Hello everyone, welcome back to the Blue Team training series brought to you by Linode and HackerSploit. In this video we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk, and you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is that we're essentially going to take all the knowledge that we've learned during the Snort video, and we are going to forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs when Snort is running on our Ubuntu virtual machine. The objective here is to use Splunk in conjunction with the Splunk Snort app to visualize and identify, or monitor, network intrusions and any malicious network traffic within the network that I'm monitoring.

At a very high level, what will we be covering? Well, firstly we'll get an introduction to Splunk. Now, before we move any further, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, generally speaking, because Splunk is not really a tool that is specific to security; for example, that's why they have the Splunk Enterprise Security version or edition. I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to monitor the intrusion detection logs generated by Snort. We'll then move on to
deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing and configuring it, so that will set it up for us. We'll then take a look at how to configure Splunk and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort, so that we can forward those logs into Splunk, and then of course we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry, it'll make sense in a couple of minutes.

With that being said, given the fact that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it will help you set up Snort and you can then run through this demo. This is not a holistic video that will cover everything you can do with Splunk Enterprise Security; we are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring. So the prerequisites are the same as the previous videos; the only difference is that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that will help you get started.

All right, so let's get an introduction to Splunk. What is Splunk? That's the main question if you've never heard of Splunk. Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems, or machines as Splunk likes to call them. So what problem is
Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0, or the interconnected world we live in today, and we're going to be looking at it from the perspective of security. So if we take a simple system, let's say we have a system running Windows. Well, that Windows system produces a lot of data or logs that contain information that at first glance might not seem that important, but once you start getting into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization that has a thousand computers within their network, or distributed worldwide, and all of these systems need to be secured; their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. Splunk allows you to funnel all of this data produced by systems or machines into Splunk, and then Splunk allows you to monitor, search and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk you'll need to import your own data or logs; alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here, but as I said, we're looking at this from the lens of a security engineer.

All right, so Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. So what I'm saying here is that Splunk allows you
to take all of these security-related logs and data and make sense of them, and essentially get the answers that you're looking for. So for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level you want to know whether something is going wrong, and what could go wrong in the context of security: a network could be compromised, there could be some malicious network traffic or activity going on, a system could be compromised, etc. You get the idea. So we need that data to be displayed to us as a security engineer, and Splunk is really one of the best tools when it comes down to taking a lot of data and then identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart or graph. So that's really what we're going to be doing, and as I said, going back to the scenario, we're going to be focusing on how to forward the logs and alerts created by Snort into Splunk for analysis. Luckily for us, Splunk has a Snort app, or plug-in if you will, that will simplify this process.

So let's get an idea as to how we can use Splunk for security event monitoring. Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks, threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC, or security operations center. In this video we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts; this will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and
this is really cool, is it automatically forwards the latest logs even while Snort is running; it forwards those alerts and logs into Splunk and you can see them in real time, which is absolutely fantastic.

So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners; you can check those out by clicking on the link within this slide, and you can learn more about the Splunk Enterprise Security edition from that particular link.

Now, as I said, we're going to be deploying Splunk on Linode, more specifically Splunk ES, and this is the lab environment. So we're going to spin up Splunk ES on Linode. Now again, to follow through with this, Linode has been absolutely fantastic by providing all of you guys with a way to get a hundred dollars in free Linode credit. All you need to do is just click the link in the description section and sign up, and a hundred dollars will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode, and then within my internal network we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort; this is the same virtual machine that we had set up and used to set up Snort and Suricata, and the one we had used with Wazuh. And yeah, that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will essentially run a couple of commands or scripts to emulate malicious network activity, so that this traffic is logged, and that will provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of
our network intrusions. So as I said, you don't really need to have a Windows workstation; you simply need to have the Ubuntu VM and you can pretty much run everything from it, and of course you can set up the Splunk Enterprise Security server on Linode without any issues. So that's the lab environment; we can now get started with the practical demonstration. I'm going to switch over to my Ubuntu virtual machine.

All right, so I'm back on my Ubuntu virtual machine and you can see I have Linode opened up here. I haven't set anything up yet, because we're going to be walking through the process together. I then have the splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along, so just head over to splunk.com and register for an account; it's free. Once that is done, you'll need to activate or verify your account through the verification email they'll send you. Once that is done, we can then move forward, because in order to access the actual Splunk Universal Forwarder you'll need to have an account, and of course in this case I'll be going through everything as we move along in a structured manner.

And then to perform the actual NIDS tests we are going to be using the testmynids.org project, which is on GitHub. This is essentially a bash script that allows you to, as you can see here, emulate or simulate malicious network traffic. So previously we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion, and we can run a few other checks like an HTTP basic authentication, bad certificate authorities, an EXE or DLL download over HTTP. So we can run tests that will just make our intrusion detection system blow up in terms of alerts, and that's what we want, because we want
to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode. So just click on Create, then Linode, and click on Marketplace, and they already have Splunk here. So there we are, you can click on that there, and if you click on this little info button here it'll give you an idea as to how to deploy it on Linode, and of course you have more information regarding Splunk; you have the documentation link there. So I'll just click on Splunk. Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user; I recommend using admin to begin with, and then specify a password. If you're setting up Splunk on a domain, then you can specify the Linode API token to essentially create the DNS records; that's if you're using Linode's DNS service. And then of course you need to add the admin email for the server, so in this case I can just say, for example, hackersploit@gmail.com. Don't spam me on this email, because I don't respond anyway. So we can create another user; this is the username for the Linode admin's SSH user. "Please ensure that the username does not contain any..." so we can just call this admin, and then for the admin user we'll just provide that there. As for the image, we're going to set it up on Ubuntu 20.04. The region, I'll say London because that's closest to me. As for the actual Linode plan, Splunk ES doesn't require that many resources, especially because the amount of data that we're processing in the logs that are being forwarded to Splunk is relatively small, so less than 100, which, if you've used Splunk before for security event monitoring, you know is really, really small. In fact, Splunk will actually tell you that the amount of data you have imported or forwarded to begin with is too little to make any sense of, but that's where the Snort app for Splunk comes into play. So I'll just say Splunk
and I'll provide my root password for the server, and we can click on Create. All right, now once this is set up and provisioned, the actual installer is going to begin, because there is an auto installer setup that will set up Splunk ES for you. So let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH. And of course, one thing that I don't need to tell you is that if you're setting this up for production, then you need to make sure you're securing your server, so do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linode, the Linux Server Security series; that'll give you all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background, and we can then get started officially with how to set up Splunk. We then need to set up the Universal Forwarder. So this is booting now.

All right, so the server is booted and you can see I've just opened up the Lish console here to view what's going on. As you can see, it's begun setting up Splunk ES, so just give this a couple of minutes to begin, and once it's done it'll provide you with the login prompt, but it's probably logged in as the root user already. So just let this complete; I'm just going to wait for this to conclude.

All right, so once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete" and you can then log in. Keep this window open, because this is going to be very important, as we'll need to configure a few firewall rules, because by default this Linode comes with UFW, which is the Uncomplicated Firewall for Debian, or it
typically comes pre-packaged with Debian-based distributions like Ubuntu. In this case it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there; I'm just going to log in with the credentials that I specified as the root user, and I can just say sudo ufw status, and you can see these are all the allowed rules, or the actual rules configured for the firewall, which is looking good so far. So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000; that's going to open up Splunk ES for you. So just give this a couple of seconds. There we are, and the credentials that we had used were admin and the password that I created, which of course you'll be able to specify yourself. So just sign in, and once that is done you'll be brought to Splunk Enterprise Security here. So there we are, "Explore Splunk Enterprise".

In this case, what we're going to start off with is we need to go through a few configuration changes with Splunk itself. So the idea firstly is to configure the receiving of data. If you head over into Settings, under Data just click on Forwarding and receiving, and once that is loaded up, under Receive data we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port, so we can say New Receiving Port, and the port is of course going to be the default, which is 9997, which is why that firewall rule was added. So I'll click on Save.

All right, so once that is done we can now install the Snort app for Splunk. So click on Apps and head over into Find More Apps, and because the Ubuntu server, or the Ubuntu VM that I'm currently working on, is running Snort 2, we'll need the appropriate app here.
So I'll just search for Snort there, and we're not looking for the Snort 3 JSON alerts, although that could be quite useful, but we want the Snort Alert for Splunk. All right, so this app provides field extraction, so that's really great, because performing your own field extractions using regex can be quite difficult if you're a beginner, for fast and full alerts, as well as dashboards, saved searches, reports, event types, tags and event search interfaces. So we'll install that. Now, you'll need to log in with your Splunk account credentials that you actually created on splunk.com, so I'll just fill in my information really quickly. All right, so I've put in my username and password, so I'll accept the terms and conditions there, so Login and Install. That's going to install it; there we are, so we'll just hit Done. Now that that is done, if we head back over into our dashboard, so I'll just click on Splunk Enterprise there, you can now see we have Snort Alert for Splunk. So it already comes pre-configured with a dashboard, so we'll just let this load up here, and you can see that we don't have any data yet. So this will display your events and sources, top source countries, the events (this is very important), the sources, top 10 classifications, so that will classify your alerts in terms of the type, which again will make sense in a couple of seconds.

So now that that is done, we actually need to configure the Splunk Universal Forwarder, so I'll just open that up in a new tab. It's absolutely free to download the Debian client, or the Splunk Universal Forwarder Debian package. So universal forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data. So again, you can actually see why Splunk is so powerful and why it's widely
used and deployed, because of the fact that you can literally forward a ton of data from a ton of systems into Splunk. So because Snort is running on this Ubuntu VM, we need the Debian package, so I'll click on Linux and we want the 64-bit version. Again, you can choose one based on your requirements, so if you're running on Red Hat, Fedora or CentOS you can use the RPM package. So I'll just download the Debian package here; give that a couple of seconds, it's then going to begin downloading it, and then I'll walk you through the setup process. So there we are, it's begun the download, and once that is done I'll open up my terminal. That's saved in the Downloads directory, so if we head over into the Downloads directory you can see we have the splunkforwarder Debian package there. So what we want to do firstly is move this package into the /opt directory on Linux, which will essentially allow us to set it up as optional software, and it's really good to have all that optional software stored in the /opt directory. So once that's downloaded we can say mv splunkforwarder into /opt, and we'll need sudo privileges, so I'll say sudo mv. There we are, and I'll just type in my password. Fantastic. So we'll now navigate to the /opt directory, and to install this we can say sudo apt install and then we specify the package itself, so the splunkforwarder package, and we're just going to hit enter. That's going to install it for you; give that a couple of seconds.

All right, so once that is installed, if you list out the contents of this directory you're going to have a splunkforwarder directory here, so I'll say cd splunkforwarder, and under the bin directory, we can navigate to that here, we'll need to start Splunk. So we will say sudo and the binary we want to run is called splunk, and we'll accept the license. The
reason we're doing this is because we need to configure it, so we need to create a username and password, and once that is done you'll actually see what that looks like. So I'll just say accept the license, and you can see in this case, let's see if I typed that in correctly; that should actually start. So splunk start; I did not specify start there. There we are, so "please enter an administrator name": I'll just say admin. So again, Splunk software must create an administrator account during startup, otherwise you cannot log in, so create credentials for the administrator account. In this case you can create whatever you want; I'm just going to fill in my credentials here. All right, so I've just entered my administrator username and then of course my password, so that is done. It'll go through and check the prerequisites: new certs have been generated in the following directory, and all the preliminary checks have passed, so starting the splunk server daemon. So that's started. You can also enable it to run on system startup, so if I say, for example, sudo systemctl status splunk, let me type that in correctly here, so systemctl, and we can say splunkd, sorry, so we can say splunk. I'm not really sure why that's not loading here, but I do know that the daemon is running and there should be an init daemon for that, but in any case you can always start it that way.

Once that is done, we will need to add our forward server, so we need to add the address of the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second, but let's do that first. So again, we're going to use the splunk binary and we're going to say forward-server, and we'll just copy the IP address of your Splunk server here, so there we are, and I'll paste that in there, and then you need to type in the port,
so 9997; that's the port to connect to. Hit enter. So splunk forward... yeah, we need to add it; I keep forgetting the preliminary command, so add forward-server. Splunk username: in this case, let me just put in my credentials here. All right, and it's going to then add the forwarding to that particular address.

All right, now that that is done, we actually need to configure a particular file, and that is going to be the outputs.conf file. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So if we head over into the following directory, so I'll just take a step back, we're still in the splunkforwarder directory; we'll head over into the etc directory, and under system we have a file under local, I think it is called outputs. So I'm going to say sudo vim outputs.conf, and really the only thing that is required here is, of course, just leave the default configuration as is; the default group is fine, so the tcpout defaultGroup of default-autolb-group, that's fine. So make sure that the server option here is configured, that's the most important, and the tcpout-server address is also configured in this format. So we don't need to make any changes there, so I'll just quit and exit.

Once that is done, we also need to check the actual inputs configuration file, but before we do that let's take a look. If you revisit the Snort video, you know that all the logs are stored under /var/log/snort, right? So we have the alert log, and we also have... so again, based on the type of alerts you want generated, if I say man snort here, you can see that we have the alert mode, so you can use the fast mode or the full mode. In this case I'll be using the fast mode, and I'll give you a description of what's going on here. So "full" writes the alert to the alert file with the full decoded header as well as the alert message, which might be important, so we can also do that as well. So this was from
the previous Snort video, where we had essentially run Snort and where we were identifying various alerts. So what we can do is, again, we will go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we have alert.1. Ideally we would only want to forward this file into Splunk. So in order to do this, what I'm going to do now is just run Snort really quickly, so I'm going to say sudo snort -q for quiet, then the actual directory for the logs is /var/log/snort, then the interface is enp0s3 (again, make sure to replace that with your own interface), the alert mode we can say full, and the configuration is /etc/snort/snort.conf. I believe we had another configuration file... yeah, we had used the snort.conf file, so I'll hit enter. And now let me open up my file explorer here; we take a look at the /var directory, under log, and under snort we have alert. There we are, so that has been modified; the last modified time was right over there, okay, so that's 19, yeah, so this is the last modified. Now, I know this file is not human readable; we are not going to be forwarding this .log file, so I'll just close that there. So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. So I'll just perform a ping really quickly; again, the alerts will not be logged on our terminal, because they're being logged into the respective alert file, or the alert log file. So I'll just perform a few pings, as I was saying, which I'm doing right now on the attacker system. Once that is done, let's see whether those changes are being highlighted in alert. Indeed they are, okay. So now this is, as you can see here, this is the full... so to begin with we had used the fast alert
output mode, and right over here we then have the full alert mode, which, I'm not really sure how we want to go about doing this, but you can see we can actually make a few changes. What we can do is get rid of this traffic here; you can see the messages are actually being logged, so we can get rid of this here, because we don't want to mix the alerts that were output in the fast mode with the full mode. So we can just get rid of that there and save that. So once that is done, I'll just say... we actually need permissions to modify that file, but what I am going to do actually is close without saving. I'm just going to stop Snort there, and I'm just going to say sudo rm /var/log/snort/alert, all right, and we're also going to remove alert.1. All right, so I'm just going to run this again just to see if that file is generated. So there we are, we have alert there, so now it's much cleaner. So I'll just run a few pings just to make sure that all those alerts are being logged. So there we are, we have a few pings there, and we can also just run a few checks there. Okay, so there we are, we can see that those are now being logged, and of course you can change the format based on your requirements.

So now that that is done, what we can do is close that up, and we can actually leave Snort running as is. So what I'll do is just open up another tab, so I can say Ctrl+Shift+D, there we are, and we're currently within the following directory, so /opt/splunkforwarder/etc/system/local. So once that is done, we now need to add the files that we would like to monitor, or that we would like to forward, so the log files. I'll go back into the bin directory, so cd bin, because that's where we have the splunk binary. So I'll
say sudo um splunk and we can say add monitor and the file that we want to forward is under var log snot and it is just alert right so that's all that's really all that we want to do right and we can also utilize the fast alerts but let's just do this for now and we only want the alerts we don't want the actual log files that contain the packets themselves so i'll hit enter all right so it's now going to forward those alerts into splunk which pretty much means that on our end we are done however we still need to check one more configuration file so i'll just take a step back here and we'll head over into the etsy directory under apps and search and then into local when you think we'll need to root permissions to access this so i'll just switch to the root user and head over into local and we're looking for the inputs dot conf file uh right so we need to actually configure this because this is very important so uh the first thing we want to do is let us add a new line here and within the square brackets i'll just say splunk uh tcp and we then want to specify the port so 9997 let me make sure i type that in correctly we then need to actually put in the connection um so the connection host so connection host is going to be equal to the ip address of the splunk server so i'll just copy that there paste that in there once that is done this is fine here disabled is set to false we want index is going to be equal to main and then the source type is going to be equal to snot alert full and we can then say the source is equal to snort all right so this is a very important configuration so let me just go through those options or configurations again we have the splunk tcp option uh we then have the actual connection host the monitor is set correctly to that file uh it's enabled index equals main source type equals snorter that full source is equal to snot fantastic so we'll write in quit uh once this is done we'll need to restart splunk so i'll switch back to my user lexis 
here and we'll navigate back to the bin directory so i'll say cd bin and we'll say sudo let me say splunk and we can then say restart all right hit enter it's going to stop the splunk daemon shutting it down restart it and it's done successfully so all the checks were completed without any issue all right so now that this is done we can actually go back into splunk here and we'll navigate to the dashboard uh this is your splunk server right and let's take a look at the messages here that's just uh a few updates we don't need to do anything there so if we click on search and reporting just to verify that that data has indeed been for that i'll just skip through this if we click on data summary under sources you should see that we have the host and in my case the name of the system is black box so that should be reflected there so there we are black box we have 42 logs or alerts if you will sources 42 we can click on that there to just see the data that has been logged indeed we can see that has been done correctly so source type is alert uh we can see that it's imported you know pretty much all the data or the you know these are the this is the full log whereby we have the reference to that there uh that's weird i didn't actually run anything weird uh but uh there you go um so now that this is done uh you can use splunk to essentially visualize this data you know however you want so you know i can go into visualization uh and we can click on maybe we can create a um we can select a few fields so if i go back into the events here i can select a few fields that i want displayed here and i can you know essentially extract the fields that i want with rejects but i don't think this is necessary in this point because if we actually go back to the dashboard and we click on let's see splunk snot alert for splunk let's see if this is actually whether this automates that process for us uh there we are actually it looks like it does so um classification bad traffic so it looks 
like that is working. So what we can do now is run a few checks; we can actually utilize this script here, the testmynids script. All you need to do to run it is copy this one-liner command, which will download it into your tmp directory and then execute it. To execute it within your tmp directory you can just execute the actual binary there (it is a binary, not a script), and once that is done you can then select the option here. So let me just do that on my attacker system; I'm just going to run it one more time. I'm just going to say ls here, and if I open up the documentation, firstly I will run a quick Linux UID check, so I'll just hit enter. Okay, that is done. I'll then perform an HTTP basic authentication and a malware user agent check, so I'm doing that right now. Okay, and we can run one more here; let's see, we can try EXE or DLL download over HTTP, that is surely going to trigger an alert. So, is that running? All right, so Snort is running, that's great, so we know that the actual alerts are being forwarded. Absolutely fantastic.

So let's go back in here. I've already run those particular checks, so let me just refresh this. I know it usually takes a couple of seconds to a couple of minutes, but that data should actually be reflected. There we are, fantastic. So firstly I'll just explain the dashboard here, because this dashboard is automatically set up for you by the Snort app, which is really awesome; as I said, you don't need to go through that process yourself. The first graph here essentially tells you your events, and it also displays the total number of sources, so you can see that there. You also have the time, you have your events and then the timeline here, and you can essentially view a trend, or
the trend of events there. You then have the top source countries right over here, and if I just run another check really quickly here through the testmynids website (let me just run the curl command), you should actually see, because we are reaching out to, you know, a connection made to an external server, that it reflects that info under the top source countries. We then have the events here, which you can click on, and then of course you have the sources, so these are the Snort event types, and these are actually the classifications; so we can see Potentially Bad Traffic, Attempted Information Leak, and you can just refresh your dashboard to get the latest. So we'll give that a couple of seconds, and you can also specify the actual interval period. I'll just wait for this; let's see if it's actually being logged, or whether we can see all of that. So I'll just go back into the dashboard here and we'll go into Search and Reporting, and if we click on the actual Data Summary and the Sources, we can see we have snort there and then the snort alert one. So we click on snort there. Okay, so this is bad traffic; that's really weird, because the source is snort. We had added two sources there, so Data Summary, let me just click on that there, and if we click on these sources there, this is the one that we want, ideally. Yeah, so that looks like the correct one there; yeah, that's the correct traffic. I think that's why the actual... let me see if I can find... so Snort Alert for Splunk, let me click on the app there, show filters; it should be displaying much more than that, because I know there aren't just four. So if we actually head over into the Snort Event Search here, we can search for... yeah, so this is only monitoring the pings, so that's weird. I'm not really sure why we have two data sources; I think it's to do with the fact that we had
so let me just go back here: Apps, Search, and sudo root. Let me just check that here, so cd local, vim inputs.conf. So there we are: the source is snort, we already specified the source as snort there, but it's also adding this particular, you know, the alert as a source as well, and then the source type is snort_alert_full, index main. Yeah, that should be working without any issues. I'm not really sure why that is the case, but we can actually customize what data set we want to use, so let me actually showcase how to do that right now.

So apologies about that; I actually figured out what the issue was. It was because the system I was running these particular attacks from wasn't even connected to the local network, and even though I was running these attacks, I did realize that of course they weren't working. So I've just reconnected it, and what I'm going to do is run this one more time. Just give me a second here, and I'll be able to do that one more time. Let me just navigate to that particular directory and we'll see whether this will work. You can see there's much more that's been captured in regards to events, and I'll be explaining this dashboard in a couple of seconds. So let me just launch that first type of check, and of course I'm using testmynids here. Unfortunately that wasn't even being logged, which is why I was a bit confused as to why those logs were not being displayed here. So I'll give that a couple of seconds and we'll be able to see this happen in real time as well.

All right, so that is done. I've essentially launched a couple of those tests, and as I said, this is your default dashboard that you're provided with here. You can refresh all of these panels here, if you will, so that'll display the latest, and as I said here, because I'd
performed the actual check and then connected to an external server, you can see that the top source countries are highlighted there. You can also refresh the number of events, as you can see here, and the number of sources, and you can do that for the rest of the panels as well. So these are the top 10 classifications in terms of events, if you will, and then the Snort event types, as you can see here. For example, in this case we have the attack-response id check, which, if we click on it right over here, you can see that it actually displays that, and you can then click on the signature itself, and this is for statistics. Now if you click on the Snort Event Search tab right over here, you can see that this allows you to search based on the source IP, the source port, the destination IP, the destination port and the event type; so I can check for attack responses based on the rule set that we had used previously, and I can also specify the timing, so that's really fantastic there. You can see that right over here we have that logged, which is fantastic, and if we click on the Snort World Map, that'll essentially, as you'll see in a couple of seconds, display the countries by the source IPs; in this case it should display the United States, which makes sense, and there we are. So again, this is extremely helpful, especially if you work in a SOC, and as I said, there are multiple security tools you can integrate with Splunk.

Now one thing that I wanted to highlight (I'll just go back to the Event Summary here, because this is very important) is that if you click on Edit you can set this as your main dashboard. So if you right-click here you can set this as your home dashboard, so I'll just click on that there, and now you'll see on your dashboard here, if I just close that top menu, that it will actually be displayed there. So give it a couple of seconds, and of course you can click on the cog wheel here
and essentially specify your default dashboard. Now there are a couple of other ones that are created by default, but yeah, you can have that on your dashboard. And if you click on the Snort Alert for Splunk here, and we'll just go back into that Snort Event Summary tab, you can actually edit the way these particular panels are tiled. You can convert it to a pre-built panel, you can get rid of it, you can also move them around based on your own requirements, and in this case, let's see if I can show you, you can actually select the visualization. In this case I think the default one is fine, and you can then view the report here. So if we click on this one here, for example, we could use the bar graph to display the number of the top source countries and have them displayed in a bar graph style, but we can just take it back into the pie chart there, and you can also change this for the events as well. If we wanted to view a trend we can click on the bar graph there; in this case I don't think that's formatted correctly, so if we just use the default one, which I believe was... I think it was... no, that wasn't the one. I believe it was, let's see if I can identify it here, it was the number. There we are, so 26. So as I said, you can customize this based on your own requirements; for example, this one might do well if it was in the form of a bar graph, so you can utilize that if you feel that it is appropriate. In this case we can also list the events themselves. Let's see which other ones look really good here. And yeah, once you're done with the customization you can then cancel or save based on your requirements, and you can also filter on
this particular tab here through the source IP, destination IP, etc. Let's see, what else did I want to highlight? Let me just refresh this once more, to essentially get the latest data, and you can see, in terms of the panels, this will display the last 100 attempts, and you can go through them like so. You can also view... I think we've gone through all of them, but you have the persistent sources, so two or more days of activity in the last 30 days, so you actually need a lot of data for that to be displayed or to give you anything useful. Yeah, so that is what I wanted to highlight in regards to the Snort Alert for Splunk app and the actual dashboards, which, as I said, it already does for you.

Now you can create your own dashboard, as I said, based on your own sources. If I go back into Apps and Search and Reporting, I'll just click on Data Summary there, and if I click on Sources you can click on this source here, for example, and in this case we can just click on that there, and I can click on Extract Fields, and you can extract the fields with regex. So I'll click on Next there, and you can then select the fields that you want. For example, in this case we would want the date and time, so I can just highlight that there and say time, for example, and add the extraction. Then of course we have the source IP and the port, but I'll just highlight them together; actually, I think it's recommended just to highlight the source IP there, so for source we can say src_ip and add that extraction. We then have the destination IP, which in this case, because this is an SNMP broadcast request, we know is the destination IP, so I'll say dst_ip and add the extraction. Let's see what else we can do. In this case it's saying: if you're extracting multiple fields, try removing one or more fields; start with the
extractions that are embedded within longer strings. Okay, so let's try and use another alert here that was kind of interesting. Let's see, it's not displaying all of them here, but you get the idea. Once you're done, for example, I can remove that field here (I'm just giving you an example of that), so remove that field, there we are. I can then say Next, and I can click on Validate and Save based on those fields there, hit Finish, and then I can go back to Search and Reporting. If I wanted to create a very simple visualization, which I'll show you right now, even though I don't really need those extracted fields (although they might be useful), I can click on those extracted fields. Now I believe they should have been added; I'm not really sure why they aren't being highlighted here. There we are, so source IP, and we can also specify the source port. There they are; they took a while to be displayed there. So source port, why not. Yeah, I think that's pretty much it, so based on those we can actually build an event type. However, if we go to Visualization and click on Pivot here, selected fields is five, hit OK, and we can visualize this however we want. For example, if I wanted a column chart here, number one will display the count; I can just add the events, because that's the count, and we should have at the bottom the time, which I did specify, we believe, within that range there, but that's not being highlighted here. So the number of events, and you can go ahead and click, as you can essentially save it. So you get the idea; you don't really need to do this, because we have the Snort app here, which pretty much gives you the summaries that are useful to you. And there we are, so fantastic. That's going to conclude the practical demonstration side of this video.

So thank you very much for watching this video. If you have any questions or suggestions, leave them in the
comments section. If you want to reach out to me, you can do so via Twitter or the Discord server; the links to both of those are in the description section. Furthermore, we are now moving on to part two, so this will conclude part one. Part two will be available on the Linode ON24 platform, so the videos are available on demand; all you need to do is click the link in the description and register for part two, after which an email will be sent to you and you'll be given immediate access to the videos within part two. So thank you very much for watching part one. In the next video, in part two, we'll take a look at host intrusion detection with OSSEC. I'll be seeing you in the next video.
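The field extraction the demo does by hand in Splunk (time, src_ip, dst_ip pulled out of a Snort alert line with a regex) and the per-classification and per-source counts that the Snort app's Event Summary panels show, as an added Python example that is not part of the video, of Splunk, or of the Snort Alert for Splunk app. It assumes Snort's single-line alert_fast output format; the sample alert lines, their signature IDs and the addresses in them are constructed.

```python
import re
from collections import Counter

# Regex for Snort's single-line alert_fast output (assumed format). Field names
# mirror the ones chosen in the demo (time, src_ip, dst_ip) plus the pieces the
# dashboard panels summarise (classification, event type / signature message).
ALERT_FAST_RE = re.compile(
    r"^(?P<time>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?\s+->\s+"   # ICMP lines carry no ports
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of extracted fields, or None if the line is not an alert_fast line."""
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields["priority"])
    return fields


def summarise(lines):
    """Counts like the Snort app's panels: total events, events per classification, per source IP."""
    by_class, by_src, events = Counter(), Counter(), 0
    for line in lines:
        f = parse_alert(line)
        if f is None:           # skip anything that is not a well-formed alert line
            continue
        events += 1
        by_class[f["classification"] or "unclassified"] += 1
        by_src[f["src_ip"]] += 1
    return {"events": events, "classifications": by_class, "sources": by_src}


# Constructed sample lines (not real captures); the SIDs are placeholders.
SAMPLE_ALERTS = [
    "08/10-14:02:11.123456  [**] [1:1000001:1] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.5:49152 -> 192.168.1.255:161",
    "08/10-14:02:30.654321  [**] [1:1000002:1] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10",
    "08/10-14:03:02.000001  [**] [1:1000003:2] ATTACK-RESPONSES id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.8:80 -> 192.168.1.5:51234",
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(parse_alert(alert))
    print(summarise(SAMPLE_ALERTS))
```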