.04,0:09:40.96,Default,,0000,0000,0000,,account so that you can follow along
Dialogue: 0,0:09:40.96,0:09:43.28,Default,,0000,0000,0000,,with this series um so we're going to
Dialogue: 0,0:09:43.28,0:09:45.20,Default,,0000,0000,0000,,set up splunk es on linode and then
Dialogue: 0,0:09:45.20,0:09:47.28,Default,,0000,0000,0000,,within my internal network uh we're just
Dialogue: 0,0:09:47.28,0:09:49.04,Default,,0000,0000,0000,,gonna have a very basic infrastructure
Dialogue: 0,0:09:49.04,0:09:50.40,Default,,0000,0000,0000,,we're going to have the ubuntu virtual
Dialogue: 0,0:09:50.40,0:09:52.88,Default,,0000,0000,0000,,machine that is running snort this is the
Dialogue: 0,0:09:52.88,0:09:54.88,Default,,0000,0000,0000,,same virtual machine that we had set up
Dialogue: 0,0:09:54.88,0:09:57.68,Default,,0000,0000,0000,,and used uh to set up snort and set up
Dialogue: 0,0:09:57.68,0:09:59.84,Default,,0000,0000,0000,,suricata and the one we had used with
Dialogue: 0,0:09:59.84,0:10:01.36,Default,,0000,0000,0000,,wazuh
Dialogue: 0,0:10:01.36,0:10:03.52,Default,,0000,0000,0000,,and yeah that's essentially it we're
Dialogue: 0,0:10:03.52,0:10:04.72,Default,,0000,0000,0000,,going to have a very basic
Dialogue: 0,0:10:04.72,0:10:06.40,Default,,0000,0000,0000,,infrastructure where we have an attacker
Dialogue: 0,0:10:06.40,0:10:08.56,Default,,0000,0000,0000,,system that i'm going to be using to
Dialogue: 0,0:10:08.56,0:10:09.52,Default,,0000,0000,0000,,perform
Dialogue: 0,0:10:09.52,0:10:11.60,Default,,0000,0000,0000,,uh a bit of uh you know network
Dialogue: 0,0:10:11.60,0:10:15.04,Default,,0000,0000,0000,,intrusion detection uh emulation whereby
Dialogue: 0,0:10:15.04,0:10:17.52,Default,,0000,0000,0000,,i will essentially perform or run a
Dialogue: 0,0:10:17.52,0:10:20.88,Default,,0000,0000,0000,,couple of commands or uh or scripts to
Dialogue: 0,0:10:20.88,0:10:23.28,Default,,0000,0000,0000,,essentially emulate malicious network
Dialogue: 0,0:10:23.28,0:10:26.16,Default,,0000,0000,0000,,activity so that these logs are uh are
Dialogue: 0,0:10:26.16,0:10:28.32,Default,,0000,0000,0000,,essentially or so so this traffic is
Dialogue: 0,0:10:28.32,0:10:29.84,Default,,0000,0000,0000,,essentially logged and that will provide
Dialogue: 0,0:10:29.84,0:10:32.80,Default,,0000,0000,0000,,us with a good idea as to how helpful
Dialogue: 0,0:10:32.80,0:10:35.28,Default,,0000,0000,0000,,splunk is for security event monitoring
Dialogue: 0,0:10:35.28,0:10:37.76,Default,,0000,0000,0000,,especially in the context of our network
Dialogue: 0,0:10:37.76,0:10:40.32,Default,,0000,0000,0000,,intrusions
Dialogue: 0,0:10:40.32,0:10:41.92,Default,,0000,0000,0000,,so as i said you don't really need to
Dialogue: 0,0:10:41.92,0:10:44.24,Default,,0000,0000,0000,,have a windows workstation you simply
Dialogue: 0,0:10:44.24,0:10:46.00,Default,,0000,0000,0000,,need to have the ubuntu vm and you can
Dialogue: 0,0:10:46.00,0:10:48.80,Default,,0000,0000,0000,,pretty much run everything from it and
Dialogue: 0,0:10:48.80,0:10:50.56,Default,,0000,0000,0000,,of course you can set up the splunk
Dialogue: 0,0:10:50.56,0:10:52.00,Default,,0000,0000,0000,,enterprise
Dialogue: 0,0:10:52.00,0:10:54.24,Default,,0000,0000,0000,,enterprise security server on linode
Dialogue: 0,0:10:54.24,0:10:56.48,Default,,0000,0000,0000,,without any issues
Dialogue: 0,0:10:56.48,0:10:58.40,Default,,0000,0000,0000,,so that's the lab environment we can now
Dialogue: 0,0:10:58.40,0:11:00.00,Default,,0000,0000,0000,,get started with the practical
Dialogue: 0,0:11:00.00,0:11:01.44,Default,,0000,0000,0000,,demonstration so i'm going to switch
Dialogue: 0,0:11:01.44,0:11:05.04,Default,,0000,0000,0000,,over to my ubuntu virtual machine
Dialogue: 0,0:11:05.04,0:11:07.60,Default,,0000,0000,0000,,all right so i'm back on my ubuntu
Dialogue: 0,0:11:07.60,0:11:09.36,Default,,0000,0000,0000,,virtual machine and you can see i have
Dialogue: 0,0:11:09.36,0:11:11.28,Default,,0000,0000,0000,,linode opened up here
Dialogue: 0,0:11:11.28,0:11:13.28,Default,,0000,0000,0000,,i haven't set anything up yet because
Dialogue: 0,0:11:13.28,0:11:14.64,Default,,0000,0000,0000,,we're going to be walking through the
Dialogue: 0,0:11:14.64,0:11:16.08,Default,,0000,0000,0000,,process together
Dialogue: 0,0:11:16.08,0:11:18.96,Default,,0000,0000,0000,,i then have the splunk.com website here
Dialogue: 0,0:11:18.96,0:11:21.04,Default,,0000,0000,0000,,so if you're new to splunk then you need
Dialogue: 0,0:11:21.04,0:11:22.64,Default,,0000,0000,0000,,to create a new account in order to
Dialogue: 0,0:11:22.64,0:11:25.04,Default,,0000,0000,0000,,follow along so uh just head over to
Dialogue: 0,0:11:25.04,0:11:27.28,Default,,0000,0000,0000,,head over to splunk.com and you know
Dialogue: 0,0:11:27.28,0:11:29.52,Default,,0000,0000,0000,,register for an account it's free
Dialogue: 0,0:11:29.52,0:11:31.12,Default,,0000,0000,0000,,once that is done
Dialogue: 0,0:11:31.12,0:11:33.12,Default,,0000,0000,0000,,you'll need to activate your account or
Dialogue: 0,0:11:33.12,0:11:35.12,Default,,0000,0000,0000,,verify your account through the email or
Dialogue: 0,0:11:35.12,0:11:36.88,Default,,0000,0000,0000,,the verification email
Dialogue: 0,0:11:36.88,0:11:39.68,Default,,0000,0000,0000,,they'll send you once that is done
Dialogue: 0,0:11:39.68,0:11:41.28,Default,,0000,0000,0000,,we can then move forward because in
Dialogue: 0,0:11:41.28,0:11:44.32,Default,,0000,0000,0000,,order to access the actual um
Dialogue: 0,0:11:44.32,0:11:46.80,Default,,0000,0000,0000,,splunk universal forwarder you'll need to
Dialogue: 0,0:11:46.80,0:11:48.72,Default,,0000,0000,0000,,have an account and of course um you
Dialogue: 0,0:11:48.72,0:11:50.64,Default,,0000,0000,0000,,know in this case i'll be going through
Dialogue: 0,0:11:50.64,0:11:52.80,Default,,0000,0000,0000,,everything as we move along in a
Dialogue: 0,0:11:52.80,0:11:55.52,Default,,0000,0000,0000,,structured uh in a structured manner and
Dialogue: 0,0:11:55.52,0:11:59.12,Default,,0000,0000,0000,,then to perform the actual nids
Dialogue: 0,0:11:59.12,0:12:00.16,Default,,0000,0000,0000,,tests
Dialogue: 0,0:12:00.16,0:12:01.92,Default,,0000,0000,0000,,we are going to be using the
Dialogue: 0,0:12:01.92,0:12:03.84,Default,,0000,0000,0000,,testmynids.org
Dialogue: 0,0:12:03.84,0:12:06.48,Default,,0000,0000,0000,,project which is on github so this is
Dialogue: 0,0:12:06.48,0:12:08.88,Default,,0000,0000,0000,,essentially a bash script
Dialogue: 0,0:12:08.88,0:12:11.44,Default,,0000,0000,0000,,that allows you to as you can see here
Dialogue: 0,0:12:11.44,0:12:13.28,Default,,0000,0000,0000,,it allows you to essentially emulate or
Dialogue: 0,0:12:13.28,0:12:16.80,Default,,0000,0000,0000,,simulate malicious network traffic so uh
Dialogue: 0,0:12:16.80,0:12:19.44,Default,,0000,0000,0000,,previously we had used the website uh
Dialogue: 0,0:12:19.44,0:12:21.28,Default,,0000,0000,0000,,the website technique to essentially get
Dialogue: 0,0:12:21.28,0:12:23.76,Default,,0000,0000,0000,,a linux uid and that traffic would be
Dialogue: 0,0:12:23.76,0:12:26.24,Default,,0000,0000,0000,,logged as malicious or
Dialogue: 0,0:12:26.24,0:12:27.76,Default,,0000,0000,0000,,it could be logged as a potential
Dialogue: 0,0:12:27.76,0:12:30.00,Default,,0000,0000,0000,,intrusion and we can run a few other
Dialogue: 0,0:12:30.00,0:12:33.36,Default,,0000,0000,0000,,checks like an http basic authentication
Dialogue: 0,0:12:33.36,0:12:35.52,Default,,0000,0000,0000,,bad certificate authorities
Dialogue: 0,0:12:35.52,0:12:38.64,Default,,0000,0000,0000,,uh an exe or dll download over http so
Dialogue: 0,0:12:38.64,0:12:40.72,Default,,0000,0000,0000,,you know just we can run tests that are
Dialogue: 0,0:12:40.72,0:12:42.96,Default,,0000,0000,0000,,you know will just make our
Dialogue: 0,0:12:42.96,0:12:45.44,Default,,0000,0000,0000,,intrusion detection system uh blow up in
Dialogue: 0,0:12:45.44,0:12:47.60,Default,,0000,0000,0000,,terms of alerts and that's what we want
Dialogue: 0,0:12:47.60,0:12:49.52,Default,,0000,0000,0000,,because we want to see how that data is
Dialogue: 0,0:12:49.52,0:12:52.16,Default,,0000,0000,0000,,presented to us as a security engineer
Dialogue: 0,0:12:52.16,0:12:55.04,Default,,0000,0000,0000,,on splunk with that being said the first
Dialogue: 0,0:12:55.04,0:12:57.68,Default,,0000,0000,0000,,step of course is to set up splunk es on
Dialogue: 0,0:12:57.68,0:12:58.88,Default,,0000,0000,0000,,linode so
Dialogue: 0,0:12:58.88,0:13:01.68,Default,,0000,0000,0000,,just click on uh click on create and a
Dialogue: 0,0:13:01.68,0:13:04.08,Default,,0000,0000,0000,,linode and click on marketplace
Dialogue: 0,0:13:04.08,0:13:06.40,Default,,0000,0000,0000,,and they already have splunk here so
Dialogue: 0,0:13:06.40,0:13:08.48,Default,,0000,0000,0000,,there we are you can click on that there
Dialogue: 0,0:13:08.48,0:13:10.24,Default,,0000,0000,0000,,and if you click on this little info
Dialogue: 0,0:13:10.24,0:13:12.40,Default,,0000,0000,0000,,button here it'll give you an idea as to
Dialogue: 0,0:13:12.40,0:13:14.32,Default,,0000,0000,0000,,how to deploy it on
Dialogue: 0,0:13:14.32,0:13:16.48,Default,,0000,0000,0000,,uh on linode and of course you have more
Dialogue: 0,0:13:16.48,0:13:18.40,Default,,0000,0000,0000,,information regarding splunk so you have
Dialogue: 0,0:13:18.40,0:13:20.48,Default,,0000,0000,0000,,the documentation link there so i'll
Dialogue: 0,0:13:20.48,0:13:22.96,Default,,0000,0000,0000,,just click on splunk
Dialogue: 0,0:13:22.96,0:13:24.64,Default,,0000,0000,0000,,once that is clicked we can then head
Dialogue: 0,0:13:24.64,0:13:26.72,Default,,0000,0000,0000,,over here you'll need to specify the
Dialogue: 0,0:13:26.72,0:13:28.96,Default,,0000,0000,0000,,splunk admin user i recommend using
Dialogue: 0,0:13:28.96,0:13:31.60,Default,,0000,0000,0000,,admin to begin with and then specify a
Dialogue: 0,0:13:31.60,0:13:33.44,Default,,0000,0000,0000,,password
Dialogue: 0,0:13:33.44,0:13:35.52,Default,,0000,0000,0000,,if you're setting up you know splunk on
Dialogue: 0,0:13:35.52,0:13:37.60,Default,,0000,0000,0000,,a domain then you can specify the
Dialogue: 0,0:13:37.60,0:13:39.84,Default,,0000,0000,0000,,linode api token to essentially create
Dialogue: 0,0:13:39.84,0:13:42.32,Default,,0000,0000,0000,,the dns records that's if you're using
Dialogue: 0,0:13:42.32,0:13:43.84,Default,,0000,0000,0000,,linode dns
Dialogue: 0,0:13:43.84,0:13:45.84,Default,,0000,0000,0000,,dns service
Dialogue: 0,0:13:45.84,0:13:47.52,Default,,0000,0000,0000,,uh and then of course you need to add
Dialogue: 0,0:13:47.52,0:13:49.52,Default,,0000,0000,0000,,the admin email for the server so in
Dialogue: 0,0:13:49.52,0:13:52.00,Default,,0000,0000,0000,,this case i can just say for example
Dialogue: 0,0:13:52.00,0:13:54.00,Default,,0000,0000,0000,,hackersploit
Dialogue: 0,0:13:54.00,0:13:55.52,Default,,0000,0000,0000,,gmail.com
Dialogue: 0,0:13:55.52,0:13:57.36,Default,,0000,0000,0000,,don't spam me on this email because i
Dialogue: 0,0:13:57.36,0:13:59.52,Default,,0000,0000,0000,,don't respond anyway so we can create
Dialogue: 0,0:13:59.52,0:14:01.04,Default,,0000,0000,0000,,another user
Dialogue: 0,0:14:01.04,0:14:02.48,Default,,0000,0000,0000,,uh so this is the username for the
Dialogue: 0,0:14:02.48,0:14:04.72,Default,,0000,0000,0000,,linode admin ssh user please ensure
Dialogue: 0,0:14:04.72,0:14:06.48,Default,,0000,0000,0000,,that the username does not contain any
Dialogue: 0,0:14:06.48,0:14:08.88,Default,,0000,0000,0000,,so we can just call this admin and then
Dialogue: 0,0:14:08.88,0:14:11.36,Default,,0000,0000,0000,,for the admin user we'll just say
Dialogue: 0,0:14:11.36,0:14:13.20,Default,,0000,0000,0000,,provide that there
Dialogue: 0,0:14:13.20,0:14:14.80,Default,,0000,0000,0000,,so the image we're going to set it up on
Dialogue: 0,0:14:14.80,0:14:18.08,Default,,0000,0000,0000,,ubuntu 20.04 the region i'll say london
Dialogue: 0,0:14:18.08,0:14:19.92,Default,,0000,0000,0000,,because that's closest to me
Dialogue: 0,0:14:19.92,0:14:22.24,Default,,0000,0000,0000,,as for the actual linode plan
Dialogue: 0,0:14:22.24,0:14:24.72,Default,,0000,0000,0000,,splunk es doesn't require that many
Dialogue: 0,0:14:24.72,0:14:26.48,Default,,0000,0000,0000,,resources especially because you know
Dialogue: 0,0:14:26.48,0:14:28.72,Default,,0000,0000,0000,,the amount of data that we're processing
Dialogue: 0,0:14:28.72,0:14:30.96,Default,,0000,0000,0000,,on the logs that are being forwarded to
Dialogue: 0,0:14:30.96,0:14:34.32,Default,,0000,0000,0000,,splunk are relatively few so less than
Dialogue: 0,0:14:34.32,0:14:36.16,Default,,0000,0000,0000,,100 which if you've used splunk before
Dialogue: 0,0:14:36.16,0:14:37.92,Default,,0000,0000,0000,,for security event monitoring you know
Dialogue: 0,0:14:37.92,0:14:39.04,Default,,0000,0000,0000,,that that is
Dialogue: 0,0:14:39.04,0:14:41.20,Default,,0000,0000,0000,,like really really small in fl in in
Dialogue: 0,0:14:41.20,0:14:43.20,Default,,0000,0000,0000,,fact splunk will actually tell you that
Dialogue: 0,0:14:43.20,0:14:44.96,Default,,0000,0000,0000,,you know the amount of data
Dialogue: 0,0:14:44.96,0:14:47.52,Default,,0000,0000,0000,,to begin with that you have imported or
Dialogue: 0,0:14:47.52,0:14:49.68,Default,,0000,0000,0000,,you forwarded is too little to make any
Dialogue: 0,0:14:49.68,0:14:50.88,Default,,0000,0000,0000,,sense of
Dialogue: 0,0:14:50.88,0:14:52.48,Default,,0000,0000,0000,,but that's where the snort app for
Dialogue: 0,0:14:52.48,0:14:54.80,Default,,0000,0000,0000,,splunk comes into play so i'll just say
0,0:14:54.80,0:14:56.00,Default,,0000,0000,0000,,splunk Dialogue: 0,0:14:56.00,0:14:58.16,Default,,0000,0000,0000,,and i'll provide my root password for Dialogue: 0,0:14:58.16,0:14:59.36,Default,,0000,0000,0000,,the server Dialogue: 0,0:14:59.36,0:15:02.08,Default,,0000,0000,0000,,and we can click on create Dialogue: 0,0:15:02.08,0:15:03.36,Default,,0000,0000,0000,,all right now Dialogue: 0,0:15:03.36,0:15:06.08,Default,,0000,0000,0000,,uh once this is set up and provisioned Dialogue: 0,0:15:06.08,0:15:08.08,Default,,0000,0000,0000,,the actual installer is going to begin Dialogue: 0,0:15:08.08,0:15:10.08,Default,,0000,0000,0000,,so it's going to set up because there is Dialogue: 0,0:15:10.08,0:15:12.80,Default,,0000,0000,0000,,an auto installer setup that will set up Dialogue: 0,0:15:12.80,0:15:15.20,Default,,0000,0000,0000,,splunk yes for you so uh let it Dialogue: 0,0:15:15.20,0:15:16.88,Default,,0000,0000,0000,,provision after that's done you can Dialogue: 0,0:15:16.88,0:15:19.20,Default,,0000,0000,0000,,launch the lish console to avoid logging Dialogue: 0,0:15:19.20,0:15:22.16,Default,,0000,0000,0000,,in via ssh and of course one thing that Dialogue: 0,0:15:22.16,0:15:24.00,Default,,0000,0000,0000,,i need to that i don't need to tell you Dialogue: 0,0:15:24.00,0:15:25.68,Default,,0000,0000,0000,,is if you're setting this up for Dialogue: 0,0:15:25.68,0:15:27.68,Default,,0000,0000,0000,,production then you need to make sure Dialogue: 0,0:15:27.68,0:15:29.76,Default,,0000,0000,0000,,you're securing your server so do only Dialogue: 0,0:15:29.76,0:15:32.72,Default,,0000,0000,0000,,use ssh keys for authentication with the Dialogue: 0,0:15:32.72,0:15:33.76,Default,,0000,0000,0000,,server Dialogue: 0,0:15:33.76,0:15:35.92,Default,,0000,0000,0000,,if you're new to hardening and securing Dialogue: 0,0:15:35.92,0:15:37.76,Default,,0000,0000,0000,,a linux server you can check out the Dialogue: 0,0:15:37.76,0:15:39.36,Default,,0000,0000,0000,,previous series Dialogue: 
0,0:15:39.36,0:15:41.92,Default,,0000,0000,0000,,that we did with linux the linux server Dialogue: 0,0:15:41.92,0:15:44.80,Default,,0000,0000,0000,,security series uh that'll give you uh Dialogue: 0,0:15:44.80,0:15:46.96,Default,,0000,0000,0000,,you know all the information you need to Dialogue: 0,0:15:46.96,0:15:49.76,Default,,0000,0000,0000,,secure a linux server for production Dialogue: 0,0:15:49.76,0:15:50.96,Default,,0000,0000,0000,,with that being said i'm just going to Dialogue: 0,0:15:50.96,0:15:52.80,Default,,0000,0000,0000,,let it provision after which we can Dialogue: 0,0:15:52.80,0:15:54.56,Default,,0000,0000,0000,,launch the english console to see what's Dialogue: 0,0:15:54.56,0:15:56.64,Default,,0000,0000,0000,,going on in the background and we can Dialogue: 0,0:15:56.64,0:15:58.80,Default,,0000,0000,0000,,then get started uh you know officially Dialogue: 0,0:15:58.80,0:16:00.00,Default,,0000,0000,0000,,with um Dialogue: 0,0:16:00.00,0:16:01.84,Default,,0000,0000,0000,,with how to set up splunk we then need Dialogue: 0,0:16:01.84,0:16:04.72,Default,,0000,0000,0000,,to set up the universal folder Dialogue: 0,0:16:04.72,0:16:08.64,Default,,0000,0000,0000,,so uh this is booting now Dialogue: 0,0:16:08.64,0:16:11.12,Default,,0000,0000,0000,,all right so the server is booted and Dialogue: 0,0:16:11.12,0:16:12.80,Default,,0000,0000,0000,,you can see i've just opened up the lish Dialogue: 0,0:16:12.80,0:16:14.32,Default,,0000,0000,0000,,console here Dialogue: 0,0:16:14.32,0:16:15.92,Default,,0000,0000,0000,,to essentially view what's going on as Dialogue: 0,0:16:15.92,0:16:18.00,Default,,0000,0000,0000,,you can see it's begun setting up a Dialogue: 0,0:16:18.00,0:16:20.40,Default,,0000,0000,0000,,splunk yes so just give this a couple of Dialogue: 0,0:16:20.40,0:16:21.52,Default,,0000,0000,0000,,minutes Dialogue: 0,0:16:21.52,0:16:23.28,Default,,0000,0000,0000,,to essentially begin Dialogue: 0,0:16:23.28,0:16:25.60,Default,,0000,0000,0000,,um and once it's 
done it'll actually Dialogue: 0,0:16:25.60,0:16:27.36,Default,,0000,0000,0000,,tell you that it'll provide you with the Dialogue: 0,0:16:27.36,0:16:28.80,Default,,0000,0000,0000,,login prompt Dialogue: 0,0:16:28.80,0:16:30.40,Default,,0000,0000,0000,,but it's probably logged in as the root Dialogue: 0,0:16:30.40,0:16:32.00,Default,,0000,0000,0000,,user already so Dialogue: 0,0:16:32.00,0:16:33.76,Default,,0000,0000,0000,,uh just let this complete i'm just gonna Dialogue: 0,0:16:33.76,0:16:36.88,Default,,0000,0000,0000,,wait for this to actually conclude Dialogue: 0,0:16:36.88,0:16:40.00,Default,,0000,0000,0000,,all right so once uh splunk es is done Dialogue: 0,0:16:40.00,0:16:42.88,Default,,0000,0000,0000,,uh or the actual uh linode is done here Dialogue: 0,0:16:42.88,0:16:44.32,Default,,0000,0000,0000,,with the setup you can see it's gonna Dialogue: 0,0:16:44.32,0:16:46.24,Default,,0000,0000,0000,,tell you installation complete Dialogue: 0,0:16:46.24,0:16:48.16,Default,,0000,0000,0000,,and you can then log in uh keep this Dialogue: 0,0:16:48.16,0:16:49.52,Default,,0000,0000,0000,,window open because this is going to be Dialogue: 0,0:16:49.52,0:16:50.88,Default,,0000,0000,0000,,very important as we'll need to Dialogue: 0,0:16:50.88,0:16:53.44,Default,,0000,0000,0000,,configure a few firewall rules because Dialogue: 0,0:16:53.44,0:16:56.32,Default,,0000,0000,0000,,uh by default this linux comes with ufw Dialogue: 0,0:16:56.32,0:16:58.72,Default,,0000,0000,0000,,which is the uncomplicated firewall for Dialogue: 0,0:16:58.72,0:17:00.08,Default,,0000,0000,0000,,debian or Dialogue: 0,0:17:00.08,0:17:02.00,Default,,0000,0000,0000,,it typically comes pre-packaged with Dialogue: 0,0:17:02.00,0:17:04.96,Default,,0000,0000,0000,,debian-based distributions like ubuntu Dialogue: 0,0:17:04.96,0:17:06.56,Default,,0000,0000,0000,,in this case it's already added the Dialogue: 0,0:17:06.56,0:17:08.40,Default,,0000,0000,0000,,firewall rule for the port that we Dialogue: 
0,0:17:08.40,0:17:10.00,Default,,0000,0000,0000,,wanted but just keep it open because Dialogue: 0,0:17:10.00,0:17:12.56,Default,,0000,0000,0000,,we'll need to run a few checks um so you Dialogue: 0,0:17:12.56,0:17:14.00,Default,,0000,0000,0000,,can log in there so i'm just going to Dialogue: 0,0:17:14.00,0:17:15.68,Default,,0000,0000,0000,,log in with the credentials that i Dialogue: 0,0:17:15.68,0:17:18.72,Default,,0000,0000,0000,,specified as the root user and i can Dialogue: 0,0:17:18.72,0:17:22.16,Default,,0000,0000,0000,,just say sudo ufw status Dialogue: 0,0:17:22.16,0:17:23.84,Default,,0000,0000,0000,,um Dialogue: 0,0:17:23.84,0:17:25.44,Default,,0000,0000,0000,,and you can see these are all the Dialogue: 0,0:17:25.44,0:17:28.16,Default,,0000,0000,0000,,allowed rules or the actual rules Dialogue: 0,0:17:28.16,0:17:30.40,Default,,0000,0000,0000,,configured for the firewall which is Dialogue: 0,0:17:30.40,0:17:32.40,Default,,0000,0000,0000,,looking good uh so far Dialogue: 0,0:17:32.40,0:17:35.68,Default,,0000,0000,0000,,so we can access the splunk es instance Dialogue: 0,0:17:35.68,0:17:37.84,Default,,0000,0000,0000,,that we set up by pasting in the ip of Dialogue: 0,0:17:37.84,0:17:42.08,Default,,0000,0000,0000,,the server and and opening up port 8000 Dialogue: 0,0:17:42.08,0:17:44.08,Default,,0000,0000,0000,,that's going to open up splunk yes for Dialogue: 0,0:17:44.08,0:17:45.76,Default,,0000,0000,0000,,you so just give this a couple of Dialogue: 0,0:17:45.76,0:17:48.24,Default,,0000,0000,0000,,seconds there we are and the credentials Dialogue: 0,0:17:48.24,0:17:50.88,Default,,0000,0000,0000,,that we had used were admin and the Dialogue: 0,0:17:50.88,0:17:53.28,Default,,0000,0000,0000,,password that i created uh that you know Dialogue: 0,0:17:53.28,0:17:54.56,Default,,0000,0000,0000,,of course you'll you'll be able to Dialogue: 0,0:17:54.56,0:17:57.20,Default,,0000,0000,0000,,specify yourself so just sign in Dialogue: 
0,0:17:57.20,0:17:59.92,Default,,0000,0000,0000,,um and once that is done you'll be Dialogue: 0,0:17:59.92,0:18:03.36,Default,,0000,0000,0000,,brought to splunk enterprise Dialogue: 0,0:18:03.36,0:18:05.36,Default,,0000,0000,0000,,security here so there we are explore Dialogue: 0,0:18:05.36,0:18:07.20,Default,,0000,0000,0000,,splunk enterprise Dialogue: 0,0:18:07.20,0:18:10.00,Default,,0000,0000,0000,,uh and um Dialogue: 0,0:18:10.00,0:18:11.36,Default,,0000,0000,0000,,in this case what we're going to be Dialogue: 0,0:18:11.36,0:18:14.08,Default,,0000,0000,0000,,doing what we're going to start off with Dialogue: 0,0:18:14.08,0:18:16.24,Default,,0000,0000,0000,,is we need to go through a few Dialogue: 0,0:18:16.24,0:18:18.72,Default,,0000,0000,0000,,configuration uh changes with splunk Dialogue: 0,0:18:18.72,0:18:19.76,Default,,0000,0000,0000,,itself Dialogue: 0,0:18:19.76,0:18:22.88,Default,,0000,0000,0000,,so the idea firstly is to configure Dialogue: 0,0:18:22.88,0:18:25.60,Default,,0000,0000,0000,,uh the actual uh rece the receiving of Dialogue: 0,0:18:25.60,0:18:27.36,Default,,0000,0000,0000,,data so if you head over into settings Dialogue: 0,0:18:27.36,0:18:29.44,Default,,0000,0000,0000,,you can click on under data just click Dialogue: 0,0:18:29.44,0:18:31.84,Default,,0000,0000,0000,,on forwarding and receiving Dialogue: 0,0:18:31.84,0:18:34.40,Default,,0000,0000,0000,,uh and once that is done once that is Dialogue: 0,0:18:34.40,0:18:35.76,Default,,0000,0000,0000,,loaded up Dialogue: 0,0:18:35.76,0:18:38.08,Default,,0000,0000,0000,,um under received data we need to Dialogue: 0,0:18:38.08,0:18:40.00,Default,,0000,0000,0000,,configure this instance to receive data Dialogue: 0,0:18:40.00,0:18:41.60,Default,,0000,0000,0000,,forwarded from other instances so we Dialogue: 0,0:18:41.60,0:18:43.52,Default,,0000,0000,0000,,want to configure receiving Dialogue: 0,0:18:43.52,0:18:45.12,Default,,0000,0000,0000,,and we just want to set the default Dialogue: 
0,0:18:45.12,0:18:46.80,Default,,0000,0000,0000,,receiving port Dialogue: 0,0:18:46.80,0:18:50.40,Default,,0000,0000,0000,,so we can say new receiving port Dialogue: 0,0:18:50.40,0:18:52.16,Default,,0000,0000,0000,,and the port is of course going to be Dialogue: 0,0:18:52.16,0:18:54.80,Default,,0000,0000,0000,,the default which is 9997 which is why Dialogue: 0,0:18:54.80,0:18:56.64,Default,,0000,0000,0000,,that firewall rule was added so i'll Dialogue: 0,0:18:56.64,0:18:58.88,Default,,0000,0000,0000,,click on save Dialogue: 0,0:18:58.88,0:19:01.20,Default,,0000,0000,0000,,all right so once that is done we can Dialogue: 0,0:19:01.20,0:19:03.52,Default,,0000,0000,0000,,now install the snot Dialogue: 0,0:19:03.52,0:19:06.24,Default,,0000,0000,0000,,app for splunk so click on apps and head Dialogue: 0,0:19:06.24,0:19:08.48,Default,,0000,0000,0000,,over into find more apps Dialogue: 0,0:19:08.48,0:19:11.36,Default,,0000,0000,0000,,and because the ubuntu server is running Dialogue: 0,0:19:11.36,0:19:13.12,Default,,0000,0000,0000,,or the ubuntu vm that i'm currently Dialogue: 0,0:19:13.12,0:19:15.92,Default,,0000,0000,0000,,working on is running snot 2 we'll need Dialogue: 0,0:19:15.92,0:19:18.16,Default,,0000,0000,0000,,the appropriate uh app here so i'll just Dialogue: 0,0:19:18.16,0:19:20.16,Default,,0000,0000,0000,,search for snot there and we're not Dialogue: 0,0:19:20.16,0:19:22.32,Default,,0000,0000,0000,,looking for these note 3 json alerts Dialogue: 0,0:19:22.32,0:19:24.32,Default,,0000,0000,0000,,although that you know could be quite Dialogue: 0,0:19:24.32,0:19:26.48,Default,,0000,0000,0000,,useful but we want the snort alert for Dialogue: 0,0:19:26.48,0:19:28.72,Default,,0000,0000,0000,,splunk all right so this app provides Dialogue: 0,0:19:28.72,0:19:30.88,Default,,0000,0000,0000,,field extraction so that's really great Dialogue: 0,0:19:30.88,0:19:32.40,Default,,0000,0000,0000,,because performing your own field Dialogue: 
0,0:19:32.40,0:19:34.96,Default,,0000,0000,0000,,extractions uh you know using rejects Dialogue: 0,0:19:34.96,0:19:36.40,Default,,0000,0000,0000,,can be quite difficult if you're a Dialogue: 0,0:19:36.40,0:19:39.36,Default,,0000,0000,0000,,beginner so fast and full Dialogue: 0,0:19:39.36,0:19:42.40,Default,,0000,0000,0000,,as well as dashboards uh saved searches Dialogue: 0,0:19:42.40,0:19:45.60,Default,,0000,0000,0000,,reports event types tags and event Dialogue: 0,0:19:45.60,0:19:48.08,Default,,0000,0000,0000,,search interfaces so we'll install that Dialogue: 0,0:19:48.08,0:19:50.24,Default,,0000,0000,0000,,now you'll need to log in with the spa Dialogue: 0,0:19:50.24,0:19:52.40,Default,,0000,0000,0000,,your splunk account credentials that you Dialogue: 0,0:19:52.40,0:19:55.12,Default,,0000,0000,0000,,uh you know that you actually created on Dialogue: 0,0:19:55.12,0:19:57.76,Default,,0000,0000,0000,,splunk.com so i'll just fill in my Dialogue: 0,0:19:57.76,0:20:00.40,Default,,0000,0000,0000,,information really quickly Dialogue: 0,0:20:00.40,0:20:02.24,Default,,0000,0000,0000,,all right so i've put in my username and Dialogue: 0,0:20:02.24,0:20:04.24,Default,,0000,0000,0000,,password so i'll just say i'll accept Dialogue: 0,0:20:04.24,0:20:06.32,Default,,0000,0000,0000,,the terms and conditions there so log in Dialogue: 0,0:20:06.32,0:20:07.60,Default,,0000,0000,0000,,and install Dialogue: 0,0:20:07.60,0:20:09.28,Default,,0000,0000,0000,,that's going to install it there we are Dialogue: 0,0:20:09.28,0:20:10.88,Default,,0000,0000,0000,,so we'll just hit done Dialogue: 0,0:20:10.88,0:20:13.36,Default,,0000,0000,0000,,now that is done if we head back over Dialogue: 0,0:20:13.36,0:20:16.40,Default,,0000,0000,0000,,into our dashboard so i'll just click on Dialogue: 0,0:20:16.40,0:20:18.40,Default,,0000,0000,0000,,splunk enterprise there Dialogue: 0,0:20:18.40,0:20:20.72,Default,,0000,0000,0000,,and you can now see we have snot alert Dialogue: 
0,0:20:20.72,0:20:23.04,Default,,0000,0000,0000,,force for splunk so that's it already Dialogue: 0,0:20:23.04,0:20:25.60,Default,,0000,0000,0000,,comes pre-configured with a dashboard Dialogue: 0,0:20:25.60,0:20:28.00,Default,,0000,0000,0000,,um so we'll just let this uh load up Dialogue: 0,0:20:28.00,0:20:30.00,Default,,0000,0000,0000,,here and you can see that we don't have Dialogue: 0,0:20:30.00,0:20:32.48,Default,,0000,0000,0000,,any data yet so uh this will display Dialogue: 0,0:20:32.48,0:20:34.56,Default,,0000,0000,0000,,your events and sources top source Dialogue: 0,0:20:34.56,0:20:36.48,Default,,0000,0000,0000,,countries the events this is very Dialogue: 0,0:20:36.48,0:20:38.48,Default,,0000,0000,0000,,important the sources top 10 Dialogue: 0,0:20:38.48,0:20:41.04,Default,,0000,0000,0000,,classifications so that will classify uh Dialogue: 0,0:20:41.04,0:20:44.40,Default,,0000,0000,0000,,your alerts uh in in terms of uh the Dialogue: 0,0:20:44.40,0:20:46.64,Default,,0000,0000,0000,,type which again will make sense uh in a Dialogue: 0,0:20:46.64,0:20:49.28,Default,,0000,0000,0000,,couple of seconds uh so now that that is Dialogue: 0,0:20:49.28,0:20:51.60,Default,,0000,0000,0000,,done we actually need to configure Dialogue: 0,0:20:51.60,0:20:54.48,Default,,0000,0000,0000,,the actual splunk universal folder so Dialogue: 0,0:20:54.48,0:20:56.48,Default,,0000,0000,0000,,i'll just open that up in a new tab it's Dialogue: 0,0:20:56.48,0:20:59.12,Default,,0000,0000,0000,,absolutely free to download the debian Dialogue: 0,0:20:59.12,0:21:01.84,Default,,0000,0000,0000,,client or the uh the splunk universal Dialogue: 0,0:21:01.84,0:21:04.16,Default,,0000,0000,0000,,ford debian package so universal Dialogue: 0,0:21:04.16,0:21:06.96,Default,,0000,0000,0000,,forwarders uh provide reliable secure Dialogue: 0,0:21:06.96,0:21:09.44,Default,,0000,0000,0000,,data collection from remote from remote Dialogue: 0,0:21:09.44,0:21:11.52,Default,,0000,0000,0000,,sources and forward 
that data into Dialogue: 0,0:21:11.52,0:21:14.16,Default,,0000,0000,0000,,splunk software for indexing and Dialogue: 0,0:21:14.16,0:21:16.88,Default,,0000,0000,0000,,consolidation they can scale to tens of Dialogue: 0,0:21:16.88,0:21:18.80,Default,,0000,0000,0000,,thousands of remote systems collecting Dialogue: 0,0:21:18.80,0:21:20.72,Default,,0000,0000,0000,,terabytes of data so Dialogue: 0,0:21:20.72,0:21:23.04,Default,,0000,0000,0000,,again you can actually see why splunk is Dialogue: 0,0:21:23.04,0:21:25.36,Default,,0000,0000,0000,,so powerful and why it's widely uh used Dialogue: 0,0:21:25.36,0:21:27.44,Default,,0000,0000,0000,,and deployed because of the fact that Dialogue: 0,0:21:27.44,0:21:30.48,Default,,0000,0000,0000,,you can literally uh you know be you can Dialogue: 0,0:21:30.48,0:21:32.64,Default,,0000,0000,0000,,literally forward a ton of data from a Dialogue: 0,0:21:32.64,0:21:35.84,Default,,0000,0000,0000,,ton of systems into splunk so because Dialogue: 0,0:21:35.84,0:21:38.48,Default,,0000,0000,0000,,the uh because snot is running on this Dialogue: 0,0:21:38.48,0:21:40.48,Default,,0000,0000,0000,,ubuntu vm we need the debian package so Dialogue: 0,0:21:40.48,0:21:41.92,Default,,0000,0000,0000,,i'll click on linux and we want the Dialogue: 0,0:21:41.92,0:21:45.04,Default,,0000,0000,0000,,64-bit version again you can choose one Dialogue: 0,0:21:45.04,0:21:46.56,Default,,0000,0000,0000,,based on your requirements so if you're Dialogue: 0,0:21:46.56,0:21:49.84,Default,,0000,0000,0000,,running on red at fedora or centos you Dialogue: 0,0:21:49.84,0:21:51.52,Default,,0000,0000,0000,,can use the rpm package so i'll just Dialogue: 0,0:21:51.52,0:21:54.56,Default,,0000,0000,0000,,download the debian package here Dialogue: 0,0:21:54.56,0:21:56.08,Default,,0000,0000,0000,,give that a couple of seconds it's then Dialogue: 0,0:21:56.08,0:21:58.24,Default,,0000,0000,0000,,going to begin downloading it and then Dialogue: 
0,0:21:58.24,0:22:00.00,Default,,0000,0000,0000,,i'll walk you through the setup process Dialogue: 0,0:22:00.00,0:22:01.84,Default,,0000,0000,0000,,so there we are Dialogue: 0,0:22:01.84,0:22:05.12,Default,,0000,0000,0000,,it's begun the setup Dialogue: 0,0:22:07.36,0:22:09.44,Default,,0000,0000,0000,,and once that is done i'll open up my Dialogue: 0,0:22:09.44,0:22:10.80,Default,,0000,0000,0000,,terminal so that's saved in the Dialogue: 0,0:22:10.80,0:22:12.96,Default,,0000,0000,0000,,downloads directory so Dialogue: 0,0:22:12.96,0:22:14.32,Default,,0000,0000,0000,,if we check if we head over into the Dialogue: 0,0:22:14.32,0:22:15.84,Default,,0000,0000,0000,,downloads directory you can see we have Dialogue: 0,0:22:15.84,0:22:17.92,Default,,0000,0000,0000,,the splunk forwarder debian package Dialogue: 0,0:22:17.92,0:22:19.20,Default,,0000,0000,0000,,there Dialogue: 0,0:22:19.20,0:22:21.68,Default,,0000,0000,0000,,so what we want to do firstly is we want Dialogue: 0,0:22:21.68,0:22:25.12,Default,,0000,0000,0000,,to move this package uh into the actual Dialogue: 0,0:22:25.12,0:22:28.08,Default,,0000,0000,0000,,opt directory on linux uh which will Dialogue: 0,0:22:28.08,0:22:30.88,Default,,0000,0000,0000,,essentially allow us to uh you know to Dialogue: 0,0:22:30.88,0:22:33.36,Default,,0000,0000,0000,,to set it up as as optional software and Dialogue: 0,0:22:33.36,0:22:35.28,Default,,0000,0000,0000,,it's really good to have all that Dialogue: 0,0:22:35.28,0:22:38.24,Default,,0000,0000,0000,,optional software stored in the opt Dialogue: 0,0:22:38.24,0:22:42.24,Default,,0000,0000,0000,,directory so uh once that is done uh Dialogue: 0,0:22:42.24,0:22:44.32,Default,,0000,0000,0000,,once that's downloaded we can say uh Dialogue: 0,0:22:44.32,0:22:45.60,Default,,0000,0000,0000,,move Dialogue: 0,0:22:45.60,0:22:48.48,Default,,0000,0000,0000,,splunk forwarder into opt Dialogue: 0,0:22:48.48,0:22:50.40,Default,,0000,0000,0000,,and we'll need sudo privileges so i'll Dialogue: 
0,0:22:50.40,0:22:52.56,Default,,0000,0000,0000,,say sudo move there we are and i'll just Dialogue: 0,0:22:52.56,0:22:55.12,Default,,0000,0000,0000,,type in my password fantastic so we'll Dialogue: 0,0:22:55.12,0:22:57.36,Default,,0000,0000,0000,,now navigate to the opt directory and to Dialogue: 0,0:22:57.36,0:23:00.32,Default,,0000,0000,0000,,install this we can say sudo apt Dialogue: 0,0:23:00.32,0:23:02.96,Default,,0000,0000,0000,,and then we can specify install so we Dialogue: 0,0:23:02.96,0:23:05.12,Default,,0000,0000,0000,,can say sudo apt install Dialogue: 0,0:23:05.12,0:23:06.96,Default,,0000,0000,0000,,and then we specify the package itself Dialogue: 0,0:23:06.96,0:23:09.44,Default,,0000,0000,0000,,so splunk folder Dialogue: 0,0:23:09.44,0:23:11.44,Default,,0000,0000,0000,,and we're just going to hit enter that's Dialogue: 0,0:23:11.44,0:23:13.52,Default,,0000,0000,0000,,going to install it for you Dialogue: 0,0:23:13.52,0:23:16.88,Default,,0000,0000,0000,,give that a couple of seconds Dialogue: 0,0:23:19.44,0:23:21.52,Default,,0000,0000,0000,,all right so once that is installed if Dialogue: 0,0:23:21.52,0:23:23.04,Default,,0000,0000,0000,,you list out the contents of this Dialogue: 0,0:23:23.04,0:23:24.56,Default,,0000,0000,0000,,directory you're going to have a splunk Dialogue: 0,0:23:24.56,0:23:26.56,Default,,0000,0000,0000,,for the directory here so i'll say cd Dialogue: 0,0:23:26.56,0:23:29.20,Default,,0000,0000,0000,,splunk folder and under the binary Dialogue: 0,0:23:29.20,0:23:31.20,Default,,0000,0000,0000,,directory we can navigate to that here Dialogue: 0,0:23:31.20,0:23:32.72,Default,,0000,0000,0000,,we'll need to start Dialogue: 0,0:23:32.72,0:23:35.60,Default,,0000,0000,0000,,us we'll need to start splunk so we will Dialogue: 0,0:23:35.60,0:23:37.28,Default,,0000,0000,0000,,say uh sudo Dialogue: 0,0:23:37.28,0:23:39.04,Default,,0000,0000,0000,,and a binary we want to run is called Dialogue: 
0,0:23:39.04,0:23:41.28,Default,,0000,0000,0000,,splunk and we'll accept the license uh Dialogue: 0,0:23:41.28,0:23:42.80,Default,,0000,0000,0000,,the reason we're doing this is because Dialogue: 0,0:23:42.80,0:23:44.80,Default,,0000,0000,0000,,we need to configure it so we need to Dialogue: 0,0:23:44.80,0:23:46.80,Default,,0000,0000,0000,,specify the username and password or you Dialogue: 0,0:23:46.80,0:23:49.28,Default,,0000,0000,0000,,know create a username and password Dialogue: 0,0:23:49.28,0:23:52.00,Default,,0000,0000,0000,,and once that is done uh you'll actually Dialogue: 0,0:23:52.00,0:23:53.36,Default,,0000,0000,0000,,see what that looks like so i'll just Dialogue: 0,0:23:53.36,0:23:55.68,Default,,0000,0000,0000,,say accept the license Dialogue: 0,0:23:55.68,0:23:56.64,Default,,0000,0000,0000,,and Dialogue: 0,0:23:56.64,0:23:59.20,Default,,0000,0000,0000,,you can see in this case let's see if i Dialogue: 0,0:23:59.20,0:24:01.20,Default,,0000,0000,0000,,typed that in correctly that should Dialogue: 0,0:24:01.20,0:24:03.60,Default,,0000,0000,0000,,actually start so splunk start i did not Dialogue: 0,0:24:03.60,0:24:05.44,Default,,0000,0000,0000,,specify start there Dialogue: 0,0:24:05.44,0:24:06.80,Default,,0000,0000,0000,,there we are so please enter an Dialogue: 0,0:24:06.80,0:24:09.68,Default,,0000,0000,0000,,administrator name i'll just say admin Dialogue: 0,0:24:09.68,0:24:12.00,Default,,0000,0000,0000,,so again splunk software must create an Dialogue: 0,0:24:12.00,0:24:14.32,Default,,0000,0000,0000,,administrator account during startup Dialogue: 0,0:24:14.32,0:24:16.56,Default,,0000,0000,0000,,otherwise you cannot log in so create Dialogue: 0,0:24:16.56,0:24:18.16,Default,,0000,0000,0000,,credentials for the administrator Dialogue: 0,0:24:18.16,0:24:19.28,Default,,0000,0000,0000,,account Dialogue: 0,0:24:19.28,0:24:20.64,Default,,0000,0000,0000,,um Dialogue: 0,0:24:20.64,0:24:22.32,Default,,0000,0000,0000,,so in this case uh you know you can 
Dialogue: 0,0:24:22.32,0:24:23.60,Default,,0000,0000,0000,,create whatever you want i'm just going Dialogue: 0,0:24:23.60,0:24:26.00,Default,,0000,0000,0000,,to fill in my credentials here Dialogue: 0,0:24:26.00,0:24:28.64,Default,,0000,0000,0000,,all right so i've just entered my Dialogue: 0,0:24:28.64,0:24:30.32,Default,,0000,0000,0000,,administrator username and then of Dialogue: 0,0:24:30.32,0:24:32.40,Default,,0000,0000,0000,,course my password so Dialogue: 0,0:24:32.40,0:24:33.84,Default,,0000,0000,0000,,that is done Dialogue: 0,0:24:33.84,0:24:36.24,Default,,0000,0000,0000,,uh so it'll go through um Dialogue: 0,0:24:36.24,0:24:37.76,Default,,0000,0000,0000,,it'll essentially go through and check Dialogue: 0,0:24:37.76,0:24:40.40,Default,,0000,0000,0000,,the prerequisites uh new certs have been Dialogue: 0,0:24:40.40,0:24:42.96,Default,,0000,0000,0000,,generated in the following directory Dialogue: 0,0:24:42.96,0:24:45.20,Default,,0000,0000,0000,,and all the preliminary checks have Dialogue: 0,0:24:45.20,0:24:47.52,Default,,0000,0000,0000,,passed so starting the splunk server Dialogue: 0,0:24:47.52,0:24:49.44,Default,,0000,0000,0000,,daemon so that's started you can also Dialogue: 0,0:24:49.44,0:24:52.16,Default,,0000,0000,0000,,enable it to run on system startup so if Dialogue: 0,0:24:52.16,0:24:55.44,Default,,0000,0000,0000,,i say you know for example sudo system Dialogue: 0,0:24:55.44,0:24:56.72,Default,,0000,0000,0000,,ctl Dialogue: 0,0:24:56.72,0:24:59.52,Default,,0000,0000,0000,,status splunk Dialogue: 0,0:24:59.52,0:25:01.84,Default,,0000,0000,0000,,let me type that in correctly here so Dialogue: 0,0:25:01.84,0:25:03.36,Default,,0000,0000,0000,,splunk Dialogue: 0,0:25:03.36,0:25:07.52,Default,,0000,0000,0000,,sorry systems pseudosystem ctl Dialogue: 0,0:25:07.52,0:25:10.24,Default,,0000,0000,0000,,and we can say splunk d Dialogue: 0,0:25:10.24,0:25:12.88,Default,,0000,0000,0000,,uh sorry so we can say splunk i'm not Dialogue: 
0,0:25:12.88,0:25:15.04,Default,,0000,0000,0000,,really sure why that's not loading here
Dialogue: 0,0:25:15.04,0:25:17.52,Default,,0000,0000,0000,,but i do know that the daemon is running
Dialogue: 0,0:25:17.52,0:25:21.44,Default,,0000,0000,0000,,and there should be a an init
Dialogue: 0,0:25:21.44,0:25:24.80,Default,,0000,0000,0000,,an init daemon for that but in any case
Dialogue: 0,0:25:24.80,0:25:27.36,Default,,0000,0000,0000,,you can always start it that way
Dialogue: 0,0:25:27.36,0:25:29.84,Default,,0000,0000,0000,,once that is done we will need to add
Dialogue: 0,0:25:29.84,0:25:32.32,Default,,0000,0000,0000,,our forward server so the we need to add
Dialogue: 0,0:25:32.32,0:25:34.96,Default,,0000,0000,0000,,the the address of the server uh the
Dialogue: 0,0:25:34.96,0:25:37.04,Default,,0000,0000,0000,,splunk server that we're forwarding our
Dialogue: 0,0:25:37.04,0:25:39.60,Default,,0000,0000,0000,,logs to we'll go we'll move on to what
Dialogue: 0,0:25:39.60,0:25:42.48,Default,,0000,0000,0000,,logs we want to forward in a second but
Dialogue: 0,0:25:42.48,0:25:44.16,Default,,0000,0000,0000,,let's do that first so again we're going
Dialogue: 0,0:25:44.16,0:25:46.72,Default,,0000,0000,0000,,to use the
Dialogue: 0,0:25:47.52,0:25:49.36,Default,,0000,0000,0000,,the splunk binary and we're going to say
Dialogue: 0,0:25:49.36,0:25:50.48,Default,,0000,0000,0000,,forward
Dialogue: 0,0:25:50.48,0:25:52.56,Default,,0000,0000,0000,,server and we'll just copy the ip
Dialogue: 0,0:25:52.56,0:25:54.80,Default,,0000,0000,0000,,address of your
Dialogue: 0,0:25:54.80,0:25:57.60,Default,,0000,0000,0000,,your splunk server here so there we are
Dialogue: 0,0:25:57.60,0:26:00.64,Default,,0000,0000,0000,,and i'll paste that in there
Dialogue: 0,0:26:00.64,0:26:03.32,Default,,0000,0000,0000,,and then you need to type in the port so
Dialogue: 0,0:26:03.32,0:26:07.20,Default,,0000,0000,0000,,9997 that's the port to connect to hit
Dialogue: 0,0:26:07.20,0:26:08.40,Default,,0000,0000,0000,,enter
Dialogue: 0,0:26:08.40,0:26:11.28,Default,,0000,0000,0000,,um so splunk forward uh
Dialogue: 0,0:26:11.28,0:26:13.28,Default,,0000,0000,0000,,yeah we need to add it i keep forgetting
Dialogue: 0,0:26:13.28,0:26:15.76,Default,,0000,0000,0000,,the the preliminary command so add forward
Dialogue: 0,0:26:15.76,0:26:18.32,Default,,0000,0000,0000,,server splunk username
Dialogue: 0,0:26:18.32,0:26:21.92,Default,,0000,0000,0000,,um so in this case uh let me just uh put
Dialogue: 0,0:26:21.92,0:26:25.84,Default,,0000,0000,0000,,in my credentials here
Dialogue: 0,0:26:26.64,0:26:29.44,Default,,0000,0000,0000,,all right and it's going to then add the
Dialogue: 0,0:26:29.44,0:26:31.76,Default,,0000,0000,0000,,forwarding to that particular address
Dialogue: 0,0:26:31.76,0:26:33.76,Default,,0000,0000,0000,,all right now that that is done
Dialogue: 0,0:26:33.76,0:26:35.44,Default,,0000,0000,0000,,we can actually we actually need to
Dialogue: 0,0:26:35.44,0:26:37.92,Default,,0000,0000,0000,,configure a particular file
Dialogue: 0,0:26:37.92,0:26:40.72,Default,,0000,0000,0000,,and that is going to be the outputs.conf
Dialogue: 0,0:26:40.72,0:26:43.04,Default,,0000,0000,0000,,directory if it's already set up for us
Dialogue: 0,0:26:43.04,0:26:45.04,Default,,0000,0000,0000,,which it should be
Dialogue: 0,0:26:45.04,0:26:46.88,Default,,0000,0000,0000,,then we do not need to go through the
Dialogue: 0,0:26:46.88,0:26:49.36,Default,,0000,0000,0000,,initial setup so
Dialogue: 0,0:26:49.36,0:26:51.12,Default,,0000,0000,0000,,if we head over into the following
Dialogue: 0,0:26:51.12,0:26:52.64,Default,,0000,0000,0000,,directory so i'll just take a step back
Dialogue: 0,0:26:52.64,0:26:54.08,Default,,0000,0000,0000,,we're still in the splunk forwarder
Dialogue: 0,0:26:54.08,0:26:55.28,Default,,0000,0000,0000,,directory
Dialogue: 0,0:26:55.28,0:26:58.16,Default,,0000,0000,0000,,uh we'll head over into
Dialogue: 0,0:26:58.16,0:27:01.68,Default,,0000,0000,0000,,the etc directory and under system
Dialogue: 0,0:27:01.68,0:27:05.04,Default,,0000,0000,0000,,we have a file under local i think it is
Dialogue: 0,0:27:05.04,0:27:06.64,Default,,0000,0000,0000,,called outputs right so i'm going to say
Dialogue: 0,0:27:06.64,0:27:08.72,Default,,0000,0000,0000,,sudo vim outputs
Dialogue: 0,0:27:08.72,0:27:09.84,Default,,0000,0000,0000,,dot conf
Dialogue: 0,0:27:09.84,0:27:11.84,Default,,0000,0000,0000,,and really the only thing that is
Dialogue: 0,0:27:11.84,0:27:13.84,Default,,0000,0000,0000,,required here
Dialogue: 0,0:27:13.84,0:27:16.16,Default,,0000,0000,0000,,is of course just leave the default
Dialogue: 0,0:27:16.16,0:27:18.32,Default,,0000,0000,0000,,configuration as is the default group is
Dialogue: 0,0:27:18.32,0:27:21.76,Default,,0000,0000,0000,,fine so tcp out default auto lb group
Dialogue: 0,0:27:21.76,0:27:23.28,Default,,0000,0000,0000,,that's fine so you make sure that the
Dialogue: 0,0:27:23.28,0:27:25.84,Default,,0000,0000,0000,,server option here is configured that's
Dialogue: 0,0:27:25.84,0:27:28.48,Default,,0000,0000,0000,,the most important and the tcp out
Dialogue: 0,0:27:28.48,0:27:30.32,Default,,0000,0000,0000,,server address is also configured in
Dialogue: 0,0:27:30.32,0:27:32.00,Default,,0000,0000,0000,,this format so we don't need to make any
Dialogue: 0,0:27:32.00,0:27:33.76,Default,,0000,0000,0000,,changes there so i'll just say quit and
Dialogue: 0,0:27:33.76,0:27:35.12,Default,,0000,0000,0000,,exit
Dialogue: 0,0:27:35.12,0:27:38.64,Default,,0000,0000,0000,,once that is done we also need to check
Dialogue: 0,0:27:38.64,0:27:41.28,Default,,0000,0000,0000,,uh the actual inputs configuration file
Dialogue: 0,0:27:41.28,0:27:43.20,Default,,0000,0000,0000,,but before we do that
Dialogue: 0,0:27:43.20,0:27:45.28,Default,,0000,0000,0000,,let's take a look so if you revisit the
Dialogue: 0,0:27:45.28,0:27:46.88,Default,,0000,0000,0000,,snort video
Dialogue: 0,0:27:46.88,0:27:48.88,Default,,0000,0000,0000,,you know that all the logs are stored
Dialogue: 0,0:27:48.88,0:27:51.84,Default,,0000,0000,0000,,under var uh log
Dialogue: 0,0:27:51.84,0:27:55.76,Default,,0000,0000,0000,,and snort right so we have the alert log
Dialogue: 0,0:27:55.76,0:27:59.28,Default,,0000,0000,0000,,um and we also have uh so again based on
Dialogue: 0,0:27:59.28,0:28:01.12,Default,,0000,0000,0000,,the type of um
Dialogue: 0,0:28:01.12,0:28:03.20,Default,,0000,0000,0000,,of alerts you want generated so you know
Dialogue: 0,0:28:03.20,0:28:05.44,Default,,0000,0000,0000,,if i say man snort here
Dialogue: 0,0:28:05.44,0:28:07.44,Default,,0000,0000,0000,,uh you can see that we have the alert
Dialogue: 0,0:28:07.44,0:28:09.44,Default,,0000,0000,0000,,mode so you can use the fast mode or the
Dialogue: 0,0:28:09.44,0:28:11.36,Default,,0000,0000,0000,,full mode in this case i'll be using the
Dialogue: 0,0:28:11.36,0:28:12.56,Default,,0000,0000,0000,,fast mode
Dialogue: 0,0:28:12.56,0:28:13.76,Default,,0000,0000,0000,,um
Dialogue: 0,0:28:13.76,0:28:15.28,Default,,0000,0000,0000,,and i'll give you a description of what
Dialogue: 0,0:28:15.28,0:28:17.28,Default,,0000,0000,0000,,what's going on here right so
Dialogue: 0,0:28:17.28,0:28:19.92,Default,,0000,0000,0000,,uh full writes the alert to the alert
Dialogue: 0,0:28:19.92,0:28:21.92,Default,,0000,0000,0000,,file with the full decoded header as
Dialogue: 0,0:28:21.92,0:28:24.72,Default,,0000,0000,0000,,well as the alert message which might be
Dialogue: 0,0:28:24.72,0:28:27.28,Default,,0000,0000,0000,,important so we can also do that as well
Dialogue: 0,0:28:27.28,0:28:29.60,Default,,0000,0000,0000,,so this was from the previous uh from
Dialogue: 0,0:28:29.60,0:28:31.76,Default,,0000,0000,0000,,the from from the snort video where we
Dialogue: 0,0:28:31.76,0:28:33.36,Default,,0000,0000,0000,,had ran uh you know where we had
Dialogue: 0,0:28:33.36,0:28:35.84,Default,,0000,0000,0000,,essentially run snort and uh you know
Dialogue: 0,0:28:35.84,0:28:38.48,Default,,0000,0000,0000,,where we were identifying various alerts
Dialogue: 0,0:28:38.48,0:28:41.92,Default,,0000,0000,0000,,so uh what we can do is uh again we will
Dialogue: 0,0:28:41.92,0:28:43.76,Default,,0000,0000,0000,,go through what needs to be created but
Dialogue: 0,0:28:43.76,0:28:45.60,Default,,0000,0000,0000,,we can run a quick test command just to
Dialogue: 0,0:28:45.60,0:28:46.88,Default,,0000,0000,0000,,see whether
Dialogue: 0,0:28:46.88,0:28:48.80,Default,,0000,0000,0000,,the the actual alerts are being logged
Dialogue: 0,0:28:48.80,0:28:50.32,Default,,0000,0000,0000,,within the alert file because we have
Dialogue: 0,0:28:50.32,0:28:53.04,Default,,0000,0000,0000,,alert dot one ideally we would only want
Dialogue: 0,0:28:53.04,0:28:55.76,Default,,0000,0000,0000,,to forward this file into splunk
Dialogue: 0,0:28:55.76,0:28:58.08,Default,,0000,0000,0000,,so uh in order to do this what i'm going
Dialogue: 0,0:28:58.08,0:29:00.08,Default,,0000,0000,0000,,to do now is i'm just going to run snort
Dialogue: 0,0:29:00.08,0:29:01.60,Default,,0000,0000,0000,,really quickly so i'm going to say sudo
Dialogue: 0,0:29:01.60,0:29:02.56,Default,,0000,0000,0000,,snort
Dialogue: 0,0:29:02.56,0:29:03.92,Default,,0000,0000,0000,,q
Dialogue: 0,0:29:03.92,0:29:06.00,Default,,0000,0000,0000,,for quiet and then
Dialogue: 0,0:29:06.00,0:29:09.36,Default,,0000,0000,0000,,the actual directory for the logs is var
Dialogue: 0,0:29:09.36,0:29:11.36,Default,,0000,0000,0000,,log snort
Dialogue: 0,0:29:11.36,0:29:12.88,Default,,0000,0000,0000,,and then we can say the interface is
Dialogue: 0,0:29:12.88,0:29:14.64,Default,,0000,0000,0000,,enp0s3
Dialogue: 0,0:29:14.64,0:29:16.24,Default,,0000,0000,0000,,again make sure to replace that with
Dialogue: 0,0:29:16.24,0:29:19.04,Default,,0000,0000,0000,,your own interface uh the alert we can
Dialogue: 0,0:29:19.04,0:29:20.32,Default,,0000,0000,0000,,say full
Dialogue: 0,0:29:20.32,0:29:23.36,Default,,0000,0000,0000,,and the configuration is etc
Dialogue: 0,0:29:23.36,0:29:25.04,Default,,0000,0000,0000,,snort
Dialogue: 0,0:29:25.04,0:29:26.40,Default,,0000,0000,0000,,dot conf
Dialogue: 0,0:29:26.40,0:29:28.32,Default,,0000,0000,0000,,i believe we had another configuration
Dialogue: 0,0:29:28.32,0:29:30.72,Default,,0000,0000,0000,,file yeah we had used the snort.conf file
Dialogue: 0,0:29:30.72,0:29:32.40,Default,,0000,0000,0000,,so i'll hit enter
Dialogue: 0,0:29:32.40,0:29:34.88,Default,,0000,0000,0000,,and now let me open up my file explorer
Dialogue: 0,0:29:34.88,0:29:35.84,Default,,0000,0000,0000,,here
Dialogue: 0,0:29:35.84,0:29:38.72,Default,,0000,0000,0000,,we take a look at the var directory
Dialogue: 0,0:29:38.72,0:29:42.24,Default,,0000,0000,0000,,under log and under snort
Dialogue: 0,0:29:42.24,0:29:44.96,Default,,0000,0000,0000,,we have alert there we are so
Dialogue: 0,0:29:44.96,0:29:47.96,Default,,0000,0000,0000,,that has been modified the last was
Dialogue: 0,0:29:47.96,0:29:51.20,Default,,0000,0000,0000,,modified uh
Dialogue: 0,0:29:51.20,0:29:53.92,Default,,0000,0000,0000,,right over there okay so that's 19 yeah
Dialogue: 0,0:29:53.92,0:29:55.68,Default,,0000,0000,0000,,so this is the last modified so i know
Dialogue: 0,0:29:55.68,0:29:58.00,Default,,0000,0000,0000,,this file is not human readable uh we
Dialogue: 0,0:29:58.00,0:30:00.40,Default,,0000,0000,0000,,are not going to be forwarding this dot log
Dialogue: 0,0:30:00.40,0:30:02.96,Default,,0000,0000,0000,,file so i'll just close that there
Dialogue: 0,0:30:02.96,0:30:05.84,Default,,0000,0000,0000,,so i'm just going to try and uh
Dialogue: 0,0:30:05.84,0:30:07.44,Default,,0000,0000,0000,,i'm just going to try and perform a few
Dialogue: 0,0:30:07.44,0:30:09.68,Default,,0000,0000,0000,,checks on the networks like a few pings
Dialogue: 0,0:30:09.68,0:30:11.76,Default,,0000,0000,0000,,just to see if that's detected
Dialogue: 0,0:30:11.76,0:30:14.08,Default,,0000,0000,0000,,uh so i'll just you know perform a ping
Dialogue: 0,0:30:14.08,0:30:15.68,Default,,0000,0000,0000,,really quickly
Dialogue: 0,0:30:15.68,0:30:17.52,Default,,0000,0000,0000,,again the alerts will not be logged on
Dialogue: 0,0:30:17.52,0:30:18.96,Default,,0000,0000,0000,,our terminal because they're being
Dialogue: 0,0:30:18.96,0:30:21.20,Default,,0000,0000,0000,,logged uh you know into the respective
Dialogue: 0,0:30:21.20,0:30:24.16,Default,,0000,0000,0000,,alert file or the alert log file so i'll
Dialogue: 0,0:30:24.16,0:30:26.08,Default,,0000,0000,0000,,just perform uh you know a few pings as
Dialogue: 0,0:30:26.08,0:30:27.68,Default,,0000,0000,0000,,i was saying which i'm doing right now
Dialogue: 0,0:30:27.68,0:30:29.52,Default,,0000,0000,0000,,on the attacker system
Dialogue: 0,0:30:29.52,0:30:31.76,Default,,0000,0000,0000,,uh once that is done let's see whether
Dialogue: 0,0:30:31.76,0:30:33.76,Default,,0000,0000,0000,,those changes are being highlighted in
Dialogue: 0,0:30:33.76,0:30:37.60,Default,,0000,0000,0000,,alert indeed they are okay so now this is
Dialogue: 0,0:30:37.60,0:30:39.92,Default,,0000,0000,0000,,um
Dialogue: 0,0:30:40.16,0:30:42.40,Default,,0000,0000,0000,,as you can see here
Dialogue: 0,0:30:42.40,0:30:45.28,Default,,0000,0000,0000,,this is the full
Dialogue: 0,0:30:45.36,0:30:48.00,Default,,0000,0000,0000,,these are so to begin with we had used
Dialogue: 0,0:30:48.00,0:30:50.40,Default,,0000,0000,0000,,the fast alert
Dialogue: 0,0:30:50.40,0:30:54.00,Default,,0000,0000,0000,,we had used the fast alert output mode
Dialogue: 0,0:30:54.00,0:30:56.08,Default,,0000,0000,0000,,and right over here we then have the
Dialogue: 0,0:30:56.08,0:30:57.04,Default,,0000,0000,0000,,full
Dialogue: 0,0:30:57.04,0:31:00.16,Default,,0000,0000,0000,,alert mode which i'm not really sure how
Dialogue: 0,0:31:00.16,0:31:01.92,Default,,0000,0000,0000,,we want to
Dialogue: 0,0:31:01.92,0:31:05.36,Default,,0000,0000,0000,,go about doing this but you can see
Dialogue: 0,0:31:05.36,0:31:07.36,Default,,0000,0000,0000,,we can actually make a few changes but
Dialogue: 0,0:31:07.36,0:31:09.60,Default,,0000,0000,0000,,what we can do is we can get rid of this
Dialogue: 0,0:31:09.60,0:31:11.44,Default,,0000,0000,0000,,traffic here
Dialogue: 0,0:31:11.44,0:31:13.52,Default,,0000,0000,0000,,but you can see the messages actually
Dialogue: 0,0:31:13.52,0:31:15.28,Default,,0000,0000,0000,,being logged so
Dialogue: 0,0:31:15.28,0:31:17.76,Default,,0000,0000,0000,,we can get rid of this here
Dialogue: 0,0:31:17.76,0:31:20.40,Default,,0000,0000,0000,,because we don't want to mix fast um we
Dialogue: 0,0:31:20.40,0:31:22.56,Default,,0000,0000,0000,,don't mix fast alerts
Dialogue: 0,0:31:22.56,0:31:24.48,Default,,0000,0000,0000,,with um
Dialogue: 0,0:31:24.48,0:31:26.08,Default,,0000,0000,0000,,we don't want to mix the alerts that
Dialogue: 0,0:31:26.08,0:31:28.80,Default,,0000,0000,0000,,were output in the fast mode uh with the
Dialogue: 0,0:31:28.80,0:31:31.52,Default,,0000,0000,0000,,full mode so we can just get rid of that
Dialogue: 0,0:31:31.52,0:31:34.16,Default,,0000,0000,0000,,there and save that
Dialogue: 0,0:31:34.16,0:31:37.84,Default,,0000,0000,0000,,so once that is done i'll just say
Dialogue: 0,0:31:37.84,0:31:40.32,Default,,0000,0000,0000,,we actually need permissions to modify
Dialogue: 0,0:31:40.32,0:31:42.00,Default,,0000,0000,0000,,that file
Dialogue: 0,0:31:42.00,0:31:45.60,Default,,0000,0000,0000,,but you know what we can do is what i am
Dialogue: 0,0:31:45.60,0:31:47.28,Default,,0000,0000,0000,,going to do actually is close without
Dialogue: 0,0:31:47.28,0:31:49.52,Default,,0000,0000,0000,,saving is i'm just going to stop snort
Dialogue: 0,0:31:49.52,0:31:50.40,Default,,0000,0000,0000,,there
Dialogue: 0,0:31:50.40,0:31:52.08,Default,,0000,0000,0000,,and i'm just going to say
Dialogue: 0,0:31:52.08,0:31:54.48,Default,,0000,0000,0000,,sudo remove var
Dialogue: 0,0:31:54.48,0:31:56.80,Default,,0000,0000,0000,,log
Dialogue: 0,0:31:56.96,0:31:59.12,Default,,0000,0000,0000,,and snort and we're going to remove
Dialogue: 0,0:31:59.12,0:32:01.36,Default,,0000,0000,0000,,alert
Dialogue: 0,0:32:01.36,0:32:02.72,Default,,0000,0000,0000,,all right and we're also going to remove
Dialogue: 0,0:32:02.72,0:32:04.24,Default,,0000,0000,0000,,alert dot one
Dialogue: 0,0:32:04.24,0:32:05.44,Default,,0000,0000,0000,,all right so i'm just going to run this
Dialogue: 0,0:32:05.44,0:32:07.04,Default,,0000,0000,0000,,again just to see if that file is
Dialogue: 0,0:32:07.04,0:32:08.24,Default,,0000,0000,0000,,generated
Dialogue: 0,0:32:08.24,0:32:11.12,Default,,0000,0000,0000,,so there we are we have alert there
Dialogue: 0,0:32:11.12,0:32:12.56,Default,,0000,0000,0000,,so now it's much cleaner so i'll just
Dialogue: 0,0:32:12.56,0:32:14.24,Default,,0000,0000,0000,,run a few pings just to make sure that
Dialogue: 0,0:32:14.24,0:32:16.48,Default,,0000,0000,0000,,the traffic is being logged all those
Dialogue: 0,0:32:16.48,0:32:18.48,Default,,0000,0000,0000,,alerts are being logged
Dialogue: 0,0:32:18.48,0:32:20.40,Default,,0000,0000,0000,,uh so there we are we have a few pings
Dialogue: 0,0:32:20.40,0:32:21.52,Default,,0000,0000,0000,,there
Dialogue: 0,0:32:21.52,0:32:24.64,Default,,0000,0000,0000,,and we can also you know just run a few
Dialogue: 0,0:32:24.64,0:32:26.96,Default,,0000,0000,0000,,checks there okay so there we are we can
Dialogue: 0,0:32:26.96,0:32:29.36,Default,,0000,0000,0000,,see that those are now being logged and
Dialogue: 0,0:32:29.36,0:32:31.52,Default,,0000,0000,0000,,of course we can change the format based
Dialogue: 0,0:32:31.52,0:32:32.32,Default,,0000,0000,0000,,on
Dialogue: 0,0:32:32.32,0:32:33.52,Default,,0000,0000,0000,,you can change it based on your
Dialogue: 0,0:32:33.52,0:32:35.04,Default,,0000,0000,0000,,requirements right
Dialogue: 0,0:32:35.04,0:32:37.84,Default,,0000,0000,0000,,so um
Dialogue: 0,0:32:38.00,0:32:39.92,Default,,0000,0000,0000,,now that that is done
Dialogue: 0,0:32:39.92,0:32:42.00,Default,,0000,0000,0000,,what we can do is we can close that up
Dialogue: 0,0:32:42.00,0:32:44.96,Default,,0000,0000,0000,,and we can actually leave snort running
Dialogue: 0,0:32:44.96,0:32:46.32,Default,,0000,0000,0000,,as is
Dialogue: 0,0:32:46.32,0:32:48.96,Default,,0000,0000,0000,,so what i'll do is i'm just going to
Dialogue: 0,0:32:48.96,0:32:51.12,Default,,0000,0000,0000,,open up another tab
Dialogue: 0,0:32:51.12,0:32:53.12,Default,,0000,0000,0000,,so i'll just you know i can say control
Dialogue: 0,0:32:53.12,0:32:54.88,Default,,0000,0000,0000,,shift d there we are
Dialogue: 0,0:32:54.88,0:32:56.80,Default,,0000,0000,0000,,and we're currently within the following
Dialogue: 0,0:32:56.80,0:33:00.16,Default,,0000,0000,0000,,directory so opt opt splunk forwarder etc
Dialogue: 0,0:33:00.16,0:33:01.52,Default,,0000,0000,0000,,system local
Dialogue: 0,0:33:01.52,0:33:03.12,Default,,0000,0000,0000,,so
Dialogue: 0,0:33:03.12,0:33:06.00,Default,,0000,0000,0000,,once that is done we now need to add
Dialogue: 0,0:33:06.00,0:33:08.08,Default,,0000,0000,0000,,uh we now need to add the files that we
Dialogue: 0,0:33:08.08,0:33:09.92,Default,,0000,0000,0000,,would like to monitor or that we would
Dialogue: 0,0:33:09.92,0:33:12.24,Default,,0000,0000,0000,,like to forward right so the log files
Dialogue: 0,0:33:12.24,0:33:15.36,Default,,0000,0000,0000,,so i'll go back into the bin directory
Dialogue: 0,0:33:15.36,0:33:17.68,Default,,0000,0000,0000,,so there we are cd bin because that's
Dialogue: 0,0:33:17.68,0:33:19.36,Default,,0000,0000,0000,,where we have the splunk binary so i'll
Dialogue: 0,0:33:19.36,0:33:20.96,Default,,0000,0000,0000,,say sudo
Dialogue: 0,0:33:20.96,0:33:22.00,Default,,0000,0000,0000,,um
Dialogue: 0,0:33:22.00,0:33:24.40,Default,,0000,0000,0000,,splunk
Dialogue: 0,0:33:24.40,0:33:28.32,Default,,0000,0000,0000,,and we can say add monitor
Dialogue: 0,0:33:28.32,0:33:30.72,Default,,0000,0000,0000,,and the file that we want to forward is
Dialogue: 0,0:33:30.72,0:33:34.40,Default,,0000,0000,0000,,under var log snort and it is just alert
Dialogue: 0,0:33:34.40,0:33:36.56,Default,,0000,0000,0000,,right so that's all that's really all
Dialogue: 0,0:33:36.56,0:33:38.72,Default,,0000,0000,0000,,that we want to do right
Dialogue: 0,0:33:38.72,0:33:41.60,Default,,0000,0000,0000,,and we can also utilize the fast alerts
Dialogue: 0,0:33:41.60,0:33:44.40,Default,,0000,0000,0000,,but let's just do this for now
Dialogue: 0,0:33:44.40,0:33:46.40,Default,,0000,0000,0000,,and we only want the alerts we don't
Dialogue: 0,0:33:46.40,0:33:48.32,Default,,0000,0000,0000,,want the actual log files that contain
Dialogue: 0,0:33:48.32,0:33:53.84,Default,,0000,0000,0000,,the packets themselves so i'll hit enter
Dialogue: 0,0:33:54.48,0:33:56.40,Default,,0000,0000,0000,,all right so it's now going to forward
Dialogue: 0,0:33:56.40,0:33:58.96,Default,,0000,0000,0000,,those alerts into splunk which pretty
Dialogue: 0,0:33:58.96,0:34:02.16,Default,,0000,0000,0000,,much means that on our end we are done
Dialogue: 0,0:34:02.16,0:34:04.00,Default,,0000,0000,0000,,however we still need to check one more
Dialogue: 0,0:34:04.00,0:34:05.84,Default,,0000,0000,0000,,configuration file so i'll just take a
Dialogue: 0,0:34:05.84,0:34:08.00,Default,,0000,0000,0000,,step back here and we'll head over into
Dialogue: 0,0:34:08.00,0:34:10.88,Default,,0000,0000,0000,,the etc directory under apps
Dialogue: 0,0:34:10.88,0:34:13.12,Default,,0000,0000,0000,,and search
Dialogue: 0,0:34:13.12,0:34:15.52,Default,,0000,0000,0000,,and then into local
Dialogue: 0,0:34:15.52,0:34:16.72,Default,,0000,0000,0000,,i think we'll need root
Dialogue: 0,0:34:16.72,0:34:18.32,Default,,0000,0000,0000,,permissions to access this so i'll just
Dialogue: 0,0:34:18.32,0:34:20.08,Default,,0000,0000,0000,,switch to the root user and head over
Dialogue: 0,0:34:20.08,0:34:21.52,Default,,0000,0000,0000,,into local
Dialogue: 0,0:34:21.52,0:34:24.40,Default,,0000,0000,0000,,and we're looking for the inputs dot
Dialogue: 0,0:34:24.40,0:34:26.56,Default,,0000,0000,0000,,conf file
Dialogue: 0,0:34:26.56,0:34:28.08,Default,,0000,0000,0000,,uh right so we need to actually
Dialogue: 0,0:34:28.08,0:34:29.76,Default,,0000,0000,0000,,configure this because this is very
Dialogue: 0,0:34:29.76,0:34:31.04,Default,,0000,0000,0000,,important so
Dialogue: 0,0:34:31.04,0:34:35.12,Default,,0000,0000,0000,,uh the first thing we want to do is let
Dialogue: 0,0:34:35.12,0:34:35.92,Default,,0000,0000,0000,,us
Dialogue: 0,0:34:35.92,0:34:38.64,Default,,0000,0000,0000,,add a new line here and within the
Dialogue: 0,0:34:38.64,0:34:41.44,Default,,0000,0000,0000,,square brackets i'll just say splunk
Dialogue: 0,0:34:41.44,0:34:44.24,Default,,0000,0000,0000,,uh tcp
Dialogue: 0,0:34:44.24,0:34:46.40,Default,,0000,0000,0000,,and we then want to specify the port so
Dialogue: 0,0:34:46.40,0:34:48.40,Default,,0000,0000,0000,,9997
Dialogue: 0,0:34:48.40,0:34:49.68,Default,,0000,0000,0000,,let me make sure i type that in
Dialogue: 0,0:34:49.68,0:34:51.52,Default,,0000,0000,0000,,correctly
Dialogue: 0,0:34:51.52,0:34:54.24,Default,,0000,0000,0000,,we then need to actually put in the
Dialogue: 0,0:34:54.24,0:34:56.96,Default,,0000,0000,0000,,connection
Dialogue: 0,0:34:56.96,0:35:01.20,Default,,0000,0000,0000,,um so the connection host so connection
Dialogue: 0,0:35:01.20,0:35:03.44,Default,,0000,0000,0000,,host is going to be equal to the ip
Dialogue: 0,0:35:03.44,0:35:05.28,Default,,0000,0000,0000,,address of the splunk
Dialogue: 0,0:35:05.28,0:35:06.56,Default,,0000,0000,0000,,server
Dialogue: 0,0:35:06.56,0:35:08.96,Default,,0000,0000,0000,,so i'll just copy that there paste that
Dialogue: 0,0:35:08.96,0:35:11.28,Default,,0000,0000,0000,,in there
Dialogue: 0,0:35:11.28,0:35:14.00,Default,,0000,0000,0000,,once that is done
Dialogue: 0,0:35:14.00,0:35:16.32,Default,,0000,0000,0000,,this is fine here disabled is set to
Dialogue: 0,0:35:16.32,0:35:19.04,Default,,0000,0000,0000,,false we want index is going to be equal
Dialogue: 0,0:35:19.04,0:35:20.32,Default,,0000,0000,0000,,to main
Dialogue: 0,0:35:20.32,0:35:23.68,Default,,0000,0000,0000,,and then the source type
Dialogue: 0,0:35:23.68,0:35:26.56,Default,,0000,0000,0000,,is going to be equal to snort
Dialogue: 0,0:35:26.56,0:35:27.52,Default,,0000,0000,0000,,alert
Dialogue: 0,0:35:27.52,0:35:28.96,Default,,0000,0000,0000,,full
Dialogue: 0,0:35:28.96,0:35:31.28,Default,,0000,0000,0000,,and we can then say the source is equal
Dialogue: 0,0:35:31.28,0:35:33.04,Default,,0000,0000,0000,,to snort all right so this is a very
Dialogue: 0,0:35:33.04,0:35:35.28,Default,,0000,0000,0000,,important configuration so let me just
Dialogue: 0,0:35:35.28,0:35:36.64,Default,,0000,0000,0000,,go through those options or
Dialogue: 0,0:35:36.64,0:35:38.64,Default,,0000,0000,0000,,configurations again we have the splunk
Dialogue: 0,0:35:38.64,0:35:40.32,Default,,0000,0000,0000,,tcp option
Dialogue: 0,0:35:40.32,0:35:42.88,Default,,0000,0000,0000,,uh we then have the actual connection
Dialogue: 0,0:35:42.88,0:35:45.52,Default,,0000,0000,0000,,host the monitor is set correctly to
Dialogue: 0,0:35:45.52,0:35:46.64,Default,,0000,0000,0000,,that file
Dialogue: 0,0:35:46.64,0:35:49.52,Default,,0000,0000,0000,,uh it's enabled index equals main source
Dialogue: 0,0:35:49.52,0:35:51.68,Default,,0000,0000,0000,,type equals snort alert full source is
Dialogue: 0,0:35:51.68,0:35:53.68,Default,,0000,0000,0000,,equal to snort fantastic so we'll write
Dialogue: 0,0:35:53.68,0:35:54.72,Default,,0000,0000,0000,,in quit
Dialogue: 0,0:35:54.72,0:35:57.04,Default,,0000,0000,0000,,uh once this is done
Dialogue: 0,0:35:57.04,0:35:58.72,Default,,0000,0000,0000,,we'll need to restart splunk so i'll
Dialogue: 0,0:35:58.72,0:36:00.80,Default,,0000,0000,0000,,switch back to my user lexis here and
Dialogue: 0,0:36:00.80,0:36:04.56,Default,,0000,0000,0000,,we'll navigate back to the bin directory
Dialogue: 0,0:36:04.56,0:36:06.40,Default,,0000,0000,0000,,so i'll say cd bin
Dialogue: 0,0:36:06.40,0:36:08.80,Default,,0000,0000,0000,,and we'll say sudo
Dialogue: 0,0:36:08.80,0:36:11.68,Default,,0000,0000,0000,,let me say splunk and we can then say
Dialogue: 0,0:36:11.68,0:36:13.44,Default,,0000,0000,0000,,restart
Dialogue: 0,0:36:13.44,0:36:15.68,Default,,0000,0000,0000,,all right hit enter
Dialogue: 0,0:36:15.68,0:36:18.32,Default,,0000,0000,0000,,it's going to stop the splunk daemon
Dialogue: 0,0:36:18.32,0:36:19.68,Default,,0000,0000,0000,,shutting it down
Dialogue: 0,0:36:19.68,0:36:22.16,Default,,0000,0000,0000,,restart it and it's done successfully so
Dialogue: 0,0:36:22.16,0:36:24.56,Default,,0000,0000,0000,,all the checks were completed without
Dialogue: 0,0:36:24.56,0:36:27.12,Default,,0000,0000,0000,,any issue all right so
Dialogue: 0,0:36:27.12,0:36:29.04,Default,,0000,0000,0000,,now that this is done we can actually go
Dialogue: 0,0:36:29.04,0:36:31.44,Default,,0000,0000,0000,,back into splunk here and we'll navigate
Dialogue: 0,0:36:31.44,0:36:33.28,Default,,0000,0000,0000,,to the dashboard
Dialogue: 0,0:36:33.28,0:36:35.84,Default,,0000,0000,0000,,uh this is your splunk server right
Dialogue: 0,0:36:35.84,0:36:37.44,Default,,0000,0000,0000,,and let's take a look at the messages
Dialogue: 0,0:36:37.44,0:36:39.92,Default,,0000,0000,0000,,here that's just uh a few updates we
Dialogue: 0,0:36:39.92,0:36:41.92,Default,,0000,0000,0000,,don't need to do anything there so if we
Dialogue: 0,0:36:41.92,0:36:43.12,Default,,0000,0000,0000,,click on
Dialogue: 0,0:36:43.12,0:36:45.60,Default,,0000,0000,0000,,search and reporting just to verify that
Dialogue: 0,0:36:45.60,0:36:47.84,Default,,0000,0000,0000,,that data has indeed been forwarded i'll
Dialogue: 0,0:36:47.84,0:36:49.28,Default,,0000,0000,0000,,just skip through this if we click on
Dialogue: 0,0:36:49.28,0:36:51.04,Default,,0000,0000,0000,,data summary
Dialogue: 0,0:36:51.04,0:36:52.88,Default,,0000,0000,0000,,under sources you should see that we
Dialogue: 0,0:36:52.88,0:36:55.68,Default,,0000,0000,0000,,have the host and in my case the name of
Dialogue: 0,0:36:55.68,0:36:58.64,Default,,0000,0000,0000,,the system is black box so that should
Dialogue: 0,0:36:58.64,0:37:01.12,Default,,0000,0000,0000,,be reflected there so there we are black
Dialogue: 0,0:37:01.12,0:37:03.28,Default,,0000,0000,0000,,box we have 42
Dialogue: 0,0:37:03.28,0:37:06.80,Default,,0000,0000,0000,,logs or alerts if you will sources 42 we
Dialogue: 0,0:37:06.80,0:37:08.64,Default,,0000,0000,0000,,can click on that there to just see the
Dialogue: 0,0:37:08.64,0:37:11.28,Default,,0000,0000,0000,,data that has been logged indeed we can
Dialogue: 0,0:37:11.28,0:37:13.04,Default,,0000,0000,0000,,see that has been done correctly so
Dialogue: 0,0:37:13.04,0:37:14.88,Default,,0000,0000,0000,,source type is alert
Dialogue: 0,0:37:14.88,0:37:17.28,Default,,0000,0000,0000,,uh we can see that it's imported you
Dialogue: 0,0:37:17.28,0:37:19.44,Default,,0000,0000,0000,,know pretty much all the data or the you
Dialogue: 0,0:37:19.44,0:37:21.12,Default,,0000,0000,0000,,know these are the this is the full log
Dialogue: 0,0:37:21.12,0:37:23.60,Default,,0000,0000,0000,,whereby we have the reference to that
Dialogue: 0,0:37:23.60,0:37:24.88,Default,,0000,0000,0000,,there
Dialogue: 0,0:37:24.88,0:37:26.80,Default,,0000,0000,0000,,uh that's weird i didn't actually run
Dialogue: 0,0:37:26.80,0:37:30.24,Default,,0000,0000,0000,,anything weird uh but uh there you go
Dialogue: 0,0:37:30.24,0:37:32.72,Default,,0000,0000,0000,,um so now that this is done uh you can
Dialogue: 0,0:37:32.72,0:37:34.88,Default,,0000,0000,0000,,use splunk to essentially visualize this
Dialogue: 0,0:37:34.88,0:37:36.80,Default,,0000,0000,0000,,data you know however you want so you
Dialogue: 0,0:37:36.80,0:37:39.36,Default,,0000,0000,0000,,know i can go into visualization
Dialogue: 0,0:37:39.36,0:37:42.24,Default,,0000,0000,0000,,uh and we can click on maybe we can
Dialogue: 0,0:37:42.24,0:37:44.72,Default,,0000,0000,0000,,create a um
Dialogue: 0,0:37:44.72,0:37:46.88,Default,,0000,0000,0000,,we can select a few fields so if i go
Dialogue: 0,0:37:46.88,0:37:50.24,Default,,0000,0000,0000,,back into the events here i can select a
Dialogue: 0,0:37:50.24,0:37:52.24,Default,,0000,0000,0000,,few fields that i want displayed here
Dialogue: 0,0:37:52.24,0:37:54.32,Default,,0000,0000,0000,,and i can you know essentially extract
Dialogue: 0,0:37:54.32,0:37:57.04,Default,,0000,0000,0000,,the fields that i want with regex
Dialogue: 0,0:37:57.04,0:37:57.92,Default,,0000,0000,0000,,but
Dialogue: 0,0:37:57.92,0:37:59.68,Default,,0000,0000,0000,,i don't think this is necessary in this
Dialogue: 0,0:37:59.68,0:38:01.52,Default,,0000,0000,0000,,point because if we actually go back to
Dialogue: 0,0:38:01.52,0:38:03.60,Default,,0000,0000,0000,,the dashboard
Dialogue: 0,0:38:03.60,0:38:06.16,Default,,0000,0000,0000,,and we click on
Dialogue: 0,0:38:06.16,0:38:10.08,Default,,0000,0000,0000,,let's see splunk snort alert for splunk
Dialogue: 0,0:38:10.08,0:38:11.44,Default,,0000,0000,0000,,let's see if this is actually whether
Dialogue: 0,0:38:11.44,0:38:15.20,Default,,0000,0000,0000,,this automates that process for us
Dialogue: 0,0:38:15.20,0:38:17.28,Default,,0000,0000,0000,,uh there we are actually it looks like
Dialogue: 0,0:38:17.28,0:38:21.60,Default,,0000,0000,0000,,it does so um classification bad traffic
Dialogue: 0,0:38:21.60,0:38:24.16,Default,,0000,0000,0000,,so it looks like that is working
Dialogue: 0,0:38:24.16,0:38:26.40,Default,,0000,0000,0000,,so what we can do now
Dialogue: 0,0:38:26.40,0:38:28.72,Default,,0000,0000,0000,,is run a few
Dialogue: 0,0:38:28.72,0:38:31.28,Default,,0000,0000,0000,,uh we can actually utilize this script
Dialogue: 0,0:38:31.28,0:38:33.52,Default,,0000,0000,0000,,here the
Dialogue: 0,0:38:33.52,0:38:37.12,Default,,0000,0000,0000,,uh the test my nids script here so all
Dialogue: 0,0:38:37.12,0:38:39.44,Default,,0000,0000,0000,,you need to do to run it is just copy
Dialogue: 0,0:38:39.44,0:38:41.52,Default,,0000,0000,0000,,this one liner script here or this
Dialogue: 0,0:38:41.52,0:38:43.20,Default,,0000,0000,0000,,command that will download it into your
Dialogue: 0,0:38:43.20,0:38:46.00,Default,,0000,0000,0000,,tmp directory and will then execute it
Dialogue: 0,0:38:46.00,0:38:49.20,Default,,0000,0000,0000,,so you know to execute it within your
Dialogue: 0,0:38:49.20,0:38:51.60,Default,,0000,0000,0000,,temp directory you can just uh execute
Dialogue: 0,0:38:51.60,0:38:53.04,Default,,0000,0000,0000,,the actual
Dialogue: 0,0:38:53.04,0:38:54.40,Default,,0000,0000,0000,,um
Dialogue: 0,0:38:54.40,0:38:56.24,Default,,0000,0000,0000,,you know the actual binary there it is a
Dialogue: 0,0:38:56.24,0:38:58.80,Default,,0000,0000,0000,,binary not a script
Dialogue: 0,0:38:58.80,0:39:01.28,Default,,0000,0000,0000,,and uh once that is done you can then
Dialogue: 0,0:39:01.28,0:39:03.52,Default,,0000,0000,0000,,select the option here so let me just do
Dialogue: 0,0:39:03.52,0:39:05.92,Default,,0000,0000,0000,,that on my attacker system
Dialogue: 0,0:39:05.92,0:39:08.88,Default,,0000,0000,0000,,i'm just gonna run it one more time so
Dialogue: 0,0:39:08.88,0:39:14.36,Default,,0000,0000,0000,,um just going to say ls here and
Dialogue: 0,0:39:16.16,0:39:18.96,Default,,0000,0000,0000,,if i uh open up the documentation so
Dialogue: 0,0:39:18.96,0:39:21.84,Default,,0000,0000,0000,,firstly i will
Dialogue: 0,0:39:21.84,0:39:23.44,Default,,0000,0000,0000,,i will run
Dialogue: 0,0:39:23.44,0:39:26.64,Default,,0000,0000,0000,,a quick linux uid check so
Dialogue: 0,0:39:26.64,0:39:28.96,Default,,0000,0000,0000,,i'll just hit enter
Dialogue: 0,0:39:28.96,0:39:31.28,Default,,0000,0000,0000,,okay that is done i'll then perform a
Dialogue: 0,0:39:31.28,0:39:35.12,Default,,0000,0000,0000,,http basic authentication
Dialogue: 0,0:39:35.12,0:39:37.84,Default,,0000,0000,0000,,and a malware user agent so i'm doing
Dialogue: 0,0:39:37.84,0:39:40.64,Default,,0000,0000,0000,,that right now
Dialogue: 0,0:39:40.84,0:39:46.00,Default,,0000,0000,0000,,okay and we can run one more here so
Dialogue: 0,0:39:46.00,0:39:48.72,Default,,0000,0000,0000,,uh let's see let's see let's see uh we
Dialogue: 0,0:39:48.72,0:39:51.52,Default,,0000,0000,0000,,can try exe or dll download over http
Dialogue: 0,0:39:51.52,0:39:55.28,Default,,0000,0000,0000,,that is surely going to be um
Dialogue: 0,0:39:55.28,0:39:57.04,Default,,0000,0000,0000,,logged
Dialogue: 0,0:39:57.04,0:39:59.84,Default,,0000,0000,0000,,or that's going to trigger an alert
Dialogue: 0,0:39:59.84,0:40:00.64,Default,,0000,0000,0000,,so
Dialogue: 0,0:40:00.64,0:40:03.04,Default,,0000,0000,0000,,uh do we have uh that is running all
Dialogue: 0,0:40:03.04,0:40:05.28,Default,,0000,0000,0000,,right so snort is running that's great
Dialogue: 0,0:40:05.28,0:40:08.08,Default,,0000,0000,0000,,uh so we know that the log is being uh
Dialogue: 0,0:40:08.08,0:40:10.24,Default,,0000,0000,0000,,the actual alerts are being forwarded
Dialogue: 0,0:40:10.24,0:40:12.96,Default,,0000,0000,0000,,absolutely fantastic so let's go back in
Dialogue: 0,0:40:12.96,0:40:15.04,Default,,0000,0000,0000,,here i've already run those
Dialogue: 0,0:40:15.04,0:40:18.40,Default,,0000,0000,0000,,uh those particular checks
Dialogue: 0,0:40:18.40,0:40:20.16,Default,,0000,0000,0000,,so let me just refresh this i know it
Dialogue: 0,0:40:20.16,0:40:22.16,Default,,0000,0000,0000,,usually takes a couple of seconds to a
Dialogue: 0,0:40:22.16,0:40:24.40,Default,,0000,0000,0000,,couple of minutes but that data should
Dialogue: 0,0:40:24.40,0:40:26.24,Default,,0000,0000,0000,,start should actually be reflected there
Dialogue: 0,0:40:26.24,0:40:28.16,Default,,0000,0000,0000,,we are fantastic so
Dialogue: 0,0:40:28.16,0:40:31.12,Default,,0000,0000,0000,,uh we can see that uh you know firstly
Dialogue: 0,0:40:31.12,0:40:32.88,Default,,0000,0000,0000,,i'll just explain the dashboard here
Dialogue: 0,0:40:32.88,0:40:33.76,Default,,0000,0000,0000,,because
Dialogue: 0,0:40:33.76,0:40:36.16,Default,,0000,0000,0000,,uh this dashboard is automatically you
Dialogue: 0,0:40:36.16,0:40:38.00,Default,,0000,0000,0000,,know set up for you by the snort app
Dialogue: 0,0:40:38.00,0:40:39.92,Default,,0000,0000,0000,,which is really awesome as i said you
Dialogue: 0,0:40:39.92,0:40:41.44,Default,,0000,0000,0000,,don't need to go through that process
Dialogue: 0,0:40:41.44,0:40:42.56,Default,,0000,0000,0000,,yourself
Dialogue: 0,0:40:42.56,0:40:44.56,Default,,0000,0000,0000,,so the first graph here essentially
Dialogue: 0,0:40:44.56,0:40:46.40,Default,,0000,0000,0000,,tells you your events
Dialogue: 0,0:40:46.40,0:40:48.56,Default,,0000,0000,0000,,uh and and it also displays uh you know
Dialogue: 0,0:40:48.56,0:40:50.40,Default,,0000,0000,0000,,the total number of sources so you can
Dialogue: 0,0:40:50.40,0:40:52.56,Default,,0000,0000,0000,,see that there you also have the time
Dialogue: 0,0:40:52.56,0:40:54.48,Default,,0000,0000,0000,,uh and you saw you have your events and
Dialogue: 0,0:40:54.48,0:40:56.08,Default,,0000,0000,0000,,then the timeline here and you can
Dialogue: 0,0:40:56.08,0:40:58.88,Default,,0000,0000,0000,,essentially you know view a trend or the
Dialogue: 0,0:40:58.88,0:41:01.68,Default,,0000,0000,0000,,trend of uh of events there you then
Dialogue: 0,0:41:01.68,0:41:04.88,Default,,0000,0000,0000,,have the top uh the top source countries
Dialogue: 0,0:41:04.88,0:41:07.04,Default,,0000,0000,0000,,right over here and if i just run
Dialogue: 0,0:41:07.04,0:41:08.72,Default,,0000,0000,0000,,another check really quickly here
Dialogue: 0,0:41:08.72,0:41:11.12,Default,,0000,0000,0000,,through the nids website
Dialogue: 0,0:41:11.12,0:41:14.72,Default,,0000,0000,0000,,so uh let me just run the curl command
Dialogue: 0,0:41:14.72,0:41:16.64,Default,,0000,0000,0000,,uh you should actually see that because
Dialogue: 0,0:41:16.64,0:41:19.28,Default,,0000,0000,0000,,we are reaching out to uh you know a
Dialogue: 0,0:41:19.28,0:41:21.28,Default,,0000,0000,0000,,connection made to an external server
Dialogue: 0,0:41:21.28,0:41:23.68,Default,,0000,0000,0000,,that it should reflect that info under
Dialogue: 0,0:41:23.68,0:41:25.76,Default,,0000,0000,0000,,the top countries the top source
Dialogue: 0,0:41:25.76,0:41:26.80,Default,,0000,0000,0000,,countries
Dialogue: 0,0:41:26.80,0:41:28.80,Default,,0000,0000,0000,,so uh we then have the events here which
Dialogue: 0,0:41:28.80,0:41:31.28,Default,,0000,0000,0000,,uh you know you can click on um and then
Dialogue: 0,0:41:31.28,0:41:33.12,Default,,0000,0000,0000,,of course you have the sources
Dialogue: 0,0:41:33.12,0:41:36.08,Default,,0000,0000,0000,,so these are the uh snort event types
Dialogue: 0,0:41:36.08,0:41:37.76,Default,,0000,0000,0000,,and these are actually the
Dialogue: 0,0:41:37.76,0:41:39.68,Default,,0000,0000,0000,,classification so we can see potentially
Dialogue: 0,0:41:39.68,0:41:42.64,Default,,0000,0000,0000,,bad traffic attempted information leak
Dialogue: 0,0:41:42.64,0:41:44.72,Default,,0000,0000,0000,,and you know you can just refresh your
Dialogue: 0,0:41:44.72,0:41:47.44,Default,,0000,0000,0000,,dashboard to get the latest
Dialogue: 0,0:41:47.44,0:41:49.36,Default,,0000,0000,0000,,so we'll give that a couple of seconds
Dialogue: 0,0:41:49.36,0:41:52.00,Default,,0000,0000,0000,,and you can also specify the actual uh
Dialogue: 0,0:41:52.00,0:41:53.60,Default,,0000,0000,0000,,interval period
Dialogue: 0,0:41:53.60,0:41:56.40,Default,,0000,0000,0000,,so uh i'll just wait for this uh let's
Dialogue: 0,0:41:56.40,0:41:58.88,Default,,0000,0000,0000,,see if it's actually being logged or
Dialogue: 0,0:41:58.88,0:42:00.32,Default,,0000,0000,0000,,whether we can see all of that so i'll
Dialogue: 0,0:42:00.32,0:42:04.00,Default,,0000,0000,0000,,just go back into the dashboard here
Dialogue: 0,0:42:04.00,0:42:04.80,Default,,0000,0000,0000,,and
Dialogue: 0,0:42:04.80,0:42:07.36,Default,,0000,0000,0000,,we'll go into search and reporting and
Dialogue: 0,0:42:07.36,0:42:09.92,Default,,0000,0000,0000,,if we click on the actual
Dialogue: 0,0:42:09.92,0:42:13.04,Default,,0000,0000,0000,,data summary and the sources uh we can
Dialogue: 0,0:42:13.04,0:42:15.36,Default,,0000,0000,0000,,see we have snort there and then var
Dialogue: 0,0:42:15.36,0:42:19.52,Default,,0000,0000,0000,,snort alert so we click on snort there
Dialogue: 0,0:42:19.52,0:42:22.00,Default,,0000,0000,0000,,okay so this is bad traffic that's
Dialogue: 0,0:42:22.00,0:42:25.44,Default,,0000,0000,0000,,really weird because
Dialogue: 0,0:42:26.08,0:42:27.92,Default,,0000,0000,0000,,the source is not we had added two
Dialogue: 0,0:42:27.92,0:42:29.52,Default,,0000,0000,0000,,sources there
Dialogue: 0,0:42:29.52,0:42:32.72,Default,,0000,0000,0000,,so data summary
Dialogue: 0,0:42:32.72,0:42:34.80,Default,,0000,0000,0000,,let me just click on that there and if
Dialogue: 0,0:42:34.80,0:42:36.96,Default,,0000,0000,0000,,we click on these sources there this is
Dialogue: 0,0:42:36.96,0:42:40.80,Default,,0000,0000,0000,,the one that we want ideally
Dialogue: 0,0:42:43.20,0:42:46.08,Default,,0000,0000,0000,,yeah so that looks like uh the correct
Dialogue: 0,0:42:46.08,0:42:48.72,Default,,0000,0000,0000,,one there
Dialogue: 0,0:42:49.60,0:42:51.68,Default,,0000,0000,0000,,yeah that's the correct traffic um uh i
Dialogue: 0,0:42:51.68,0:42:55.12,Default,,0000,0000,0000,,think that's why uh the actual uh let me Dialogue: 
0,0:42:55.12,0:42:56.96,Default,,0000,0000,0000,,see if i can find so snot alert for Dialogue: 0,0:42:56.96,0:43:00.64,Default,,0000,0000,0000,,splunk let me click on the app there Dialogue: 0,0:43:02.48,0:43:04.16,Default,,0000,0000,0000,,show filters it should be displaying Dialogue: 0,0:43:04.16,0:43:06.40,Default,,0000,0000,0000,,much more than that because i know yeah Dialogue: 0,0:43:06.40,0:43:08.32,Default,,0000,0000,0000,,they're not just four Dialogue: 0,0:43:08.32,0:43:09.92,Default,,0000,0000,0000,,so Dialogue: 0,0:43:09.92,0:43:12.64,Default,,0000,0000,0000,,uh if we actually head over into the Dialogue: 0,0:43:12.64,0:43:16.56,Default,,0000,0000,0000,,uh snot event search here Dialogue: 0,0:43:18.48,0:43:20.80,Default,,0000,0000,0000,,we can actually search for uh you know Dialogue: 0,0:43:20.80,0:43:25.36,Default,,0000,0000,0000,,we can utilize uh yeah so these are only Dialogue: 0,0:43:25.36,0:43:28.40,Default,,0000,0000,0000,,this is only monitoring the pings so Dialogue: 0,0:43:28.40,0:43:30.24,Default,,0000,0000,0000,,that's weird i'm not really sure why we Dialogue: 0,0:43:30.24,0:43:32.32,Default,,0000,0000,0000,,have two data sources i think it's to do Dialogue: 0,0:43:32.32,0:43:33.84,Default,,0000,0000,0000,,with the fact Dialogue: 0,0:43:33.84,0:43:37.04,Default,,0000,0000,0000,,uh that uh you know we had so let me Dialogue: 0,0:43:37.04,0:43:39.52,Default,,0000,0000,0000,,just go back here Dialogue: 0,0:43:39.52,0:43:42.64,Default,,0000,0000,0000,,apps search and sudo root Dialogue: 0,0:43:42.64,0:43:46.72,Default,,0000,0000,0000,,let me just check that here so cd local Dialogue: 0,0:43:46.72,0:43:47.84,Default,,0000,0000,0000,,vim Dialogue: 0,0:43:47.84,0:43:50.64,Default,,0000,0000,0000,,inputs dot look so there we are so the Dialogue: 0,0:43:50.64,0:43:53.28,Default,,0000,0000,0000,,source is snort Dialogue: 0,0:43:53.28,0:43:56.08,Default,,0000,0000,0000,,we already specified the source as not Dialogue: 
0,0:43:56.08,0:43:57.60,Default,,0000,0000,0000,,there Dialogue: 0,0:43:57.60,0:43:59.52,Default,,0000,0000,0000,,but it's all it's adding Dialogue: 0,0:43:59.52,0:44:02.32,Default,,0000,0000,0000,,this particular you know the alert as uh Dialogue: 0,0:44:02.32,0:44:04.16,Default,,0000,0000,0000,,as a source as well Dialogue: 0,0:44:04.16,0:44:06.40,Default,,0000,0000,0000,,and then this the source type is not Dialogue: 0,0:44:06.40,0:44:09.04,Default,,0000,0000,0000,,alert full index main yeah that that Dialogue: 0,0:44:09.04,0:44:10.56,Default,,0000,0000,0000,,should be working that should be working Dialogue: 0,0:44:10.56,0:44:12.32,Default,,0000,0000,0000,,without any issues i'm not really sure Dialogue: 0,0:44:12.32,0:44:14.08,Default,,0000,0000,0000,,why that is the case but Dialogue: 0,0:44:14.08,0:44:16.48,Default,,0000,0000,0000,,we can actually customize what data set Dialogue: 0,0:44:16.48,0:44:18.00,Default,,0000,0000,0000,,we want to use Dialogue: 0,0:44:18.00,0:44:19.36,Default,,0000,0000,0000,,so uh Dialogue: 0,0:44:19.36,0:44:21.52,Default,,0000,0000,0000,,i think let me actually showcase how to Dialogue: 0,0:44:21.52,0:44:23.36,Default,,0000,0000,0000,,do that right now Dialogue: 0,0:44:23.36,0:44:25.84,Default,,0000,0000,0000,,um so apologies about that i actually Dialogue: 0,0:44:25.84,0:44:27.60,Default,,0000,0000,0000,,figured out what the issue was it was Dialogue: 0,0:44:27.60,0:44:30.32,Default,,0000,0000,0000,,because the system i was running Dialogue: 0,0:44:30.32,0:44:32.08,Default,,0000,0000,0000,,uh this particular Dialogue: 0,0:44:32.08,0:44:34.56,Default,,0000,0000,0000,,attacks from wasn't even connected to Dialogue: 0,0:44:34.56,0:44:36.80,Default,,0000,0000,0000,,the local network Dialogue: 0,0:44:36.80,0:44:38.88,Default,,0000,0000,0000,,and even though i was running these Dialogue: 0,0:44:38.88,0:44:41.04,Default,,0000,0000,0000,,these attacks i did realize that of Dialogue: 0,0:44:41.04,0:44:42.64,Default,,0000,0000,0000,,course 
they weren't working so i'm just Dialogue: 0,0:44:42.64,0:44:44.88,Default,,0000,0000,0000,,gonna i've just reconnected it Dialogue: 0,0:44:44.88,0:44:47.36,Default,,0000,0000,0000,,and what i'm gonna do is i'm just gonna Dialogue: 0,0:44:47.36,0:44:49.60,Default,,0000,0000,0000,,run this one more time Dialogue: 0,0:44:49.60,0:44:53.36,Default,,0000,0000,0000,,so just give me a second here and i'll Dialogue: 0,0:44:53.36,0:44:56.32,Default,,0000,0000,0000,,be able to do that one more time so Dialogue: 0,0:44:56.32,0:44:58.56,Default,,0000,0000,0000,,let me just navigate to that particular Dialogue: 0,0:44:58.56,0:45:00.08,Default,,0000,0000,0000,,directory Dialogue: 0,0:45:00.08,0:45:01.04,Default,,0000,0000,0000,,and Dialogue: 0,0:45:01.04,0:45:02.48,Default,,0000,0000,0000,,we'll actually see whether this will Dialogue: 0,0:45:02.48,0:45:04.40,Default,,0000,0000,0000,,work so Dialogue: 0,0:45:04.40,0:45:06.00,Default,,0000,0000,0000,,you can actually see there's much more Dialogue: 0,0:45:06.00,0:45:07.92,Default,,0000,0000,0000,,uh that's been captured in regards to Dialogue: 0,0:45:07.92,0:45:10.16,Default,,0000,0000,0000,,events and i'll be explaining this Dialogue: 0,0:45:10.16,0:45:12.48,Default,,0000,0000,0000,,dashboard in a couple of seconds Dialogue: 0,0:45:12.48,0:45:13.36,Default,,0000,0000,0000,,so Dialogue: 0,0:45:13.36,0:45:14.96,Default,,0000,0000,0000,,let me just uh Dialogue: 0,0:45:14.96,0:45:17.36,Default,,0000,0000,0000,,launch that first attack there so that Dialogue: 0,0:45:17.36,0:45:19.44,Default,,0000,0000,0000,,you know let me just launch that first Dialogue: 0,0:45:19.44,0:45:22.24,Default,,0000,0000,0000,,uh type of check and of course i'm using Dialogue: 0,0:45:22.24,0:45:26.40,Default,,0000,0000,0000,,test my nids here so uh unfortunately Dialogue: 0,0:45:26.40,0:45:28.00,Default,,0000,0000,0000,,that wasn't even being logged which is Dialogue: 0,0:45:28.00,0:45:30.00,Default,,0000,0000,0000,,why i was a bit confused as to why those 
Dialogue: 0,0:45:30.00,0:45:32.80,Default,,0000,0000,0000,,logs are not being displayed here Dialogue: 0,0:45:32.80,0:45:35.52,Default,,0000,0000,0000,,so i'll give that a couple of seconds Dialogue: 0,0:45:35.52,0:45:36.80,Default,,0000,0000,0000,,and Dialogue: 0,0:45:36.80,0:45:38.88,Default,,0000,0000,0000,,we'll be able to see this happen Dialogue: 0,0:45:38.88,0:45:41.92,Default,,0000,0000,0000,,in real time as well Dialogue: 0,0:45:41.92,0:45:44.56,Default,,0000,0000,0000,,all right so that is done so i've Dialogue: 0,0:45:44.56,0:45:46.32,Default,,0000,0000,0000,,essentially launched a couple of those Dialogue: 0,0:45:46.32,0:45:48.32,Default,,0000,0000,0000,,tests and uh Dialogue: 0,0:45:48.32,0:45:50.64,Default,,0000,0000,0000,,this as i said this is your default uh Dialogue: 0,0:45:50.64,0:45:52.56,Default,,0000,0000,0000,,dashboard that you're provided with here Dialogue: 0,0:45:52.56,0:45:53.52,Default,,0000,0000,0000,,so Dialogue: 0,0:45:53.52,0:45:55.76,Default,,0000,0000,0000,,um you know you can actually refresh uh Dialogue: 0,0:45:55.76,0:45:58.72,Default,,0000,0000,0000,,all of these um all of these panels here Dialogue: 0,0:45:58.72,0:46:00.80,Default,,0000,0000,0000,,if you will so that'll display the Dialogue: 0,0:46:00.80,0:46:03.92,Default,,0000,0000,0000,,latest and as i said here because i'd Dialogue: 0,0:46:03.92,0:46:05.84,Default,,0000,0000,0000,,had performed the actual Dialogue: 0,0:46:05.84,0:46:07.68,Default,,0000,0000,0000,,uh you know i'd perform the actual check Dialogue: 0,0:46:07.68,0:46:09.52,Default,,0000,0000,0000,,and then connected to an external server Dialogue: 0,0:46:09.52,0:46:11.68,Default,,0000,0000,0000,,you can see that you know the top source Dialogue: 0,0:46:11.68,0:46:13.68,Default,,0000,0000,0000,,countries are highlighted there Dialogue: 0,0:46:13.68,0:46:15.84,Default,,0000,0000,0000,,you can also refresh the number of Dialogue: 0,0:46:15.84,0:46:18.16,Default,,0000,0000,0000,,events as you can see here 
Dialogue: 0,0:46:18.16,0:46:20.32,Default,,0000,0000,0000,,and the number of sources so Dialogue: 0,0:46:20.32,0:46:22.32,Default,,0000,0000,0000,,uh you can also do that for the rest of Dialogue: 0,0:46:22.32,0:46:24.48,Default,,0000,0000,0000,,the panel so these are the top 10 Dialogue: 0,0:46:24.48,0:46:26.80,Default,,0000,0000,0000,,classifications Dialogue: 0,0:46:26.80,0:46:28.96,Default,,0000,0000,0000,,in terms of events if you will and then Dialogue: 0,0:46:28.96,0:46:31.36,Default,,0000,0000,0000,,the snort event types as you can see Dialogue: 0,0:46:31.36,0:46:32.32,Default,,0000,0000,0000,,here Dialogue: 0,0:46:32.32,0:46:33.84,Default,,0000,0000,0000,,so for example in this case we have the Dialogue: 0,0:46:33.84,0:46:36.16,Default,,0000,0000,0000,,attack response id check which if we Dialogue: 0,0:46:36.16,0:46:37.52,Default,,0000,0000,0000,,click on Dialogue: 0,0:46:37.52,0:46:40.32,Default,,0000,0000,0000,,right over here Dialogue: 0,0:46:41.12,0:46:42.64,Default,,0000,0000,0000,,you can see that it actually displays Dialogue: 0,0:46:42.64,0:46:44.40,Default,,0000,0000,0000,,that and you can then uh you can then Dialogue: 0,0:46:44.40,0:46:46.40,Default,,0000,0000,0000,,click on the signature itself and this Dialogue: 0,0:46:46.40,0:46:48.88,Default,,0000,0000,0000,,is for statistics now if you click on Dialogue: 0,0:46:48.88,0:46:52.00,Default,,0000,0000,0000,,the snort event search tab right over Dialogue: 0,0:46:52.00,0:46:53.04,Default,,0000,0000,0000,,here Dialogue: 0,0:46:53.04,0:46:54.88,Default,,0000,0000,0000,,you can see that this allows you to Dialogue: 0,0:46:54.88,0:46:57.12,Default,,0000,0000,0000,,search based on the source ip the source Dialogue: 0,0:46:57.12,0:46:59.68,Default,,0000,0000,0000,,port the destination ip destination port Dialogue: 0,0:46:59.68,0:47:02.24,Default,,0000,0000,0000,,and the event type so i can check for Dialogue: 0,0:47:02.24,0:47:04.40,Default,,0000,0000,0000,,attack responses based on the rule set 
Dialogue: 0,0:47:04.40,0:47:06.48,Default,,0000,0000,0000,,that we had used previously Dialogue: 0,0:47:06.48,0:47:09.36,Default,,0000,0000,0000,,and i can also specify the timing right Dialogue: 0,0:47:09.36,0:47:12.08,Default,,0000,0000,0000,,so that's really fantastic there Dialogue: 0,0:47:12.08,0:47:14.64,Default,,0000,0000,0000,,so you can see that right over here we Dialogue: 0,0:47:14.64,0:47:16.24,Default,,0000,0000,0000,,have that logged Dialogue: 0,0:47:16.24,0:47:19.04,Default,,0000,0000,0000,,which is fantastic and Dialogue: 0,0:47:19.04,0:47:21.92,Default,,0000,0000,0000,,if we click on the snort world map Dialogue: 0,0:47:21.92,0:47:24.00,Default,,0000,0000,0000,,that'll essentially as you'll see in a Dialogue: 0,0:47:24.00,0:47:26.16,Default,,0000,0000,0000,,couple of seconds this will essentially Dialogue: 0,0:47:26.16,0:47:28.56,Default,,0000,0000,0000,,display the countries by the source ips Dialogue: 0,0:47:28.56,0:47:29.84,Default,,0000,0000,0000,,in this case it should display the Dialogue: 0,0:47:29.84,0:47:32.08,Default,,0000,0000,0000,,united states which makes sense Dialogue: 0,0:47:32.08,0:47:34.80,Default,,0000,0000,0000,,uh and there we are so again this is Dialogue: 0,0:47:34.80,0:47:37.12,Default,,0000,0000,0000,,extremely helpful especially if you work Dialogue: 0,0:47:37.12,0:47:39.84,Default,,0000,0000,0000,,in a sock and as i said there's multiple Dialogue: 0,0:47:39.84,0:47:41.92,Default,,0000,0000,0000,,uh you know security tools you can Dialogue: 0,0:47:41.92,0:47:45.04,Default,,0000,0000,0000,,integrate with uh with splunk Dialogue: 0,0:47:45.04,0:47:46.88,Default,,0000,0000,0000,,now one thing that i wanted to highlight Dialogue: 0,0:47:46.88,0:47:49.44,Default,,0000,0000,0000,,is you can if you click on edit i'll Dialogue: 0,0:47:49.44,0:47:51.20,Default,,0000,0000,0000,,just go back to the Dialogue: 0,0:47:51.20,0:47:53.20,Default,,0000,0000,0000,,event summary here because this is very Dialogue: 
0,0:47:53.20,0:47:55.12,Default,,0000,0000,0000,,important Dialogue: 0,0:47:55.12,0:47:57.28,Default,,0000,0000,0000,,you can set this as your main dashboard Dialogue: 0,0:47:57.28,0:47:58.96,Default,,0000,0000,0000,,so if you right click here you can set Dialogue: 0,0:47:58.96,0:48:01.52,Default,,0000,0000,0000,,this as your home dashboard Dialogue: 0,0:48:01.52,0:48:03.60,Default,,0000,0000,0000,,so i'll just click on that there Dialogue: 0,0:48:03.60,0:48:05.44,Default,,0000,0000,0000,,and now you'll see on your dashboard Dialogue: 0,0:48:05.44,0:48:08.24,Default,,0000,0000,0000,,here if i just close that top menu Dialogue: 0,0:48:08.24,0:48:10.24,Default,,0000,0000,0000,,that will actually be displayed there so Dialogue: 0,0:48:10.24,0:48:12.32,Default,,0000,0000,0000,,give it a couple of seconds Dialogue: 0,0:48:12.32,0:48:14.08,Default,,0000,0000,0000,,and of course you can click on the cog Dialogue: 0,0:48:14.08,0:48:16.24,Default,,0000,0000,0000,,wheel here Dialogue: 0,0:48:16.24,0:48:19.28,Default,,0000,0000,0000,,and essentially display whatever Dialogue: 0,0:48:19.28,0:48:21.52,Default,,0000,0000,0000,,you know you can specify your default Dialogue: 0,0:48:21.52,0:48:23.20,Default,,0000,0000,0000,,dashboard now there are a couple of Dialogue: 0,0:48:23.20,0:48:25.60,Default,,0000,0000,0000,,other ones that are created by default Dialogue: 0,0:48:25.60,0:48:27.12,Default,,0000,0000,0000,,uh but yeah you can have that on your Dialogue: 0,0:48:27.12,0:48:28.40,Default,,0000,0000,0000,,dashboard Dialogue: 0,0:48:28.40,0:48:31.04,Default,,0000,0000,0000,,uh and uh you know if you actually click Dialogue: 0,0:48:31.04,0:48:33.84,Default,,0000,0000,0000,,on snot the snot alert for splunk here Dialogue: 0,0:48:33.84,0:48:36.24,Default,,0000,0000,0000,,and we'll just go back into that snot Dialogue: 0,0:48:36.24,0:48:38.24,Default,,0000,0000,0000,,event summary tab Dialogue: 0,0:48:38.24,0:48:40.88,Default,,0000,0000,0000,,uh you can actually edit the way these 
Dialogue: 0,0:48:40.88,0:48:44.24,Default,,0000,0000,0000,,um these particular panels are tiled so Dialogue: 0,0:48:44.24,0:48:46.08,Default,,0000,0000,0000,,uh you know you can convert it to a Dialogue: 0,0:48:46.08,0:48:48.88,Default,,0000,0000,0000,,pre-built panel or you know Dialogue: 0,0:48:48.88,0:48:50.40,Default,,0000,0000,0000,,you can you can actually convert it to a Dialogue: 0,0:48:50.40,0:48:52.96,Default,,0000,0000,0000,,pre-built panel you can get rid of it Dialogue: 0,0:48:52.96,0:48:54.72,Default,,0000,0000,0000,,uh you can also move them around based Dialogue: 0,0:48:54.72,0:48:57.44,Default,,0000,0000,0000,,on your own requirements and uh in this Dialogue: 0,0:48:57.44,0:48:59.68,Default,,0000,0000,0000,,case you can actually let's see if i can Dialogue: 0,0:48:59.68,0:49:00.88,Default,,0000,0000,0000,,show you can actually select the Dialogue: 0,0:49:00.88,0:49:02.48,Default,,0000,0000,0000,,visualization Dialogue: 0,0:49:02.48,0:49:04.24,Default,,0000,0000,0000,,uh so in this case i think the default Dialogue: 0,0:49:04.24,0:49:06.08,Default,,0000,0000,0000,,one is fine and you can then view the Dialogue: 0,0:49:06.08,0:49:07.92,Default,,0000,0000,0000,,report here so Dialogue: 0,0:49:07.92,0:49:08.96,Default,,0000,0000,0000,,um Dialogue: 0,0:49:08.96,0:49:11.36,Default,,0000,0000,0000,,if we click on this one here for example Dialogue: 0,0:49:11.36,0:49:13.28,Default,,0000,0000,0000,,we could actually use the bar graph to Dialogue: 0,0:49:13.28,0:49:15.28,Default,,0000,0000,0000,,display the you know the number of the Dialogue: 0,0:49:15.28,0:49:17.20,Default,,0000,0000,0000,,actual um Dialogue: 0,0:49:17.20,0:49:19.44,Default,,0000,0000,0000,,the top source countries uh and have Dialogue: 0,0:49:19.44,0:49:21.60,Default,,0000,0000,0000,,them displayed in a bar graph style but Dialogue: 0,0:49:21.60,0:49:23.28,Default,,0000,0000,0000,,we can just take it back into the pie Dialogue: 0,0:49:23.28,0:49:25.60,Default,,0000,0000,0000,,chart there 
and you can also change this Dialogue: 0,0:49:25.60,0:49:27.44,Default,,0000,0000,0000,,for the events as well Dialogue: 0,0:49:27.44,0:49:29.36,Default,,0000,0000,0000,,so uh you know if we wanted to view a Dialogue: 0,0:49:29.36,0:49:31.44,Default,,0000,0000,0000,,trend we can click on the bar graph Dialogue: 0,0:49:31.44,0:49:32.24,Default,,0000,0000,0000,,there Dialogue: 0,0:49:32.24,0:49:34.00,Default,,0000,0000,0000,,uh in this case i don't think that's Dialogue: 0,0:49:34.00,0:49:37.04,Default,,0000,0000,0000,,formatted correctly so uh if we just use Dialogue: 0,0:49:37.04,0:49:39.44,Default,,0000,0000,0000,,the the default one Dialogue: 0,0:49:39.44,0:49:42.88,Default,,0000,0000,0000,,uh which i believe was i think it was no Dialogue: 0,0:49:42.88,0:49:46.16,Default,,0000,0000,0000,,that wasn't the one i believe it was uh Dialogue: 0,0:49:46.16,0:49:47.92,Default,,0000,0000,0000,,let's see if i can identify it here it Dialogue: 0,0:49:47.92,0:49:50.80,Default,,0000,0000,0000,,was the number there we are so 26 uh so Dialogue: 0,0:49:50.80,0:49:52.64,Default,,0000,0000,0000,,as i said you can customize this based Dialogue: 0,0:49:52.64,0:49:53.84,Default,,0000,0000,0000,,on your own Dialogue: 0,0:49:53.84,0:49:55.44,Default,,0000,0000,0000,,uh you know Dialogue: 0,0:49:55.44,0:49:57.44,Default,,0000,0000,0000,,your own requirements so for example Dialogue: 0,0:49:57.44,0:49:59.84,Default,,0000,0000,0000,,this one might do well if it was in the Dialogue: 0,0:49:59.84,0:50:02.24,Default,,0000,0000,0000,,form of a bar graph so you know Dialogue: 0,0:50:02.24,0:50:04.24,Default,,0000,0000,0000,,you can utilize that if you feel that Dialogue: 0,0:50:04.24,0:50:06.32,Default,,0000,0000,0000,,that is appropriate Dialogue: 0,0:50:06.32,0:50:08.32,Default,,0000,0000,0000,,uh in this case uh you know we can also Dialogue: 0,0:50:08.32,0:50:11.92,Default,,0000,0000,0000,,specify uh the actual um you know we can Dialogue: 
0,0:50:11.92,0:50:14.56,Default,,0000,0000,0000,,actually list the events themselves Dialogue: 0,0:50:14.56,0:50:16.08,Default,,0000,0000,0000,,uh let's see which other ones look Dialogue: 0,0:50:16.08,0:50:17.92,Default,,0000,0000,0000,,really good here Dialogue: 0,0:50:17.92,0:50:19.76,Default,,0000,0000,0000,,uh and uh yeah once you're done with the Dialogue: 0,0:50:19.76,0:50:22.08,Default,,0000,0000,0000,,customization you can then cancel or Dialogue: 0,0:50:22.08,0:50:24.56,Default,,0000,0000,0000,,save based on your requirements and you Dialogue: 0,0:50:24.56,0:50:27.20,Default,,0000,0000,0000,,can also filter on this particular tab Dialogue: 0,0:50:27.20,0:50:28.96,Default,,0000,0000,0000,,here you know through the source ip Dialogue: 0,0:50:28.96,0:50:31.28,Default,,0000,0000,0000,,destination ip etc Dialogue: 0,0:50:31.28,0:50:33.84,Default,,0000,0000,0000,,um let's see what else did i wanted to Dialogue: 0,0:50:33.84,0:50:35.60,Default,,0000,0000,0000,,did i want to highlight let me just Dialogue: 0,0:50:35.60,0:50:38.00,Default,,0000,0000,0000,,refresh this once more Dialogue: 0,0:50:38.00,0:50:39.76,Default,,0000,0000,0000,,and you know to essentially get the Dialogue: 0,0:50:39.76,0:50:42.48,Default,,0000,0000,0000,,latest data Dialogue: 0,0:50:42.48,0:50:44.48,Default,,0000,0000,0000,,and uh you can see uh in terms of the Dialogue: 0,0:50:44.48,0:50:46.48,Default,,0000,0000,0000,,fan the in terms of the panels this will Dialogue: 0,0:50:46.48,0:50:49.52,Default,,0000,0000,0000,,display the last 100 attempts Dialogue: 0,0:50:49.52,0:50:51.76,Default,,0000,0000,0000,,uh and uh you know you can go through Dialogue: 0,0:50:51.76,0:50:53.60,Default,,0000,0000,0000,,them like so Dialogue: 0,0:50:53.60,0:50:55.84,Default,,0000,0000,0000,,uh you can also view i think we've gone Dialogue: 0,0:50:55.84,0:50:57.12,Default,,0000,0000,0000,,through all of them but you have the Dialogue: 0,0:50:57.12,0:50:59.44,Default,,0000,0000,0000,,persistent sources so two or 
more days Dialogue: 0,0:50:59.44,0:51:01.36,Default,,0000,0000,0000,,of activity in the last 30 days so you Dialogue: 0,0:51:01.36,0:51:03.04,Default,,0000,0000,0000,,actually need a lot of data for that to Dialogue: 0,0:51:03.04,0:51:05.20,Default,,0000,0000,0000,,be displayed or to give you anything Dialogue: 0,0:51:05.20,0:51:06.40,Default,,0000,0000,0000,,useful Dialogue: 0,0:51:06.40,0:51:07.52,Default,,0000,0000,0000,,um Dialogue: 0,0:51:07.52,0:51:09.76,Default,,0000,0000,0000,,yeah so that is Dialogue: 0,0:51:09.76,0:51:11.68,Default,,0000,0000,0000,,what i wanted to highlight in regards to Dialogue: 0,0:51:11.68,0:51:14.08,Default,,0000,0000,0000,,the snot alert for splunk app and the Dialogue: 0,0:51:14.08,0:51:15.84,Default,,0000,0000,0000,,actual dashboards which i said it Dialogue: 0,0:51:15.84,0:51:17.36,Default,,0000,0000,0000,,already does for you Dialogue: 0,0:51:17.36,0:51:19.12,Default,,0000,0000,0000,,now you can create your own dashboard as Dialogue: 0,0:51:19.12,0:51:21.20,Default,,0000,0000,0000,,i said if i go back into apps and search Dialogue: 0,0:51:21.20,0:51:22.72,Default,,0000,0000,0000,,and reporting Dialogue: 0,0:51:22.72,0:51:25.20,Default,,0000,0000,0000,,based on your own sources so i'll just Dialogue: 0,0:51:25.20,0:51:27.28,Default,,0000,0000,0000,,click on data summary there and if i Dialogue: 0,0:51:27.28,0:51:29.28,Default,,0000,0000,0000,,click on sources Dialogue: 0,0:51:29.28,0:51:30.96,Default,,0000,0000,0000,,you can click on the Dialogue: 0,0:51:30.96,0:51:33.84,Default,,0000,0000,0000,,this source here for example and Dialogue: 0,0:51:33.84,0:51:36.64,Default,,0000,0000,0000,,you know in this case we can actually uh Dialogue: 0,0:51:36.64,0:51:39.68,Default,,0000,0000,0000,,just click on that there and i can click Dialogue: 0,0:51:39.68,0:51:41.92,Default,,0000,0000,0000,,on extract fields Dialogue: 0,0:51:41.92,0:51:43.36,Default,,0000,0000,0000,,and you can extract the fields with Dialogue: 
0,0:51:43.36,0:51:46.32,Default,,0000,0000,0000,,rejects so i'll click on next there Dialogue: 0,0:51:46.32,0:51:47.76,Default,,0000,0000,0000,,and you can then select the fields that Dialogue: 0,0:51:47.76,0:51:50.40,Default,,0000,0000,0000,,you want so for example in this case we Dialogue: 0,0:51:50.40,0:51:52.72,Default,,0000,0000,0000,,would want the date and time Dialogue: 0,0:51:52.72,0:51:55.28,Default,,0000,0000,0000,,so i can just highlight that there so i Dialogue: 0,0:51:55.28,0:51:56.32,Default,,0000,0000,0000,,can say Dialogue: 0,0:51:56.32,0:51:59.52,Default,,0000,0000,0000,,time for example add the extraction Dialogue: 0,0:51:59.52,0:52:02.00,Default,,0000,0000,0000,,and then of course we have the source ip Dialogue: 0,0:52:02.00,0:52:03.84,Default,,0000,0000,0000,,and the port but i'll just highlight Dialogue: 0,0:52:03.84,0:52:05.68,Default,,0000,0000,0000,,them together but i think it's actually Dialogue: 0,0:52:05.68,0:52:07.44,Default,,0000,0000,0000,,recommended just to highlight the source Dialogue: 0,0:52:07.44,0:52:08.88,Default,,0000,0000,0000,,ip there Dialogue: 0,0:52:08.88,0:52:13.20,Default,,0000,0000,0000,,so source we can say crc src Dialogue: 0,0:52:13.20,0:52:14.56,Default,,0000,0000,0000,,underscore Dialogue: 0,0:52:14.56,0:52:15.52,Default,,0000,0000,0000,,ip Dialogue: 0,0:52:15.52,0:52:18.48,Default,,0000,0000,0000,,add that extraction and we then have the Dialogue: 0,0:52:18.48,0:52:20.80,Default,,0000,0000,0000,,destination ip which in this case uh Dialogue: 0,0:52:20.80,0:52:22.56,Default,,0000,0000,0000,,because this is uh Dialogue: 0,0:52:22.56,0:52:25.52,Default,,0000,0000,0000,,an sm snmp broadcast Dialogue: 0,0:52:25.52,0:52:27.52,Default,,0000,0000,0000,,request we can we know that that's the Dialogue: 0,0:52:27.52,0:52:30.88,Default,,0000,0000,0000,,destination ip so i'll say dst Dialogue: 0,0:52:30.88,0:52:33.04,Default,,0000,0000,0000,,underscore ip Dialogue: 0,0:52:33.04,0:52:36.72,Default,,0000,0000,0000,,add the 
extraction let's see what else Dialogue: 0,0:52:36.72,0:52:40.08,Default,,0000,0000,0000,,we can do um Dialogue: 0,0:52:40.08,0:52:41.44,Default,,0000,0000,0000,,in this case it's saying the extraction Dialogue: 0,0:52:41.44,0:52:42.96,Default,,0000,0000,0000,,field you're extracting if you're Dialogue: 0,0:52:42.96,0:52:45.04,Default,,0000,0000,0000,,extracting multiple fields try removing Dialogue: 0,0:52:45.04,0:52:47.04,Default,,0000,0000,0000,,one or more fields start with the Dialogue: 0,0:52:47.04,0:52:48.72,Default,,0000,0000,0000,,extractions that are embedded within Dialogue: 0,0:52:48.72,0:52:51.68,Default,,0000,0000,0000,,longer strings okay so let's try and use Dialogue: 0,0:52:51.68,0:52:54.40,Default,,0000,0000,0000,,another alert here Dialogue: 0,0:52:54.40,0:52:57.60,Default,,0000,0000,0000,,that was kind of interesting um let's Dialogue: 0,0:52:57.60,0:52:58.32,Default,,0000,0000,0000,,see Dialogue: 0,0:52:58.32,0:53:00.48,Default,,0000,0000,0000,,it's not displaying all of them here but Dialogue: 0,0:53:00.48,0:53:02.80,Default,,0000,0000,0000,,you get the idea once you're done Dialogue: 0,0:53:02.80,0:53:04.48,Default,,0000,0000,0000,,uh you know for example i can remove Dialogue: 0,0:53:04.48,0:53:06.08,Default,,0000,0000,0000,,that field here i'm just giving you an Dialogue: 0,0:53:06.08,0:53:08.72,Default,,0000,0000,0000,,example of that so remove that field Dialogue: 0,0:53:08.72,0:53:12.00,Default,,0000,0000,0000,,uh there we are i can then say next and Dialogue: 0,0:53:12.00,0:53:15.44,Default,,0000,0000,0000,,i can click on validate and save based Dialogue: 0,0:53:15.44,0:53:18.24,Default,,0000,0000,0000,,on those fields there hit finish Dialogue: 0,0:53:18.24,0:53:20.80,Default,,0000,0000,0000,,and then you know i can go back to Dialogue: 0,0:53:20.80,0:53:23.36,Default,,0000,0000,0000,,uh you know search and reporting Dialogue: 0,0:53:23.36,0:53:25.28,Default,,0000,0000,0000,,and if i wanted to create a very simple Dialogue: 
0,0:53:25.28,0:53:27.04,Default,,0000,0000,0000,,visualization which i'll show you right Dialogue: 0,0:53:27.04,0:53:27.84,Default,,0000,0000,0000,,now Dialogue: 0,0:53:27.84,0:53:30.00,Default,,0000,0000,0000,,even though i don't really need those Dialogue: 0,0:53:30.00,0:53:31.92,Default,,0000,0000,0000,,extracted fields although they might be Dialogue: 0,0:53:31.92,0:53:33.28,Default,,0000,0000,0000,,useful so Dialogue: 0,0:53:33.28,0:53:36.08,Default,,0000,0000,0000,,i can click on those extracted fields Dialogue: 0,0:53:36.08,0:53:38.56,Default,,0000,0000,0000,,now i believe they should have been Dialogue: 0,0:53:38.56,0:53:39.76,Default,,0000,0000,0000,,added Dialogue: 0,0:53:39.76,0:53:41.20,Default,,0000,0000,0000,,i'm not really sure why they aren't Dialogue: 0,0:53:41.20,0:53:43.44,Default,,0000,0000,0000,,being highlighted here there we are so Dialogue: 0,0:53:43.44,0:53:45.20,Default,,0000,0000,0000,,source ip Dialogue: 0,0:53:45.20,0:53:47.76,Default,,0000,0000,0000,,uh we can also specify the source port Dialogue: 0,0:53:47.76,0:53:50.24,Default,,0000,0000,0000,,uh we all there there they are so i had Dialogue: 0,0:53:50.24,0:53:51.76,Default,,0000,0000,0000,,actually they took a while to be Dialogue: 0,0:53:51.76,0:53:53.60,Default,,0000,0000,0000,,displayed there so Dialogue: 0,0:53:53.60,0:53:56.56,Default,,0000,0000,0000,,uh so support that why why not we can Dialogue: 0,0:53:56.56,0:53:59.92,Default,,0000,0000,0000,,yeah i think that's pretty much it so Dialogue: 0,0:53:59.92,0:54:02.08,Default,,0000,0000,0000,,uh based on those we can actually build Dialogue: 0,0:54:02.08,0:54:04.48,Default,,0000,0000,0000,,an event type however if we go to Dialogue: 0,0:54:04.48,0:54:07.52,Default,,0000,0000,0000,,visualization and click on pivot here Dialogue: 0,0:54:07.52,0:54:10.64,Default,,0000,0000,0000,,selected fields is five hit ok Dialogue: 0,0:54:10.64,0:54:12.56,Default,,0000,0000,0000,,we can actually you know visualize this Dialogue: 
0,0:54:12.56,0:54:14.32,Default,,0000,0000,0000,,however we want so for example if i
Dialogue: 0,0:54:14.32,0:54:17.12,Default,,0000,0000,0000,,wanted a column chart here
Dialogue: 0,0:54:17.12,0:54:19.68,Default,,0000,0000,0000,,number one will display the count
Dialogue: 0,0:54:19.68,0:54:22.08,Default,,0000,0000,0000,,i can just add the
Dialogue: 0,0:54:22.08,0:54:24.08,Default,,0000,0000,0000,,events
Dialogue: 0,0:54:24.08,0:54:26.32,Default,,0000,0000,0000,,because that's the count and we should
Dialogue: 0,0:54:26.32,0:54:28.72,Default,,0000,0000,0000,,have at the bottom the time which i did
Dialogue: 0,0:54:28.72,0:54:32.56,Default,,0000,0000,0000,,specify uh we believe within that range
Dialogue: 0,0:54:32.56,0:54:34.00,Default,,0000,0000,0000,,there
Dialogue: 0,0:54:34.00,0:54:36.72,Default,,0000,0000,0000,,but that's not being highlighted here so
Dialogue: 0,0:54:36.72,0:54:39.28,Default,,0000,0000,0000,,the number of events and you know you
Dialogue: 0,0:54:39.28,0:54:41.84,Default,,0000,0000,0000,,can go ahead and click as you can
Dialogue: 0,0:54:41.84,0:54:43.44,Default,,0000,0000,0000,,essentially save it
Dialogue: 0,0:54:43.44,0:54:45.28,Default,,0000,0000,0000,,so you get the idea you don't really
Dialogue: 0,0:54:45.28,0:54:46.88,Default,,0000,0000,0000,,need to do this because we have the
Dialogue: 0,0:54:46.88,0:54:48.48,Default,,0000,0000,0000,,snort app here
Dialogue: 0,0:54:48.48,0:54:50.08,Default,,0000,0000,0000,,which pretty much gives you the
Dialogue: 0,0:54:50.08,0:54:52.88,Default,,0000,0000,0000,,summaries that are useful to you or for
Dialogue: 0,0:54:52.88,0:54:53.84,Default,,0000,0000,0000,,you
Dialogue: 0,0:54:53.84,0:54:56.56,Default,,0000,0000,0000,,and there we are so fantastic so that's
Dialogue: 0,0:54:56.56,0:54:57.92,Default,,0000,0000,0000,,going to conclude the practical
Dialogue: 0,0:54:57.92,0:55:01.12,Default,,0000,0000,0000,,demonstration side of this video
Dialogue: 0,0:55:01.12,0:55:02.80,Default,,0000,0000,0000,,so uh thank you very much for watching
Dialogue: 0,0:55:02.80,0:55:04.56,Default,,0000,0000,0000,,this video if you have any questions or
Dialogue: 0,0:55:04.56,0:55:06.24,Default,,0000,0000,0000,,suggestions leave them in the comments
Dialogue: 0,0:55:06.24,0:55:07.20,Default,,0000,0000,0000,,section
Dialogue: 0,0:55:07.20,0:55:08.56,Default,,0000,0000,0000,,if you want to reach out to me you can
Dialogue: 0,0:55:08.56,0:55:10.16,Default,,0000,0000,0000,,do so via
Dialogue: 0,0:55:10.16,0:55:12.32,Default,,0000,0000,0000,,twitter or the discord server the links
Dialogue: 0,0:55:12.32,0:55:14.24,Default,,0000,0000,0000,,to both of those are in the description
Dialogue: 0,0:55:14.24,0:55:16.72,Default,,0000,0000,0000,,section furthermore we are now moving on
Dialogue: 0,0:55:16.72,0:55:18.72,Default,,0000,0000,0000,,to part two so this will conclude part
Dialogue: 0,0:55:18.72,0:55:21.04,Default,,0000,0000,0000,,one so part two will be available on the
Dialogue: 0,0:55:21.04,0:55:24.56,Default,,0000,0000,0000,,linode's on 24 platform so uh the videos
Dialogue: 0,0:55:24.56,0:55:26.56,Default,,0000,0000,0000,,are available uh on demand so all you
Dialogue: 0,0:55:26.56,0:55:28.56,Default,,0000,0000,0000,,need to do just click uh click the link
Dialogue: 0,0:55:28.56,0:55:31.60,Default,,0000,0000,0000,,in the description register for part two
Dialogue: 0,0:55:31.60,0:55:33.52,Default,,0000,0000,0000,,after which an email will be sent to you
Dialogue: 0,0:55:33.52,0:55:34.72,Default,,0000,0000,0000,,and you'll be given uh you know
Dialogue: 0,0:55:34.72,0:55:37.20,Default,,0000,0000,0000,,immediate access to to the videos uh
Dialogue: 0,0:55:37.20,0:55:40.00,Default,,0000,0000,0000,,within part two so uh thank you very
Dialogue: 0,0:55:40.00,0:55:42.80,Default,,0000,0000,0000,,much uh for watching part one uh in the
Dialogue: 0,0:55:42.80,0:55:45.04,Default,,0000,0000,0000,,next video in part two we'll get started
Dialogue: 0,0:55:45.04,0:55:46.64,Default,,0000,0000,0000,,or we'll take a look at host intrusion
Dialogue: 0,0:55:46.64,0:55:49.52,Default,,0000,0000,0000,,detection with ossec so i'll be seeing
Dialogue: 0,0:55:49.52,0:55:53.64,Default,,0000,0000,0000,,you in the next video
Dialogue: 0,0:55:59.13,0:56:12.24,Default,,0000,0000,0000,,[Music]
Dialogue: 0,0:56:12.24,0:56:14.32,Default,,0000,0000,0000,,you
