Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up or how to perform security event monitoring with Splunk, more specifically, Splunk Enterprise Security. Right? So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is we are essentially going to take all the knowledge that we've learned during the Snort video, and we are going to essentially forward all of the Snort logs into Splunk or have that done automatically through the Splunk Universal Forwarder so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with Splunk's Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic, you know, within the network that I'm monitoring. At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk.
Now before we move any further or we actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, you know, and how it's used generally speaking. Because Splunk is not really a tool that is specific to security, for example. That's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security--the Enterprise Security edition--and how it can be used for security event monitoring, especially in our case because we want to essentially monitor the intrusion detection logs generated by Snort. So we'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it. So that'll set it up for us.
We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes. With that being said, given the fact that we're going to be using, you know, we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that as it'll help you set up Snort, and you can then run through this demo. With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for, you know, analysis and monitoring. So the prerequisites are the same as the previous videos.
The only difference is, you know, that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements and, yeah, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you out or help you get started. Alright. So let's get an introduction to Splunk. So what is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0 or, you know, the interconnected world we live in today. And we're going to be looking at it from the context of or from the perspective of security. So if we take a simple system--let's say we have a Windows operating system or a system running Windows--well, that Windows system produces a lot of data or logs that, you know, contain information that, you know, at first glance might not seem that important.
But once you start getting into specific sectors like security, those logs start, you know, those logs have, you know, very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization. They have a thousand computers within their network or, you know, distributed worldwide. And all of these systems, you know, need to be secured. Their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. So Splunk allows you to essentially funnel all of this data produced by systems or machines into Splunk. And then Splunk allows you to monitor, search, and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this from the lens of a security engineer. Alright.
So Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. Alright. So what I'm saying here is that Splunk allows you to take all of these security-related logs and data and make sense of them and essentially get the answers that you're looking for. So, for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised. There could be some malicious network traffic or activity going on. A system could be compromised, etc., etc. You get the idea. So we need that data to be displayed to us as a security engineer.
And Splunk is really one of the best tools, you know, when it comes down to, you know, taking a lot of data and then identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart, or graph. Right. So that's really what we're going to be doing. And as I said, going back to the scenario, we're going to be focusing on how to, you know, essentially get in or how to forward the logs created--or the logs and alerts created--by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app or plug-in, if you will, that will essentially simplify this process. So, let's get an idea as to, you know, how we can use Splunk for security event monitoring. So Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks or threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts.
This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring because what it does--and this is really cool--is it automatically forwards the latest logs, even when Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic. So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check that out by clicking on the link within this slide. And you can learn more about the Splunk Enterprise Security edition from that particular link. Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. So we're going to spin up, you know, Splunk ES on Linode. Now, again, to follow through with this, you know, Linode has been absolutely fantastic with, you know, by providing all of you guys with a way to get $100 in free Linode credit.
All you need to do is just click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then within my internal network, we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort. This is the same virtual machine that we had set up and used to set up Snort and set up Suricata and the one we had used with Wazuh. And, yeah, that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will essentially perform or run a couple of commands or scripts to essentially emulate malicious network activity so that these logs are essentially--so this traffic is essentially logged--and that'll provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions. So as I said, you don't really need to have a Windows workstation. You simply need to have the Ubuntu VM, and you can pretty much run everything from it.
And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues. So that's the lab environment. We can now get started with the practical demonstration. So I'm going to switch over to my Ubuntu virtual machine. Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet because we're going to be walking through the process together. I then have the Splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and, you know, register for an account. It's free. Once that is done, you'll need to activate your account or verify your account through the verification email they'll send you. Once that is done, we can then move forward. Because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, you know, in this case, I'll be going through everything as we move along in a structured manner. And then to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub.
So this is essentially a bash script that allows you to--as you can see here--it allows you to essentially emulate or simulate malicious network traffic. So, previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, an EXE or DLL download over HTTP. So, you know, we can run tests that, you know, will just make our intrusion detection system blow up in terms of alerts. And that's what we want because we want to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode. So just click on "Create a Linode" and click on "Marketplace." And they already have Splunk here. So there we are. You can click on that there. And if you click on this little info button here, it'll give you an idea as to how to deploy it on Linode. And, of course, you have more information regarding Splunk. So you have the documentation link there. So I'll just click on Splunk.
Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using "admin" to begin with and then specify a password. If you're setting up, you know, Splunk on a domain, then you can specify the Linode API token to essentially create the DNS records--that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this "admin." And then for the admin user, we'll just say provide that there. So the image--we're going to set it up on Ubuntu 20.04. The region--I'll say London because that's closest to me.
As for the actual Linode plan, Linode ES doesn't require that many resources, especially because, you know, the amount of data that we're processing or the logs that are being forwarded to Splunk are relatively few--so less than 100--which, if you've used Splunk before for security event monitoring, you know that that is really, really small. In fact, Splunk will actually tell you, you know, that the amount of data to begin with that you have imported or forwarded is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So I'll just say "Splunk," and I'll provide my root password for the server. And we can click on "Create." Alright. Now, once this is set up and provisioned, the actual installer is going to begin. So it's going to set up because there is an auto-installer setup that will set up Splunk. Yes. For you. So, let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH. And of course, one thing that I don't need to tell you is, if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server.
If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux--the Linux Server Security series. They'll give you, you know, all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. And we can then get started, you know, officially with how to set up Splunk. We then need to set up the Universal Forwarder. So, this is booting now. Alright. So the server is booted, and you can see I've just opened up the Lish console here to essentially view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes to essentially begin. And once it's done, it'll actually tell you that, and it'll provide you with the login prompt. But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to actually conclude. Alright. So once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete," and you can then log in.
Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, which is the uncomplicated firewall for Debian, or it typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. So I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status. And you can see these are all the allowed rules or the actual rules configured for the firewall, which is looking good so far. So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. So just give this a couple of seconds. There we are. And the credentials that we had used were "admin" and the password that I created--that, you know, of course, you'll be able to specify yourself. So just sign in. And once that is done, you'll be brought to Splunk Enterprise Security here.
So there we are--explore Splunk Enterprise. And in this case, what we're going to be doing--what we're going to start off with--is we need to go through a few configuration changes with Splunk itself. So the idea, firstly, is to configure the actual receiving of data. So if you head over into "Settings," you can click on "Data," then just click on "Forwarding and Receiving." And once that is done--once that is loaded up--under "Receive Data," we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port. So we can say "New Receiving Port," and the port is, of course, going to be the default, which is 9997--which is why that firewall rule was added. So I'll click on Save. Alright. So once that is done, we can now install the Snort app for Splunk. So click on "Apps" and head over into "Find More Apps." And because the Ubuntu server is running--or the Ubuntu VM that I'm currently working on is running--Snort 2, we'll need the appropriate app here. So I'll just search for "Snort" there.
And we're not looking for the Snort 3 JSON alerts, although that, you know, could be quite useful, but we want the Snort alert for Splunk. Alright. So this app provides field extraction. So that's really great because performing your own field extractions using regex can be quite difficult if you're a beginner. So fast and full, as well as dashboards, saved searches, reports, event types, tags, and event search interfaces. So we'll install that. Now you'll need to log in with your Splunk account credentials that you, you know, actually created on splunk.com. So I'll just fill in my information really quickly. Alright. So I've put in my username and password. So I'll just say I'll accept the terms and conditions there. So log in and install. That's going to install it. There we are. So we'll just hit "Done." Now that that is done, if we head back over into our dashboard--so I'll just click on Splunk Enterprise there--you can now see we have Snort Alert for Splunk. So that already comes preconfigured with a dashboard. So we'll just let this load up here. And you can see that we don't have any data yet.
So this will display your events and sources, top source countries, the events. This is very important--these sources, top 10 classification. So that'll classify your alerts in terms of the type, which again will make sense in a couple of seconds. So now that that is done, we actually need to configure the actual Splunk Universal Forwarder. So I'll just open that up in a new tab. It's absolutely free to download the Debian client or the Splunk Universal Forwarder Debian package. So Universal Forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data. So again, you can actually see why Splunk is so powerful and why it's widely used and deployed--because of the fact that you can literally be... literally forward a ton of data from a ton of systems into Splunk. So because Snort is running on this Ubuntu VM, we need the Debian package. So I'll click on Linux, and we want the 64-bit version. Again, you can choose one based on your requirements. So if you're running on Red Hat, Fedora, or CentOS, you can use the RPM package.
So I'll just 0:21:51.520,0:21:54.559 download the Debian package here. 0:21:54.559,0:21:56.080 Give that a couple of seconds. It's then 0:21:56.080,0:21:58.240 going to begin downloading it, and then 0:21:58.240,0:22:00.000 I'll walk you through the setup process. 0:22:00.000,0:22:01.840 So there we are. 0:22:01.840,0:22:04.260 It's begun the setup. 0:22:07.360,0:22:09.440 And once that is done, I'll open up my 0:22:09.440,0:22:10.799 terminal. So that's saved in the 0:22:10.799,0:22:12.960 Downloads directory. So 0:22:12.960,0:22:14.320 if we check--if we head over into the 0:22:14.320,0:22:15.840 Downloads directory--you can see we have 0:22:15.840,0:22:18.489 the Splunk Forwarder Debian package there. 0:22:19.200,0:22:21.679 So what we want to do, firstly, is we want 0:22:21.679,0:22:25.680 to move this package into the actual /opt 0:22:25.680,0:22:28.080 directory on Linux, which will 0:22:28.080,0:22:30.880 essentially allow us to, you know, 0:22:30.880,0:22:33.360 to set it up as optional software. And 0:22:33.360,0:22:35.280 it's really good to have all that 0:22:35.280,0:22:38.240 optional software stored in the 0:22:38.240,0:22:42.240 directory. So, once that is done and 0:22:42.240,0:22:44.320 once that's downloaded, we can say, 0:22:44.320,0:22:45.600 move 0:22:45.600,0:22:48.480 Splunk forward into opt, 0:22:48.480,0:22:50.400 and we'll need sudo privileges. So I'll 0:22:50.400,0:22:52.559 say sudo move. There we are. And I'll just 0:22:52.559,0:22:55.120 type in my password. Fantastic. So 0:22:55.120,0:22:57.360 now navigate to the opt directory. And to 0:22:57.360,0:23:00.320 install this, we can say sudo apt, 0:23:00.320,0:23:02.960 and then we can specify install. So we 0:23:02.960,0:23:05.120 can say sudo apt install, 0:23:05.120,0:23:06.960 and then we specify the package itself. 0:23:06.960,0:23:09.440 So Splunk forwarder, 0:23:09.440,0:23:11.440 and we're just going to hit enter. That's 0:23:11.440,0:23:13.520 going to install it for you. 
0:23:13.520,0:23:16.880 Give that a couple of seconds. 0:23:19.440,0:23:21.520 Alright. So once that is installed, if 0:23:21.520,0:23:23.039 you list out the contents of this 0:23:23.039,0:23:24.559 directory, you're gonna have a Splunk 0:23:24.559,0:23:26.559 forwarder directory here. So I'll say cd 0:23:26.559,0:23:29.200 splunkforwarder. And under the binary 0:23:29.200,0:23:31.200 directory, we can navigate to that here. 0:23:31.200,0:23:32.720 We'll need to start-- 0:23:32.720,0:23:35.600 we'll need to start Splunk. So we will 0:23:35.600,0:23:37.280 say sudo, 0:23:37.280,0:23:39.039 and the binary we want to run is called 0:23:39.039,0:23:41.279 splunk, and we'll accept the license. 0:23:41.279,0:23:42.799 The reason we're doing this is because 0:23:42.799,0:23:44.799 we need to configure it. So we need to 0:23:44.799,0:23:46.799 specify the username and password, or, you 0:23:46.799,0:23:49.279 know, create a username and password. 0:23:49.279,0:23:52.000 And once that is done, you'll actually 0:23:52.000,0:23:53.360 see what that looks like. So I'll just 0:23:53.360,0:23:55.679 say accept the license. 0:23:55.679,0:23:59.200 And, you can see in this case, let's see if I 0:23:59.200,0:24:01.200 typed that incorrectly. That should 0:24:01.200,0:24:03.600 actually start. So splunk start. I did not 0:24:03.600,0:24:05.440 specify start there. 0:24:05.440,0:24:06.799 There we are. So please enter an 0:24:06.799,0:24:09.679 administrator name. I'll just say admin. 0:24:09.679,0:24:12.000 So again, Splunk software must create an 0:24:12.000,0:24:14.320 administrator account during startup. 0:24:14.320,0:24:16.559 Otherwise, you cannot log in. So create 0:24:16.559,0:24:18.899 credentials for the administrator account. 0:24:20.640,0:24:22.320 So in this case, you can 0:24:22.320,0:24:23.600 create whatever you want. I'm just going 0:24:23.600,0:24:26.000 to fill in my credentials here. 
0:24:26.000,0:24:28.640 Alright, so I've just entered my 0:24:28.640,0:24:30.320 administrator username and then, of 0:24:30.320,0:24:32.400 course, my password. So 0:24:32.400,0:24:33.840 that is done. 0:24:33.840,0:24:36.240 So it'll go through-- 0:24:36.240,0:24:37.760 it'll essentially go through and check 0:24:37.760,0:24:40.400 the prerequisites. New certs have been 0:24:40.400,0:24:42.960 generated in the following directory, 0:24:42.960,0:24:45.200 and all the preliminary checks have 0:24:45.200,0:24:47.520 passed. So starting the Splunk server 0:24:47.520,0:24:49.440 daemon--so that started. You can also 0:24:49.440,0:24:52.159 enable it to run on system startup. So if 0:24:52.159,0:24:56.330 I say, you know, for example, sudo systemctl 0:24:56.720,0:24:58.910 status splunk, 0:24:59.520,0:25:01.840 let me type that correctly here. So 0:25:01.840,0:25:03.360 splunk-- 0:25:03.360,0:25:07.520 sorry, systemctl, 0:25:07.520,0:25:10.240 and we can say splunkd. 0:25:10.240,0:25:12.880 Sorry. So we can say splunk. I'm not 0:25:12.880,0:25:15.039 really sure why that's not loading here. 0:25:15.039,0:25:17.520 But I do know that the daemon is running, 0:25:17.520,0:25:23.620 and there should be an init daemon for that. 0:25:23.620,0:25:24.799 But in any case, 0:25:24.799,0:25:27.360 you can always start it that way. 0:25:27.360,0:25:29.840 Once that is done, we will need to add 0:25:29.840,0:25:32.320 our forward server. So we need to add 0:25:32.320,0:25:34.960 the address of the server--the 0:25:34.960,0:25:37.039 Splunk server that we're forwarding our 0:25:37.039,0:25:39.600 logs to. We'll move on to what 0:25:39.600,0:25:42.480 logs we want to forward in a second. But 0:25:42.480,0:25:44.159 let's do that first. So again, we're going 0:25:44.159,0:25:45.799 to use the 0:25:47.520,0:25:51.220 Splunk binary, and we're going to say forward-server. 0:25:51.220,0:25:52.559 And we'll just copy the IP 0:25:52.559,0:25:56.419 address of your Splunk server here. 
0:25:56.419,0:25:59.850 So there we are. And I'll paste that in there. 0:26:00.640,0:26:03.320 And then you need to type in the port--so 0:26:03.320,0:26:07.780 9997, that's the port to connect to. Hit enter. 0:26:08.400,0:26:10.799 So splunk forward-- 0:26:11.279,0:26:13.279 yeah, we need to add it. I keep forgetting 0:26:13.279,0:26:16.910 the preliminary command. So add forward-server, 0:26:16.910,0:26:18.260 Splunk username. 0:26:18.320,0:26:21.919 So in this case, let me just put 0:26:21.919,0:26:25.840 in my credentials here. 0:26:26.640,0:26:29.440 Alright. And it's going to then add the 0:26:29.440,0:26:31.760 forwarding to that particular address. 0:26:31.760,0:26:33.760 Alright. Now that that is done, 0:26:33.760,0:26:35.440 we actually need to 0:26:35.440,0:26:37.919 configure a particular file, 0:26:37.919,0:26:40.720 and that is going to be the outputs.conf 0:26:40.720,0:26:43.039 directory. If it's already set up for us, 0:26:43.039,0:26:45.039 which it should be, 0:26:45.039,0:26:46.880 then we do not need to go through the 0:26:46.880,0:26:49.360 initial setup. So, 0:26:49.360,0:26:51.120 if we head over into the following 0:26:51.120,0:26:52.640 directory--so I'll just take a step back-- 0:26:52.640,0:26:55.120 we're still in the Splunk forwarder directory. 0:26:55.279,0:26:59.739 We'll head over into the etc directory. 0:26:59.739,0:27:01.679 And under system, 0:27:01.679,0:27:05.039 we have a file under local, I think. It is 0:27:05.039,0:27:06.640 called outputs here. Right? So I'm going to say 0:27:06.640,0:27:09.680 sudo vim outputs.conf. 0:27:09.840,0:27:11.840 And really, the only thing that is 0:27:11.840,0:27:14.290 required here is, 0:27:14.290,0:27:16.159 of course, just leave the default 0:27:16.159,0:27:18.320 configuration as is. The default group is 0:27:18.320,0:27:21.760 fine. So tcpout:default-autolb-group, 0:27:21.760,0:27:23.279 that's fine. 
So make sure that the 0:27:23.279,0:27:25.840 server option here is configured--that's 0:27:25.840,0:27:29.100 the most important. And the tcpout-server 0:27:29.100,0:27:30.320 address is also configured in 0:27:30.320,0:27:32.000 this format. So we don't need to make any 0:27:32.000,0:27:34.670 changes there. So I'll just say quit and exit. 0:27:35.120,0:27:38.640 Once that is done, we also need to check 0:27:38.640,0:27:41.279 the actual inputs configuration file. 0:27:41.279,0:27:43.200 But before we do that, 0:27:43.200,0:27:45.279 let's take a look. So if you revisit the 0:27:45.279,0:27:46.880 Snort video, 0:27:46.880,0:27:48.880 you know that all the logs are stored 0:27:48.880,0:27:53.110 under /var/log/snort. 0:27:53.110,0:27:55.760 Right? So we have the alert log, 0:27:55.760,0:27:59.279 and we also have--so again, based on 0:27:59.279,0:28:02.000 the type of alerts 0:28:02.000,0:28:03.200 you want generated--so, you know, 0:28:03.200,0:28:05.440 if I say man snort here, 0:28:05.440,0:28:08.090 you can see that we have the alert mode. 0:28:08.090,0:28:09.440 So you can use the fast mode or the 0:28:09.440,0:28:11.360 full mode. In this case, I'll be using the 0:28:11.360,0:28:12.559 fast mode, 0:28:13.760,0:28:15.279 and I'll give you a description of what's 0:28:15.279,0:28:17.279 going on here. Right? So 0:28:17.279,0:28:19.919 full writes the alert to the alert 0:28:19.919,0:28:21.919 file with the full decoded header as 0:28:21.919,0:28:24.720 well as the alert message, which might be 0:28:24.720,0:28:27.279 important. So we can also do that as well. 0:28:27.279,0:28:29.600 So this was from the previous--from 0:28:29.600,0:28:31.760 the Snort video where we 0:28:31.760,0:28:33.360 had run... 0:28:33.360,0:28:35.840 essentially run Snort and, you know, 0:28:35.840,0:28:38.480 where we were identifying various alerts. 
0:28:38.480,0:28:41.919 So, what we can do is, again, we'll 0:28:41.919,0:28:43.760 go through what needs to be created, but 0:28:43.760,0:28:45.600 we can run a quick test command just to 0:28:45.600,0:28:46.880 see whether 0:28:46.880,0:28:48.799 the actual alerts are being logged 0:28:48.799,0:28:50.320 within the alert file, because we have 0:28:50.320,0:28:53.039 alert.1. Ideally, we would only want 0:28:53.039,0:28:55.760 to forward this file into Splunk. 0:28:55.760,0:28:58.080 So, in order to do this, what I'm going 0:28:58.080,0:29:00.080 to do now is I'm just gonna run Snort 0:29:00.080,0:29:03.590 really quickly. So I'm going to say sudo snort -q, 0:29:03.919,0:29:06.000 for quiet, and then 0:29:06.000,0:29:10.500 the actual directory for the logs is /var/log/snort. 0:29:11.360,0:29:14.640 And then we can say the interface is enp0s3. 0:29:14.640,0:29:16.240 Again, make sure to replace that with 0:29:16.240,0:29:19.039 your own interface. The alert, we can 0:29:19.039,0:29:20.320 say full, 0:29:20.320,0:29:26.190 and the configuration is /etc/snort/snort.conf. 0:29:26.399,0:29:28.320 I believe we had another configuration 0:29:28.320,0:29:30.720 file. Yeah. We had used the snort.conf file. 0:29:30.720,0:29:32.399 So I'll hit enter. 0:29:32.399,0:29:35.560 And now let me open up my file explorer here. 0:29:35.840,0:29:38.720 We take a look at the var directory 0:29:38.720,0:29:42.240 under log. And under snort, 0:29:42.240,0:29:44.960 we have alert. There we are. So, 0:29:44.960,0:29:47.960 that has been modified. The last was 0:29:47.960,0:29:50.050 modified 0:29:51.200,0:29:53.919 right over there. Okay. So that's 19. Yeah. 0:29:53.919,0:29:55.679 So this is the last modified. So I know 0:29:55.679,0:29:58.000 this file is not human-readable. We 0:29:58.000,0:30:00.979 are not going to be forwarding this .log file. 0:30:00.979,0:30:02.960 So I'll just close that there. 
0:30:02.960,0:30:07.440 So I'm just going to try and perform a few 0:30:07.440,0:30:09.679 checks on the network, like a few pings, 0:30:09.679,0:30:11.760 just to see if that's detected. 0:30:11.760,0:30:15.679 So I'll just, you know, perform a ping really quickly. 0:30:15.679,0:30:17.520 Again, the alerts will not be logged on 0:30:17.520,0:30:18.960 our terminal because they're being 0:30:18.960,0:30:21.200 logged, you know, into the respective 0:30:21.200,0:30:24.159 alert file or the alert log file. So I'll 0:30:24.159,0:30:26.080 just perform, you know, a few pings, as 0:30:26.080,0:30:27.679 I was saying, which I'm doing right now 0:30:27.679,0:30:29.520 on the attacker system. 0:30:29.520,0:30:31.760 Once that is done, let's see whether 0:30:31.760,0:30:33.760 those changes are being highlighted in 0:30:33.760,0:30:37.600 alert. Indeed, they are. Okay. So now, 0:30:40.159,0:30:42.399 as you can see here, 0:30:42.399,0:30:45.279 this is the full-- 0:30:45.360,0:30:48.000 these are... So to begin with, we had used 0:30:48.000,0:30:52.729 the fast alert output mode. 0:30:54.000,0:30:56.080 And right over here, we then have the 0:30:56.080,0:31:00.159 full alert mode, which I'm not really sure how 0:31:00.159,0:31:01.919 we want to 0:31:01.919,0:31:05.360 go about doing this. But you can see, 0:31:05.360,0:31:07.360 we can actually make a few changes. 0:31:07.360,0:31:11.110 What we can do is we can get rid of this traffic here. 0:31:11.440,0:31:13.519 But you can see the message is actually 0:31:13.519,0:31:15.279 being logged. So 0:31:15.279,0:31:17.760 we can get rid of this here 0:31:17.760,0:31:25.749 because we don't want to mix fast alerts 0:31:26.080,0:31:31.519 with the full mode. So we can just get rid of that 0:31:31.519,0:31:33.611 there and save that. 0:31:34.159,0:31:37.840 Once that is done, I'll just say-- 0:31:37.840,0:31:41.290 we actually need permissions to modify that file. 
0:31:42.000,0:31:45.600 But, you know, what we can do is--what I am 0:31:45.600,0:31:47.279 going to do, actually, is close without 0:31:47.279,0:31:49.519 saving. I'm just going to stop Snort 0:31:49.519,0:31:50.399 there, 0:31:50.399,0:31:52.080 and I'm just going to say 0:31:52.080,0:31:54.480 sudo rm /var 0:31:54.480,0:31:56.799 /log 0:31:56.960,0:31:59.120 /snort, and we're going to remove 0:31:59.120,0:32:01.360 alert. 0:32:01.360,0:32:02.720 Alright. And we're also going to remove 0:32:02.720,0:32:04.240 alert.1. 0:32:04.240,0:32:05.440 Alright. So I'm just going to run this 0:32:05.440,0:32:07.039 again just to see if that file is 0:32:07.039,0:32:08.240 generated. 0:32:08.240,0:32:11.120 So there we are. We have alert there. 0:32:11.120,0:32:12.559 So now it's much cleaner. So I'll just 0:32:12.559,0:32:14.240 run a few pings just to make sure that 0:32:14.240,0:32:16.480 the traffic is being logged--all those 0:32:16.480,0:32:18.480 alerts are being logged. 0:32:18.480,0:32:20.399 So there we are. We have a few pings 0:32:20.399,0:32:21.519 there, 0:32:21.519,0:32:24.640 and we can also, you know, just run a few 0:32:24.640,0:32:26.960 checks there. Okay. So there we are. We can 0:32:26.960,0:32:29.360 see that those are now being logged. And, 0:32:29.360,0:32:31.519 of course, we can change the format based 0:32:31.519,0:32:32.320 on-- 0:32:32.320,0:32:33.519 you can change it based on your 0:32:33.519,0:32:35.039 requirements. Right? 0:32:35.039,0:32:37.840 So, 0:32:38.000,0:32:39.919 now that that is done, 0:32:39.919,0:32:42.000 what we can do is we can close that up, 0:32:42.000,0:32:44.960 and we can actually leave Snort running 0:32:44.960,0:32:46.320 as is. 0:32:46.320,0:32:48.960 So what I'll do is I'm just going to 0:32:48.960,0:32:51.120 open up another tab. 0:32:51.120,0:32:53.120 So I'll just, you know, I can say Ctrl 0:32:53.120,0:32:54.880 Shift D. There we are. 0:32:54.880,0:32:56.799 And we're currently within the following 0:32:56.799,0:33:00.159
directory, so /opt/splunkforwarder/etc 0:33:00.159,0:33:01.519 /system/local. 0:33:01.519,0:33:03.120 So, 0:33:03.120,0:33:06.000 once that is done, we now need to add-- 0:33:06.000,0:33:08.080 we now need to add the files that we 0:33:08.080,0:33:09.919 would like to monitor or that we would 0:33:09.919,0:33:12.240 like to forward. Right? So the log files. 0:33:12.240,0:33:15.360 So I'll go back into the bin directory. 0:33:15.360,0:33:17.679 So there we are, cd bin, because that's 0:33:17.679,0:33:19.360 where we have the splunk binary. So I'll 0:33:19.360,0:33:20.960 say sudo 0:33:20.960,0:33:22.000 0:33:22.000,0:33:24.399 splunk, 0:33:24.399,0:33:28.320 and we can say add monitor, 0:33:28.320,0:33:30.720 and the file that we want to forward is 0:33:30.720,0:33:34.399 under /var/log/snort, and it is just alert. 0:33:34.399,0:33:36.559 Right? So that's all--that's really all 0:33:36.559,0:33:38.720 that we want to do. Right? 0:33:38.720,0:33:41.600 And we can also utilize the fast alerts, 0:33:41.600,0:33:44.399 but let's just do this for now. 0:33:44.399,0:33:46.399 And we only want the alerts. We don't 0:33:46.399,0:33:48.320 want the actual log files that contain 0:33:48.320,0:33:53.840 the packets themselves. So I'll hit enter. 0:33:54.480,0:33:56.399 Alright. So it's now going to forward 0:33:56.399,0:33:58.960 those alerts into Splunk, which pretty 0:33:58.960,0:34:02.159 much means that on our end we are done. 0:34:02.159,0:34:04.000 However, we still need to check one more 0:34:04.000,0:34:05.840 configuration file. So I'll just take a 0:34:05.840,0:34:08.000 step back here, and we'll head over into 0:34:08.000,0:34:10.879 the etc directory, under apps 0:34:10.879,0:34:13.119 and search, 0:34:13.119,0:34:15.520 and then into local. 0:34:15.520,0:34:16.720 I think we'll need root 0:34:16.720,0:34:18.320 permissions to access this. So I'll just 0:34:18.320,0:34:20.079 switch to the root user and head over 0:34:20.079,0:34:21.520 into local, 0:34:21.520,0:34:24.399 and we're
looking for the inputs.conf 0:34:24.399,0:34:26.560 file. 0:34:26.560,0:34:28.079 Right. So we need to actually 0:34:28.079,0:34:29.760 configure this, because this is very 0:34:29.760,0:34:31.040 important. So 0:34:31.040,0:34:35.119 the first thing we want to do is let 0:34:35.119,0:34:35.919 us 0:34:35.919,0:34:38.639 add a new line here, and within the 0:34:38.639,0:34:41.440 square brackets I'll just say splunk 0:34:41.440,0:34:44.240 tcp, 0:34:44.240,0:34:46.399 and we then want to specify the port, so 0:34:46.399,0:34:48.399 9997. 0:34:48.399,0:34:49.679 Let me make sure I type that in 0:34:49.679,0:34:51.520 correctly. 0:34:51.520,0:34:54.240 We then need to actually put in the 0:34:54.240,0:34:56.960 connection-- 0:34:56.960,0:35:01.200 so the connection host. So connection 0:35:01.200,0:35:03.440 host is going to be equal to the IP 0:35:03.440,0:35:05.280 address of the Splunk 0:35:05.280,0:35:06.560 server. 0:35:06.560,0:35:08.960 So I'll just copy that there, paste that 0:35:08.960,0:35:11.280 in there. 0:35:11.280,0:35:14.000 Once that is done, 0:35:14.000,0:35:16.320 this is fine here: disabled is set to 0:35:16.320,0:35:19.040 false. We want index is going to be equal 0:35:19.040,0:35:20.320 to main, 0:35:20.320,0:35:23.680 and then the source type 0:35:23.680,0:35:26.560 is going to be equal to snort 0:35:26.560,0:35:27.520 alert 0:35:27.520,0:35:28.960 full, 0:35:28.960,0:35:31.280 and we can then say the source is equal 0:35:31.280,0:35:33.040 to snort. Alright. So this is a very 0:35:33.040,0:35:35.280 important configuration. So let me just 0:35:35.280,0:35:36.640 go through those options or 0:35:36.640,0:35:38.640 configurations again. We have the splunk 0:35:38.640,0:35:40.320 tcp option, 0:35:40.320,0:35:42.880 we then have the actual connection 0:35:42.880,0:35:45.520 host, the monitor is set correctly to 0:35:45.520,0:35:46.640 that file, 0:35:46.640,0:35:49.520 it's enabled, index equals main, source 0:35:49.520,0:35:51.680 type equals snort
alert full. Source is 0:35:51.680,0:35:53.680 equal to snort. Fantastic. So we'll write 0:35:53.680,0:35:54.720 and quit. 0:35:54.720,0:35:57.040 Once this is done, 0:35:57.040,0:35:58.720 we'll need to restart Splunk. So I'll 0:35:58.720,0:36:00.800 switch back to my user, lexis, here, and 0:36:00.800,0:36:04.560 we'll navigate back to the bin directory. 0:36:04.560,0:36:06.400 So I'll say cd bin, 0:36:06.400,0:36:08.800 and we'll say sudo-- 0:36:08.800,0:36:11.680 let me say splunk, and we can then say 0:36:11.680,0:36:13.440 restart. 0:36:13.440,0:36:15.680 Alright. Hit enter. 0:36:15.680,0:36:18.320 It's going to stop the Splunk daemon, 0:36:18.320,0:36:19.680 shutting it down, 0:36:19.680,0:36:22.160 restart it, and it's done successfully. So 0:36:22.160,0:36:24.560 all the checks were completed without 0:36:24.560,0:36:27.119 any issue. Alright. So 0:36:27.119,0:36:29.040 now that this is done, we can actually go 0:36:29.040,0:36:31.440 back into Splunk here, and we'll navigate 0:36:31.440,0:36:33.280 to the dashboard. 0:36:33.280,0:36:35.839 This is your Splunk server. Right? 0:36:35.839,0:36:37.440 And let's take a look at the messages 0:36:37.440,0:36:39.920 here. That's just a few updates. We 0:36:39.920,0:36:41.920 don't need to do anything there. So if we 0:36:41.920,0:36:43.119 click on 0:36:43.119,0:36:45.599 Search and Reporting, just to verify that 0:36:45.599,0:36:47.839 that data has indeed been forwarded--I'll 0:36:47.839,0:36:49.280 just skip through this--if we click on 0:36:49.280,0:36:51.040 Data Summary, 0:36:51.040,0:36:52.880 under Sources you should see that we 0:36:52.880,0:36:55.680 have the host, and in my case the name of 0:36:55.680,0:36:58.640 the system is black box, so that should 0:36:58.640,0:37:01.119 be reflected there. So there we are, black 0:37:01.119,0:37:03.280 box. We have 42 0:37:03.280,0:37:06.800 logs, or alerts if you will. Sources, 42. We 0:37:06.800,0:37:08.640 can click on that there to just see the 0:37:08.640,0:37:11.280 data that has been logged.
Indeed, we can 0:37:11.280,0:37:13.040 see that has been done correctly. So 0:37:13.040,0:37:14.880 source type is alert. 0:37:14.880,0:37:17.280 We can see that it's imported, you 0:37:17.280,0:37:19.440 know, pretty much all the data, or the, you 0:37:19.440,0:37:21.119 know--these are the--this is the full log, 0:37:21.119,0:37:23.599 whereby we have the reference to that 0:37:23.599,0:37:24.880 there. 0:37:24.880,0:37:26.800 That's weird. I didn't actually run 0:37:26.800,0:37:30.240 anything weird, but there you go. 0:37:30.240,0:37:32.720 So now that this is done, you can 0:37:32.720,0:37:34.880 use Splunk to essentially visualize this 0:37:34.880,0:37:36.800 data, you know, however you want. So, you 0:37:36.800,0:37:39.359 know, I can go into Visualization, 0:37:39.359,0:37:42.240 and we can click on--maybe we can 0:37:42.240,0:37:44.720 create a-- 0:37:44.720,0:37:46.880 we can select a few fields. So if I go 0:37:46.880,0:37:50.240 back into the events here, I can select a 0:37:50.240,0:37:52.240 few fields that I want displayed here, 0:37:52.240,0:37:54.320 and I can, you know, essentially extract 0:37:54.320,0:37:57.040 the fields that I want with regex. 0:37:57.040,0:37:57.920 But 0:37:57.920,0:37:59.680 I don't think this is necessary at this 0:37:59.680,0:38:01.520 point, because if we actually go back to 0:38:01.520,0:38:03.599 the dashboard 0:38:03.599,0:38:06.160 and we click on-- 0:38:06.160,0:38:10.079 let's see--Splunk, Snort Alert for Splunk, 0:38:10.079,0:38:11.440 let's see if this is actually--whether 0:38:11.440,0:38:15.200 this automates that process for us. 0:38:15.200,0:38:17.280 There we are. Actually, it looks like 0:38:17.280,0:38:21.599 it does. So, classification: bad traffic. 0:38:21.599,0:38:24.160 So it looks like that is working. 0:38:24.160,0:38:26.400 So what we can do now 0:38:26.400,0:38:28.720 is run a few-- 0:38:28.720,0:38:31.280 we can actually utilize this script 0:38:31.280,0:38:33.520 here, the 0:38:33.520,0:38:37.119 Test
My NIDS script here. So all 0:38:37.119,0:38:39.440 you need to do to run it is just copy 0:38:39.440,0:38:41.520 this one-liner script here, or this 0:38:41.520,0:38:43.200 command, that will download it into your 0:38:43.200,0:38:46.000 tmp directory and will then execute it. 0:38:46.000,0:38:49.200 So, you know, to execute it within your 0:38:49.200,0:38:51.599 temp directory, you can just execute 0:38:51.599,0:38:53.040 the actual 0:38:53.040,0:38:54.400 0:38:54.400,0:38:56.240 you know, the actual binary there. It is a 0:38:56.240,0:38:58.800 binary, not a script. 0:38:58.800,0:39:01.280 And once that is done, you can then 0:39:01.280,0:39:03.520 select the option here. So let me just do 0:39:03.520,0:39:05.920 that on my attacker system. 0:39:05.920,0:39:08.880 I'm just gonna run it one more time. So 0:39:08.880,0:39:14.359 just going to say ls here, and 0:39:16.160,0:39:18.960 if I open up the documentation--so 0:39:18.960,0:39:21.839 firstly I will-- 0:39:21.839,0:39:23.440 I will run 0:39:23.440,0:39:26.640 a quick Linux UID check. So 0:39:26.640,0:39:28.960 I'll just hit enter. 0:39:28.960,0:39:31.280 Okay. That is done. I'll then perform an 0:39:31.280,0:39:35.119 HTTP basic authentication 0:39:35.119,0:39:37.839 and a malware user agent. So I'm doing 0:39:37.839,0:39:40.640 that right now. 0:39:40.839,0:39:46.000 Okay. And we can run one more here. So 0:39:46.000,0:39:48.720 let's see, let's see, let's see. We 0:39:48.720,0:39:51.520 can try EXE or DLL download over HTTP. 0:39:51.520,0:39:55.280 That is surely going to be 0:39:55.280,0:39:57.040 logged, 0:39:57.040,0:39:59.839 or that's going to trigger an alert. 0:39:59.839,0:40:00.640 So 0:40:00.640,0:40:03.040 do we have--that is running. All 0:40:03.040,0:40:05.280 right, so Snort is running. That's great. 0:40:05.280,0:40:08.079 So we know that the log is being-- 0:40:08.079,0:40:10.240 the actual alerts are being forwarded. 0:40:10.240,0:40:12.960 Absolutely fantastic. So let's go back in
0:40:12.960,0:40:15.040 here. I've already run those-- 0:40:15.040,0:40:18.400 those particular checks. 0:40:18.400,0:40:20.160 So let me just refresh this. I know it 0:40:20.160,0:40:22.160 usually takes a couple of seconds to a 0:40:22.160,0:40:24.400 couple of minutes, but that data should 0:40:24.400,0:40:26.240 start--should actually be reflected. There 0:40:26.240,0:40:28.160 we are. Fantastic. So 0:40:28.160,0:40:31.119 we can see that, you know--firstly, 0:40:31.119,0:40:32.880 I'll just explain the dashboard here, 0:40:32.880,0:40:33.760 because 0:40:33.760,0:40:36.160 this dashboard is automatically, you 0:40:36.160,0:40:38.000 know, set up for you by the Snort app, 0:40:38.000,0:40:39.920 which is really awesome. As I said, you 0:40:39.920,0:40:41.440 don't need to go through that process 0:40:41.440,0:40:42.560 yourself. 0:40:42.560,0:40:44.560 So the first graph here essentially 0:40:44.560,0:40:46.400 tells you your events, 0:40:46.400,0:40:48.560 and it also displays, you know, 0:40:48.560,0:40:50.400 the total number of sources. So you can 0:40:50.400,0:40:52.560 see that there. You also have the time, 0:40:52.560,0:40:54.480 and you have your events and 0:40:54.480,0:40:56.079 then the timeline here, and you can 0:40:56.079,0:40:58.880 essentially, you know, view a trend, or the 0:40:58.880,0:41:01.680 trend of events there. You then 0:41:01.680,0:41:04.880 have the top--the top source countries 0:41:04.880,0:41:07.040 right over here. And if I just run 0:41:07.040,0:41:08.720 another check really quickly here 0:41:08.720,0:41:11.119 through the NIDS website-- 0:41:11.119,0:41:14.720 so let me just run the curl command-- 0:41:14.720,0:41:16.640 you should actually see that, because 0:41:16.640,0:41:19.280 we are reaching out to, you know, a 0:41:19.280,0:41:21.280 connection made to an external server, 0:41:21.280,0:41:23.680 that it should reflect that info under 0:41:23.680,0:41:25.760 the top countries, the top source
0:41:25.760,0:41:26.800 countries. 0:41:26.800,0:41:28.800 So we then have the events here, which, 0:41:28.800,0:41:31.280 you know, you can click on, and then, 0:41:31.280,0:41:33.119 of course, you have the sources. 0:41:33.119,0:41:36.079 So these are the Snort event types, 0:41:36.079,0:41:37.760 and these are actually the 0:41:37.760,0:41:39.680 classification. So we can see potentially 0:41:39.680,0:41:42.640 bad traffic, attempted information leak, 0:41:42.640,0:41:44.720 and, you know, you can just refresh your 0:41:44.720,0:41:47.440 dashboard to get the latest. 0:41:47.440,0:41:49.359 So we'll give that a couple of seconds, 0:41:49.359,0:41:52.000 and you can also specify the actual 0:41:52.000,0:41:53.599 interval period. 0:41:53.599,0:41:56.400 So I'll just wait for this. Let's 0:41:56.400,0:41:58.880 see if it's actually being logged, or 0:41:58.880,0:42:00.319 whether we can see all of that. So I'll 0:42:00.319,0:42:04.000 just go back into the dashboard here, 0:42:04.000,0:42:04.800 and 0:42:04.800,0:42:07.359 we'll go into Search and Reporting. And 0:42:07.359,0:42:09.920 if we click on the actual 0:42:09.920,0:42:13.040 Data Summary and the Sources, we can 0:42:13.040,0:42:15.359 see we have snort there, and then /var 0:42:15.359,0:42:19.520 /log/snort/alert. So we click on snort there. 0:42:19.520,0:42:22.000 Okay. So this is bad traffic. That's 0:42:22.000,0:42:25.440 really weird, because 0:42:26.079,0:42:27.920 the source is snort. We had added two 0:42:27.920,0:42:29.520 sources there. 0:42:29.520,0:42:32.720 So, Data Summary. 0:42:32.720,0:42:34.800 Let me just click on that there. And if 0:42:34.800,0:42:36.960 we click on these sources there, this is 0:42:36.960,0:42:40.800 the one that we want, ideally. 0:42:43.200,0:42:46.079 Yeah. So that looks like the correct 0:42:46.079,0:42:48.720 one there. 0:42:49.599,0:42:51.680 Yeah, that's the correct traffic. I 0:42:51.680,0:42:55.119 think that's why the actual--let me 0:42:55.119,0:42:56.960 see if I can
find. So, Snort Alert for 0:42:56.960,0:43:00.640 Splunk. Let me click on the app there. 0:43:02.480,0:43:04.160 Show filters. It should be displaying 0:43:04.160,0:43:06.400 much more than that, because I know--yeah, 0:43:06.400,0:43:08.319 they're not just four. 0:43:08.319,0:43:09.920 So 0:43:09.920,0:43:12.640 if we actually head over into the 0:43:12.640,0:43:16.560 Snort Event Search here, 0:43:18.480,0:43:20.800 we can actually search for, you know-- 0:43:20.800,0:43:25.359 we can utilize--yeah. So these are only-- 0:43:25.359,0:43:28.400 this is only monitoring the pings. So 0:43:28.400,0:43:30.240 that's weird. I'm not really sure why we 0:43:30.240,0:43:32.319 have two data sources. I think it's to do 0:43:32.319,0:43:33.839 with the fact 0:43:33.839,0:43:37.040 that, you know, we had--so let me 0:43:37.040,0:43:39.520 just go back here. 0:43:39.520,0:43:42.640 apps, search, and sudo root. 0:43:42.640,0:43:46.720 Let me just check that here. So cd local, 0:43:46.720,0:43:47.839 vim 0:43:47.839,0:43:50.640 inputs.conf. So there we are. So the 0:43:50.640,0:43:53.280 source is snort. 0:43:53.280,0:43:56.079 We already specified the source as snort 0:43:56.079,0:43:57.599 there, 0:43:57.599,0:43:59.520 but it's all--it's adding 0:43:59.520,0:44:02.319 this particular--you know, the alert as-- 0:44:02.319,0:44:04.160 as a source as well. 0:44:04.160,0:44:06.400 And then this--the source type is snort 0:44:06.400,0:44:09.040 alert full, index main. Yeah, that--that 0:44:09.040,0:44:10.560 should be working. That should be working 0:44:10.560,0:44:12.319 without any issues. I'm not really sure 0:44:12.319,0:44:14.079 why that is the case, but 0:44:14.079,0:44:16.480 we can actually customize what data set 0:44:16.480,0:44:18.000 we want to use. 0:44:18.000,0:44:19.359 So 0:44:19.359,0:44:21.520 I think--let me actually showcase how to 0:44:21.520,0:44:23.359 do that right now. 0:44:23.359,0:44:25.839 So apologies about that. I actually 0:44:25.839,0:44:27.599 figured out what the issue
was. It was 0:44:27.599,0:44:30.319 because the system I was running 0:44:30.319,0:44:32.079 this particular 0:44:32.079,0:44:34.560 attack from wasn't even connected to 0:44:34.560,0:44:36.800 the local network. 0:44:36.800,0:44:38.880 And even though I was running these-- 0:44:38.880,0:44:41.040 these attacks, I did realize that, of 0:44:41.040,0:44:42.640 course, they weren't working. So I'm just 0:44:42.640,0:44:44.880 gonna--I've just reconnected it, 0:44:44.880,0:44:47.359 and what I'm gonna do is I'm just gonna 0:44:47.359,0:44:49.599 run this one more time. 0:44:49.599,0:44:53.359 So just give me a second here, and I'll 0:44:53.359,0:44:56.319 be able to do that one more time. So 0:44:56.319,0:44:58.560 let me just navigate to that particular 0:44:58.560,0:45:00.079 directory, 0:45:00.079,0:45:01.040 and 0:45:01.040,0:45:02.480 we'll actually see whether this will 0:45:02.480,0:45:04.400 work. So 0:45:04.400,0:45:06.000 you can actually see there's much more 0:45:06.000,0:45:07.920 that's been captured in regards to 0:45:07.920,0:45:10.160 events, and I'll be explaining this 0:45:10.160,0:45:12.480 dashboard in a couple of seconds. 0:45:12.480,0:45:13.359 So 0:45:13.359,0:45:14.960 let me just 0:45:14.960,0:45:17.359 launch that first attack there. So that, 0:45:17.359,0:45:19.440 you know--let me just launch that first 0:45:19.440,0:45:22.240 type of check. And of course I'm using 0:45:22.240,0:45:26.400 Test My NIDS here. So, unfortunately, 0:45:26.400,0:45:28.000 that wasn't even being logged, which is 0:45:28.000,0:45:30.000 why I was a bit confused as to why those 0:45:30.000,0:45:32.800 logs are not being displayed here. 0:45:32.800,0:45:35.520 So I'll give that a couple of seconds, 0:45:35.520,0:45:36.800 and 0:45:36.800,0:45:38.880 we'll be able to see this happen 0:45:38.880,0:45:41.920 in real time as well. 0:45:41.920,0:45:44.560 Alright. So that is done. So I've 0:45:44.560,0:45:46.319 essentially launched a couple of those 0:45:46.319,0:45:48.319 tests, and
0:45:48.319,0:45:50.640 this, as I said, is your default 0:45:50.640,0:45:52.560 dashboard that you're provided with here. 0:45:52.560,0:45:53.520 So, 0:45:53.520,0:45:55.760 you know, you can actually refresh 0:45:55.760,0:45:58.720 all of these panels here, 0:45:58.720,0:46:00.800 if you will, so that'll display the 0:46:00.800,0:46:03.920 latest. And as I said here, because I 0:46:03.920,0:46:05.839 had performed the actual 0:46:05.839,0:46:07.680 check, you know, I'd performed the actual check 0:46:07.680,0:46:09.520 and then connected to an external server, 0:46:09.520,0:46:11.680 you can see that, you know, the top source 0:46:11.680,0:46:13.680 countries are highlighted there. 0:46:13.680,0:46:15.839 You can also refresh the number of 0:46:15.839,0:46:18.160 events, as you can see here, 0:46:18.160,0:46:20.319 and the number of sources. So 0:46:20.319,0:46:22.319 you can also do that for the rest of 0:46:22.319,0:46:24.480 the panels. So these are the top 10 0:46:24.480,0:46:26.800 classifications 0:46:26.800,0:46:28.960 in terms of events, if you will, and then 0:46:28.960,0:46:31.359 the Snort event types, as you can see 0:46:31.359,0:46:32.319 here. 0:46:32.319,0:46:33.839 So, for example, in this case we have the 0:46:33.839,0:46:36.160 ATTACK-RESPONSES id check, which, if we 0:46:36.160,0:46:37.520 click on it 0:46:37.520,0:46:40.319 right over here, 0:46:41.119,0:46:42.640 you can see that it actually displays 0:46:42.640,0:46:44.400 that, and you can then 0:46:44.400,0:46:46.400 click on the signature itself, and this 0:46:46.400,0:46:48.880 is for statistics. Now, if you click on 0:46:48.880,0:46:52.000 the Snort Event Search tab right over 0:46:52.000,0:46:53.040 here, 0:46:53.040,0:46:54.880 you can see that this allows you to 0:46:54.880,0:46:57.119 search based on the source IP, the source 0:46:57.119,0:46:59.680 port, the destination IP, destination port 0:46:59.680,0:47:02.240 and the event type. So I can check for
0:47:02.240,0:47:04.400 attack responses based on the rule set 0:47:04.400,0:47:06.480 that we had used previously, 0:47:06.480,0:47:09.359 and I can also specify the timing, right? 0:47:09.359,0:47:12.079 So that's really fantastic there. 0:47:12.079,0:47:14.640 So you can see that right over here we 0:47:14.640,0:47:16.240 have that logged, 0:47:16.240,0:47:19.040 which is fantastic. And 0:47:19.040,0:47:21.920 if we click on the Snort World Map, 0:47:21.920,0:47:24.000 that'll essentially, as you'll see in a 0:47:24.000,0:47:26.160 couple of seconds, this will essentially 0:47:26.160,0:47:28.559 display the countries by the source IPs. 0:47:28.559,0:47:29.839 In this case it should display the 0:47:29.839,0:47:32.079 United States, which makes sense. 0:47:32.079,0:47:34.800 And there we are. So again, this is 0:47:34.800,0:47:37.119 extremely helpful, especially if you work 0:47:37.119,0:47:39.839 in a SOC, and as I said, there are multiple 0:47:39.839,0:47:41.920 security tools you can 0:47:41.920,0:47:45.040 integrate with Splunk. 0:47:45.040,0:47:46.880 Now, one thing that I wanted to highlight 0:47:46.880,0:47:49.440 is, if you click on Edit (I'll 0:47:49.440,0:47:51.200 just go back to the 0:47:51.200,0:47:53.200 Event Summary here, because this is very 0:47:53.200,0:47:55.119 important), 0:47:55.119,0:47:57.280 you can set this as your main dashboard. 0:47:57.280,0:47:58.960 So if you right-click here, you can set 0:47:58.960,0:48:01.520 this as your home dashboard. 0:48:01.520,0:48:03.599 So I'll just click on that there, 0:48:03.599,0:48:05.440 and now you'll see on your dashboard 0:48:05.440,0:48:08.240 here, if I just close that top menu, 0:48:08.240,0:48:10.240 that will actually be displayed there. So 0:48:10.240,0:48:12.319 give it a couple of seconds. 0:48:12.319,0:48:14.079 And of course you can click on the cog 0:48:14.079,0:48:16.240 wheel here 0:48:16.240,0:48:19.280 and essentially display whatever 0:48:19.280,0:48:21.520 you know, you can
specify your default 0:48:21.520,0:48:23.200 dashboard. Now, there are a couple of 0:48:23.200,0:48:25.599 other ones that are created by default, 0:48:25.599,0:48:27.119 but yeah, you can have that on your 0:48:27.119,0:48:28.400 dashboard. 0:48:28.400,0:48:31.040 And, you know, if you actually click 0:48:31.040,0:48:33.839 on Snort, the Snort Alert for Splunk here, 0:48:33.839,0:48:36.240 and we'll just go back into that Snort 0:48:36.240,0:48:38.240 Event Summary tab, 0:48:38.240,0:48:40.880 you can actually edit the way these 0:48:40.880,0:48:44.240 particular panels are tiled. So, 0:48:44.240,0:48:46.079 you know, you can convert it to a 0:48:46.079,0:48:48.880 pre-built panel, or, you know, 0:48:48.880,0:48:50.400 you can actually convert it to a 0:48:50.400,0:48:52.960 pre-built panel, you can get rid of it, 0:48:52.960,0:48:54.720 you can also move them around based 0:48:54.720,0:48:57.440 on your own requirements. And in this 0:48:57.440,0:48:59.680 case you can actually, let's see if I can 0:48:59.680,0:49:00.880 show you, you can actually select the 0:49:00.880,0:49:02.480 visualization. 0:49:02.480,0:49:04.240 So in this case I think the default 0:49:04.240,0:49:06.079 one is fine, and you can then view the 0:49:06.079,0:49:07.920 report here. So, 0:49:07.920,0:49:08.960 0:49:08.960,0:49:11.359 if we click on this one here, for example, 0:49:11.359,0:49:13.280 we could actually use the bar graph to 0:49:13.280,0:49:15.280 display the, you know, the number of the 0:49:15.280,0:49:17.200 actual 0:49:17.200,0:49:19.440 top source countries and have 0:49:19.440,0:49:21.599 them displayed in a bar graph style, but 0:49:21.599,0:49:23.280 we can just take it back into the pie 0:49:23.280,0:49:25.599 chart there. And you can also change this 0:49:25.599,0:49:27.440 for the events as well. 0:49:27.440,0:49:29.359 So, you know, if we wanted to view a 0:49:29.359,0:49:31.440 trend, we can click on the bar graph 0:49:31.440,0:49:32.240 there.
0:49:32.240,0:49:34.000 In this case I don't think that's 0:49:34.000,0:49:37.040 formatted correctly, so if we just use 0:49:37.040,0:49:39.440 the default one, 0:49:39.440,0:49:42.880 which I believe was... I think it was, no, 0:49:42.880,0:49:46.160 that wasn't the one. I believe it was, 0:49:46.160,0:49:47.920 let's see if I can identify it here, it 0:49:47.920,0:49:50.800 was the number. There we are, so 26. So, 0:49:50.800,0:49:52.640 as I said, you can customize this based 0:49:52.640,0:49:53.839 on your own, 0:49:53.839,0:49:55.440 you know, 0:49:55.440,0:49:57.440 your own requirements. So, for example, 0:49:57.440,0:49:59.839 this one might do well if it was in the 0:49:59.839,0:50:02.240 form of a bar graph, so, you know, 0:50:02.240,0:50:04.240 you can utilize that if you feel that 0:50:04.240,0:50:06.319 that is appropriate. 0:50:06.319,0:50:08.319 In this case, you know, we can also 0:50:08.319,0:50:11.920 specify the actual, you know, we can 0:50:11.920,0:50:14.559 actually list the events themselves. 0:50:14.559,0:50:16.079 Let's see which other ones look 0:50:16.079,0:50:17.920 really good here. 0:50:17.920,0:50:19.760 And, yeah, once you're done with the 0:50:19.760,0:50:22.079 customization, you can then cancel or 0:50:22.079,0:50:24.559 save based on your requirements. And you 0:50:24.559,0:50:27.200 can also filter on this particular tab 0:50:27.200,0:50:28.960 here, you know, through the source IP, 0:50:28.960,0:50:31.280 destination IP, etc. 0:50:31.280,0:50:33.839 Let's see, what else did I want to 0:50:33.839,0:50:35.599 highlight? Let me just 0:50:35.599,0:50:38.000 refresh this once more, 0:50:38.000,0:50:39.760 you know, to essentially get the 0:50:39.760,0:50:42.480 latest data. 0:50:42.480,0:50:44.480 And you can see, in terms of the 0:50:44.480,0:50:46.480 panels, this will 0:50:46.480,0:50:49.520 display the last 100 attempts, 0:50:49.520,0:50:51.760 and, you know, you can go
through 0:50:51.760,0:50:53.599 them like so. 0:50:53.599,0:50:55.839 You can also view, I think we've gone 0:50:55.839,0:50:57.119 through all of them, but you have the 0:50:57.119,0:50:59.440 persistent sources, so two or more days 0:50:59.440,0:51:01.359 of activity in the last 30 days. So you 0:51:01.359,0:51:03.040 actually need a lot of data for that to 0:51:03.040,0:51:05.200 be displayed or to give you anything 0:51:05.200,0:51:06.400 useful. 0:51:06.400,0:51:07.520 0:51:07.520,0:51:09.760 Yeah, so that is 0:51:09.760,0:51:11.680 what I wanted to highlight in regards to 0:51:11.680,0:51:14.079 the Snort Alert for Splunk app and the 0:51:14.079,0:51:15.839 actual dashboards, which, as I said, it 0:51:15.839,0:51:17.359 already does for you. 0:51:17.359,0:51:19.119 Now, you can create your own dashboard, as 0:51:19.119,0:51:21.200 I said, if I go back into Apps and Search 0:51:21.200,0:51:22.720 & Reporting, 0:51:22.720,0:51:25.200 based on your own sources. So I'll just 0:51:25.200,0:51:27.280 click on Data Summary there, and if I 0:51:27.280,0:51:29.280 click on Sources, 0:51:29.280,0:51:30.960 you can click on 0:51:30.960,0:51:33.839 this source here, for example, and, 0:51:33.839,0:51:36.640 you know, in this case we can actually 0:51:36.640,0:51:39.680 just click on that there, and I can click 0:51:39.680,0:51:41.920 on Extract Fields, 0:51:41.920,0:51:43.359 and you can extract the fields with 0:51:43.359,0:51:46.319 regex. So I'll click on Next there, 0:51:46.319,0:51:47.760 and you can then select the fields that 0:51:47.760,0:51:50.400 you want. So, for example, in this case we 0:51:50.400,0:51:52.720 would want the date and time, 0:51:52.720,0:51:55.280 so I can just highlight that there. So I 0:51:55.280,0:51:56.319 can say 0:51:56.319,0:51:59.520 time, for example, add the extraction, 0:51:59.520,0:52:02.000 and then of course we have the source IP 0:52:02.000,0:52:03.839 and the port, but I'll just highlight 0:52:03.839,0:52:05.680 them together. But I think it's
actually 0:52:05.680,0:52:07.440 recommended just to highlight the source 0:52:07.440,0:52:08.880 IP there. 0:52:08.880,0:52:13.200 So, source, we can say src 0:52:13.200,0:52:14.559 underscore 0:52:14.559,0:52:15.520 ip (src_ip), 0:52:15.520,0:52:18.480 add that extraction, and we then have the 0:52:18.480,0:52:20.800 destination IP, which in this case, 0:52:20.800,0:52:22.559 because this is 0:52:22.559,0:52:25.520 an SNMP broadcast 0:52:25.520,0:52:27.520 request, we know that that's the 0:52:27.520,0:52:30.880 destination IP. So I'll say dst 0:52:30.880,0:52:33.040 underscore ip (dst_ip), 0:52:33.040,0:52:36.720 add the extraction. Let's see what else 0:52:36.720,0:52:40.079 we can do. 0:52:40.079,0:52:41.440 In this case it's saying the extraction 0:52:41.440,0:52:42.960 failed: "If you're 0:52:42.960,0:52:45.040 extracting multiple fields, try removing 0:52:45.040,0:52:47.040 one or more fields. Start with the 0:52:47.040,0:52:48.720 extractions that are embedded within 0:52:48.720,0:52:51.680 longer strings." Okay, so let's try and use 0:52:51.680,0:52:54.400 another alert here. 0:52:54.400,0:52:57.599 That was kind of interesting. Let's 0:52:57.599,0:52:58.319 see, 0:52:58.319,0:53:00.480 it's not displaying all of them here, but 0:53:00.480,0:53:02.800 you get the idea. Once you're done, 0:53:02.800,0:53:04.480 you know, for example, I can remove 0:53:04.480,0:53:06.079 that field here. I'm just giving you an 0:53:06.079,0:53:08.720 example of that, so remove that field. 0:53:08.720,0:53:12.000 There we are. I can then say Next, and 0:53:12.000,0:53:15.440 I can click on Validate and Save based 0:53:15.440,0:53:18.240 on those fields there, hit Finish, 0:53:18.240,0:53:20.800 and then, you know, I can go back to 0:53:20.800,0:53:23.359 Search & Reporting, 0:53:23.359,0:53:25.280 and if I wanted to create a very simple 0:53:25.280,0:53:27.040 visualization, which I'll show you right 0:53:27.040,0:53:27.839 now, 0:53:27.839,0:53:30.000 even though I
don't really need those 0:53:30.000,0:53:31.920 extracted fields, although they might be 0:53:31.920,0:53:33.280 useful. So 0:53:33.280,0:53:36.079 I can click on those extracted fields. 0:53:36.079,0:53:38.559 Now, I believe they should have been 0:53:38.559,0:53:39.760 added. 0:53:39.760,0:53:41.200 I'm not really sure why they aren't 0:53:41.200,0:53:43.440 being highlighted here. There we are, so 0:53:43.440,0:53:45.200 source IP. 0:53:45.200,0:53:47.760 We can also specify the source port. 0:53:47.760,0:53:50.240 There they are. So I had... 0:53:50.240,0:53:51.760 actually, they took a while to be 0:53:51.760,0:53:53.599 displayed there. So 0:53:53.599,0:53:56.559 source port, why not, we can... 0:53:56.559,0:53:59.920 Yeah, I think that's pretty much it. So 0:53:59.920,0:54:02.079 based on those we can actually build 0:54:02.079,0:54:04.480 an event type. However, if we go to 0:54:04.480,0:54:07.520 Visualization and click on Pivot here, 0:54:07.520,0:54:10.640 selected fields is five, hit OK, 0:54:10.640,0:54:12.559 we can actually, you know, visualize this 0:54:12.559,0:54:14.319 however we want. So, for example, if I 0:54:14.319,0:54:17.119 wanted a column chart here, 0:54:17.119,0:54:19.680 number one will display the count. 0:54:19.680,0:54:22.079 I can just add the 0:54:22.079,0:54:24.079 events, 0:54:24.079,0:54:26.319 because that's the count, and we should 0:54:26.319,0:54:28.720 have at the bottom the time, which I did 0:54:28.720,0:54:32.559 specify, I believe, within that range 0:54:32.559,0:54:34.000 there, 0:54:34.000,0:54:36.720 but that's not being highlighted here. So 0:54:36.720,0:54:39.280 the number of events, and, you know, you 0:54:39.280,0:54:41.839 can go ahead and click, as you can 0:54:41.839,0:54:43.440 essentially save it. 0:54:43.440,0:54:45.280 So you get the idea. You don't really 0:54:45.280,0:54:46.880 need to do this, because we have the 0:54:46.880,0:54:48.480 Snort app here, 0:54:48.480,0:54:50.079 which pretty much gives you the
0:54:50.079,0:54:52.880 summaries that are useful to you or for 0:54:52.880,0:54:53.839 you. 0:54:53.839,0:54:56.559 And there we are. So, fantastic, that's 0:54:56.559,0:54:57.920 going to conclude the practical 0:54:57.920,0:55:01.119 demonstration side of this video. 0:55:01.119,0:55:02.799 So thank you very much for watching 0:55:02.799,0:55:04.559 this video. If you have any questions or 0:55:04.559,0:55:06.240 suggestions, leave them in the comments 0:55:06.240,0:55:07.200 section. 0:55:07.200,0:55:08.559 If you want to reach out to me, you can 0:55:08.559,0:55:10.160 do so via 0:55:10.160,0:55:12.319 Twitter or the Discord server; the links 0:55:12.319,0:55:14.240 to both of those are in the description 0:55:14.240,0:55:16.720 section. Furthermore, we are now moving on 0:55:16.720,0:55:18.720 to part two, so this will conclude part 0:55:18.720,0:55:21.040 one. Part two will be available on 0:55:21.040,0:55:24.559 Linode's ON24 platform. So the videos 0:55:24.559,0:55:26.559 are available on demand, so all you 0:55:26.559,0:55:28.559 need to do is just click the link 0:55:28.559,0:55:31.599 in the description, register for part two, 0:55:31.599,0:55:33.520 after which an email will be sent to you 0:55:33.520,0:55:34.720 and you'll be given, you know, 0:55:34.720,0:55:37.200 immediate access to the videos 0:55:37.200,0:55:40.000 within part two. So thank you very 0:55:40.000,0:55:42.799 much for watching part one. In the 0:55:42.799,0:55:45.040 next video, in part two, we'll get started, 0:55:45.040,0:55:46.640 or we'll take a look at, host intrusion 0:55:46.640,0:55:49.520 detection with OSSEC. So I'll be seeing 0:55:49.520,0:55:53.640 you in the next video. 0:55:59.130,0:56:12.240 [Music].