WEBVTT 00:00:01.120 --> 00:00:03.520 hello everyone welcome back to the blue 00:00:03.520 --> 00:00:05.440 team training series brought to you by 00:00:05.440 --> 00:00:08.160 linode and hackersploit in this video 00:00:08.160 --> 00:00:10.160 we're going to be taking a look at how 00:00:10.160 --> 00:00:12.160 to set up or how to perform security 00:00:12.160 --> 00:00:14.400 vent monitoring with splunk more 00:00:14.400 --> 00:00:16.800 specifically uh splunk enterprise 00:00:16.800 --> 00:00:18.640 security right so the objective here 00:00:18.640 --> 00:00:21.439 will be to monitor uh intrusions and 00:00:21.439 --> 00:00:23.519 threats with splunk and you might be 00:00:23.519 --> 00:00:25.119 asking yourself well how are we going to 00:00:25.119 --> 00:00:28.400 do this what setup are we using well the 00:00:28.400 --> 00:00:30.480 scenario that i've set up for this video 00:00:30.480 --> 00:00:32.559 is we're essentially going to 00:00:32.559 --> 00:00:34.320 take all the knowledge that we've 00:00:34.320 --> 00:00:37.680 learned during the snort video and we 00:00:37.680 --> 00:00:39.360 are going to essentially forward all of 00:00:39.360 --> 00:00:42.719 the snort logs uh into splunk or have 00:00:42.719 --> 00:00:44.480 that done automatically through the 00:00:44.480 --> 00:00:47.680 splunk universal folder so that we get 00:00:47.680 --> 00:00:50.320 the latest logs when snort is running on 00:00:50.320 --> 00:00:52.399 our ubuntu virtual machine 00:00:52.399 --> 00:00:55.039 and the objective here is to use splunk 00:00:55.039 --> 00:00:58.000 in conjunction with the splunk snort app 00:00:58.000 --> 00:01:01.039 to essentially visualize and identify or 00:01:01.039 --> 00:01:03.359 monitor network intrusions and any 00:01:03.359 --> 00:01:04.479 malicious 00:01:04.479 --> 00:01:06.720 network traffic you know within the 00:01:06.720 --> 00:01:08.980 network that i'm monitoring 00:01:08.980 --> 00:01:19.360 [Music] 00:01:19.360 --> 00:01:21.680 at a 
very high level what will we be 00:01:21.680 --> 00:01:23.280 covering well firstly we'll get an 00:01:23.280 --> 00:01:25.439 introduction to splunk now before we 00:01:25.439 --> 00:01:28.400 move any forward or we actually carry on 00:01:28.400 --> 00:01:30.720 i do want to note that this video is not 00:01:30.720 --> 00:01:32.400 going to be focused on splunk 00:01:32.400 --> 00:01:34.640 fundamentals i'm going to be i'm going 00:01:34.640 --> 00:01:36.400 to assume that you already know what 00:01:36.400 --> 00:01:37.759 splunk is 00:01:37.759 --> 00:01:40.400 and how it can be used you know 00:01:40.400 --> 00:01:42.079 and how it's used generally speaking 00:01:42.079 --> 00:01:44.720 because splunk is not really a tool uh 00:01:44.720 --> 00:01:48.320 that is specific to security for example 00:01:48.320 --> 00:01:49.759 that's why they have the splunk 00:01:49.759 --> 00:01:52.720 enterprise security version or edition 00:01:52.720 --> 00:01:54.320 and i'm just going to assume that you 00:01:54.320 --> 00:01:56.079 know how to use splunk at a very basic 00:01:56.079 --> 00:01:58.320 level so once we get an introduction to 00:01:58.320 --> 00:02:00.960 splunk we'll go over splunk enterprise 00:02:00.960 --> 00:02:02.960 uh security at the enterprise the 00:02:02.960 --> 00:02:05.119 enterprise security edition and how it 00:02:05.119 --> 00:02:06.640 can be used for security event 00:02:06.640 --> 00:02:08.399 monitoring especially in our case 00:02:08.399 --> 00:02:10.879 because we want to essentially monitor 00:02:10.879 --> 00:02:13.280 uh the intrusion detection logs 00:02:13.280 --> 00:02:15.360 generated by snort 00:02:15.360 --> 00:02:16.800 so we'll then move on to deploying 00:02:16.800 --> 00:02:18.720 splunk enterprise security on linux 00:02:18.720 --> 00:02:20.640 which is absolutely fantastic because 00:02:20.640 --> 00:02:22.560 they have a cloud image 00:02:22.560 --> 00:02:24.560 available for it that allows you to spin 00:02:24.560 --> 
00:02:26.400 it up without going through the process 00:02:26.400 --> 00:02:28.720 of installing it and configuring it so 00:02:28.720 --> 00:02:30.720 that will set up that'll set it up for 00:02:30.720 --> 00:02:32.800 us we'll then take a look at how to 00:02:32.800 --> 00:02:35.280 configure splunk and how to set up the 00:02:35.280 --> 00:02:38.239 splunk universal folder on the ubuntu 00:02:38.239 --> 00:02:40.480 virtual machine that is running snot so 00:02:40.480 --> 00:02:42.319 that we can forward those logs into 00:02:42.319 --> 00:02:44.560 splunk uh and then of course we'll take 00:02:44.560 --> 00:02:46.720 a look at the splunk snot event uh 00:02:46.720 --> 00:02:49.519 dashboard that will be provided to us by 00:02:49.519 --> 00:02:50.400 the 00:02:50.400 --> 00:02:52.879 splunk snot app so if this sounds like a 00:02:52.879 --> 00:02:55.360 gibberish to you don't worry it'll make 00:02:55.360 --> 00:02:57.599 sense in a couple of uh in a couple of 00:02:57.599 --> 00:02:58.879 minutes 00:02:58.879 --> 00:03:00.959 with that being said uh given the fact 00:03:00.959 --> 00:03:02.800 that we're going to be using uh you know 00:03:02.800 --> 00:03:04.400 we're going to be using snort to 00:03:04.400 --> 00:03:06.959 generate alerts and monitor those alerts 00:03:06.959 --> 00:03:09.040 uh if you have not gone through these uh 00:03:09.040 --> 00:03:11.519 the actual snort video please do that as 00:03:11.519 --> 00:03:14.239 it will help you set up snot and you can 00:03:14.239 --> 00:03:16.400 then run through this demo with that 00:03:16.400 --> 00:03:19.280 being said this is not a holistic video 00:03:19.280 --> 00:03:20.800 that will cover everything you can do 00:03:20.800 --> 00:03:23.440 with splunk enterprise security we are 00:03:23.440 --> 00:03:25.120 just focused on 00:03:25.120 --> 00:03:27.760 the intrusion detection uh logs produced 00:03:27.760 --> 00:03:30.000 by snort and how they can be 00:03:30.000 --> 00:03:32.879 imported or 
forwarded to splunk for uh 00:03:32.879 --> 00:03:35.680 you know analysis and monitoring 00:03:35.680 --> 00:03:38.159 uh so the prerequisites are the same as 00:03:38.159 --> 00:03:39.760 the previous videos the only difference 00:03:39.760 --> 00:03:41.680 is uh you know that you need to have a 00:03:41.680 --> 00:03:43.840 basic familiarity with splunk and how to 00:03:43.840 --> 00:03:46.080 navigate around the various menu 00:03:46.080 --> 00:03:47.760 elements and 00:03:47.760 --> 00:03:49.680 essentially just how to use it at a very 00:03:49.680 --> 00:03:51.360 basic level if you're not familiar with 00:03:51.360 --> 00:03:54.239 splunk i'll give you a few resources at 00:03:54.239 --> 00:03:56.000 the end of the at the end of these 00:03:56.000 --> 00:03:58.159 slides uh that will help you out or help 00:03:58.159 --> 00:04:00.159 you get started 00:04:00.159 --> 00:04:01.760 all right so let's get an introduction 00:04:01.760 --> 00:04:04.239 to splunk so what is splunk that's the 00:04:04.239 --> 00:04:05.680 main question if you've never heard of 00:04:05.680 --> 00:04:08.480 splunk splunk is an extremely powerful 00:04:08.480 --> 00:04:10.400 platform that is used to analyze data 00:04:10.400 --> 00:04:13.360 and logs produced by systems or machines 00:04:13.360 --> 00:04:15.920 as splunk likes to call them so 00:04:15.920 --> 00:04:18.639 what problem is splunk trying to solve 00:04:18.639 --> 00:04:20.880 here well let's look at this from the 00:04:20.880 --> 00:04:24.880 perspective of web 2.0 or you know the 00:04:24.880 --> 00:04:26.720 the interconnected world we live in 00:04:26.720 --> 00:04:29.199 today and we're going to be looking at 00:04:29.199 --> 00:04:31.199 it from the context of from the 00:04:31.199 --> 00:04:33.360 perspective of security 00:04:33.360 --> 00:04:35.759 so if we take a simple system let's say 00:04:35.759 --> 00:04:38.720 we have a windows operating system or a 00:04:38.720 --> 00:04:41.360 system running windows 
well that windows 00:04:41.360 --> 00:04:44.880 system produces a lot of data or logs 00:04:44.880 --> 00:04:47.040 uh that you know that contain 00:04:47.040 --> 00:04:48.800 information that you know at a first 00:04:48.800 --> 00:04:51.600 glance might not seem that important but 00:04:51.600 --> 00:04:53.919 once you start getting into specific 00:04:53.919 --> 00:04:57.360 sectors like security those logs start 00:04:57.360 --> 00:04:59.680 uh you know those logs have uh you know 00:04:59.680 --> 00:05:02.080 very important value to organizations 00:05:02.080 --> 00:05:04.880 now multiply that by a thousand systems 00:05:04.880 --> 00:05:06.800 so let's say we have an organization 00:05:06.800 --> 00:05:08.560 they have a thousand computers within 00:05:08.560 --> 00:05:10.479 their network or you know distributed 00:05:10.479 --> 00:05:13.520 worldwide and all of these systems are 00:05:13.520 --> 00:05:14.960 you know need to be secured their 00:05:14.960 --> 00:05:17.919 security needs to be monitored so how do 00:05:17.919 --> 00:05:20.560 we monitor all of this well this is 00:05:20.560 --> 00:05:22.639 where splunk comes into play so splunk 00:05:22.639 --> 00:05:25.280 allows you to essentially funnel all of 00:05:25.280 --> 00:05:27.360 this data produced by systems or 00:05:27.360 --> 00:05:28.800 machines 00:05:28.800 --> 00:05:30.720 into splunk and then splunk allows you 00:05:30.720 --> 00:05:32.560 to monitor search and analyze this 00:05:32.560 --> 00:05:35.280 machine generated data and the logs 00:05:35.280 --> 00:05:37.840 through a web interface so in order to 00:05:37.840 --> 00:05:39.680 use splunk you'll need to import your 00:05:39.680 --> 00:05:42.479 own data or logs alternatively you can 00:05:42.479 --> 00:05:45.280 utilize the splunk universal folder to 00:05:45.280 --> 00:05:47.759 forward logs and data to splunk for 00:05:47.759 --> 00:05:51.360 analysis and of course visualization etc 00:05:51.360 --> 00:05:53.280 now splunk does 
so much more that i 00:05:53.280 --> 00:05:55.199 really can't go over all of the features 00:05:55.199 --> 00:05:56.880 here but as i said we're looking at this 00:05:56.880 --> 00:06:00.400 from the uh lens of a security engineer 00:06:00.400 --> 00:06:02.240 all right so splunk collates all the 00:06:02.240 --> 00:06:04.800 data and logs from various sources and 00:06:04.800 --> 00:06:06.720 provides you with a central index that 00:06:06.720 --> 00:06:08.800 you can search through splunk also 00:06:08.800 --> 00:06:11.039 provides you with robust visualization 00:06:11.039 --> 00:06:12.720 and reporting tools that allow you to 00:06:12.720 --> 00:06:15.360 identify the data that interests you 00:06:15.360 --> 00:06:17.440 transform the data into results and 00:06:17.440 --> 00:06:19.840 visualize the answers in the form of a 00:06:19.840 --> 00:06:23.280 report chart graph etc all right so what 00:06:23.280 --> 00:06:25.360 i'm saying here is that splunk allows 00:06:25.360 --> 00:06:28.080 you to take all of this security related 00:06:28.080 --> 00:06:31.600 logs and data and make sense of them and 00:06:31.600 --> 00:06:33.520 essentially get the answers that you're 00:06:33.520 --> 00:06:35.520 looking for so for example from the 00:06:35.520 --> 00:06:37.680 perspective of a security engineer what 00:06:37.680 --> 00:06:40.240 do you want from all of this data well 00:06:40.240 --> 00:06:42.160 at a very high level you want to know 00:06:42.160 --> 00:06:44.080 whether something is going wrong and 00:06:44.080 --> 00:06:46.400 what could go wrong in the context of 00:06:46.400 --> 00:06:48.800 security a network could be compromised 00:06:48.800 --> 00:06:50.560 there could be some malicious network 00:06:50.560 --> 00:06:53.120 traffic or activity going on a system 00:06:53.120 --> 00:06:55.919 could be compromised etc etc you get the 00:06:55.919 --> 00:06:58.160 idea so we need that data to be 00:06:58.160 --> 00:07:00.560 displayed to us as a security 
engineer 00:07:00.560 --> 00:07:02.560 and splunk is really one of the best 00:07:02.560 --> 00:07:04.960 tools uh you know when it comes down to 00:07:04.960 --> 00:07:08.000 you know taking a lot of data 00:07:08.000 --> 00:07:09.840 and then identifying the data that 00:07:09.840 --> 00:07:11.840 interests you transforming that data 00:07:11.840 --> 00:07:14.960 into results and then visualizing that 00:07:14.960 --> 00:07:17.360 data in the form of the report chart or 00:07:17.360 --> 00:07:19.759 graph right so that's really what we're 00:07:19.759 --> 00:07:21.599 going to be doing and as i said going 00:07:21.599 --> 00:07:23.520 back to the scenario we're going to be 00:07:23.520 --> 00:07:26.080 focusing on how to you know essentially 00:07:26.080 --> 00:07:28.800 get in or how to forward 00:07:28.800 --> 00:07:31.919 the logs created or the logs and alerts 00:07:31.919 --> 00:07:33.360 created by 00:07:33.360 --> 00:07:36.000 snort into splunk for analysis and 00:07:36.000 --> 00:07:39.280 luckily for us splunk has a snort app or 00:07:39.280 --> 00:07:40.960 plug-in if you will that that will 00:07:40.960 --> 00:07:43.680 essentially simplify this process 00:07:43.680 --> 00:07:44.800 so 00:07:44.800 --> 00:07:47.360 let's get an idea as to you know how we 00:07:47.360 --> 00:07:49.120 can use splunk for security when 00:07:49.120 --> 00:07:51.759 monitoring so splunk enterprise security 00:07:51.759 --> 00:07:54.800 also known as splunk es is a security 00:07:54.800 --> 00:07:56.800 information and event management 00:07:56.800 --> 00:07:59.199 solution also known as a seam 00:07:59.199 --> 00:08:01.360 it is used to but is used by security 00:08:01.360 --> 00:08:03.680 teams to quickly detect and respond to 00:08:03.680 --> 00:08:06.160 internal and external attacks or threats 00:08:06.160 --> 00:08:09.680 or intrusions so splunk es can be used 00:08:09.680 --> 00:08:11.759 for security when monitoring incident 00:08:11.759 --> 00:08:14.240 response 
and running a sock or security 00:08:14.240 --> 00:08:15.919 operations center 00:08:15.919 --> 00:08:18.080 in this video we'll be using splunk es 00:08:18.080 --> 00:08:20.000 to monitor and visualize the snort 00:08:20.000 --> 00:08:22.240 intrusion alerts this will be 00:08:22.240 --> 00:08:24.400 facilitated through the help of the snot 00:08:24.400 --> 00:08:26.639 app for splunk and the splunk universal 00:08:26.639 --> 00:08:29.280 folder now the splunk universal folder 00:08:29.280 --> 00:08:31.199 is pretty much the most important 00:08:31.199 --> 00:08:33.039 element of what we'll be exploring 00:08:33.039 --> 00:08:35.200 because what it does and this is really 00:08:35.200 --> 00:08:37.200 cool is it allow it automatically 00:08:37.200 --> 00:08:39.279 forwards the latest logs 00:08:39.279 --> 00:08:40.479 even when 00:08:40.479 --> 00:08:42.479 when snot is running it forwards those 00:08:42.479 --> 00:08:45.040 alerts and logs into splunk and you can 00:08:45.040 --> 00:08:46.560 see them in real time which is 00:08:46.560 --> 00:08:49.440 absolutely fantastic 00:08:49.440 --> 00:08:52.320 so as i said if you're new to splunk 00:08:52.320 --> 00:08:54.800 then these resources are really helpful 00:08:54.800 --> 00:08:57.120 for you so splunk offer really great 00:08:57.120 --> 00:08:59.040 tutorials and courses designed for 00:08:59.040 --> 00:09:00.720 absolute beginners you can check that 00:09:00.720 --> 00:09:02.959 out by clicking on the link within this 00:09:02.959 --> 00:09:05.600 slide and you can learn more about the 00:09:05.600 --> 00:09:08.160 splunk enterprise security edition from 00:09:08.160 --> 00:09:09.760 that particular link 00:09:09.760 --> 00:09:11.040 now as i said we're going to be 00:09:11.040 --> 00:09:12.240 deploying 00:09:12.240 --> 00:09:15.200 uh splunk on linux more specifically 00:09:15.200 --> 00:09:17.120 splunk es and this is the lab 00:09:17.120 --> 00:09:19.200 environment so we're going to spin up uh 
00:09:19.200 --> 00:09:21.519 you know splunk yes on linux now again 00:09:21.519 --> 00:09:23.279 to follow through with this as uh you 00:09:23.279 --> 00:09:25.760 know linux has been absolutely fantastic 00:09:25.760 --> 00:09:28.320 with uh you know by providing uh all of 00:09:28.320 --> 00:09:30.959 you guys uh with a way to get a hundred 00:09:30.959 --> 00:09:33.279 dollars in free linux credit all you 00:09:33.279 --> 00:09:35.120 need to do is just click the link in the 00:09:35.120 --> 00:09:37.440 description section and sign up and a 00:09:37.440 --> 00:09:39.040 hundred dollars will be added to your 00:09:39.040 --> 00:09:40.959 account so that you can follow along 00:09:40.959 --> 00:09:43.279 with this series um so we're going to 00:09:43.279 --> 00:09:45.200 set up splunk yes on linux and then 00:09:45.200 --> 00:09:47.279 within my internal network uh we're just 00:09:47.279 --> 00:09:49.040 gonna have a very basic infrastructure 00:09:49.040 --> 00:09:50.399 we're going to have the ubuntu virtual 00:09:50.399 --> 00:09:52.880 machine that is running snot this is the 00:09:52.880 --> 00:09:54.880 same virtual machine that we had set up 00:09:54.880 --> 00:09:57.680 and used uh to set up snort and set up 00:09:57.680 --> 00:09:59.839 suricata and the one we had used with 00:09:59.839 --> 00:10:01.360 wazoo 00:10:01.360 --> 00:10:03.519 and yeah that's essentially it we're 00:10:03.519 --> 00:10:04.720 going to have a very basic 00:10:04.720 --> 00:10:06.399 infrastructure where we have an attacker 00:10:06.399 --> 00:10:08.560 system that i'm going to be using to 00:10:08.560 --> 00:10:09.519 perform 00:10:09.519 --> 00:10:11.600 uh a bit of uh you know network 00:10:11.600 --> 00:10:15.040 intrusion detection uh emulation whereby 00:10:15.040 --> 00:10:17.519 i will essentially perform or run a 00:10:17.519 --> 00:10:20.880 couple of commands or uh or scripts to 00:10:20.880 --> 00:10:23.279 essentially emulate malicious network 00:10:23.279 --> 
00:10:26.160 activity so that these logs are uh are 00:10:26.160 --> 00:10:28.320 essentially or so so this traffic is 00:10:28.320 --> 00:10:29.839 essentially logged and that will provide 00:10:29.839 --> 00:10:32.800 us with a good idea as to how helpful 00:10:32.800 --> 00:10:35.279 splunk is for security event monitoring 00:10:35.279 --> 00:10:37.760 especially in the context of our network 00:10:37.760 --> 00:10:40.320 intrusions 00:10:40.320 --> 00:10:41.920 so as i said you don't really need to 00:10:41.920 --> 00:10:44.240 have a windows workstation you simply 00:10:44.240 --> 00:10:46.000 need to have the ubuntu vm and you can 00:10:46.000 --> 00:10:48.800 pretty much run everything from it and 00:10:48.800 --> 00:10:50.560 of course you can set up the splunk 00:10:50.560 --> 00:10:52.000 enterprise 00:10:52.000 --> 00:10:54.240 enterprise security server on linux 00:10:54.240 --> 00:10:56.480 without any issues 00:10:56.480 --> 00:10:58.399 so that's the lab environment we can now 00:10:58.399 --> 00:11:00.000 get started with the practical 00:11:00.000 --> 00:11:01.440 demonstration so i'm going to switch 00:11:01.440 --> 00:11:05.040 over to my ubuntu virtual machine 00:11:05.040 --> 00:11:07.600 all right so i'm back on my ubuntu 00:11:07.600 --> 00:11:09.360 virtual machine and you can see i have 00:11:09.360 --> 00:11:11.279 linux opened up here 00:11:11.279 --> 00:11:13.279 i haven't set anything up yet because 00:11:13.279 --> 00:11:14.640 we're going to be walking through the 00:11:14.640 --> 00:11:16.079 process together 00:11:16.079 --> 00:11:18.959 i then have the splunk.com website here 00:11:18.959 --> 00:11:21.040 so if you're new to splunk then you need 00:11:21.040 --> 00:11:22.640 to create a new account in order to 00:11:22.640 --> 00:11:25.040 follow along so uh just head over to 00:11:25.040 --> 00:11:27.279 head over to splunk.com and you know 00:11:27.279 --> 00:11:29.519 register for an account it's free 00:11:29.519 --> 
00:11:31.120 once that is done 00:11:31.120 --> 00:11:33.120 you'll need to activate your account or 00:11:33.120 --> 00:11:35.120 verify your account through the email or 00:11:35.120 --> 00:11:36.880 the verification email 00:11:36.880 --> 00:11:39.680 they'll send you once that is done 00:11:39.680 --> 00:11:41.279 we can then move forward because in 00:11:41.279 --> 00:11:44.320 order to access the actual um 00:11:44.320 --> 00:11:46.800 splunk universal folder you'll need to 00:11:46.800 --> 00:11:48.720 have an account and of course um you 00:11:48.720 --> 00:11:50.639 know in this case i'll be going through 00:11:50.639 --> 00:11:52.800 everything as we move along in a 00:11:52.800 --> 00:11:55.519 structured uh in a structured manner and 00:11:55.519 --> 00:11:59.120 then to perform the actual nids 00:11:59.120 --> 00:12:00.160 tests 00:12:00.160 --> 00:12:01.920 we are going to be using the test 00:12:01.920 --> 00:12:03.839 mynids.org 00:12:03.839 --> 00:12:06.480 project which is on github so this is 00:12:06.480 --> 00:12:08.880 essentially a bash script 00:12:08.880 --> 00:12:11.440 that allows you to as you can see here 00:12:11.440 --> 00:12:13.279 it allows you to essentially emulate or 00:12:13.279 --> 00:12:16.800 simulate malicious network traffic so uh 00:12:16.800 --> 00:12:19.440 previously we had used the website uh 00:12:19.440 --> 00:12:21.279 the website technique to essentially get 00:12:21.279 --> 00:12:23.760 a linux uid and that traffic would be 00:12:23.760 --> 00:12:26.240 logged as malicious or 00:12:26.240 --> 00:12:27.760 it could be logged as a potential 00:12:27.760 --> 00:12:30.000 intrusion and we can run a few other 00:12:30.000 --> 00:12:33.360 checks like an http basic authentication 00:12:33.360 --> 00:12:35.519 bad certificate authorities 00:12:35.519 --> 00:12:38.639 uh an exe or dll download over http so 00:12:38.639 --> 00:12:40.720 you know just we can run tests that are 00:12:40.720 --> 00:12:42.959 you know will 
just make our 00:12:42.959 --> 00:12:45.440 intrusion detection system uh blow up in 00:12:45.440 --> 00:12:47.600 terms of alerts and that's what we want 00:12:47.600 --> 00:12:49.519 because we want to see how that data is 00:12:49.519 --> 00:12:52.160 presented to us as a security engineer 00:12:52.160 --> 00:12:55.040 on splunk with that being said the first 00:12:55.040 --> 00:12:57.680 step of course is to set up splunk es on 00:12:57.680 --> 00:12:58.880 linux so 00:12:58.880 --> 00:13:01.680 just click on uh click on create and a 00:13:01.680 --> 00:13:04.079 linux and click on marketplace 00:13:04.079 --> 00:13:06.399 and they already have splunk here so 00:13:06.399 --> 00:13:08.480 there we are you can click on that there 00:13:08.480 --> 00:13:10.240 and if you click on this little info 00:13:10.240 --> 00:13:12.399 button here it'll give you an idea as to 00:13:12.399 --> 00:13:14.320 how to deploy it on 00:13:14.320 --> 00:13:16.480 uh on linux and of course you have more 00:13:16.480 --> 00:13:18.399 information regarding splunk so you have 00:13:18.399 --> 00:13:20.480 the documentation link there so i'll 00:13:20.480 --> 00:13:22.959 just click on splunk 00:13:22.959 --> 00:13:24.639 once that is clicked we can then head 00:13:24.639 --> 00:13:26.720 over here you'll need to specify the 00:13:26.720 --> 00:13:28.959 splunk admin user i recommend using 00:13:28.959 --> 00:13:31.600 admin to begin with and then specify a 00:13:31.600 --> 00:13:33.440 password 00:13:33.440 --> 00:13:35.519 if you're setting up you know splunk on 00:13:35.519 --> 00:13:37.600 a domain then you can specify the 00:13:37.600 --> 00:13:39.839 lynnode api token to essentially create 00:13:39.839 --> 00:13:42.320 the dns records that's if you're using 00:13:42.320 --> 00:13:43.839 linux dns 00:13:43.839 --> 00:13:45.839 dns service 00:13:45.839 --> 00:13:47.519 uh and then of course you need to add 00:13:47.519 --> 00:13:49.519 the admin email for the server so in 
00:13:49.519 --> 00:13:52.000 this case i can just say for example 00:13:52.000 --> 00:13:54.000 hackersploit 00:13:54.000 --> 00:13:55.519 gmail.com 00:13:55.519 --> 00:13:57.360 don't spam me on this email because i 00:13:57.360 --> 00:13:59.519 don't respond anyway so we can create 00:13:59.519 --> 00:14:01.040 another user 00:14:01.040 --> 00:14:02.480 uh so this is the username for the 00:14:02.480 --> 00:14:04.720 lynnode admins ssh user please ensure 00:14:04.720 --> 00:14:06.480 that the username does not contain any 00:14:06.480 --> 00:14:08.880 so we can just call this admin and then 00:14:08.880 --> 00:14:11.360 for the admin user we'll just say 00:14:11.360 --> 00:14:13.199 provide that there 00:14:13.199 --> 00:14:14.800 so the image we're going to set it up on 00:14:14.800 --> 00:14:18.079 ubuntu 20.04 the region i'll say london 00:14:18.079 --> 00:14:19.920 because that's closest to me 00:14:19.920 --> 00:14:22.240 as for the actual linux plan 00:14:22.240 --> 00:14:24.720 linux es doesn't require that many 00:14:24.720 --> 00:14:26.480 resources especially because you know 00:14:26.480 --> 00:14:28.720 the amount of data that we're processing 00:14:28.720 --> 00:14:30.959 on the logs that are being forwarded to 00:14:30.959 --> 00:14:34.320 splunk are relatively few so less than 00:14:34.320 --> 00:14:36.160 100 which if you've used splunk before 00:14:36.160 --> 00:14:37.920 for security vent monitoring you know 00:14:37.920 --> 00:14:39.040 that that is 00:14:39.040 --> 00:14:41.199 like really really small in fl in in 00:14:41.199 --> 00:14:43.199 fact splunk will actually tell you that 00:14:43.199 --> 00:14:44.959 you know the amount of data 00:14:44.959 --> 00:14:47.519 to begin with that you have imported or 00:14:47.519 --> 00:14:49.680 you afforded is too little to make any 00:14:49.680 --> 00:14:50.880 sense off 00:14:50.880 --> 00:14:52.480 but that's where the snort app for 00:14:52.480 --> 00:14:54.800 splunk comes into play so i'll 
just say 00:14:54.800 --> 00:14:56.000 splunk 00:14:56.000 --> 00:14:58.160 and i'll provide my root password for 00:14:58.160 --> 00:14:59.360 the server 00:14:59.360 --> 00:15:02.079 and we can click on create 00:15:02.079 --> 00:15:03.360 all right now 00:15:03.360 --> 00:15:06.079 uh once this is set up and provisioned 00:15:06.079 --> 00:15:08.079 the actual installer is going to begin 00:15:08.079 --> 00:15:10.079 so it's going to set up because there is 00:15:10.079 --> 00:15:12.800 an auto installer setup that will set up 00:15:12.800 --> 00:15:15.199 splunk yes for you so uh let it 00:15:15.199 --> 00:15:16.880 provision after that's done you can 00:15:16.880 --> 00:15:19.199 launch the lish console to avoid logging 00:15:19.199 --> 00:15:22.160 in via ssh and of course one thing that 00:15:22.160 --> 00:15:24.000 i need to that i don't need to tell you 00:15:24.000 --> 00:15:25.680 is if you're setting this up for 00:15:25.680 --> 00:15:27.680 production then you need to make sure 00:15:27.680 --> 00:15:29.759 you're securing your server so do only 00:15:29.759 --> 00:15:32.720 use ssh keys for authentication with the 00:15:32.720 --> 00:15:33.759 server 00:15:33.759 --> 00:15:35.920 if you're new to hardening and securing 00:15:35.920 --> 00:15:37.759 a linux server you can check out the 00:15:37.759 --> 00:15:39.360 previous series 00:15:39.360 --> 00:15:41.920 that we did with linux the linux server 00:15:41.920 --> 00:15:44.800 security series uh that'll give you uh 00:15:44.800 --> 00:15:46.959 you know all the information you need to 00:15:46.959 --> 00:15:49.759 secure a linux server for production 00:15:49.759 --> 00:15:50.959 with that being said i'm just going to 00:15:50.959 --> 00:15:52.800 let it provision after which we can 00:15:52.800 --> 00:15:54.560 launch the english console to see what's 00:15:54.560 --> 00:15:56.639 going on in the background and we can 00:15:56.639 --> 00:15:58.800 then get started uh you know officially 00:15:58.800 
--> 00:16:00.000 with um 00:16:00.000 --> 00:16:01.839 with how to set up splunk we then need 00:16:01.839 --> 00:16:04.720 to set up the universal folder 00:16:04.720 --> 00:16:08.639 so uh this is booting now 00:16:08.639 --> 00:16:11.120 all right so the server is booted and 00:16:11.120 --> 00:16:12.800 you can see i've just opened up the lish 00:16:12.800 --> 00:16:14.320 console here 00:16:14.320 --> 00:16:15.920 to essentially view what's going on as 00:16:15.920 --> 00:16:18.000 you can see it's begun setting up a 00:16:18.000 --> 00:16:20.399 splunk yes so just give this a couple of 00:16:20.399 --> 00:16:21.519 minutes 00:16:21.519 --> 00:16:23.279 to essentially begin 00:16:23.279 --> 00:16:25.600 um and once it's done it'll actually 00:16:25.600 --> 00:16:27.360 tell you that it'll provide you with the 00:16:27.360 --> 00:16:28.800 login prompt 00:16:28.800 --> 00:16:30.399 but it's probably logged in as the root 00:16:30.399 --> 00:16:32.000 user already so 00:16:32.000 --> 00:16:33.759 uh just let this complete i'm just gonna 00:16:33.759 --> 00:16:36.880 wait for this to actually conclude 00:16:36.880 --> 00:16:40.000 all right so once uh splunk es is done 00:16:40.000 --> 00:16:42.880 uh or the actual uh linode is done here 00:16:42.880 --> 00:16:44.320 with the setup you can see it's gonna 00:16:44.320 --> 00:16:46.240 tell you installation complete 00:16:46.240 --> 00:16:48.160 and you can then log in uh keep this 00:16:48.160 --> 00:16:49.519 window open because this is going to be 00:16:49.519 --> 00:16:50.880 very important as we'll need to 00:16:50.880 --> 00:16:53.440 configure a few firewall rules because 00:16:53.440 --> 00:16:56.320 uh by default this linux comes with ufw 00:16:56.320 --> 00:16:58.720 which is the uncomplicated firewall for 00:16:58.720 --> 00:17:00.079 debian or 00:17:00.079 --> 00:17:02.000 it typically comes pre-packaged with 00:17:02.000 --> 00:17:04.959 debian-based distributions like ubuntu 00:17:04.959 --> 
00:17:06.559 in this case it's already added the 00:17:06.559 --> 00:17:08.400 firewall rule for the port that we 00:17:08.400 --> 00:17:10.000 wanted but just keep it open because 00:17:10.000 --> 00:17:12.559 we'll need to run a few checks um so you 00:17:12.559 --> 00:17:14.000 can log in there so i'm just going to 00:17:14.000 --> 00:17:15.679 log in with the credentials that i 00:17:15.679 --> 00:17:18.720 specified as the root user and i can 00:17:18.720 --> 00:17:22.160 just say sudo ufw status 00:17:22.160 --> 00:17:23.839 um 00:17:23.839 --> 00:17:25.439 and you can see these are all the 00:17:25.439 --> 00:17:28.160 allowed rules or the actual rules 00:17:28.160 --> 00:17:30.400 configured for the firewall which is 00:17:30.400 --> 00:17:32.400 looking good uh so far 00:17:32.400 --> 00:17:35.679 so we can access the splunk es instance 00:17:35.679 --> 00:17:37.840 that we set up by pasting in the ip of 00:17:37.840 --> 00:17:42.080 the server and and opening up port 8000 00:17:42.080 --> 00:17:44.080 that's going to open up splunk yes for 00:17:44.080 --> 00:17:45.760 you so just give this a couple of 00:17:45.760 --> 00:17:48.240 seconds there we are and the credentials 00:17:48.240 --> 00:17:50.880 that we had used were admin and the 00:17:50.880 --> 00:17:53.280 password that i created uh that you know 00:17:53.280 --> 00:17:54.559 of course you'll you'll be able to 00:17:54.559 --> 00:17:57.200 specify yourself so just sign in 00:17:57.200 --> 00:17:59.919 um and once that is done you'll be 00:17:59.919 --> 00:18:03.360 brought to splunk enterprise 00:18:03.360 --> 00:18:05.360 security here so there we are explore 00:18:05.360 --> 00:18:07.200 splunk enterprise 00:18:07.200 --> 00:18:10.000 uh and um 00:18:10.000 --> 00:18:11.360 in this case what we're going to be 00:18:11.360 --> 00:18:14.080 doing what we're going to start off with 00:18:14.080 --> 00:18:16.240 is we need to go through a few 00:18:16.240 --> 00:18:18.720 configuration uh changes 
with splunk 00:18:18.720 --> 00:18:19.760 itself 00:18:19.760 --> 00:18:22.880 so the idea firstly is to configure 00:18:22.880 --> 00:18:25.600 uh the actual uh rece the receiving of 00:18:25.600 --> 00:18:27.360 data so if you head over into settings 00:18:27.360 --> 00:18:29.440 you can click on under data just click 00:18:29.440 --> 00:18:31.840 on forwarding and receiving 00:18:31.840 --> 00:18:34.400 uh and once that is done once that is 00:18:34.400 --> 00:18:35.760 loaded up 00:18:35.760 --> 00:18:38.080 um under received data we need to 00:18:38.080 --> 00:18:40.000 configure this instance to receive data 00:18:40.000 --> 00:18:41.600 forwarded from other instances so we 00:18:41.600 --> 00:18:43.520 want to configure receiving 00:18:43.520 --> 00:18:45.120 and we just want to set the default 00:18:45.120 --> 00:18:46.799 receiving port 00:18:46.799 --> 00:18:50.400 so we can say new receiving port 00:18:50.400 --> 00:18:52.160 and the port is of course going to be 00:18:52.160 --> 00:18:54.799 the default which is 9997 which is why 00:18:54.799 --> 00:18:56.640 that firewall rule was added so i'll 00:18:56.640 --> 00:18:58.880 click on save 00:18:58.880 --> 00:19:01.200 all right so once that is done we can 00:19:01.200 --> 00:19:03.520 now install the snot 00:19:03.520 --> 00:19:06.240 app for splunk so click on apps and head 00:19:06.240 --> 00:19:08.480 over into find more apps 00:19:08.480 --> 00:19:11.360 and because the ubuntu server is running 00:19:11.360 --> 00:19:13.120 or the ubuntu vm that i'm currently 00:19:13.120 --> 00:19:15.919 working on is running snot 2 we'll need 00:19:15.919 --> 00:19:18.160 the appropriate uh app here so i'll just 00:19:18.160 --> 00:19:20.160 search for snot there and we're not 00:19:20.160 --> 00:19:22.320 looking for these note 3 json alerts 00:19:22.320 --> 00:19:24.320 although that you know could be quite 00:19:24.320 --> 00:19:26.480 useful but we want the snort alert for 00:19:26.480 --> 00:19:28.720 splunk 
all right so this app provides 00:19:28.720 --> 00:19:30.880 field extraction so that's really great 00:19:30.880 --> 00:19:32.400 because performing your own field 00:19:32.400 --> 00:19:34.960 extractions uh you know using regex 00:19:34.960 --> 00:19:36.400 can be quite difficult if you're a 00:19:36.400 --> 00:19:39.360 beginner so fast and full 00:19:39.360 --> 00:19:42.400 as well as dashboards uh saved searches 00:19:42.400 --> 00:19:45.600 reports event types tags and event 00:19:45.600 --> 00:19:48.080 search interfaces so we'll install that 00:19:48.080 --> 00:19:50.240 now you'll need to log in with the 00:19:50.240 --> 00:19:52.400 your splunk account credentials that you 00:19:52.400 --> 00:19:55.120 uh you know that you actually created on 00:19:55.120 --> 00:19:57.760 splunk.com so i'll just fill in my 00:19:57.760 --> 00:20:00.400 information really quickly 00:20:00.400 --> 00:20:02.240 all right so i've put in my username and 00:20:02.240 --> 00:20:04.240 password so i'll just say i'll accept 00:20:04.240 --> 00:20:06.320 the terms and conditions there so log in 00:20:06.320 --> 00:20:07.600 and install 00:20:07.600 --> 00:20:09.280 that's going to install it there we are 00:20:09.280 --> 00:20:10.880 so we'll just hit done 00:20:10.880 --> 00:20:13.360 now that is done if we head back over 00:20:13.360 --> 00:20:16.400 into our dashboard so i'll just click on 00:20:16.400 --> 00:20:18.400 splunk enterprise there 00:20:18.400 --> 00:20:20.720 and you can now see we have snort alert 00:20:20.720 --> 00:20:23.039 for splunk so that's it already 00:20:23.039 --> 00:20:25.600 comes pre-configured with a dashboard 00:20:25.600 --> 00:20:28.000 um so we'll just let this uh load up 00:20:28.000 --> 00:20:30.000 here and you can see that we don't have 00:20:30.000 --> 00:20:32.480 any data yet so uh this will display 00:20:32.480 --> 00:20:34.559 your events and sources top source 00:20:34.559 --> 00:20:36.480 countries the events this is very 
00:20:36.480 --> 00:20:38.480 important the sources top 10 00:20:38.480 --> 00:20:41.039 classifications so that will classify uh 00:20:41.039 --> 00:20:44.400 your alerts uh in in terms of uh the 00:20:44.400 --> 00:20:46.640 type which again will make sense uh in a 00:20:46.640 --> 00:20:49.280 couple of seconds uh so now that that is 00:20:49.280 --> 00:20:51.600 done we actually need to configure 00:20:51.600 --> 00:20:54.480 the actual splunk universal forwarder so 00:20:54.480 --> 00:20:56.480 i'll just open that up in a new tab it's 00:20:56.480 --> 00:20:59.120 absolutely free to download the debian 00:20:59.120 --> 00:21:01.840 client or the uh the splunk universal 00:21:01.840 --> 00:21:04.159 forwarder debian package so universal 00:21:04.159 --> 00:21:06.960 forwarders uh provide reliable secure 00:21:06.960 --> 00:21:09.440 data collection from remote from remote 00:21:09.440 --> 00:21:11.520 sources and forward that data into 00:21:11.520 --> 00:21:14.159 splunk software for indexing and 00:21:14.159 --> 00:21:16.880 consolidation they can scale to tens of 00:21:16.880 --> 00:21:18.799 thousands of remote systems collecting 00:21:18.799 --> 00:21:20.720 terabytes of data so 00:21:20.720 --> 00:21:23.039 again you can actually see why splunk is 00:21:23.039 --> 00:21:25.360 so powerful and why it's widely uh used 00:21:25.360 --> 00:21:27.440 and deployed because of the fact that 00:21:27.440 --> 00:21:30.480 you can literally uh you know be you can 00:21:30.480 --> 00:21:32.640 literally forward a ton of data from a 00:21:32.640 --> 00:21:35.840 ton of systems into splunk so because 00:21:35.840 --> 00:21:38.480 the uh because snort is running on this 00:21:38.480 --> 00:21:40.480 ubuntu vm we need the debian package so 00:21:40.480 --> 00:21:41.919 i'll click on linux and we want the 00:21:41.919 --> 00:21:45.039 64-bit version again you can choose one 00:21:45.039 --> 00:21:46.559 based on your requirements so if you're 00:21:46.559 --> 00:21:49.840 running 
on red hat fedora or centos you 00:21:49.840 --> 00:21:51.520 can use the rpm package so i'll just 00:21:51.520 --> 00:21:54.559 download the debian package here 00:21:54.559 --> 00:21:56.080 give that a couple of seconds it's then 00:21:56.080 --> 00:21:58.240 going to begin downloading it and then 00:21:58.240 --> 00:22:00.000 i'll walk you through the setup process 00:22:00.000 --> 00:22:01.840 so there we are 00:22:01.840 --> 00:22:05.120 it's begun the setup 00:22:07.360 --> 00:22:09.440 and once that is done i'll open up my 00:22:09.440 --> 00:22:10.799 terminal so that's saved in the 00:22:10.799 --> 00:22:12.960 downloads directory so 00:22:12.960 --> 00:22:14.320 if we check if we head over into the 00:22:14.320 --> 00:22:15.840 downloads directory you can see we have 00:22:15.840 --> 00:22:17.919 the splunk forwarder debian package 00:22:17.919 --> 00:22:19.200 there 00:22:19.200 --> 00:22:21.679 so what we want to do firstly is we want 00:22:21.679 --> 00:22:25.120 to move this package uh into the actual 00:22:25.120 --> 00:22:28.080 opt directory on linux uh which will 00:22:28.080 --> 00:22:30.880 essentially allow us to uh you know to 00:22:30.880 --> 00:22:33.360 to set it up as as optional software and 00:22:33.360 --> 00:22:35.280 it's really good to have all that 00:22:35.280 --> 00:22:38.240 optional software stored in the opt 00:22:38.240 --> 00:22:42.240 directory so uh once that is done uh 00:22:42.240 --> 00:22:44.320 once that's downloaded we can say uh 00:22:44.320 --> 00:22:45.600 move 00:22:45.600 --> 00:22:48.480 splunk forwarder into opt 00:22:48.480 --> 00:22:50.400 and we'll need sudo privileges so i'll 00:22:50.400 --> 00:22:52.559 say sudo move there we are and i'll just 00:22:52.559 --> 00:22:55.120 type in my password fantastic so we'll 00:22:55.120 --> 00:22:57.360 now navigate to the opt directory and to 00:22:57.360 --> 00:23:00.320 install this we can say sudo apt 00:23:00.320 --> 00:23:02.960 and then we can specify install so 
we 00:23:02.960 --> 00:23:05.120 can say sudo apt install 00:23:05.120 --> 00:23:06.960 and then we specify the package itself 00:23:06.960 --> 00:23:09.440 so splunk forwarder 00:23:09.440 --> 00:23:11.440 and we're just going to hit enter that's 00:23:11.440 --> 00:23:13.520 going to install it for you 00:23:13.520 --> 00:23:16.880 give that a couple of seconds 00:23:19.440 --> 00:23:21.520 all right so once that is installed if 00:23:21.520 --> 00:23:23.039 you list out the contents of this 00:23:23.039 --> 00:23:24.559 directory you're going to have a 00:23:24.559 --> 00:23:26.559 splunkforwarder directory here so i'll say cd 00:23:26.559 --> 00:23:29.200 splunkforwarder and under the binary 00:23:29.200 --> 00:23:31.200 directory we can navigate to that here 00:23:31.200 --> 00:23:32.720 we'll need to start 00:23:32.720 --> 00:23:35.600 us we'll need to start splunk so we will 00:23:35.600 --> 00:23:37.280 say uh sudo 00:23:37.280 --> 00:23:39.039 and the binary we want to run is called 00:23:39.039 --> 00:23:41.279 splunk and we'll accept the license uh 00:23:41.279 --> 00:23:42.799 the reason we're doing this is because 00:23:42.799 --> 00:23:44.799 we need to configure it so we need to 00:23:44.799 --> 00:23:46.799 specify the username and password or you 00:23:46.799 --> 00:23:49.279 know create a username and password 00:23:49.279 --> 00:23:52.000 and once that is done uh you'll actually 00:23:52.000 --> 00:23:53.360 see what that looks like so i'll just 00:23:53.360 --> 00:23:55.679 say accept the license 00:23:55.679 --> 00:23:56.640 and 00:23:56.640 --> 00:23:59.200 you can see in this case let's see if i 00:23:59.200 --> 00:24:01.200 typed that in correctly that should 00:24:01.200 --> 00:24:03.600 actually start so splunk start i did not 00:24:03.600 --> 00:24:05.440 specify start there 00:24:05.440 --> 00:24:06.799 there we are so please enter an 00:24:06.799 --> 00:24:09.679 administrator name i'll just say admin 00:24:09.679 --> 00:24:12.000 so again 
splunk software must create an 00:24:12.000 --> 00:24:14.320 administrator account during startup 00:24:14.320 --> 00:24:16.559 otherwise you cannot log in so create 00:24:16.559 --> 00:24:18.159 credentials for the administrator 00:24:18.159 --> 00:24:19.279 account 00:24:19.279 --> 00:24:20.640 um 00:24:20.640 --> 00:24:22.320 so in this case uh you know you can 00:24:22.320 --> 00:24:23.600 create whatever you want i'm just going 00:24:23.600 --> 00:24:26.000 to fill in my credentials here 00:24:26.000 --> 00:24:28.640 all right so i've just entered my 00:24:28.640 --> 00:24:30.320 administrator username and then of 00:24:30.320 --> 00:24:32.400 course my password so 00:24:32.400 --> 00:24:33.840 that is done 00:24:33.840 --> 00:24:36.240 uh so it'll go through um 00:24:36.240 --> 00:24:37.760 it'll essentially go through and check 00:24:37.760 --> 00:24:40.400 the prerequisites uh new certs have been 00:24:40.400 --> 00:24:42.960 generated in the following directory 00:24:42.960 --> 00:24:45.200 and all the preliminary checks have 00:24:45.200 --> 00:24:47.520 passed so starting the splunk server 00:24:47.520 --> 00:24:49.440 daemon so that's started you can also 00:24:49.440 --> 00:24:52.159 enable it to run on system startup so if 00:24:52.159 --> 00:24:55.440 i say you know for example sudo 00:24:55.440 --> 00:24:56.720 systemctl 00:24:56.720 --> 00:24:59.520 status splunk 00:24:59.520 --> 00:25:01.840 let me type that in correctly here so 00:25:01.840 --> 00:25:03.360 splunk 00:25:03.360 --> 00:25:07.520 sorry sudo systemctl 00:25:07.520 --> 00:25:10.240 and we can say splunkd 00:25:10.240 --> 00:25:12.880 uh sorry so we can say splunk i'm not 00:25:12.880 --> 00:25:15.039 really sure why that's not loading here 00:25:15.039 --> 00:25:17.520 but i do know that the daemon is running 00:25:17.520 --> 00:25:21.440 and there should be a an init 00:25:21.440 --> 00:25:24.799 an init daemon for that but in any case 00:25:24.799 --> 00:25:27.360 you can 
always start it that way 00:25:27.360 --> 00:25:29.840 once that is done we will need to add 00:25:29.840 --> 00:25:32.320 our forward server so the we need to add 00:25:32.320 --> 00:25:34.960 the the address of the server uh the 00:25:34.960 --> 00:25:37.039 splunk server that we're forwarding our 00:25:37.039 --> 00:25:39.600 logs to we'll go we'll move on to what 00:25:39.600 --> 00:25:42.480 logs we want to forward in a second but 00:25:42.480 --> 00:25:44.159 let's do that first so again we're going 00:25:44.159 --> 00:25:46.720 to use the 00:25:47.520 --> 00:25:49.360 the splunk binary and we're going to say 00:25:49.360 --> 00:25:50.480 forward 00:25:50.480 --> 00:25:52.559 server and we'll just copy the ip 00:25:52.559 --> 00:25:54.799 address of your 00:25:54.799 --> 00:25:57.600 your splunk server here so there we are 00:25:57.600 --> 00:26:00.640 and i'll paste that in there 00:26:00.640 --> 00:26:03.320 and then you need to type in the port so 00:26:03.320 --> 00:26:07.200 9997 that's the port to connect to hit 00:26:07.200 --> 00:26:08.400 enter 00:26:08.400 --> 00:26:11.279 um so splunk forward uh 00:26:11.279 --> 00:26:13.279 yeah we need to add it i keep forgetting 00:26:13.279 --> 00:26:15.760 the the preliminary command so add forward 00:26:15.760 --> 00:26:18.320 server splunk username 00:26:18.320 --> 00:26:21.919 um so in this case uh let me just uh put 00:26:21.919 --> 00:26:25.840 in my credentials here 00:26:26.640 --> 00:26:29.440 all right and it's going to then add the 00:26:29.440 --> 00:26:31.760 forwarding to that particular address 00:26:31.760 --> 00:26:33.760 all right now that that is done 00:26:33.760 --> 00:26:35.440 we can actually we actually need to 00:26:35.440 --> 00:26:37.919 configure a particular file 00:26:37.919 --> 00:26:40.720 and that is going to be the outputs.conf 00:26:40.720 --> 00:26:43.039 file if it's already set up for us 00:26:43.039 --> 00:26:45.039 which it should be 00:26:45.039 --> 00:26:46.880 then we do 
not need to go through the 00:26:46.880 --> 00:26:49.360 initial setup so 00:26:49.360 --> 00:26:51.120 if we head over into the following 00:26:51.120 --> 00:26:52.640 directory so i'll just take a step back 00:26:52.640 --> 00:26:54.080 we're still in the splunkforwarder 00:26:54.080 --> 00:26:55.279 directory 00:26:55.279 --> 00:26:58.159 uh we'll head over into 00:26:58.159 --> 00:27:01.679 the etc directory and under system 00:27:01.679 --> 00:27:05.039 we have a file under local i think it is 00:27:05.039 --> 00:27:06.640 called outputs right so i'm going to say 00:27:06.640 --> 00:27:08.720 sudo vim outputs 00:27:08.720 --> 00:27:09.840 dot conf 00:27:09.840 --> 00:27:11.840 and really the only thing that is 00:27:11.840 --> 00:27:13.840 required here 00:27:13.840 --> 00:27:16.159 is of course just leave the default 00:27:16.159 --> 00:27:18.320 configuration as is the default group is 00:27:18.320 --> 00:27:21.760 fine so tcp out default auto lb group 00:27:21.760 --> 00:27:23.279 that's fine so you make sure that the 00:27:23.279 --> 00:27:25.840 server option here is configured that's 00:27:25.840 --> 00:27:28.480 the most important and the tcp out 00:27:28.480 --> 00:27:30.320 server address is also configured in 00:27:30.320 --> 00:27:32.000 this format so we don't need to make any 00:27:32.000 --> 00:27:33.760 changes there so i'll just say quit and 00:27:33.760 --> 00:27:35.120 exit 00:27:35.120 --> 00:27:38.640 once that is done we also need to check 00:27:38.640 --> 00:27:41.279 uh the actual inputs configuration file 00:27:41.279 --> 00:27:43.200 but before we do that 00:27:43.200 --> 00:27:45.279 let's take a look so if you revisit the 00:27:45.279 --> 00:27:46.880 snort video 00:27:46.880 --> 00:27:48.880 you know that all the logs are stored 00:27:48.880 --> 00:27:51.840 under var uh log 00:27:51.840 --> 00:27:55.760 and snort right so we have the alert log 00:27:55.760 --> 00:27:59.279 um and we also have uh so again based on 00:27:59.279 --> 
00:28:01.120 the type of um 00:28:01.120 --> 00:28:03.200 of alerts you want generated so you know 00:28:03.200 --> 00:28:05.440 if i say man snort here 00:28:05.440 --> 00:28:07.440 uh you can see that we have the alert 00:28:07.440 --> 00:28:09.440 mode so you can use the fast mode or the 00:28:09.440 --> 00:28:11.360 full mode in this case i'll be using the 00:28:11.360 --> 00:28:12.559 fast mode 00:28:12.559 --> 00:28:13.760 um 00:28:13.760 --> 00:28:15.279 and i'll give you a description of what 00:28:15.279 --> 00:28:17.279 what's going on here right so 00:28:17.279 --> 00:28:19.919 uh full writes the alert to the alert 00:28:19.919 --> 00:28:21.919 file with the full decoded header as 00:28:21.919 --> 00:28:24.720 well as the alert message which might be 00:28:24.720 --> 00:28:27.279 important so we can also do that as well 00:28:27.279 --> 00:28:29.600 so this was from the previous uh from 00:28:29.600 --> 00:28:31.760 the from from the snort video where we 00:28:31.760 --> 00:28:33.360 had ran uh you know where we had 00:28:33.360 --> 00:28:35.840 essentially run snort and uh you know 00:28:35.840 --> 00:28:38.480 where we were identifying various alerts 00:28:38.480 --> 00:28:41.919 so uh what we can do is uh again we will 00:28:41.919 --> 00:28:43.760 go through what needs to be created but 00:28:43.760 --> 00:28:45.600 we can run a quick test command just to 00:28:45.600 --> 00:28:46.880 see whether 00:28:46.880 --> 00:28:48.799 the the actual alerts are being logged 00:28:48.799 --> 00:28:50.320 within the alert file because we have 00:28:50.320 --> 00:28:53.039 alert dot one ideally we would only want 00:28:53.039 --> 00:28:55.760 to forward this file into splunk 00:28:55.760 --> 00:28:58.080 so uh in order to do this what i'm going 00:28:58.080 --> 00:29:00.080 to do now is i'm just going to run snort 00:29:00.080 --> 00:29:01.600 really quickly so i'm going to say sudo 00:29:01.600 --> 00:29:02.559 snort 00:29:02.559 --> 00:29:03.919 -q 
00:29:03.919 --> 00:29:06.000 for quiet and then 00:29:06.000 --> 00:29:09.360 the actual directory for the logs is var 00:29:09.360 --> 00:29:11.360 log snort 00:29:11.360 --> 00:29:12.880 and then we can say the interface is 00:29:12.880 --> 00:29:14.640 enp0s3 00:29:14.640 --> 00:29:16.240 again make sure to replace that with 00:29:16.240 --> 00:29:19.039 your own interface uh the alert we can 00:29:19.039 --> 00:29:20.320 say full 00:29:20.320 --> 00:29:23.360 and the configuration is -c 00:29:23.360 --> 00:29:25.039 snort 00:29:25.039 --> 00:29:26.399 dot conf 00:29:26.399 --> 00:29:28.320 i believe we had another configuration 00:29:28.320 --> 00:29:30.720 file yeah we had used the snort.conf file 00:29:30.720 --> 00:29:32.399 so i'll hit enter 00:29:32.399 --> 00:29:34.880 and now let me open up my file explorer 00:29:34.880 --> 00:29:35.840 here 00:29:35.840 --> 00:29:38.720 we take a look at the var directory 00:29:38.720 --> 00:29:42.240 under log and under snort 00:29:42.240 --> 00:29:44.960 we have alert there we are so 00:29:44.960 --> 00:29:47.960 that has been modified the last was 00:29:47.960 --> 00:29:51.200 modified uh 00:29:51.200 --> 00:29:53.919 right over there okay so that's 19 yeah 00:29:53.919 --> 00:29:55.679 so this is the last modified so i know 00:29:55.679 --> 00:29:58.000 this file is not human readable uh we 00:29:58.000 --> 00:30:00.399 are not going to be forwarding this dot log 00:30:00.399 --> 00:30:02.960 file so i'll just close that there 00:30:02.960 --> 00:30:05.840 so i'm just going to try and uh 00:30:05.840 --> 00:30:07.440 i'm just going to try and perform a few 00:30:07.440 --> 00:30:09.679 checks on the networks like a few pings 00:30:09.679 --> 00:30:11.760 just to see if that's detected 00:30:11.760 --> 00:30:14.080 uh so i'll just you know perform a ping 00:30:14.080 --> 00:30:15.679 really quickly 00:30:15.679 --> 00:30:17.520 again the alerts will not be logged on 00:30:17.520 --> 00:30:18.960 our terminal because 
they're being 00:30:18.960 --> 00:30:21.200 logged uh you know into the respective 00:30:21.200 --> 00:30:24.159 alert file or the alert log file so i'll 00:30:24.159 --> 00:30:26.080 just perform uh you know a few pings as 00:30:26.080 --> 00:30:27.679 i was saying which i'm doing right now 00:30:27.679 --> 00:30:29.520 on the attacker system 00:30:29.520 --> 00:30:31.760 uh once that is done let's see whether 00:30:31.760 --> 00:30:33.760 those changes are being highlighted in 00:30:33.760 --> 00:30:37.600 alert indeed they are okay so now this is 00:30:37.600 --> 00:30:39.919 um 00:30:40.159 --> 00:30:42.399 as you can see here 00:30:42.399 --> 00:30:45.279 this is the full 00:30:45.360 --> 00:30:48.000 these are so to begin with we had used 00:30:48.000 --> 00:30:50.399 the fast alert 00:30:50.399 --> 00:30:54.000 we had used the fast alert output mode 00:30:54.000 --> 00:30:56.080 and right over here we then have the 00:30:56.080 --> 00:30:57.039 full 00:30:57.039 --> 00:31:00.159 alert mode which i'm not really sure how 00:31:00.159 --> 00:31:01.919 we want to 00:31:01.919 --> 00:31:05.360 go about doing this but you can see 00:31:05.360 --> 00:31:07.360 we can actually make a few changes but 00:31:07.360 --> 00:31:09.600 what we can do is we can get rid of this 00:31:09.600 --> 00:31:11.440 traffic here 00:31:11.440 --> 00:31:13.519 but you can see the messages actually 00:31:13.519 --> 00:31:15.279 being logged so 00:31:15.279 --> 00:31:17.760 we can get rid of this here 00:31:17.760 --> 00:31:20.399 because we don't want to mix fast um we 00:31:20.399 --> 00:31:22.559 don't mix fast alerts 00:31:22.559 --> 00:31:24.480 with um 00:31:24.480 --> 00:31:26.080 we don't want to mix the alerts that 00:31:26.080 --> 00:31:28.799 were output in the fast mode uh with the 00:31:28.799 --> 00:31:31.519 full mode so we can just get rid of that 00:31:31.519 --> 00:31:34.159 there and save that 00:31:34.159 --> 00:31:37.840 so once that is done i'll just say 00:31:37.840 
--> 00:31:40.320 we actually need permissions to modify 00:31:40.320 --> 00:31:42.000 that file 00:31:42.000 --> 00:31:45.600 but you know what we can do is what i am 00:31:45.600 --> 00:31:47.279 going to do actually is close without 00:31:47.279 --> 00:31:49.519 saving is i'm just going to stop snort 00:31:49.519 --> 00:31:50.399 there 00:31:50.399 --> 00:31:52.080 and i'm just going to say 00:31:52.080 --> 00:31:54.480 sudo remove var 00:31:54.480 --> 00:31:56.799 log 00:31:56.960 --> 00:31:59.120 and snort and we're going to remove 00:31:59.120 --> 00:32:01.360 alert 00:32:01.360 --> 00:32:02.720 all right and we're also going to remove 00:32:02.720 --> 00:32:04.240 alert dot one 00:32:04.240 --> 00:32:05.440 all right so i'm just going to run this 00:32:05.440 --> 00:32:07.039 again just to see if that file is 00:32:07.039 --> 00:32:08.240 generated 00:32:08.240 --> 00:32:11.120 so there we are we have alert there 00:32:11.120 --> 00:32:12.559 so now it's much cleaner so i'll just 00:32:12.559 --> 00:32:14.240 run a few pings just to make sure that 00:32:14.240 --> 00:32:16.480 the traffic is being logged all those 00:32:16.480 --> 00:32:18.480 alerts are being logged 00:32:18.480 --> 00:32:20.399 uh so there we are we have a few pings 00:32:20.399 --> 00:32:21.519 there 00:32:21.519 --> 00:32:24.640 and we can also you know just run a few 00:32:24.640 --> 00:32:26.960 checks there okay so there we are we can 00:32:26.960 --> 00:32:29.360 see that those are now being logged and 00:32:29.360 --> 00:32:31.519 of course we can change the format based 00:32:31.519 --> 00:32:32.320 on 00:32:32.320 --> 00:32:33.519 you can change it based on your 00:32:33.519 --> 00:32:35.039 requirements right 00:32:35.039 --> 00:32:37.840 so um 00:32:38.000 --> 00:32:39.919 now that that is done 00:32:39.919 --> 00:32:42.000 what we can do is we can close that up 00:32:42.000 --> 00:32:44.960 and we can actually leave snort running 00:32:44.960 --> 00:32:46.320 as is 00:32:46.320 
--> 00:32:48.960 so what i'll do is i'm just going to 00:32:48.960 --> 00:32:51.120 open up another tab 00:32:51.120 --> 00:32:53.120 so i'll just you know i can say control 00:32:53.120 --> 00:32:54.880 shift d there we are 00:32:54.880 --> 00:32:56.799 and we're currently within the following 00:32:56.799 --> 00:33:00.159 directory so opt opt splunkforwarder etc 00:33:00.159 --> 00:33:01.519 system local 00:33:01.519 --> 00:33:03.120 so 00:33:03.120 --> 00:33:06.000 once that is done we now need to add 00:33:06.000 --> 00:33:08.080 uh we now need to add the files that we 00:33:08.080 --> 00:33:09.919 would like to monitor or that we would 00:33:09.919 --> 00:33:12.240 like to forward right so the log files 00:33:12.240 --> 00:33:15.360 so i'll go back into the bin directory 00:33:15.360 --> 00:33:17.679 so there we are cd bin because that's 00:33:17.679 --> 00:33:19.360 where we have the splunk binary so i'll 00:33:19.360 --> 00:33:20.960 say sudo 00:33:20.960 --> 00:33:22.000 um 00:33:22.000 --> 00:33:24.399 splunk 00:33:24.399 --> 00:33:28.320 and we can say add monitor 00:33:28.320 --> 00:33:30.720 and the file that we want to forward is 00:33:30.720 --> 00:33:34.399 under var log snort and it is just alert 00:33:34.399 --> 00:33:36.559 right so that's all that's really all 00:33:36.559 --> 00:33:38.720 that we want to do right 00:33:38.720 --> 00:33:41.600 and we can also utilize the fast alerts 00:33:41.600 --> 00:33:44.399 but let's just do this for now 00:33:44.399 --> 00:33:46.399 and we only want the alerts we don't 00:33:46.399 --> 00:33:48.320 want the actual log files that contain 00:33:48.320 --> 00:33:53.840 the packets themselves so i'll hit enter 00:33:54.480 --> 00:33:56.399 all right so it's now going to forward 00:33:56.399 --> 00:33:58.960 those alerts into splunk which pretty 00:33:58.960 --> 00:34:02.159 much means that on our end we are done 00:34:02.159 --> 00:34:04.000 however we still need to check one more 00:34:04.000 --> 00:34:05.840 
configuration file so i'll just take a 00:34:05.840 --> 00:34:08.000 step back here and we'll head over into 00:34:08.000 --> 00:34:10.879 the etc directory under apps 00:34:10.879 --> 00:34:13.119 and search 00:34:13.119 --> 00:34:15.520 and then into local 00:34:15.520 --> 00:34:16.720 and i think we'll need root 00:34:16.720 --> 00:34:18.320 permissions to access this so i'll just 00:34:18.320 --> 00:34:20.079 switch to the root user and head over 00:34:20.079 --> 00:34:21.520 into local 00:34:21.520 --> 00:34:24.399 and we're looking for the inputs dot 00:34:24.399 --> 00:34:26.560 conf file 00:34:26.560 --> 00:34:28.079 uh right so we need to actually 00:34:28.079 --> 00:34:29.760 configure this because this is very 00:34:29.760 --> 00:34:31.040 important so 00:34:31.040 --> 00:34:35.119 uh the first thing we want to do is let 00:34:35.119 --> 00:34:35.919 us 00:34:35.919 --> 00:34:38.639 add a new line here and within the 00:34:38.639 --> 00:34:41.440 square brackets i'll just say splunk 00:34:41.440 --> 00:34:44.240 uh tcp 00:34:44.240 --> 00:34:46.399 and we then want to specify the port so 00:34:46.399 --> 00:34:48.399 9997 00:34:48.399 --> 00:34:49.679 let me make sure i type that in 00:34:49.679 --> 00:34:51.520 correctly 00:34:51.520 --> 00:34:54.240 we then need to actually put in the 00:34:54.240 --> 00:34:56.960 connection 00:34:56.960 --> 00:35:01.200 um so the connection host so connection 00:35:01.200 --> 00:35:03.440 host is going to be equal to the ip 00:35:03.440 --> 00:35:05.280 address of the splunk 00:35:05.280 --> 00:35:06.560 server 00:35:06.560 --> 00:35:08.960 so i'll just copy that there paste that 00:35:08.960 --> 00:35:11.280 in there 00:35:11.280 --> 00:35:14.000 once that is done 00:35:14.000 --> 00:35:16.320 this is fine here disabled is set to 00:35:16.320 --> 00:35:19.040 false we want index is going to be equal 00:35:19.040 --> 00:35:20.320 to main 00:35:20.320 --> 00:35:23.680 and then the source type 00:35:23.680 --> 
00:35:26.560 is going to be equal to snort 00:35:26.560 --> 00:35:27.520 alert 00:35:27.520 --> 00:35:28.960 full 00:35:28.960 --> 00:35:31.280 and we can then say the source is equal 00:35:31.280 --> 00:35:33.040 to snort all right so this is a very 00:35:33.040 --> 00:35:35.280 important configuration so let me just 00:35:35.280 --> 00:35:36.640 go through those options or 00:35:36.640 --> 00:35:38.640 configurations again we have the splunk 00:35:38.640 --> 00:35:40.320 tcp option 00:35:40.320 --> 00:35:42.880 uh we then have the actual connection 00:35:42.880 --> 00:35:45.520 host the monitor is set correctly to 00:35:45.520 --> 00:35:46.640 that file 00:35:46.640 --> 00:35:49.520 uh it's enabled index equals main source 00:35:49.520 --> 00:35:51.680 type equals snort alert full source is 00:35:51.680 --> 00:35:53.680 equal to snort fantastic so we'll write 00:35:53.680 --> 00:35:54.720 and quit 00:35:54.720 --> 00:35:57.040 uh once this is done 00:35:57.040 --> 00:35:58.720 we'll need to restart splunk so i'll 00:35:58.720 --> 00:36:00.800 switch back to my user lexis here and 00:36:00.800 --> 00:36:04.560 we'll navigate back to the bin directory 00:36:04.560 --> 00:36:06.400 so i'll say cd bin 00:36:06.400 --> 00:36:08.800 and we'll say sudo 00:36:08.800 --> 00:36:11.680 let me say splunk and we can then say 00:36:11.680 --> 00:36:13.440 restart 00:36:13.440 --> 00:36:15.680 all right hit enter 00:36:15.680 --> 00:36:18.320 it's going to stop the splunk daemon 00:36:18.320 --> 00:36:19.680 shutting it down 00:36:19.680 --> 00:36:22.160 restart it and it's done successfully so 00:36:22.160 --> 00:36:24.560 all the checks were completed without 00:36:24.560 --> 00:36:27.119 any issue all right so 00:36:27.119 --> 00:36:29.040 now that this is done we can actually go 00:36:29.040 --> 00:36:31.440 back into splunk here and we'll navigate 00:36:31.440 --> 00:36:33.280 to the dashboard 00:36:33.280 --> 00:36:35.839 uh this is your splunk server right 00:36:35.839 --> 
00:36:37.440 and let's take a look at the messages 00:36:37.440 --> 00:36:39.920 here that's just uh a few updates we 00:36:39.920 --> 00:36:41.920 don't need to do anything there so if we 00:36:41.920 --> 00:36:43.119 click on 00:36:43.119 --> 00:36:45.599 search and reporting just to verify that 00:36:45.599 --> 00:36:47.839 that data has indeed been forwarded i'll 00:36:47.839 --> 00:36:49.280 just skip through this if we click on 00:36:49.280 --> 00:36:51.040 data summary 00:36:51.040 --> 00:36:52.880 under sources you should see that we 00:36:52.880 --> 00:36:55.680 have the host and in my case the name of 00:36:55.680 --> 00:36:58.640 the system is black box so that should 00:36:58.640 --> 00:37:01.119 be reflected there so there we are black 00:37:01.119 --> 00:37:03.280 box we have 42 00:37:03.280 --> 00:37:06.800 logs or alerts if you will sources 42 we 00:37:06.800 --> 00:37:08.640 can click on that there to just see the 00:37:08.640 --> 00:37:11.280 data that has been logged indeed we can 00:37:11.280 --> 00:37:13.040 see that has been done correctly so 00:37:13.040 --> 00:37:14.880 source type is alert 00:37:14.880 --> 00:37:17.280 uh we can see that it's imported you 00:37:17.280 --> 00:37:19.440 know pretty much all the data or the you 00:37:19.440 --> 00:37:21.119 know these are the this is the full log 00:37:21.119 --> 00:37:23.599 whereby we have the reference to that 00:37:23.599 --> 00:37:24.880 there 00:37:24.880 --> 00:37:26.800 uh that's weird i didn't actually run 00:37:26.800 --> 00:37:30.240 anything weird uh but uh there you go 00:37:30.240 --> 00:37:32.720 um so now that this is done uh you can 00:37:32.720 --> 00:37:34.880 use splunk to essentially visualize this 00:37:34.880 --> 00:37:36.800 data you know however you want so you 00:37:36.800 --> 00:37:39.359 know i can go into visualization 00:37:39.359 --> 00:37:42.240 uh and we can click on maybe we can 00:37:42.240 --> 00:37:44.720 create a um 00:37:44.720 --> 00:37:46.880 we can 
select a few fields so if i go 00:37:46.880 --> 00:37:50.240 back into the events here i can select a 00:37:50.240 --> 00:37:52.240 few fields that i want displayed here 00:37:52.240 --> 00:37:54.320 and i can you know essentially extract 00:37:54.320 --> 00:37:57.040 the fields that i want with regex 00:37:57.040 --> 00:37:57.920 but 00:37:57.920 --> 00:37:59.680 i don't think this is necessary at this 00:37:59.680 --> 00:38:01.520 point because if we actually go back to 00:38:01.520 --> 00:38:03.599 the dashboard 00:38:03.599 --> 00:38:06.160 and we click on 00:38:06.160 --> 00:38:10.079 let's see splunk snort alert for splunk 00:38:10.079 --> 00:38:11.440 let's see if this is actually whether 00:38:11.440 --> 00:38:15.200 this automates that process for us 00:38:15.200 --> 00:38:17.280 uh there we are actually it looks like 00:38:17.280 --> 00:38:21.599 it does so um classification bad traffic 00:38:21.599 --> 00:38:24.160 so it looks like that is working 00:38:24.160 --> 00:38:26.400 so what we can do now 00:38:26.400 --> 00:38:28.720 is run a few 00:38:28.720 --> 00:38:31.280 uh we can actually utilize this script 00:38:31.280 --> 00:38:33.520 here the 00:38:33.520 --> 00:38:37.119 uh the test my nids script here so all 00:38:37.119 --> 00:38:39.440 you need to do to run it is just copy 00:38:39.440 --> 00:38:41.520 this one liner script here or this 00:38:41.520 --> 00:38:43.200 command that will download it into your 00:38:43.200 --> 00:38:46.000 tmp directory and will then execute it 00:38:46.000 --> 00:38:49.200 so you know to execute it within your 00:38:49.200 --> 00:38:51.599 temp directory you can just uh execute 00:38:51.599 --> 00:38:53.040 the actual 00:38:53.040 --> 00:38:54.400 um 00:38:54.400 --> 00:38:56.240 you know the actual binary there it is a 00:38:56.240 --> 00:38:58.800 binary not a script 00:38:58.800 --> 00:39:01.280 and uh once that is done you can then 00:39:01.280 --> 00:39:03.520 select the option here so let me just do 
00:39:03.520 --> 00:39:05.920 that on my attacker system 00:39:05.920 --> 00:39:08.880 i'm just gonna run it one more time so 00:39:08.880 --> 00:39:14.359 um just going to say ls here and 00:39:16.160 --> 00:39:18.960 if i uh open up the documentation so 00:39:18.960 --> 00:39:21.839 firstly i will 00:39:21.839 --> 00:39:23.440 i will run 00:39:23.440 --> 00:39:26.640 a quick linux uid check so 00:39:26.640 --> 00:39:28.960 i'll just hit enter 00:39:28.960 --> 00:39:31.280 okay that is done i'll then perform a 00:39:31.280 --> 00:39:35.119 http basic authentication 00:39:35.119 --> 00:39:37.839 and a malware user agent so i'm doing 00:39:37.839 --> 00:39:40.640 that right now 00:39:40.839 --> 00:39:46.000 okay and we can run one more here so 00:39:46.000 --> 00:39:48.720 uh let's see let's see let's see uh we 00:39:48.720 --> 00:39:51.520 can try exe or dll download over http 00:39:51.520 --> 00:39:55.280 that is surely going to be um 00:39:55.280 --> 00:39:57.040 logged 00:39:57.040 --> 00:39:59.839 or that's going to trigger an alert 00:39:59.839 --> 00:40:00.640 so 00:40:00.640 --> 00:40:03.040 uh do we have uh that is running all 00:40:03.040 --> 00:40:05.280 right so snort is running that's great 00:40:05.280 --> 00:40:08.079 uh so we know that the log is being uh 00:40:08.079 --> 00:40:10.240 the actual alerts are being forwarded 00:40:10.240 --> 00:40:12.960 absolutely fantastic so let's go back in 00:40:12.960 --> 00:40:15.040 here i've already run those 00:40:15.040 --> 00:40:18.400 uh those particular checks 00:40:18.400 --> 00:40:20.160 so let me just refresh this i know it 00:40:20.160 --> 00:40:22.160 usually takes a couple of seconds to a 00:40:22.160 --> 00:40:24.400 couple of minutes but that data should 00:40:24.400 --> 00:40:26.240 start should actually be reflected there 00:40:26.240 --> 00:40:28.160 we are fantastic so 00:40:28.160 --> 00:40:31.119 uh we can see that uh you know firstly 00:40:31.119 --> 00:40:32.880 i'll just explain the 
dashboard here 00:40:32.880 --> 00:40:33.760 because 00:40:33.760 --> 00:40:36.160 uh this dashboard is automatically you 00:40:36.160 --> 00:40:38.000 know set up for you by the snort app 00:40:38.000 --> 00:40:39.920 which is really awesome as i said you 00:40:39.920 --> 00:40:41.440 don't need to go through that process 00:40:41.440 --> 00:40:42.560 yourself 00:40:42.560 --> 00:40:44.560 so the first graph here essentially 00:40:44.560 --> 00:40:46.400 tells you your events 00:40:46.400 --> 00:40:48.560 uh and and it also displays uh you know 00:40:48.560 --> 00:40:50.400 the total number of sources so you can 00:40:50.400 --> 00:40:52.560 see that there you also have the time 00:40:52.560 --> 00:40:54.480 uh and you saw you have your events and 00:40:54.480 --> 00:40:56.079 then the timeline here and you can 00:40:56.079 --> 00:40:58.880 essentially you know view a trend or the 00:40:58.880 --> 00:41:01.680 trend of uh of events there you then 00:41:01.680 --> 00:41:04.880 have the top uh the top source countries 00:41:04.880 --> 00:41:07.040 right over here and if i just run 00:41:07.040 --> 00:41:08.720 another check really quickly here 00:41:08.720 --> 00:41:11.119 through the nids website 00:41:11.119 --> 00:41:14.720 so uh let me just run the curl command 00:41:14.720 --> 00:41:16.640 uh you should actually see that because 00:41:16.640 --> 00:41:19.280 we are reaching out to uh you know a 00:41:19.280 --> 00:41:21.280 connection made to an external server 00:41:21.280 --> 00:41:23.680 that it should reflect that info under 00:41:23.680 --> 00:41:25.760 the top countries the top source 00:41:25.760 --> 00:41:26.800 countries 00:41:26.800 --> 00:41:28.800 so uh we then have the events here which 00:41:28.800 --> 00:41:31.280 uh you know you can click on um and then 00:41:31.280 --> 00:41:33.119 of course you have the sources 00:41:33.119 --> 00:41:36.079 so these are the uh snort event types 00:41:36.079 --> 00:41:37.760 and these are actually the 
00:41:37.760 --> 00:41:39.680 classification so we can see potentially 00:41:39.680 --> 00:41:42.640 bad traffic attempted information leak 00:41:42.640 --> 00:41:44.720 and you know you can just refresh your 00:41:44.720 --> 00:41:47.440 dashboard to get the latest 00:41:47.440 --> 00:41:49.359 so we'll give that a couple of seconds 00:41:49.359 --> 00:41:52.000 and you can also specify the actual uh 00:41:52.000 --> 00:41:53.599 interval period 00:41:53.599 --> 00:41:56.400 so uh i'll just wait for this uh let's 00:41:56.400 --> 00:41:58.880 see if it's actually being logged or 00:41:58.880 --> 00:42:00.319 whether we can see all of that so i'll 00:42:00.319 --> 00:42:04.000 just go back into the dashboard here 00:42:04.000 --> 00:42:04.800 and 00:42:04.800 --> 00:42:07.359 we'll go into search and reporting and 00:42:07.359 --> 00:42:09.920 if we click on the actual 00:42:09.920 --> 00:42:13.040 data summary and the sources uh we can 00:42:13.040 --> 00:42:15.359 see we have snort there and then var 00:42:15.359 --> 00:42:19.520 snort alert so we click on snort there 00:42:19.520 --> 00:42:22.000 okay so this is bad traffic that's 00:42:22.000 --> 00:42:25.440 really weird because 00:42:26.079 --> 00:42:27.920 the source is snort we had added two 00:42:27.920 --> 00:42:29.520 sources there 00:42:29.520 --> 00:42:32.720 so data summary 00:42:32.720 --> 00:42:34.800 let me just click on that there and if 00:42:34.800 --> 00:42:36.960 we click on these sources there this is 00:42:36.960 --> 00:42:40.800 the one that we want ideally 00:42:43.200 --> 00:42:46.079 yeah so that looks like uh the correct 00:42:46.079 --> 00:42:48.720 one there 00:42:49.599 --> 00:42:51.680 yeah that's the correct traffic um uh i 00:42:51.680 --> 00:42:55.119 think that's why uh the actual uh let me 00:42:55.119 --> 00:42:56.960 see if i can find so snort alert for 00:42:56.960 --> 00:43:00.640 splunk let me click on the app there 00:43:02.480 --> 00:43:04.160 show filters it should be 
displaying 00:43:04.160 --> 00:43:06.400 much more than that because i know yeah 00:43:06.400 --> 00:43:08.319 they're not just four 00:43:08.319 --> 00:43:09.920 so 00:43:09.920 --> 00:43:12.640 uh if we actually head over into the 00:43:12.640 --> 00:43:16.560 uh snort event search here 00:43:18.480 --> 00:43:20.800 we can actually search for uh you know 00:43:20.800 --> 00:43:25.359 we can utilize uh yeah so these are only 00:43:25.359 --> 00:43:28.400 this is only monitoring the pings so 00:43:28.400 --> 00:43:30.240 that's weird i'm not really sure why we 00:43:30.240 --> 00:43:32.319 have two data sources i think it's to do 00:43:32.319 --> 00:43:33.839 with the fact 00:43:33.839 --> 00:43:37.040 uh that uh you know we had so let me 00:43:37.040 --> 00:43:39.520 just go back here 00:43:39.520 --> 00:43:42.640 apps search and sudo root 00:43:42.640 --> 00:43:46.720 let me just check that here so cd local 00:43:46.720 --> 00:43:47.839 vim 00:43:47.839 --> 00:43:50.640 inputs.conf so there we are so the 00:43:50.640 --> 00:43:53.280 source is snort 00:43:53.280 --> 00:43:56.079 we already specified the source as snort 00:43:56.079 --> 00:43:57.599 there 00:43:57.599 --> 00:43:59.520 but it's all it's adding 00:43:59.520 --> 00:44:02.319 this particular you know the alert as uh 00:44:02.319 --> 00:44:04.160 as a source as well 00:44:04.160 --> 00:44:06.400 and then this the source type is snort 00:44:06.400 --> 00:44:09.040 alert full index main yeah that that 00:44:09.040 --> 00:44:10.560 should be working that should be working 00:44:10.560 --> 00:44:12.319 without any issues i'm not really sure 00:44:12.319 --> 00:44:14.079 why that is the case but 00:44:14.079 --> 00:44:16.480 we can actually customize what data set 00:44:16.480 --> 00:44:18.000 we want to use 00:44:18.000 --> 00:44:19.359 so uh 00:44:19.359 --> 00:44:21.520 i think let me actually showcase how to 00:44:21.520 --> 00:44:23.359 do that right now 00:44:23.359 --> 00:44:25.839 um so apologies 
about that i actually 00:44:25.839 --> 00:44:27.599 figured out what the issue was it was 00:44:27.599 --> 00:44:30.319 because the system i was running 00:44:30.319 --> 00:44:32.079 uh this particular 00:44:32.079 --> 00:44:34.560 attacks from wasn't even connected to 00:44:34.560 --> 00:44:36.800 the local network 00:44:36.800 --> 00:44:38.880 and even though i was running these 00:44:38.880 --> 00:44:41.040 these attacks i did realize that of 00:44:41.040 --> 00:44:42.640 course they weren't working so i'm just 00:44:42.640 --> 00:44:44.880 gonna i've just reconnected it 00:44:44.880 --> 00:44:47.359 and what i'm gonna do is i'm just gonna 00:44:47.359 --> 00:44:49.599 run this one more time 00:44:49.599 --> 00:44:53.359 so just give me a second here and i'll 00:44:53.359 --> 00:44:56.319 be able to do that one more time so 00:44:56.319 --> 00:44:58.560 let me just navigate to that particular 00:44:58.560 --> 00:45:00.079 directory 00:45:00.079 --> 00:45:01.040 and 00:45:01.040 --> 00:45:02.480 we'll actually see whether this will 00:45:02.480 --> 00:45:04.400 work so 00:45:04.400 --> 00:45:06.000 you can actually see there's much more 00:45:06.000 --> 00:45:07.920 uh that's been captured in regards to 00:45:07.920 --> 00:45:10.160 events and i'll be explaining this 00:45:10.160 --> 00:45:12.480 dashboard in a couple of seconds 00:45:12.480 --> 00:45:13.359 so 00:45:13.359 --> 00:45:14.960 let me just uh 00:45:14.960 --> 00:45:17.359 launch that first attack there so that 00:45:17.359 --> 00:45:19.440 you know let me just launch that first 00:45:19.440 --> 00:45:22.240 uh type of check and of course i'm using 00:45:22.240 --> 00:45:26.400 testmynids here so uh unfortunately 00:45:26.400 --> 00:45:28.000 that wasn't even being logged which is 00:45:28.000 --> 00:45:30.000 why i was a bit confused as to why those 00:45:30.000 --> 00:45:32.800 logs are not being displayed here 00:45:32.800 --> 00:45:35.520 so i'll give that a couple of seconds 00:45:35.520 --> 
00:45:36.800 and 00:45:36.800 --> 00:45:38.880 we'll be able to see this happen 00:45:38.880 --> 00:45:41.920 in real time as well 00:45:41.920 --> 00:45:44.560 all right so that is done so i've 00:45:44.560 --> 00:45:46.319 essentially launched a couple of those 00:45:46.319 --> 00:45:48.319 tests and uh 00:45:48.319 --> 00:45:50.640 this as i said this is your default uh 00:45:50.640 --> 00:45:52.560 dashboard that you're provided with here 00:45:52.560 --> 00:45:53.520 so 00:45:53.520 --> 00:45:55.760 um you know you can actually refresh uh 00:45:55.760 --> 00:45:58.720 all of these um all of these panels here 00:45:58.720 --> 00:46:00.800 if you will so that'll display the 00:46:00.800 --> 00:46:03.920 latest and as i said here because i'd 00:46:03.920 --> 00:46:05.839 had performed the actual 00:46:05.839 --> 00:46:07.680 uh you know i'd perform the actual check 00:46:07.680 --> 00:46:09.520 and then connected to an external server 00:46:09.520 --> 00:46:11.680 you can see that you know the top source 00:46:11.680 --> 00:46:13.680 countries are highlighted there 00:46:13.680 --> 00:46:15.839 you can also refresh the number of 00:46:15.839 --> 00:46:18.160 events as you can see here 00:46:18.160 --> 00:46:20.319 and the number of sources so 00:46:20.319 --> 00:46:22.319 uh you can also do that for the rest of 00:46:22.319 --> 00:46:24.480 the panel so these are the top 10 00:46:24.480 --> 00:46:26.800 classifications 00:46:26.800 --> 00:46:28.960 in terms of events if you will and then 00:46:28.960 --> 00:46:31.359 the snort event types as you can see 00:46:31.359 --> 00:46:32.319 here 00:46:32.319 --> 00:46:33.839 so for example in this case we have the 00:46:33.839 --> 00:46:36.160 attack response id check which if we 00:46:36.160 --> 00:46:37.520 click on 00:46:37.520 --> 00:46:40.319 right over here 00:46:41.119 --> 00:46:42.640 you can see that it actually displays 00:46:42.640 --> 00:46:44.400 that and you can then uh you can then 00:46:44.400 --> 
00:46:46.400 click on the signature itself and this 00:46:46.400 --> 00:46:48.880 is for statistics now if you click on 00:46:48.880 --> 00:46:52.000 the snort event search tab right over 00:46:52.000 --> 00:46:53.040 here 00:46:53.040 --> 00:46:54.880 you can see that this allows you to 00:46:54.880 --> 00:46:57.119 search based on the source ip the source 00:46:57.119 --> 00:46:59.680 port the destination ip destination port 00:46:59.680 --> 00:47:02.240 and the event type so i can check for 00:47:02.240 --> 00:47:04.400 attack responses based on the rule set 00:47:04.400 --> 00:47:06.480 that we had used previously 00:47:06.480 --> 00:47:09.359 and i can also specify the timing right 00:47:09.359 --> 00:47:12.079 so that's really fantastic there 00:47:12.079 --> 00:47:14.640 so you can see that right over here we 00:47:14.640 --> 00:47:16.240 have that logged 00:47:16.240 --> 00:47:19.040 which is fantastic and 00:47:19.040 --> 00:47:21.920 if we click on the snort world map 00:47:21.920 --> 00:47:24.000 that'll essentially as you'll see in a 00:47:24.000 --> 00:47:26.160 couple of seconds this will essentially 00:47:26.160 --> 00:47:28.559 display the countries by the source ips 00:47:28.559 --> 00:47:29.839 in this case it should display the 00:47:29.839 --> 00:47:32.079 united states which makes sense 00:47:32.079 --> 00:47:34.800 uh and there we are so again this is 00:47:34.800 --> 00:47:37.119 extremely helpful especially if you work 00:47:37.119 --> 00:47:39.839 in a soc and as i said there's multiple 00:47:39.839 --> 00:47:41.920 uh you know security tools you can 00:47:41.920 --> 00:47:45.040 integrate with uh with splunk 00:47:45.040 --> 00:47:46.880 now one thing that i wanted to highlight 00:47:46.880 --> 00:47:49.440 is you can if you click on edit i'll 00:47:49.440 --> 00:47:51.200 just go back to the 00:47:51.200 --> 00:47:53.200 event summary here because this is very 00:47:53.200 --> 00:47:55.119 important 00:47:55.119 --> 00:47:57.280 you can 
set this as your main dashboard 00:47:57.280 --> 00:47:58.960 so if you right click here you can set 00:47:58.960 --> 00:48:01.520 this as your home dashboard 00:48:01.520 --> 00:48:03.599 so i'll just click on that there 00:48:03.599 --> 00:48:05.440 and now you'll see on your dashboard 00:48:05.440 --> 00:48:08.240 here if i just close that top menu 00:48:08.240 --> 00:48:10.240 that will actually be displayed there so 00:48:10.240 --> 00:48:12.319 give it a couple of seconds 00:48:12.319 --> 00:48:14.079 and of course you can click on the cog 00:48:14.079 --> 00:48:16.240 wheel here 00:48:16.240 --> 00:48:19.280 and essentially display whatever 00:48:19.280 --> 00:48:21.520 you know you can specify your default 00:48:21.520 --> 00:48:23.200 dashboard now there are a couple of 00:48:23.200 --> 00:48:25.599 other ones that are created by default 00:48:25.599 --> 00:48:27.119 uh but yeah you can have that on your 00:48:27.119 --> 00:48:28.400 dashboard 00:48:28.400 --> 00:48:31.040 uh and uh you know if you actually click 00:48:31.040 --> 00:48:33.839 on snort the snort alert for splunk here 00:48:33.839 --> 00:48:36.240 and we'll just go back into that snort 00:48:36.240 --> 00:48:38.240 event summary tab 00:48:38.240 --> 00:48:40.880 uh you can actually edit the way these 00:48:40.880 --> 00:48:44.240 um these particular panels are tiled so 00:48:44.240 --> 00:48:46.079 uh you know you can convert it to a 00:48:46.079 --> 00:48:48.880 pre-built panel or you know 00:48:48.880 --> 00:48:50.400 you can you can actually convert it to a 00:48:50.400 --> 00:48:52.960 pre-built panel you can get rid of it 00:48:52.960 --> 00:48:54.720 uh you can also move them around based 00:48:54.720 --> 00:48:57.440 on your own requirements and uh in this 00:48:57.440 --> 00:48:59.680 case you can actually let's see if i can 00:48:59.680 --> 00:49:00.880 show you can actually select the 00:49:00.880 --> 00:49:02.480 visualization 00:49:02.480 --> 00:49:04.240 uh so in this case i think 
the default 00:49:04.240 --> 00:49:06.079 one is fine and you can then view the 00:49:06.079 --> 00:49:07.920 report here so 00:49:07.920 --> 00:49:08.960 um 00:49:08.960 --> 00:49:11.359 if we click on this one here for example 00:49:11.359 --> 00:49:13.280 we could actually use the bar graph to 00:49:13.280 --> 00:49:15.280 display the you know the number of the 00:49:15.280 --> 00:49:17.200 actual um 00:49:17.200 --> 00:49:19.440 the top source countries uh and have 00:49:19.440 --> 00:49:21.599 them displayed in a bar graph style but 00:49:21.599 --> 00:49:23.280 we can just take it back into the pie 00:49:23.280 --> 00:49:25.599 chart there and you can also change this 00:49:25.599 --> 00:49:27.440 for the events as well 00:49:27.440 --> 00:49:29.359 so uh you know if we wanted to view a 00:49:29.359 --> 00:49:31.440 trend we can click on the bar graph 00:49:31.440 --> 00:49:32.240 there 00:49:32.240 --> 00:49:34.000 uh in this case i don't think that's 00:49:34.000 --> 00:49:37.040 formatted correctly so uh if we just use 00:49:37.040 --> 00:49:39.440 the the default one 00:49:39.440 --> 00:49:42.880 uh which i believe was i think it was no 00:49:42.880 --> 00:49:46.160 that wasn't the one i believe it was uh 00:49:46.160 --> 00:49:47.920 let's see if i can identify it here it 00:49:47.920 --> 00:49:50.800 was the number there we are so 26 uh so 00:49:50.800 --> 00:49:52.640 as i said you can customize this based 00:49:52.640 --> 00:49:53.839 on your own 00:49:53.839 --> 00:49:55.440 uh you know 00:49:55.440 --> 00:49:57.440 your own requirements so for example 00:49:57.440 --> 00:49:59.839 this one might do well if it was in the 00:49:59.839 --> 00:50:02.240 form of a bar graph so you know 00:50:02.240 --> 00:50:04.240 you can utilize that if you feel that 00:50:04.240 --> 00:50:06.319 that is appropriate 00:50:06.319 --> 00:50:08.319 uh in this case uh you know we can also 00:50:08.319 --> 00:50:11.920 specify uh the actual um you know we can 00:50:11.920 
--> 00:50:14.559 actually list the events themselves 00:50:14.559 --> 00:50:16.079 uh let's see which other ones look 00:50:16.079 --> 00:50:17.920 really good here 00:50:17.920 --> 00:50:19.760 uh and uh yeah once you're done with the 00:50:19.760 --> 00:50:22.079 customization you can then cancel or 00:50:22.079 --> 00:50:24.559 save based on your requirements and you 00:50:24.559 --> 00:50:27.200 can also filter on this particular tab 00:50:27.200 --> 00:50:28.960 here you know through the source ip 00:50:28.960 --> 00:50:31.280 destination ip etc 00:50:31.280 --> 00:50:33.839 um let's see what else did i wanted to 00:50:33.839 --> 00:50:35.599 did i want to highlight let me just 00:50:35.599 --> 00:50:38.000 refresh this once more 00:50:38.000 --> 00:50:39.760 and you know to essentially get the 00:50:39.760 --> 00:50:42.480 latest data 00:50:42.480 --> 00:50:44.480 and uh you can see uh in terms of the 00:50:44.480 --> 00:50:46.480 fan the in terms of the panels this will 00:50:46.480 --> 00:50:49.520 display the last 100 attempts 00:50:49.520 --> 00:50:51.760 uh and uh you know you can go through 00:50:51.760 --> 00:50:53.599 them like so 00:50:53.599 --> 00:50:55.839 uh you can also view i think we've gone 00:50:55.839 --> 00:50:57.119 through all of them but you have the 00:50:57.119 --> 00:50:59.440 persistent sources so two or more days 00:50:59.440 --> 00:51:01.359 of activity in the last 30 days so you 00:51:01.359 --> 00:51:03.040 actually need a lot of data for that to 00:51:03.040 --> 00:51:05.200 be displayed or to give you anything 00:51:05.200 --> 00:51:06.400 useful 00:51:06.400 --> 00:51:07.520 um 00:51:07.520 --> 00:51:09.760 yeah so that is 00:51:09.760 --> 00:51:11.680 what i wanted to highlight in regards to 00:51:11.680 --> 00:51:14.079 the snort alert for splunk app and the 00:51:14.079 --> 00:51:15.839 actual dashboards which i said it 00:51:15.839 --> 00:51:17.359 already does for you 00:51:17.359 --> 00:51:19.119 now you can create your 
own dashboard as 00:51:19.119 --> 00:51:21.200 i said if i go back into apps and search 00:51:21.200 --> 00:51:22.720 and reporting 00:51:22.720 --> 00:51:25.200 based on your own sources so i'll just 00:51:25.200 --> 00:51:27.280 click on data summary there and if i 00:51:27.280 --> 00:51:29.280 click on sources 00:51:29.280 --> 00:51:30.960 you can click on the 00:51:30.960 --> 00:51:33.839 this source here for example and 00:51:33.839 --> 00:51:36.640 you know in this case we can actually uh 00:51:36.640 --> 00:51:39.680 just click on that there and i can click 00:51:39.680 --> 00:51:41.920 on extract fields 00:51:41.920 --> 00:51:43.359 and you can extract the fields with 00:51:43.359 --> 00:51:46.319 regex so i'll click on next there 00:51:46.319 --> 00:51:47.760 and you can then select the fields that 00:51:47.760 --> 00:51:50.400 you want so for example in this case we 00:51:50.400 --> 00:51:52.720 would want the date and time 00:51:52.720 --> 00:51:55.280 so i can just highlight that there so i 00:51:55.280 --> 00:51:56.319 can say 00:51:56.319 --> 00:51:59.520 time for example add the extraction 00:51:59.520 --> 00:52:02.000 and then of course we have the source ip 00:52:02.000 --> 00:52:03.839 and the port but i'll just highlight 00:52:03.839 --> 00:52:05.680 them together but i think it's actually 00:52:05.680 --> 00:52:07.440 recommended just to highlight the source 00:52:07.440 --> 00:52:08.880 ip there 00:52:08.880 --> 00:52:13.200 so source we can say src src 00:52:13.200 --> 00:52:14.559 underscore 00:52:14.559 --> 00:52:15.520 ip 00:52:15.520 --> 00:52:18.480 add that extraction and we then have the 00:52:18.480 --> 00:52:20.800 destination ip which in this case uh 00:52:20.800 --> 00:52:22.559 because this is uh 00:52:22.559 --> 00:52:25.520 an snmp broadcast 00:52:25.520 --> 00:52:27.520 request we can we know that that's the 00:52:27.520 --> 00:52:30.880 destination ip so i'll say dst 00:52:30.880 --> 00:52:33.040 underscore ip 00:52:33.040 
--> 00:52:36.720 add the extraction let's see what else 00:52:36.720 --> 00:52:40.079 we can do um 00:52:40.079 --> 00:52:41.440 in this case it's saying the extraction 00:52:41.440 --> 00:52:42.960 field you're extracting if you're 00:52:42.960 --> 00:52:45.040 extracting multiple fields try removing 00:52:45.040 --> 00:52:47.040 one or more fields start with the 00:52:47.040 --> 00:52:48.720 extractions that are embedded within 00:52:48.720 --> 00:52:51.680 longer strings okay so let's try and use 00:52:51.680 --> 00:52:54.400 another alert here 00:52:54.400 --> 00:52:57.599 that was kind of interesting um let's 00:52:57.599 --> 00:52:58.319 see 00:52:58.319 --> 00:53:00.480 it's not displaying all of them here but 00:53:00.480 --> 00:53:02.800 you get the idea once you're done 00:53:02.800 --> 00:53:04.480 uh you know for example i can remove 00:53:04.480 --> 00:53:06.079 that field here i'm just giving you an 00:53:06.079 --> 00:53:08.720 example of that so remove that field 00:53:08.720 --> 00:53:12.000 uh there we are i can then say next and 00:53:12.000 --> 00:53:15.440 i can click on validate and save based 00:53:15.440 --> 00:53:18.240 on those fields there hit finish 00:53:18.240 --> 00:53:20.800 and then you know i can go back to 00:53:20.800 --> 00:53:23.359 uh you know search and reporting 00:53:23.359 --> 00:53:25.280 and if i wanted to create a very simple 00:53:25.280 --> 00:53:27.040 visualization which i'll show you right 00:53:27.040 --> 00:53:27.839 now 00:53:27.839 --> 00:53:30.000 even though i don't really need those 00:53:30.000 --> 00:53:31.920 extracted fields although they might be 00:53:31.920 --> 00:53:33.280 useful so 00:53:33.280 --> 00:53:36.079 i can click on those extracted fields 00:53:36.079 --> 00:53:38.559 now i believe they should have been 00:53:38.559 --> 00:53:39.760 added 00:53:39.760 --> 00:53:41.200 i'm not really sure why they aren't 00:53:41.200 --> 00:53:43.440 being highlighted here there we are so 00:53:43.440 --> 
00:53:45.200 source ip 00:53:45.200 --> 00:53:47.760 uh we can also specify the source port 00:53:47.760 --> 00:53:50.240 uh we all there there they are so i had 00:53:50.240 --> 00:53:51.760 actually they took a while to be 00:53:51.760 --> 00:53:53.599 displayed there so 00:53:53.599 --> 00:53:56.559 uh so support that why why not we can 00:53:56.559 --> 00:53:59.920 yeah i think that's pretty much it so 00:53:59.920 --> 00:54:02.079 uh based on those we can actually build 00:54:02.079 --> 00:54:04.480 an event type however if we go to 00:54:04.480 --> 00:54:07.520 visualization and click on pivot here 00:54:07.520 --> 00:54:10.640 selected fields is five hit ok 00:54:10.640 --> 00:54:12.559 we can actually you know visualize this 00:54:12.559 --> 00:54:14.319 however we want so for example if i 00:54:14.319 --> 00:54:17.119 wanted a column chart here 00:54:17.119 --> 00:54:19.680 number one will display the count 00:54:19.680 --> 00:54:22.079 i can just add the 00:54:22.079 --> 00:54:24.079 events 00:54:24.079 --> 00:54:26.319 because that's the count and we should 00:54:26.319 --> 00:54:28.720 have at the bottom the time which i did 00:54:28.720 --> 00:54:32.559 specify uh we believe within that range 00:54:32.559 --> 00:54:34.000 there 00:54:34.000 --> 00:54:36.720 but that's not being highlighted here so 00:54:36.720 --> 00:54:39.280 the number of events and you know you 00:54:39.280 --> 00:54:41.839 can go ahead and click as you can 00:54:41.839 --> 00:54:43.440 essentially save it 00:54:43.440 --> 00:54:45.280 so you get the idea you don't really 00:54:45.280 --> 00:54:46.880 need to do this because we have the 00:54:46.880 --> 00:54:48.480 snort app here 00:54:48.480 --> 00:54:50.079 which pretty much gives you the 00:54:50.079 --> 00:54:52.880 summaries that are useful to you or for 00:54:52.880 --> 00:54:53.839 you 00:54:53.839 --> 00:54:56.559 and there we are so fantastic so that's 00:54:56.559 --> 00:54:57.920 going to conclude the practical 
00:54:57.920 --> 00:55:01.119 demonstration side of this video 00:55:01.119 --> 00:55:02.799 so uh thank you very much for watching 00:55:02.799 --> 00:55:04.559 this video if you have any questions or 00:55:04.559 --> 00:55:06.240 suggestions leave them in the comments 00:55:06.240 --> 00:55:07.200 section 00:55:07.200 --> 00:55:08.559 if you want to reach out to me you can 00:55:08.559 --> 00:55:10.160 do so via 00:55:10.160 --> 00:55:12.319 twitter or the discord server the links 00:55:12.319 --> 00:55:14.240 to both of those are in the description 00:55:14.240 --> 00:55:16.720 section furthermore we are now moving on 00:55:16.720 --> 00:55:18.720 to part two so this will conclude part 00:55:18.720 --> 00:55:21.040 one so part two will be available on the 00:55:21.040 --> 00:55:24.559 linode's on24 platform so uh the videos 00:55:24.559 --> 00:55:26.559 are available uh on demand so all you 00:55:26.559 --> 00:55:28.559 need to do just click uh click the link 00:55:28.559 --> 00:55:31.599 in the description register for part two 00:55:31.599 --> 00:55:33.520 after which an email will be sent to you 00:55:33.520 --> 00:55:34.720 and you'll be given uh you know 00:55:34.720 --> 00:55:37.200 immediate access to to the videos uh 00:55:37.200 --> 00:55:40.000 within part two so uh thank you very 00:55:40.000 --> 00:55:42.799 much uh for watching part one uh in the 00:55:42.799 --> 00:55:45.040 next video in part two we'll get started 00:55:45.040 --> 00:55:46.640 or we'll take a look at host intrusion 00:55:46.640 --> 00:55:49.520 detection with ossec so i'll be seeing 00:55:49.520 --> 00:55:53.640 you in the next video 00:55:59.130 --> 00:56:12.240 [Music] 00:56:12.240 --> 00:56:14.319 you