Hello, everyone. Welcome back to the Blue
Team training series brought to you by
Linode and Hackersploit. In this video,
we're going to be taking a look at how
to set up or how to perform security
event monitoring with Splunk, more
specifically, Splunk Enterprise
Security. Right? So the objective here
will be to monitor intrusions and
threats with Splunk. And you might be
asking yourself, well, how are we going to
do this? What setup are we using? Well, the
scenario that I've set up for this video
is we are essentially going to
take all the knowledge that we've
learned during the Snort video, and we
are going to essentially forward all of
the Snort logs into Splunk or have
that done automatically through the
Splunk Universal Forwarder so that we get
the latest logs when Snort is running on
our Ubuntu virtual machine.
And the objective here is to use Splunk
in conjunction with the Splunk's Snort app
to essentially visualize and identify or
monitor network intrusions and any
malicious network traffic, you know, within the
network that I'm monitoring.
At a very high level, what will we be
covering? Well, firstly, we'll get an
introduction to Splunk. Now before we
move any further or we actually carry on,
I do want to note that this video is not
going to be focused on Splunk
fundamentals. I'm going
to assume that you already know what
Splunk is and how it can be used, you know,
and how it's used generally speaking.
Because Splunk is not really a tool
that is specific to security, for example.
That's why they have the Splunk
Enterprise Security version or edition.
And I'm just going to assume that you
know how to use Splunk at a very basic
level. So once we get an introduction to
Splunk, we'll go over Splunk Enterprise
Security--the Enterprise Security edition--and how it
can be used for security event
monitoring, especially in our case
because we want to essentially monitor
the intrusion detection logs
generated by Snort.
So we'll then move on to deploying
Splunk Enterprise Security on Linode,
which is absolutely fantastic because
they have a cloud image
available for it that allows you to spin
it up without going through the process
of installing it and configuring it. So
that'll set it up for us.
We'll then take a look at how to
configure Splunk, and how to set up the
Splunk Universal Forwarder on the Ubuntu
virtual machine that is running Snort so
that we can forward those logs into
Splunk. And then, of course, we'll take
a look at the Splunk Snort event
dashboard that will be provided to us by
the Splunk Snort app. So if this sounds like
gibberish to you, don't worry. It will make
sense in a couple of minutes.
With that being said, given the fact
that we're going to be using, you know,
we're going to be using Snort to
generate alerts and monitor those alerts,
if you have not gone through
the actual Snort video, please do that as
it'll help you set up Snort, and you can
then run through this demo. With that
being said, this is not a holistic video
that will cover everything you can do
with Splunk Enterprise Security. We are
just focused on the intrusion
detection logs produced
by Snort and how they can be
imported or forwarded to Splunk for,
you know, analysis and monitoring.
So the prerequisites are the same as
the previous videos. The only difference
is, you know, that you need to have a
basic familiarity with Splunk and how to
navigate around the various menu
elements and, yeah,
essentially just how to use it at a very
basic level. If you're not familiar with
Splunk, I'll give you a few resources at
the end of these slides
that'll help you out or help
you get started. Alright.
So let's get an introduction
to Splunk. So what is Splunk? That's the
main question. If you've never heard of
Splunk, Splunk is an extremely powerful
platform that is used to analyze data
and logs produced by systems or machines,
as Splunk likes to call them. So
what problem is Splunk trying to solve
here? Well, let's look at this from the
perspective of Web 2.0 or, you know, the
interconnected world we live in
today. And we're going to be looking at
it from the context of or from the
perspective of security.
So if we take a simple system--let's say
we have a Windows operating system or a
system running Windows--well, that Windows
system produces a lot of data or logs
that, you know, contain
information that, you know, at first
glance might not seem that important. But
once you start getting into specific
sectors like security, those logs start,
you know, those logs have, you know,
very important value to organizations.
Now multiply that by a thousand systems.
So let's say we have an organization.
They have a thousand computers within
their network or, you know, distributed
worldwide. And all of these systems,
you know, need to be secured. Their
security needs to be monitored. So how do
we monitor all of this? Well, this is
where Splunk comes into play. So Splunk
allows you to essentially funnel all of
this data produced by systems or
machines into Splunk. And then Splunk allows you
to monitor, search, and analyze this
machine-generated data and the logs
through a web interface. So in order to
use Splunk, you'll need to import your
own data or logs. Alternatively, you can
utilize the Splunk Universal Forwarder to
forward logs and data to Splunk for
analysis and, of course, visualization, etc.
Now, Splunk does so much more that I
really can't go over all of the features
here. But as I said, we're looking at this
from the lens of a security engineer.
Alright. So Splunk collates all the
data and logs from various sources and
provides you with a central index that
you can search through. Splunk also
provides you with robust visualization
and reporting tools that allow you to
identify the data that interests you,
transform the data into results, and
visualize the answers in the form of a
report, chart, graph, etc. Alright. So what
I'm saying here is that Splunk allows
you to take all of this security-related
logs and data and make sense of them and
essentially get the answers that you're
looking for. So, for example, from the
perspective of a security engineer, what
do you want from all of this data? Well,
at a very high level, you want to know
whether something is going wrong and
what could go wrong. In the context of
security, a network could be compromised.
There could be some malicious network
traffic or activity going on. A system
could be compromised, etc., etc. You get the
idea. So we need that data to be
displayed to us as a security engineer.
And Splunk is really one of the best
tools, you know, when it comes down to,
you know, taking a lot of data
and then identifying the data that
interests you, transforming that data
into results, and then visualizing that
data in the form of a report, chart, or
graph. Right. So that's really what we're
going to be doing. And as I said, going
back to the scenario, we're going to be
focusing on how to, you know, essentially
get in or how to forward
the logs created--or the logs and alerts created--by
Snort into Splunk for analysis. And
luckily for us, Splunk has a Snort app or
plug-in, if you will, that will
essentially simplify this process.
So, let's get an idea as to, you know, how we
can use Splunk for security event
monitoring. So Splunk Enterprise Security,
also known as Splunk ES, is a security
information and event management
solution, also known as a SIEM.
It is used by security
teams to quickly detect and respond to
internal and external attacks or threats
or intrusions. So Splunk ES can be used
for security event monitoring, incident
response, and running a SOC or Security Operations Center.
In this video, we'll be using Splunk ES
to monitor and visualize the Snort
intrusion alerts. This will be
facilitated through the help of the Snort
app for Splunk and the Splunk Universal
Forwarder. Now, the Splunk Universal Forwarder
is pretty much the most important
element of what we'll be exploring
because what it does--and this is really
cool--is it automatically
forwards the latest logs,
even when Snort is running. It forwards those
alerts and logs into Splunk, and you can
see them in real time, which is
absolutely fantastic.
So as I said, if you're new to Splunk,
then these resources are really helpful
for you. Splunk offers really great
tutorials and courses designed for
absolute beginners. You can check that
out by clicking on the link within this
slide. And you can learn more about the
Splunk Enterprise Security edition from
that particular link.
Now, as I said, we are going to be deploying
Splunk on Linode, more specifically
Splunk ES. And this is the lab
environment. So we're going to spin up,
you know, Splunk ES on Linode. Now, again,
to follow through with this, you
know, Linode has been absolutely fantastic
with, you know, by providing all of
you guys with a way to get $100
in free Linode credit. All you
need to do is just click the link in the
description section and sign up, and
$100 will be added to your
account so that you can follow along
with this series. So we're going to
set up Splunk ES on Linode. And then
within my internal network, we're just
going to have a very basic infrastructure.
We're going to have the Ubuntu virtual
machine that is running Snort. This is the
same virtual machine that we had set up
and used to set up Snort and set up
Suricata and the one we had used with Wazuh.
And, yeah, that's essentially it. We're
going to have a very basic
infrastructure where we have an attacker
system that I'm going to be using to perform
a bit of network
intrusion detection emulation, whereby
I will essentially perform or run a
couple of commands or scripts to
essentially emulate malicious network
activity so that these logs are
essentially--so this traffic is
essentially logged--and that'll provide
us with a good idea as to how helpful
Splunk is for security event monitoring,
especially in the context of network intrusions.
So as I said, you don't really need to
have a Windows workstation. You simply
need to have the Ubuntu VM, and you can
pretty much run everything from it. And,
of course, you can set up the Splunk
Enterprise Security server on Linode
without any issues.
So that's the lab environment. We can now
get started with the practical
demonstration. So I'm going to switch
over to my Ubuntu virtual machine.
Alright. So I'm back on my Ubuntu
virtual machine, and you can see I have
Linode opened up here.
I haven't set anything up yet because
we're going to be walking through the
process together.
I then have the Splunk.com website here.
So if you're new to Splunk, then you need
to create a new account in order to
follow along. So just head over to
Splunk.com and, you know,
register for an account. It's free.
Once that is done,
you'll need to activate your account or
verify your account through
the verification email
they'll send you. Once that is done,
we can then move forward. Because in
order to access the actual
Splunk Universal Forwarder, you'll need to
have an account. And of course, you
know, in this case, I'll be going through
everything as we move along in a
structured manner. And
then to perform the actual NIDS tests,
we are going to be using the
testmyNIDS.org project,
which is on GitHub. So this is
essentially a bash script
that allows you to--as you can see here--
it allows you to essentially emulate or
simulate malicious network traffic. So,
previously, we had used
the website technique to essentially get
a Linux UID, and that traffic would be
logged as malicious, or
it could be logged as a potential
intrusion. And we can run a few other
checks like HTTP basic authentication,
bad certificate authorities,
an EXE or DLL download over HTTP. So,
you know, we can run tests that,
you know, will just make our
intrusion detection system blow up in
terms of alerts. And that's what we want
because we want to see how that data is
presented to us as a security engineer
on Splunk. With that being said, the first
step, of course, is to set up Splunk ES on Linode.
So just click on “Create a Linode” and click on “Marketplace.”
And they already have Splunk here. So
there we are. You can click on that there.
And if you click on this little info
button here, it'll give you an idea as to
how to deploy it on
Linode. And, of course, you have more
information regarding Splunk. So you have
the documentation link there. So I'll
just click on Splunk.
Once that is clicked, we can then head
over here. You'll need to specify the
Splunk admin user. I recommend using
“admin” to begin with and then specify a password.
If you're setting up, you know, Splunk on
a domain, then you can specify the
Linode API token to essentially create
the DNS records--that's if you're using
Linode's DNS service.
And then, of course, you need to add
the admin email for the server. So in
this case, I can just say, for example,
hackersploit@gmail.com.
Don't spam me on this email because I
don't respond anyway. So we can create
another user.
This is the username for the
Linode admin's SSH user. Please ensure
that the username does not contain any...
so we can just call this “admin.” And then
for the admin user, we'll just say
provide that there.
So the image--we're going to set it up on
Ubuntu 20.04. The region--I’ll say London
because that's closest to me.
As for the actual Linode plan,
Linode ES doesn't require that many
resources, especially because, you know,
the amount of data that we're processing
or the logs that are being forwarded to
Splunk are relatively few--so less than
100--which, if you've used Splunk before
for security event monitoring, you know
that that is
really, really small. In
fact, Splunk will actually tell you,
you know, that the amount of data
to begin with that you have imported or
forwarded is too little to make any sense of.
But that's where the Snort app for
Splunk comes into play. So I'll just say
“Splunk,”
and I'll provide my root password for the server.
And we can click on “Create.”
Alright. Now,
once this is set up and provisioned,
the actual installer is going to begin.
So it's going to set up because there is
an auto-installer setup that will set up Splunk.
Yes. For you. So, let it
provision. After that's done, you can
launch the Lish console to avoid logging
in via SSH. And of course, one thing that
I don't need to tell you
is, if you're setting this up for
production, then you need to make sure
you're securing your server. So do only
use SSH keys for authentication with the server.
If you're new to hardening and securing
a Linux server, you can check out the
previous series
that we did with Linux--the Linux Server
Security series. They'll give you,
you know, all the information you need to
secure a Linux server for production.
With that being said, I'm just going to
let it provision, after which we can
launch the Lish console to see what's
going on in the background. And we can
then get started, you know, officially
with how to set up Splunk. We then need
to set up the Universal Forwarder.
So, this is booting now.
Alright. So the server is booted, and
you can see I've just opened up the Lish
console here
to essentially view what's going on. As
you can see, it's begun setting up
Splunk ES. So just give this a couple of
minutes to essentially begin.
And once it's done, it'll actually
tell you that, and it'll provide you with the
login prompt.
But it's probably logged in as the root
user already. So
just let this complete. I'm just going to
wait for this to actually conclude.
Alright. So once Splunk ES is done,
or the actual Linode is done here
with the setup, you can see it's going to
tell you "installation complete,"
and you can then log in. Keep this
window open because this is going to be
very important, as we'll need to
configure a few firewall rules.
By default, this Linode comes with UFW,
which is the uncomplicated firewall for
Debian, or
it typically comes prepackaged with
Debian-based distributions like Ubuntu.
In this case, it's already added the
firewall rule for the port that we
wanted, but just keep it open because
we'll need to run a few checks. So you
can log in there. So I'm just going to
log in with the credentials that I
specified as the root user. And I can
just say sudo ufw status.
And you can see these are all the
allowed rules or the actual rules
configured for the firewall, which is
looking good so far.
So we can access the Splunk ES instance
that we set up by pasting in the IP of
the server and opening up port 8000.
That's going to open up Splunk ES for
you. So just give this a couple of
seconds. There we are. And the credentials
that we had used were "admin" and the
password that I created--that, you know,
of course, you'll be able to
specify yourself. So just sign in.
And once that is done, you'll be
brought to Splunk Enterprise Security here.
So there we are--explore
Splunk Enterprise.
And in this case, what we're going to be
doing--what we're going to start off with--
is we need to go through a few
configuration changes with Splunk itself.
So the idea, firstly, is to configure
the actual receiving of data.
So if you head over into "Settings,"
you can click on "Data," then just click
on "Forwarding and Receiving."
And once that is done--once that is
loaded up--
under "Receive Data," we need to
configure this instance to receive data
forwarded from other instances. So we
want to configure receiving,
and we just want to set the default receiving port.
So we can say "New Receiving Port,"
and the port is, of course, going to be
the default, which is 9997--which is why
that firewall rule was added. So I'll
click on Save.
Alright. So once that is done, we can
now install the Snort app
for Splunk. So click on "Apps" and head
over into "Find More Apps."
And because the Ubuntu server is running--
or the Ubuntu VM that I'm currently
working on is running--Snort 2, we'll need
the appropriate app here. So I'll just
search for "Snort" there. And we're not
looking for the Snort 3 JSON alerts,
although that, you know, could be quite
useful, but we want the Snort alert for
Splunk. Alright. So this app provides
field extraction. So that's really great
because performing your own field
extractions using regex
can be quite difficult if you're a
beginner. So fast and full,
as well as dashboards, saved searches,
reports, event types, tags, and event
search interfaces. So we'll install that.
Now you'll need to log in with
your Splunk account credentials that you,
you know, actually created on
splunk.com. So I'll just fill in my
information really quickly.
Alright. So I've put in my username and
password. So I'll just say I'll accept
the terms and conditions there. So log in
and install.
That's going to install it. There we are.
So we'll just hit "Done."
Now that that is done, if we head back over
into our dashboard--so I'll just click on
Splunk Enterprise there--
you can now see we have Snort
Alert for Splunk. So that already
comes preconfigured with a dashboard.
So we'll just let this load up here.
And you can see that we don't have
any data yet. So this will display
your events and sources, top source
countries, the events. This is very
important--these sources, top 10
classification. So that'll classify
your alerts in terms of the
type, which again will make sense in a
couple of seconds. So now that that is
done, we actually need to configure
the actual Splunk Universal Forwarder. So
I'll just open that up in a new tab. It's
absolutely free to download the Debian
client or the Splunk Universal
Forwarder Debian package. So Universal
Forwarders provide reliable, secure
data collection from remote
sources and forward that data into
Splunk software for indexing and
consolidation. They can scale to tens of
thousands of remote systems, collecting
terabytes of data. So
again, you can actually see why Splunk is
so powerful and why it's widely used
and deployed--because of the fact that
you can literally be...
literally forward a ton of data from a
ton of systems into Splunk. So because
Snort is running on this
Ubuntu VM, we need the Debian package. So
I'll click on Linux, and we want the
64-bit version. Again, you can choose one
based on your requirements. So if you're
running on Red Hat, Fedora, or CentOS, you
can use the RPM package. So I'll just
download the Debian package here.
Give that a couple of seconds. It's then
going to begin downloading it, and then
I'll walk you through the setup process.
So there we are.
It's begun the setup.
And once that is done, I'll open up my
terminal. So that's saved in the
Downloads directory. So
if we check--if we head over into the
Downloads directory--you can see we have
the Splunk Forwarder Debian package there.
So what we want to do, firstly, is we want
to move this package into the actual /opt
directory on Linux, which will
essentially allow us to, you know,
to set it up as optional software. And
it's really good to have all that
optional software stored in the
directory. So, once that is done and
once that's downloaded, we can say,
move
Splunk forward into opt,
and we'll need sudo privileges. So I'll
say sudo move. There we are. And I'll just
type in my password. Fantastic. So
now navigate to the opt directory. And to
install this, we can say sudo apt,
and then we can specify install. So we
can say sudo apt install,
and then we specify the package itself.
So Splunk forwarder,
and we're just going to hit enter. That's
going to install it for you.
Give that a couple of seconds.
Alright. So once that is installed, if
you list out the contents of this
directory, you're gonna have a Splunk
forwarder directory here. So I'll say cd
splunkforwarder. And under the binary
directory, we can navigate to that here.
We'll need to start--
we'll need to start Splunk. So we will
say sudo,
and the binary we want to run is called
splunk, and we'll accept the license.
The reason we're doing this is because
we need to configure it. So we need to
specify the username and password, or, you
know, create a username and password.
And once that is done, you'll actually
see what that looks like. So I'll just
say accept the license.
And, you can see in this case, let's see if I
typed that incorrectly. That should
actually start. So splunk start. I did not
specify start there.
There we are. So please enter an
administrator name. I'll just say admin.
So again, Splunk software must create an
administrator account during startup.
Otherwise, you cannot log in. So create
credentials for the administrator account.
So in this case, you can
create whatever you want. I'm just going
to fill in my credentials here.
Alright, so I've just entered my
administrator username and then, of
course, my password. So
that is done.
So it'll go through--
it'll essentially go through and check
the prerequisites. New certs have been
generated in the following directory,
and all the preliminary checks have
passed. So starting the Splunk server
daemon--so that started. You can also
enable it to run on system startup. So if
I say, you know, for example, sudo systemctl
status splunk,
let me type that correctly here. So
splunk--
sorry, systemctl,
and we can say splunkd.
Sorry. So we can say splunk. I'm not
really sure why that's not loading here.
But I do know that the daemon is running,
and there should be an init daemon for that.
But in any case,
you can always start it that way.
Once that is done, we will need to add
our forward server. So we need to add
the address of the server--the
Splunk server that we're forwarding our
logs to. We'll move on to what
logs we want to forward in a second. But
let's do that first. So again, we're going
to use the
Splunk binary, and we're going to say forward-server.
And we'll just copy the IP
address of your Splunk server here.
So there we are. And I'll paste that in there.
And then you need to type in the port--so
9997, that's the port to connect to. Hit enter.
So splunk forward--
yeah, we need to add it. I keep forgetting
the preliminary command. So add forward-server,
Splunk username.
So in this case, let me just put
in my credentials here.
Alright. And it's going to then add the
forwarding to that particular address.
Alright. Now that that is done,
we actually need to
configure a particular file,
and that is going to be the outputs.conf
directory. If it's already set up for us,
which it should be,
then we do not need to go through the
initial setup. So,
if we head over into the following
directory--so I'll just take a step back--
we're still in the Splunk forwarder directory.
We'll head over into the etc directory.
And under system,
we have a file under local, I think. It is
called outputs here. Right? So I'm going to say
sudo vim outputs.conf.
And really, the only thing that is
required here is,
of course, just leave the default
configuration as is. The default group is
fine. So tcpout:default-autolb-group,
that's fine. So make sure that the
server option here is configured--that's
the most important. And the tcpout-server
address is also configured in
this format. So we don't need to make any
changes there. So I'll just say quit and exit.
Once that is done, we also need to check
the actual inputs configuration file.
But before we do that,
let's take a look. So if you revisit the
Snort video,
you know that all the logs are stored
under /var/log/snort.
Right? So we have the alert log,
and we also have--so again, based on
the type of alerts
you want generated--so, you know,
if I say man snort here,
you can see that we have the alert mode.
So you can use the fast mode or the
full mode. In this case, I'll be using the
fast mode,
and I'll give you a description of what's
going on here. Right? So
full writes the alert to the alert
file with the full decoded header as
well as the alert message, which might be
important. So we can also do that as well.
So this was from the previous--from
the Snort video where we
had run...
essentially run Snort and, you know,
where we were identifying various alerts.
So, what we can do is, again, we'll
go through what needs to be created, but
we can run a quick test command just to
see whether
the actual alerts are being logged
within the alert file, because we have
alert.1. Ideally, we would only want
to forward this file into Splunk.
So, in order to do this, what I'm going
to do now is I'm just gonna run Snort
really quickly. So I'm going to say sudo snort -q,
for quiet, and then
the actual directory for the logs is /var/log/snort.
And then we can say the interface is enp0s3.
Again, make sure to replace that with
your own interface. The alert, we can
say full,
and the configuration is /etc/snort/snort.conf.
I believe we had another configuration
file. Yeah. We had used the snort.conf file.
So I'll hit enter.
And now let me open up my file explorer here.
We take a look at the var directory
under log. And under snort,
we have alert. There we are. So,
that has been modified. The last was
modified
right over there. Okay. So that's 19. Yeah.
So this is the last modified. So I know
this file is not human-readable. We
are not going to be forwarding this .log file.
So I'll just close that there.
So I'm just going to try and perform a few
checks on the network, like a few pings,
just to see if that's detected.
So I'll just, you know, perform a ping really quickly.
Again, the alerts will not be logged on
our terminal because they're being
logged, you know, into the respective
alert file or the alert log file. So I'll
just perform, you know, a few pings, as
I was saying, which I'm doing right now
on the attacker system.
Once that is done, let's see whether
those changes are being highlighted in
alert. Indeed, they are. Okay. So now,
as you can see here,
this is the full--
these are... So to begin with, we had used
the fast alert output mode.
And right over here, we then have the
full alert mode, which I'm not really sure how
we want to
go about doing this. But you can see,
we can actually make a few changes.
What we can do is we can get rid of this traffic here.
But you can see the message is actually
being logged. So
we can get rid of this here
because we don't want to mix fast alerts
with the full mode. So we can just get rid of that
there and save that.
Once that is done, I'll just say--
we actually need permissions to modify that file.
But, you know, what we can do is--what I am
going to do, actually, is close without
saving. I'm just going to stop Snort
there,
and I'm just going to say
sudo rm /var/log/snort/alert.
Alright. And we're also going to remove
alert.1.
Alright. So I'm just going to run this
again just to see if that file is
generated.
So there we are, we have alert there.
So now it's much cleaner. So I'll just
run a few pings just to make sure that
the traffic is being logged, all those
alerts are being logged.
So there we are, we have a few pings
there,
and we can also, you know, just run a few
checks there. Okay. So there we are, we can
see that those are now being logged. And,
of course, we can change the format--
you can change it based on your
requirements. Right?
So now that that is done,
what we can do is close that up,
and we can actually leave Snort running
as is.
So what I'll do is I'm just going to
open up another tab.
So I can say Ctrl+Shift+D. There we are.
And we're currently within the following
directory: /opt/splunkforwarder/etc/system/local.
So once that is done, we now need to add
the files that we would like to monitor
or that we would like to forward--right,
so the log files.
So I'll go back into the bin directory.
So there we are, cd bin, because that's
where we have the splunk binary. So I'll
say sudo splunk,
and we can say add monitor,
and the file that we want to forward is
under /var/log/snort, and it is just alert.
Right? So that's really all that we want
to do. Right?
And we can also utilize the fast alerts,
but let's just do this for now.
And we only want the alerts; we don't
want the actual log files that contain
the packets themselves. So I'll hit enter.
Alright. So it's now going to forward
those alerts into Splunk, which pretty
much means that on our end we are done.
However, we still need to check one more
configuration file. So I'll just take a
step back here, and we'll head over into
the etc directory, under apps,
and search,
and then into local.
I think we'll need root
permissions to access this, so I'll just
switch to the root user and head over
into local.
And we're looking for the inputs.conf
file.
Right. So we need to actually
configure this, because this is very
important.
So the first thing we want to do is
add a new line here, and within the
square brackets I'll just say
splunktcp,
and we then want to specify the port, so
9997.
Let me make sure I type that in
correctly.
We then need to actually put in the
connection host. So connection_host
is going to be equal to the IP
address of the Splunk
server.
So I'll just copy that there and paste
that in there.
Once that is done,
this is fine here: disabled is set to
false. We want index to be equal
to main,
and then the sourcetype
is going to be equal to
snort_alert_full,
and we can then say the source is equal
to snort. Alright. So this is a very
important configuration, so let me just
go through those options or
configurations again. We have the
splunktcp option.
We then have the actual connection_host.
The monitor is set correctly to
that file.
It's enabled, index equals main,
sourcetype equals snort_alert_full,
source is equal to snort. Fantastic. So
we'll write and quit.
Once this is done,
we'll need to restart Splunk. So I'll
switch back to my user, alexis, here, and
we'll navigate back to the bin directory.
So I'll say cd bin,
and we'll say sudo splunk,
and we can then say
restart.
Alright. Hit enter.
It's going to stop the splunk daemon,
shutting it down,
restart it, and it's done successfully. So
all the checks were completed without
any issue. Alright.
Now that this is done, we can go back into Splunk here and navigate to the dashboard. This is your Splunk server. Let's take a look at the messages here; that's just a few updates, we don't need to do anything there. If we click on Search & Reporting, just to verify that that data has indeed been forwarded (I'll just skip through this), and click on Data Summary, under Sources you should see that we have the host, and in my case the name of the system is blackbox, so that should be reflected there. So there we are: blackbox, we have 42 logs, or alerts if you will, and 42 under Sources as well. We can click on that there to see the data that has been logged, and indeed we can see that it has been done correctly. So the sourcetype is alert, and we can see that it's imported pretty much all the data; this is the full log, where we have the reference to that there. That's weird, I didn't actually run anything weird, but there you go.
So now that this is done, you can use Splunk to visualize this data however you want. I can go into Visualization, or we can select a few fields: if I go back into the events here I can select a few fields that I want displayed, and I can extract the fields I want with regex. But I don't think this is necessary at this point, because if we go back to the dashboard and click on Snort Alert for Splunk, let's see whether this automates that process for us. There we are, it looks like it does: classification, Bad Traffic. So it looks like that is working.
So what we can do now is run a few tests. We can utilize the testmynids script here. All you need to do to run it is copy this one-liner, the command that will download it into your /tmp directory and then execute it. To run it again from your /tmp directory, you can just execute the downloaded file directly, and once that is done you can select the option you want. So let me just do that on my attacker system. I'm just going to run it one more time, so I'll say ls here, and if I open up the documentation, firstly I will run a quick Linux UID check, so I'll hit Enter. Okay, that is done. I'll then perform an HTTP basic authentication test and a malware user agent test, so I'm doing that right now. Okay, and we can run one more here. Let's see, we can try the EXE or DLL download over HTTP; that is surely going to be logged, or rather, that's going to trigger an alert. Do we have... that is running, all right, so Snort is running, that's great, so we know that the actual alerts are being forwarded. Absolutely fantastic. So let's go back in here. I've already run those particular checks, so let me just refresh this. I know it usually takes a couple of seconds to a couple of minutes, but that data should be reflected there. There we are, fantastic.
So firstly I'll just explain the dashboard here, because this dashboard is automatically set up for you by the Snort app, which is really awesome; as I said, you don't need to go through that process yourself. The first graph here tells you your events, and it also displays the total number of sources, so you can see that there; you also have the time. You have your events and then the timeline here, and you can view the trend of events there. You then have the top source countries right over here, and if I just run another check really quickly through the testmynids website, let me just run the curl command; because we are reaching out to an external server, you should see that reflected under the top source countries. We then have the events here, which you can click on, and then of course you have the sources. These are the Snort event types, and these are the classifications, so we can see Potentially Bad Traffic and Attempted Information Leak, and you can just refresh your dashboard to get the latest. So we'll give that a couple of seconds, and you can also specify the refresh interval.
So I'll just wait for this; let's see if it's actually being logged, or whether we can see all of that. I'll just go back into the dashboard here and go into Search & Reporting, and if we click on Data Summary and then Sources, we can see we have snort there and then the snort alert file. So we click on snort there. Okay, so this is bad traffic. That's really weird, because the source is... we had added two sources there. So Data Summary, let me just click on that, and if we click on these sources, this is the one that we want ideally. Yeah, so that looks like the correct one; that's the correct traffic. I think that's why... let me see if I can find Snort Alert for Splunk, let me click on the app there, show filters. It should be displaying much more than that, because I know there are not just four. So if we head over into the Snort Event Search here, we can search for... yeah, so this is only monitoring the pings. That's weird. I'm not really sure why we have two data sources; I think it's to do with the fact that we had... so let me just go back here: apps, search, and as root (sudo), let me just check that, so cd local, vim inputs.conf. So there we are, the source is snort. We already specified the source as snort there, but it's adding this particular alert file as a source as well. And then the sourcetype is snort_alert_full, index main; yeah, that should be working without any issues. I'm not really sure why that is the case, but we can customize what data set we want to use, so let me actually showcase how to do that right now.
So apologies about that; I actually figured out what the issue was. It was because the system I was running these particular attacks from wasn't even connected to the local network, and even though I was running these attacks, I did realize that of course they weren't working. So I've just reconnected it, and what I'm going to do is run this one more time. Just give me a second here. Let me just navigate to that particular directory and we'll see whether this will work. You can see there's much more that's been captured in regards to events, and I'll be explaining this dashboard in a couple of seconds. Let me just launch that first type of check; of course I'm using testmynids here. Unfortunately that wasn't even being logged before, which is why I was a bit confused as to why those logs were not being displayed here. So I'll give that a couple of seconds and we'll be able to see this happen in real time as well.
All right, so that is done. I've launched a couple of those tests, and as I said, this is the default dashboard that you're provided with here. You can refresh all of these panels, and that'll display the latest. As I said, because I had performed the check and connected to an external server, you can see that the top source countries are highlighted there. You can also refresh the number of events, as you can see here, and the number of sources, and you can do that for the rest of the panels. These are the top 10 classifications in terms of events, and then the Snort event types, as you can see here. So for example, in this case we have the ATTACK_RESPONSE id check, which if we click on right over here, you can see that it displays that, and you can then click on the signature itself, and this is for statistics. Now if you click on the Snort Event Search tab right over here, you can see that this allows you to search based on the source IP, the source port, the destination IP, the destination port and the event type, so I can check for attack responses based on the rule set that we had used previously, and I can also specify the time range, so that's really fantastic. You can see that right over here we have that logged, which is fantastic. And if we click on the Snort World Map, this will display the countries by the source IPs; in this case it should display the United States, which makes sense, and there we are. So again, this is extremely helpful, especially if you work in a SOC, and as I said there are multiple security tools you can integrate with Splunk.
Now, one thing that I wanted to highlight: if you click on Edit (I'll just go back to the Event Summary here, because this is very important), you can set this as your main dashboard. So if you right-click here, you can set this as your home dashboard; I'll just click on that there, and now you'll see on your dashboard here, if I just close that top menu, that it will be displayed there, so give it a couple of seconds. Of course you can click on the cog wheel here and specify your default dashboard; there are a couple of other ones that are created by default, but yeah, you can have that on your dashboard. And if you click on Snort Alert for Splunk here and go back into that Snort Event Summary tab, you can edit the way these panels are tiled. You can convert one to a pre-built panel, you can get rid of it, and you can also move them around based on your own requirements. In this case you can also select the visualization; I think the default one is fine, and you can then view the report here. If we click on this one here, for example, we could use a bar graph to display the top source countries and have them displayed in a bar graph style, but we can just take it back to the pie chart there, and you can also change this for the events as well. If we wanted to view a trend we can click on the bar graph there; in this case I don't think that's formatted correctly, so we'll just use the default one, which I believe was... no, that wasn't the one; let's see if I can identify it here, it was the number, there we are, so 26. As I said, you can customize this based on your own requirements; for example, this one might do well in the form of a bar graph, so you can utilize that if you feel that is appropriate. In this case we can also list the events themselves. Let's see which other ones look really good here. Once you're done with the customization you can then cancel or save based on your requirements, and you can also filter on this particular tab here through the source IP, destination IP, etc. Let's see, what else did I want to highlight? Let me just refresh this once more to get the latest data. In terms of the panels, this one will display the last 100 attempts, and you can go through them like so. I think we've gone through all of them, but you also have the persistent sources, so two or more days of activity in the last 30 days; you actually need a lot of data for that to be displayed or to give you anything useful. So that is what I wanted to highlight in regards to the Snort Alert for Splunk app and the dashboards which, as I said, it already builds for you.
Now, you can create your own dashboard, as I said. If I go back into Apps and Search & Reporting, based on your own sources, I'll just click on Data Summary there, and if I click on Sources, you can click on this source here, for example. In this case we can just click on that there and I can click on Extract Fields, and you can extract the fields with regex, so I'll click on Next there. You can then select the fields that you want; for example, in this case we would want the date and time, so I can just highlight that there and say time, for example, and add the extraction. Then of course we have the source IP and the port; I'll just highlight them together, but I think it's actually recommended to highlight just the source IP there, so for the source we can say src_ip and add that extraction. We then have the destination IP, which in this case, because this is an SNMP broadcast request, we know is the destination IP, so I'll say dst_ip and add the extraction. Let's see what else we can do. In this case it's saying: "If you're extracting multiple fields, try removing one or more fields. Start with the extractions that are embedded within longer strings." Okay, so let's try and use another alert here; that was kind of interesting. Let's see. It's not displaying all of them here, but you get the idea. Once you're done, for example I can remove that field here (I'm just giving you an example of that), so remove that field. There we are, I can then say Next, and I can click on Validate and Save based on those fields there, and hit Finish.
Then I can go back to Search & Reporting, and if I wanted to create a very simple visualization, which I'll show you right now, even though I don't really need those extracted fields (although they might be useful), I can click on those extracted fields; I believe they should have been added. I'm not really sure why they aren't being highlighted here... there we are, so source IP, and we can also specify the source port. There they are; they took a while to be displayed there. So source port, why not. Yeah, I think that's pretty much it. Based on those we can build an event type; however, if we go to Visualization and click on Pivot here, selected fields is five, hit OK, and we can visualize this however we want. So for example, if I wanted a column chart here, this one will display the count, so I can just add the events, because that's the count, and we should have at the bottom the time, which I believe I did specify within that range there, but that's not being highlighted here. So the number of events, and you can go ahead and save it. So you get the idea; you don't really need to do this, because we have the Snort app here, which pretty much gives you the summaries that are useful to you.
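The field extraction above pulls time, src_ip and dst_ip out of the raw alert text with a regex, and the Snort app's panels (top classifications, Snort event types, top sources, the Snort Event Search tab) are aggregations and filters over those same fields. As an added example, not part of the video or of the Snort Alert for Splunk app, here is a Python script that does the same outside Splunk: it parses Snort's full-format alert output into those fields and computes the summaries, including the ICMP case where the address line carries no ports. The alert records, SIDs, addresses and timestamps are constructed for the example, and because no GeoIP database is available offline, the "top source countries" idea is reduced to separating RFC 1918 addresses from everything else.

```python
"""Parse Snort full-format alerts and summarise them the way the Snort Alert
for Splunk panels do. Added example; not from the video or the app."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (not a real capture): SIDs, addresses and times are made up.
SAMPLE_ALERTS = """\
[**] [1:1000001:3] ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-10:22:31.123456 203.0.113.10:80 -> 192.168.1.20:51234
TCP TTL:54 TOS:0x0 ID:12345 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x1000 TcpLen: 20

[**] [1:1000002:1] SNMP broadcast request [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/14-10:23:02.000100 192.168.1.77:50001 -> 192.168.1.255:161
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:70

[**] [1:1000001:3] ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-10:25:10.500000 203.0.113.10:80 -> 192.168.1.20:51240
TCP TTL:54 TOS:0x0 ID:12346 IpLen:20 DgmLen:1400 DF

[**] [1:1000003:2] ICMP PING [**]
[Priority: 3]
05/14-10:26:00.000000 192.168.1.77 -> 192.168.1.20
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
# Classification is optional: rules without a classtype print only the priority.
CLASS_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]\s*$")
# Ports are optional: ICMP alerts carry only the two addresses.
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?\s*$"
)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_snort_full(text):
    """One dict per alert record (records are blank-line separated). Records
    that do not match the format are skipped rather than guessed at."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        cls = CLASS_RE.match(lines[1])
        addr = ADDR_RE.match(lines[2])
        if not (head and cls and addr):
            continue
        gid, sid, rev, msg = head.groups()
        alerts.append({
            "gid": int(gid), "sid": int(sid), "rev": int(rev), "signature": msg,
            "classification": cls.group(1) or "unclassified",
            "priority": int(cls.group(2)),
            "time": addr.group(1),
            "src_ip": addr.group(2),
            "src_port": int(addr.group(3)) if addr.group(3) else None,
            "dst_ip": addr.group(4),
            "dst_port": int(addr.group(5)) if addr.group(5) else None,
            "protocol": lines[3].split()[0] if len(lines) > 3 else None,
        })
    return alerts


def is_internal(ip):
    """True for RFC 1918 addresses; stands in for the app's GeoIP lookup."""
    return any(ip_address(ip) in net for net in RFC1918)


def count_by(alerts, field, n=10):
    """Top-n values of a field: the 'top classifications' / 'event types' panels."""
    return Counter(a[field] for a in alerts).most_common(n)


def top_sources(alerts, n=10, external_only=False):
    """Most frequent source addresses, optionally only non-RFC 1918 ones."""
    srcs = (a["src_ip"] for a in alerts
            if not (external_only and is_internal(a["src_ip"])))
    return Counter(srcs).most_common(n)


def search(alerts, src_ip=None, dst_ip=None, signature=None):
    """The 'Snort Event Search' tab: filter on source/destination IP and signature text."""
    return [a for a in alerts
            if (src_ip is None or a["src_ip"] == src_ip)
            and (dst_ip is None or a["dst_ip"] == dst_ip)
            and (signature is None or signature.lower() in a["signature"].lower())]


if __name__ == "__main__":
    alerts = parse_snort_full(SAMPLE_ALERTS)
    print("events:", len(alerts))
    print("classifications:", count_by(alerts, "classification"))
    print("event types:", count_by(alerts, "signature"))
    print("external sources:", top_sources(alerts, external_only=True))
    for a in search(alerts, dst_ip="192.168.1.20", signature="id check"):
        print(a["time"], a["src_ip"], "->", a["dst_ip"], a["signature"])
```

On the sample this reports four events, two of them "Potentially Bad Traffic", one external source address seen twice, and two "id check" hits against 192.168.1.20, which is the same picture the dashboard's panels give for the same data.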
And there we are. Fantastic, so that's going to conclude the practical demonstration side of this video. Thank you very much for watching this video. If you have any questions or suggestions, leave them in the comments section. If you want to reach out to me, you can do so via Twitter or the Discord server; the links to both of those are in the description section. Furthermore, we are now moving on to Part Two, so this will conclude Part One. Part Two will be available on Linode's ON24 platform, so the videos are available on demand. All you need to do is click the link in the description and register for Part Two, after which an email will be sent to you and you'll be given immediate access to the videos within Part Two. So thank you very much for watching Part One. In the next video, in Part Two, we'll take a look at host intrusion detection with OSSEC. I'll be seeing you in the next video.
[Music]