Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up or how to perform security event monitoring with Splunk, more specifically, Splunk Enterprise Security. Right? So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is we are essentially going to take all the knowledge that we've learned during the Snort video, and we are going to essentially forward all of the Snort logs into Splunk or have that done automatically through the Splunk Universal Forwarder so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with the Splunk Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic, you know, within the network that I'm monitoring.
At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk. Now before we move any further or we actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, you know, and how it's used generally speaking. Because Splunk is not really a tool that is specific to security, for example. That's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security--the Enterprise Security edition--and how it can be used for security event monitoring, especially in our case because we want to essentially monitor the intrusion detection logs generated by Snort.
So we'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it. So that'll set it up for us. We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes. With that being said, given the fact that we're going to be using, you know, we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that as it'll help you set up Snort, and you can then run through this demo.
With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for, you know, analysis and monitoring. So the prerequisites are the same as the previous videos. The only difference is, you know, that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements and, yeah, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you out or help you get started. Alright. So let's get an introduction to Splunk. So what is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here?
Well, let's look at this from the perspective of Web 2.0 or, you know, the interconnected world we live in today. And we're going to be looking at it from the context of or from the perspective of security. So if we take a simple system--let's say we have a Windows operating system or a system running Windows--well, that Windows system produces a lot of data or logs that, you know, contain information that, you know, at first glance might not seem that important. But once you start getting into specific sectors like security, those logs start, you know, those logs have, you know, very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization. They have a thousand computers within their network or, you know, distributed worldwide. And all of these systems, you know, need to be secured. Their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play.
So Splunk 135 00:05:22,639 --> 00:05:25,280 allows you to essentially funnel all of 136 00:05:25,280 --> 00:05:27,800 this data produced by systems or 137 00:05:27,800 --> 00:05:30,720 machines into Splunk. And then Splunk allows you 138 00:05:30,720 --> 00:05:32,560 to monitor, search, and analyze this 139 00:05:32,560 --> 00:05:35,280 machine-generated data and the logs 140 00:05:35,280 --> 00:05:37,840 through a web interface. So in order to 141 00:05:37,840 --> 00:05:39,680 use Splunk, you'll need to import your 142 00:05:39,680 --> 00:05:42,479 own data or logs. Alternatively, you can 143 00:05:42,479 --> 00:05:45,280 utilize the Splunk Universal Forwarder to 144 00:05:45,280 --> 00:05:47,759 forward logs and data to Splunk for 145 00:05:47,759 --> 00:05:51,360 analysis and, of course, visualization, etc. 146 00:05:51,360 --> 00:05:53,280 Now, Splunk does so much more that I 147 00:05:53,280 --> 00:05:55,199 really can't go over all of the features 148 00:05:55,199 --> 00:05:56,880 here. But as I said, we're looking at this 149 00:05:56,880 --> 00:06:00,400 from the lens of a security engineer. 150 00:06:00,400 --> 00:06:02,240 Alright. So Splunk collates all the 151 00:06:02,240 --> 00:06:04,800 data and logs from various sources and 152 00:06:04,800 --> 00:06:06,720 provides you with a central index that 153 00:06:06,720 --> 00:06:08,800 you can search through. Splunk also 154 00:06:08,800 --> 00:06:11,039 provides you with robust visualization 155 00:06:11,039 --> 00:06:12,720 and reporting tools that allow you to 156 00:06:12,720 --> 00:06:15,360 identify the data that interests you, 157 00:06:15,360 --> 00:06:17,440 transform the data into results, and 158 00:06:17,440 --> 00:06:19,840 visualize the answers in the form of a 159 00:06:19,840 --> 00:06:23,280 report, chart, graph, etc. Alright. 
So what 160 00:06:23,280 --> 00:06:25,360 I'm saying here is that Splunk allows 161 00:06:25,360 --> 00:06:28,080 you to take all of this security-related 162 00:06:28,080 --> 00:06:31,600 logs and data and make sense of them and 163 00:06:31,600 --> 00:06:33,520 essentially get the answers that you're 164 00:06:33,520 --> 00:06:35,520 looking for. So, for example, from the 165 00:06:35,520 --> 00:06:37,680 perspective of a security engineer, what 166 00:06:37,680 --> 00:06:40,240 do you want from all of this data? Well, 167 00:06:40,240 --> 00:06:42,160 at a very high level, you want to know 168 00:06:42,160 --> 00:06:44,080 whether something is going wrong and 169 00:06:44,080 --> 00:06:46,400 what could go wrong. In the context of 170 00:06:46,400 --> 00:06:48,800 security, a network could be compromised. 171 00:06:48,800 --> 00:06:50,560 There could be some malicious network 172 00:06:50,560 --> 00:06:53,120 traffic or activity going on. A system 173 00:06:53,120 --> 00:06:55,919 could be compromised, etc., etc. You get the 174 00:06:55,919 --> 00:06:58,160 idea. So we need that data to be 175 00:06:58,160 --> 00:07:00,560 displayed to us as a security engineer. 176 00:07:00,560 --> 00:07:02,560 And Splunk is really one of the best 177 00:07:02,560 --> 00:07:04,960 tools, you know, when it comes down to, 178 00:07:04,960 --> 00:07:08,000 you know, taking a lot of data 179 00:07:08,000 --> 00:07:09,840 and then identifying the data that 180 00:07:09,840 --> 00:07:11,840 interests you, transforming that data 181 00:07:11,840 --> 00:07:14,960 into results, and then visualizing that 182 00:07:14,960 --> 00:07:17,360 data in the form of a report, chart, or 183 00:07:17,360 --> 00:07:19,759 graph. Right. So that's really what we're 184 00:07:19,759 --> 00:07:21,599 going to be doing. 
And as I said, going back to the scenario, we're going to be focusing on how to, you know, essentially get in or how to forward the logs created--or the logs and alerts created--by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app or plug-in, if you will, that will essentially simplify this process. So, let's get an idea as to, you know, how we can use Splunk for security event monitoring. So Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks or threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder.
Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring because what it does--and this is really cool--is it automatically forwards the latest logs, even when Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic. So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check that out by clicking on the link within this slide. And you can learn more about the Splunk Enterprise Security edition from that particular link. Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. So we're going to spin up, you know, Splunk ES on Linode. Now, again, to follow through with this, you know, Linode has been absolutely fantastic with, you know, by providing all of you guys with a way to get $100 in free Linode credit.
All you 239 00:09:33,279 --> 00:09:35,120 need to do is just click the link in the 240 00:09:35,120 --> 00:09:37,440 description section and sign up, and 241 00:09:37,440 --> 00:09:39,040 $100 will be added to your 242 00:09:39,040 --> 00:09:40,959 account so that you can follow along 243 00:09:40,959 --> 00:09:43,279 with this series. So we're going to 244 00:09:43,279 --> 00:09:45,200 set up Splunk ES on Linode. And then 245 00:09:45,200 --> 00:09:47,279 within my internal network, we're just 246 00:09:47,279 --> 00:09:49,040 going to have a very basic infrastructure. 247 00:09:49,040 --> 00:09:50,399 We're going to have the Ubuntu virtual 248 00:09:50,399 --> 00:09:52,880 machine that is running Snort. This is the 249 00:09:52,880 --> 00:09:54,880 same virtual machine that we had set up 250 00:09:54,880 --> 00:09:57,680 and used to set up Snort and set up 251 00:09:57,680 --> 00:10:00,309 Suricata and the one we had used with Wazuh. 252 00:10:01,360 --> 00:10:03,519 And, yeah, that's essentially it. 
We're 253 00:10:03,519 --> 00:10:04,720 going to have a very basic 254 00:10:04,720 --> 00:10:06,399 infrastructure where we have an attacker 255 00:10:06,399 --> 00:10:09,519 system that I'm going to be using to perform 256 00:10:09,519 --> 00:10:11,600 a bit of network 257 00:10:11,600 --> 00:10:15,040 intrusion detection emulation, whereby 258 00:10:15,040 --> 00:10:17,519 I will essentially perform or run a 259 00:10:17,519 --> 00:10:20,880 couple of commands or scripts to 260 00:10:20,880 --> 00:10:23,279 essentially emulate malicious network 261 00:10:23,279 --> 00:10:26,160 activity so that these logs are 262 00:10:26,160 --> 00:10:28,320 essentially--so this traffic is 263 00:10:28,320 --> 00:10:29,839 essentially logged--and that'll provide 264 00:10:29,839 --> 00:10:32,800 us with a good idea as to how helpful 265 00:10:32,800 --> 00:10:35,279 Splunk is for security event monitoring, 266 00:10:35,279 --> 00:10:38,880 especially in the context of network intrusions. 267 00:10:40,320 --> 00:10:41,920 So as I said, you don't really need to 268 00:10:41,920 --> 00:10:44,240 have a Windows workstation. You simply 269 00:10:44,240 --> 00:10:46,000 need to have the Ubuntu VM, and you can 270 00:10:46,000 --> 00:10:48,800 pretty much run everything from it. And, 271 00:10:48,800 --> 00:10:50,560 of course, you can set up the Splunk 272 00:10:50,560 --> 00:10:54,240 Enterprise Security server on Linode 273 00:10:54,240 --> 00:10:56,480 without any issues. 274 00:10:56,480 --> 00:10:58,399 So that's the lab environment. We can now 275 00:10:58,399 --> 00:11:00,000 get started with the practical 276 00:11:00,000 --> 00:11:01,440 demonstration. So I'm going to switch 277 00:11:01,440 --> 00:11:05,040 over to my Ubuntu virtual machine. 278 00:11:05,040 --> 00:11:07,600 Alright. So I'm back on my Ubuntu 279 00:11:07,600 --> 00:11:09,360 virtual machine, and you can see I have 280 00:11:09,360 --> 00:11:11,279 Linode opened up here. 
I haven't set anything up yet because we're going to be walking through the process together. I then have the Splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and, you know, register for an account. It's free. Once that is done, you'll need to activate your account or verify your account through the verification email they'll send you. Once that is done, we can then move forward. Because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, you know, in this case, I'll be going through everything as we move along in a structured manner. And then to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. So this is essentially a bash script that allows you to--as you can see here--it allows you to essentially emulate or simulate malicious network traffic.
So, 310 00:12:16,800 --> 00:12:19,440 previously, we had used 311 00:12:19,440 --> 00:12:21,279 the website technique to essentially get 312 00:12:21,279 --> 00:12:23,760 a Linux UID, and that traffic would be 313 00:12:23,760 --> 00:12:26,240 logged as malicious, or 314 00:12:26,240 --> 00:12:27,760 it could be logged as a potential 315 00:12:27,760 --> 00:12:30,000 intrusion. And we can run a few other 316 00:12:30,000 --> 00:12:33,360 checks like HTTP basic authentication, 317 00:12:33,360 --> 00:12:35,519 bad certificate authorities, 318 00:12:35,519 --> 00:12:38,639 an EXE or DLL download over HTTP. So, 319 00:12:38,639 --> 00:12:40,720 you know, we can run tests that, 320 00:12:40,720 --> 00:12:42,959 you know, will just make our 321 00:12:42,959 --> 00:12:45,440 intrusion detection system blow up in 322 00:12:45,440 --> 00:12:47,600 terms of alerts. And that's what we want 323 00:12:47,600 --> 00:12:49,519 because we want to see how that data is 324 00:12:49,519 --> 00:12:52,160 presented to us as a security engineer 325 00:12:52,160 --> 00:12:55,040 on Splunk. With that being said, the first 326 00:12:55,040 --> 00:12:58,030 step, of course, is to set up Splunk ES on Linode. 327 00:12:58,330 --> 00:13:04,079 So just click on “Create a Linode” and click on “Marketplace.” 328 00:13:04,079 --> 00:13:06,399 And they already have Splunk here. So 329 00:13:06,399 --> 00:13:08,480 there we are. You can click on that there. 330 00:13:08,480 --> 00:13:10,240 And if you click on this little info 331 00:13:10,240 --> 00:13:12,399 button here, it'll give you an idea as to 332 00:13:12,399 --> 00:13:14,320 how to deploy it on 333 00:13:14,320 --> 00:13:16,480 Linode. And, of course, you have more 334 00:13:16,480 --> 00:13:18,399 information regarding Splunk. So you have 335 00:13:18,399 --> 00:13:20,480 the documentation link there. So I'll 336 00:13:20,480 --> 00:13:22,959 just click on Splunk. 
Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using "admin" to begin with and then specify a password. If you're setting up, you know, Splunk on a domain, then you can specify the Linode API token to essentially create the DNS records--that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this "admin." And then for the admin user, we'll just say provide that there. So the image--we're going to set it up on Ubuntu 20.04. The region--I'll say London because that's closest to me.
As for the actual Linode plan, Linode ES doesn't require that many resources, especially because, you know, the amount of data that we're processing or the logs that are being forwarded to Splunk are relatively few--so less than 100--which, if you've used Splunk before for security event monitoring, you know that that is really, really small. In fact, Splunk will actually tell you, you know, that the amount of data to begin with that you have imported or forwarded is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So I'll just say "Splunk," and I'll provide my root password for the server. And we can click on "Create." Alright. Now, once this is set up and provisioned, the actual installer is going to begin. So it's going to set up because there is an auto-installer setup that will set up Splunk. Yes. For you. So, let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH.
And of course, one thing that I don't need to tell you is, if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux--the Linux Server Security series. They'll give you, you know, all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. And we can then get started, you know, officially with how to set up Splunk. We then need to set up the Universal Forwarder. So, this is booting now. Alright. So the server is booted, and you can see I've just opened up the Lish console here to essentially view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes to essentially begin.
And once it's done, it'll actually tell you that, and it'll provide you with the login prompt. But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to actually conclude. Alright. So once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete," and you can then log in. Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, which is the uncomplicated firewall for Debian, or it typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. So I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status.
And you can see these are all the allowed rules or the actual rules configured for the firewall, which is looking good so far. So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. So just give this a couple of seconds. There we are. And the credentials that we had used were "admin" and the password that I created--that, you know, of course, you'll be able to specify yourself. So just sign in. And once that is done, you'll be brought to Splunk Enterprise Security here. So there we are--explore Splunk Enterprise. And in this case, what we're going to be doing--what we're going to start off with--is we need to go through a few configuration changes with Splunk itself. So the idea, firstly, is to configure the actual receiving of data. So if you head over into "Settings," you can click on "Data," then just click on "Forwarding and Receiving."
472 00:18:31,840 --> 00:18:34,400 And once that is done--once that is 473 00:18:34,400 --> 00:18:35,760 loaded up-- 474 00:18:35,760 --> 00:18:38,080 under "Receive Data," we need to 475 00:18:38,080 --> 00:18:40,000 configure this instance to receive data 476 00:18:40,000 --> 00:18:41,600 forwarded from other instances. So we 477 00:18:41,600 --> 00:18:43,520 want to configure receiving, 478 00:18:43,520 --> 00:18:46,799 and we just want to set the default receiving port. 479 00:18:46,799 --> 00:18:50,400 So we can say "New Receiving Port," 480 00:18:50,400 --> 00:18:52,160 and the port is, of course, going to be 481 00:18:52,160 --> 00:18:54,799 the default, which is 9997--which is why 482 00:18:54,799 --> 00:18:56,640 that firewall rule was added. So I'll 483 00:18:56,640 --> 00:18:58,182 click on Save. 484 00:18:58,880 --> 00:19:01,200 Alright. So once that is done, we can 485 00:19:01,200 --> 00:19:04,110 now install the Snort app 486 00:19:04,110 --> 00:19:06,240 for Splunk. So click on "Apps" and head 487 00:19:06,240 --> 00:19:08,480 over into "Find More Apps." 488 00:19:08,480 --> 00:19:11,360 And because the Ubuntu server is running-- 489 00:19:11,360 --> 00:19:13,120 or the Ubuntu VM that I'm currently 490 00:19:13,120 --> 00:19:15,919 working on is running--Snort 2, we'll need 491 00:19:15,919 --> 00:19:18,160 the appropriate app here. So I'll just 492 00:19:18,160 --> 00:19:20,160 search for "Snort" there. And we're not 493 00:19:20,160 --> 00:19:22,320 looking for the Snort 3 JSON alerts, 494 00:19:22,320 --> 00:19:24,320 although that, you know, could be quite 495 00:19:24,320 --> 00:19:26,480 useful, but we want the Snort alert for 496 00:19:26,480 --> 00:19:28,720 Splunk. Alright. So this app provides 497 00:19:28,720 --> 00:19:30,880 field extraction. 
So that's really great 498 00:19:30,880 --> 00:19:32,400 because performing your own field 499 00:19:32,400 --> 00:19:34,960 extractions using regex 500 00:19:34,960 --> 00:19:36,400 can be quite difficult if you're a 501 00:19:36,400 --> 00:19:39,360 beginner. So, fast and full alerts, 502 00:19:39,360 --> 00:19:42,400 as well as dashboards, saved searches, 503 00:19:42,400 --> 00:19:45,600 reports, event types, tags, and event 504 00:19:45,600 --> 00:19:48,080 search interfaces. So we'll install that. 505 00:19:48,080 --> 00:19:50,240 Now you'll need to log in with 506 00:19:50,240 --> 00:19:52,400 your Splunk account credentials that you, 507 00:19:52,400 --> 00:19:55,120 you know, actually created on 508 00:19:55,120 --> 00:19:57,760 splunk.com. So I'll just fill in my 509 00:19:57,760 --> 00:20:00,400 information really quickly. 510 00:20:00,400 --> 00:20:02,240 Alright. So I've put in my username and 511 00:20:02,240 --> 00:20:04,240 password. So I'll just say I'll accept 512 00:20:04,240 --> 00:20:06,320 the terms and conditions there. So log in 513 00:20:06,320 --> 00:20:07,600 and install. 514 00:20:07,600 --> 00:20:09,280 That's going to install it. There we are. 515 00:20:09,280 --> 00:20:10,880 So we'll just hit "Done." 516 00:20:10,880 --> 00:20:13,360 Now that that is done, if we head back over 517 00:20:13,360 --> 00:20:16,400 into our dashboard--so I'll just click on 518 00:20:16,400 --> 00:20:18,400 Splunk Enterprise there-- 519 00:20:18,400 --> 00:20:20,720 you can now see we have Snort 520 00:20:20,720 --> 00:20:23,039 Alert for Splunk. So that already 521 00:20:23,039 --> 00:20:25,600 comes preconfigured with a dashboard. 522 00:20:25,600 --> 00:20:28,600 So we'll just let this load up here. 523 00:20:28,600 --> 00:20:30,000 And you can see that we don't have 524 00:20:30,000 --> 00:20:32,480 any data yet. So this will display 525 00:20:32,480 --> 00:20:34,559 your events and sources, top source 526 00:20:34,559 --> 00:20:36,480 countries, the events. 
This is very 527 00:20:36,480 --> 00:20:38,480 important--these sources, top 10 528 00:20:38,480 --> 00:20:41,039 classification. So that'll classify 529 00:20:41,039 --> 00:20:44,400 your alerts in terms of the 530 00:20:44,400 --> 00:20:46,640 type, which again will make sense in a 531 00:20:46,640 --> 00:20:49,280 couple of seconds. So now that that is 532 00:20:49,280 --> 00:20:51,600 done, we actually need to configure 533 00:20:51,600 --> 00:20:54,480 the actual Splunk Universal Forwarder. So 534 00:20:54,480 --> 00:20:56,480 I'll just open that up in a new tab. It's 535 00:20:56,480 --> 00:20:59,120 absolutely free to download the Debian 536 00:20:59,120 --> 00:21:01,840 client or the Splunk Universal 537 00:21:01,840 --> 00:21:04,159 Forwarder Debian package. So Universal 538 00:21:04,159 --> 00:21:06,960 Forwarders provide reliable, secure 539 00:21:06,960 --> 00:21:09,440 data collection from remote 540 00:21:09,440 --> 00:21:11,520 sources and forward that data into 541 00:21:11,520 --> 00:21:14,159 Splunk software for indexing and 542 00:21:14,159 --> 00:21:16,880 consolidation. They can scale to tens of 543 00:21:16,880 --> 00:21:18,799 thousands of remote systems, collecting 544 00:21:18,799 --> 00:21:20,720 terabytes of data. So 545 00:21:20,720 --> 00:21:23,039 again, you can actually see why Splunk is 546 00:21:23,039 --> 00:21:25,360 so powerful and why it's widely used 547 00:21:25,360 --> 00:21:27,440 and deployed--because of the fact that 548 00:21:27,440 --> 00:21:30,480 you can literally be... 549 00:21:30,480 --> 00:21:32,640 literally forward a ton of data from a 550 00:21:32,640 --> 00:21:35,840 ton of systems into Splunk. So because 551 00:21:35,840 --> 00:21:38,480 Snort is running on this 552 00:21:38,480 --> 00:21:40,480 Ubuntu VM, we need the Debian package. So 553 00:21:40,480 --> 00:21:41,919 I'll click on Linux, and we want the 554 00:21:41,919 --> 00:21:45,039 64-bit version. 
Again, you can choose one 555 00:21:45,039 --> 00:21:46,559 based on your requirements. So if you're 556 00:21:46,559 --> 00:21:49,840 running on Red Hat, Fedora, or CentOS, you 557 00:21:49,840 --> 00:21:51,520 can use the RPM package. So I'll just 558 00:21:51,520 --> 00:21:54,559 download the Debian package here. 559 00:21:54,559 --> 00:21:56,080 Give that a couple of seconds. It's then 560 00:21:56,080 --> 00:21:58,240 going to begin downloading it, and then 561 00:21:58,240 --> 00:22:00,000 I'll walk you through the setup process. 562 00:22:00,000 --> 00:22:01,840 So there we are. 563 00:22:01,840 --> 00:22:04,260 It's begun the setup. 564 00:22:07,360 --> 00:22:09,440 And once that is done, I'll open up my 565 00:22:09,440 --> 00:22:10,799 terminal. So that's saved in the 566 00:22:10,799 --> 00:22:12,960 Downloads directory. So 567 00:22:12,960 --> 00:22:14,320 if we check--if we head over into the 568 00:22:14,320 --> 00:22:15,840 Downloads directory--you can see we have 569 00:22:15,840 --> 00:22:18,489 the Splunk Forwarder Debian package there. 570 00:22:19,200 --> 00:22:21,679 So what we want to do, firstly, is we want 571 00:22:21,679 --> 00:22:25,680 to move this package into the actual /opt 572 00:22:25,680 --> 00:22:28,080 directory on Linux, which will 573 00:22:28,080 --> 00:22:30,880 essentially allow us to, you know, 574 00:22:30,880 --> 00:22:33,360 to set it up as optional software. And 575 00:22:33,360 --> 00:22:35,280 it's really good to have all that 576 00:22:35,280 --> 00:22:38,240 optional software stored in the 577 00:22:38,240 --> 00:22:42,240 directory. So, once that is done and 578 00:22:42,240 --> 00:22:44,320 once that's downloaded, we can say, 579 00:22:44,320 --> 00:22:45,600 move 580 00:22:45,600 --> 00:22:48,480 Splunk forward into opt, 581 00:22:48,480 --> 00:22:50,400 and we'll need sudo privileges. So I'll 582 00:22:50,400 --> 00:22:52,559 say sudo move. There we are. 
And I'll just 583 00:22:52,559 --> 00:22:55,120 type in my password. Fantastic. So 584 00:22:55,120 --> 00:22:57,360 now navigate to the opt directory. And to 585 00:22:57,360 --> 00:23:00,320 install this, we can say sudo apt, 586 00:23:00,320 --> 00:23:02,960 and then we can specify install. So we 587 00:23:02,960 --> 00:23:05,120 can say sudo apt install, 588 00:23:05,120 --> 00:23:06,960 and then we specify the package itself. 589 00:23:06,960 --> 00:23:09,440 So Splunk forwarder, 590 00:23:09,440 --> 00:23:11,440 and we're just going to hit enter. That's 591 00:23:11,440 --> 00:23:13,520 going to install it for you. 592 00:23:13,520 --> 00:23:16,880 Give that a couple of seconds. 593 00:23:19,440 --> 00:23:21,520 Alright. So once that is installed, if 594 00:23:21,520 --> 00:23:23,039 you list out the contents of this 595 00:23:23,039 --> 00:23:24,559 directory, you're gonna have a Splunk 596 00:23:24,559 --> 00:23:26,559 forwarder directory here. So I'll say cd 597 00:23:26,559 --> 00:23:29,200 splunkforwarder. And under the binary 598 00:23:29,200 --> 00:23:31,200 directory, we can navigate to that here. 599 00:23:31,200 --> 00:23:32,720 We'll need to start-- 600 00:23:32,720 --> 00:23:35,600 we'll need to start Splunk. So we will 601 00:23:35,600 --> 00:23:37,280 say sudo, 602 00:23:37,280 --> 00:23:39,039 and the binary we want to run is called 603 00:23:39,039 --> 00:23:41,279 splunk, and we'll accept the license. 604 00:23:41,279 --> 00:23:42,799 The reason we're doing this is because 605 00:23:42,799 --> 00:23:44,799 we need to configure it. So we need to 606 00:23:44,799 --> 00:23:46,799 specify the username and password, or, you 607 00:23:46,799 --> 00:23:49,279 know, create a username and password. 608 00:23:49,279 --> 00:23:52,000 And once that is done, you'll actually 609 00:23:52,000 --> 00:23:53,360 see what that looks like. So I'll just 610 00:23:53,360 --> 00:23:55,679 say accept the license. 
611 00:23:55,679 --> 00:23:59,200 And, you can see in this case, let's see if I 612 00:23:59,200 --> 00:24:01,200 typed that incorrectly. That should 613 00:24:01,200 --> 00:24:03,600 actually start. So splunk start. I did not 614 00:24:03,600 --> 00:24:05,440 specify start there. 615 00:24:05,440 --> 00:24:06,799 There we are. So please enter an 616 00:24:06,799 --> 00:24:09,679 administrator name. I'll just say admin. 617 00:24:09,679 --> 00:24:12,000 So again, Splunk software must create an 618 00:24:12,000 --> 00:24:14,320 administrator account during startup. 619 00:24:14,320 --> 00:24:16,559 Otherwise, you cannot log in. So create 620 00:24:16,559 --> 00:24:18,899 credentials for the administrator account. 621 00:24:20,640 --> 00:24:22,320 So in this case, you can 622 00:24:22,320 --> 00:24:23,600 create whatever you want. I'm just going 623 00:24:23,600 --> 00:24:26,000 to fill in my credentials here. 624 00:24:26,000 --> 00:24:28,640 Alright, so I've just entered my 625 00:24:28,640 --> 00:24:30,320 administrator username and then, of 626 00:24:30,320 --> 00:24:32,400 course, my password. So 627 00:24:32,400 --> 00:24:33,840 that is done. 628 00:24:33,840 --> 00:24:36,240 So it'll go through-- 629 00:24:36,240 --> 00:24:37,760 it'll essentially go through and check 630 00:24:37,760 --> 00:24:40,400 the prerequisites. New certs have been 631 00:24:40,400 --> 00:24:42,960 generated in the following directory, 632 00:24:42,960 --> 00:24:45,200 and all the preliminary checks have 633 00:24:45,200 --> 00:24:47,520 passed. So starting the Splunk server 634 00:24:47,520 --> 00:24:49,440 daemon--so that started. You can also 635 00:24:49,440 --> 00:24:52,159 enable it to run on system startup. So if 636 00:24:52,159 --> 00:24:56,330 I say, you know, for example, sudo systemctl 637 00:24:56,720 --> 00:24:58,910 status splunk, 638 00:24:59,520 --> 00:25:01,840 let me type that correctly here. 
So 639 00:25:01,840 --> 00:25:03,360 splunk-- 640 00:25:03,360 --> 00:25:07,520 sorry, systemctl, 641 00:25:07,520 --> 00:25:10,240 and we can say splunkd. 642 00:25:10,240 --> 00:25:12,880 Sorry. So we can say splunk. I'm not 643 00:25:12,880 --> 00:25:15,039 really sure why that's not loading here. 644 00:25:15,039 --> 00:25:17,520 But I do know that the daemon is running, 645 00:25:17,520 --> 00:25:23,620 and there should be an init daemon for that. 646 00:25:23,620 --> 00:25:24,799 But in any case, 647 00:25:24,799 --> 00:25:27,360 you can always start it that way. 648 00:25:27,360 --> 00:25:29,840 Once that is done, we will need to add 649 00:25:29,840 --> 00:25:32,320 our forward server. So we need to add 650 00:25:32,320 --> 00:25:34,960 the address of the server--the 651 00:25:34,960 --> 00:25:37,039 Splunk server that we're forwarding our 652 00:25:37,039 --> 00:25:39,600 logs to. We'll move on to what 653 00:25:39,600 --> 00:25:42,480 logs we want to forward in a second. But 654 00:25:42,480 --> 00:25:44,159 let's do that first. So again, we're going 655 00:25:44,159 --> 00:25:45,799 to use the 656 00:25:47,520 --> 00:25:51,220 Splunk binary, and we're going to say forward-server. 657 00:25:51,220 --> 00:25:52,559 And we'll just copy the IP 658 00:25:52,559 --> 00:25:56,419 address of your Splunk server here. 659 00:25:56,419 --> 00:25:59,850 So there we are. And I'll paste that in there. 660 00:26:00,640 --> 00:26:03,320 And then you need to type in the port--so 661 00:26:03,320 --> 00:26:07,780 9997, that's the port to connect to. Hit enter. 662 00:26:08,400 --> 00:26:10,799 So splunk forward-- 663 00:26:11,279 --> 00:26:13,279 yeah, we need to add it. I keep forgetting 664 00:26:13,279 --> 00:26:16,910 the preliminary command. So add forward-server, 665 00:26:16,910 --> 00:26:18,260 Splunk username. 666 00:26:18,320 --> 00:26:21,919 So in this case, let me just put 667 00:26:21,919 --> 00:26:25,840 in my credentials here. 
668 00:26:26,640 --> 00:26:29,440 Alright. And it's going to then add the 669 00:26:29,440 --> 00:26:31,760 forwarding to that particular address. 670 00:26:31,760 --> 00:26:33,760 Alright. Now that that is done, 671 00:26:33,760 --> 00:26:35,440 we actually need to 672 00:26:35,440 --> 00:26:37,919 configure a particular file, 673 00:26:37,919 --> 00:26:40,720 and that is going to be the outputs.conf 674 00:26:40,720 --> 00:26:43,039 directory. If it's already set up for us, 675 00:26:43,039 --> 00:26:45,039 which it should be, 676 00:26:45,039 --> 00:26:46,880 then we do not need to go through the 677 00:26:46,880 --> 00:26:49,360 initial setup. So, 678 00:26:49,360 --> 00:26:51,120 if we head over into the following 679 00:26:51,120 --> 00:26:52,640 directory--so I'll just take a step back-- 680 00:26:52,640 --> 00:26:55,120 we're still in the Splunk forwarder directory. 681 00:26:55,279 --> 00:26:59,739 We'll head over into the etc directory. 682 00:26:59,739 --> 00:27:01,679 And under system, 683 00:27:01,679 --> 00:27:05,039 we have a file under local, I think. It is 684 00:27:05,039 --> 00:27:06,640 called outputs here. Right? So I'm going to say 685 00:27:06,640 --> 00:27:09,680 sudo vim outputs.conf. 686 00:27:09,840 --> 00:27:11,840 And really, the only thing that is 687 00:27:11,840 --> 00:27:14,290 required here is, 688 00:27:14,290 --> 00:27:16,159 of course, just leave the default 689 00:27:16,159 --> 00:27:18,320 configuration as is. The default group is 690 00:27:18,320 --> 00:27:21,760 fine. So tcpout:default-autolb-group, 691 00:27:21,760 --> 00:27:23,279 that's fine. So make sure that the 692 00:27:23,279 --> 00:27:25,840 server option here is configured--that's 693 00:27:25,840 --> 00:27:29,100 the most important. And the tcpout-server 694 00:27:29,100 --> 00:27:30,320 address is also configured in 695 00:27:30,320 --> 00:27:32,000 this format. So we don't need to make any 696 00:27:32,000 --> 00:27:34,670 changes there. 
So I'll just say quit and exit. 697 00:27:35,120 --> 00:27:38,640 Once that is done, we also need to check 698 00:27:38,640 --> 00:27:41,279 the actual inputs configuration file. 699 00:27:41,279 --> 00:27:43,200 But before we do that, 700 00:27:43,200 --> 00:27:45,279 let's take a look. So if you revisit the 701 00:27:45,279 --> 00:27:46,880 Snort video, 702 00:27:46,880 --> 00:27:48,880 you know that all the logs are stored 703 00:27:48,880 --> 00:27:53,110 under /var/log/snort. 704 00:27:53,110 --> 00:27:55,760 Right? So we have the alert log, 705 00:27:55,760 --> 00:27:59,279 and we also have--so again, based on 706 00:27:59,279 --> 00:28:02,000 the type of alerts 707 00:28:02,000 --> 00:28:03,200 you want generated--so, you know, 708 00:28:03,200 --> 00:28:05,440 if I say man snort here, 709 00:28:05,440 --> 00:28:08,090 you can see that we have the alert mode. 710 00:28:08,090 --> 00:28:09,440 So you can use the fast mode or the 711 00:28:09,440 --> 00:28:11,360 full mode. In this case, I'll be using the 712 00:28:11,360 --> 00:28:12,559 fast mode, 713 00:28:13,760 --> 00:28:15,279 and I'll give you a description of what's 714 00:28:15,279 --> 00:28:17,279 going on here. Right? So 715 00:28:17,279 --> 00:28:19,919 full writes the alert to the alert 716 00:28:19,919 --> 00:28:21,919 file with the full decoded header as 717 00:28:21,919 --> 00:28:24,720 well as the alert message, which might be 718 00:28:24,720 --> 00:28:27,279 important. So we can also do that as well. 719 00:28:27,279 --> 00:28:29,600 So this was from the previous--from 720 00:28:29,600 --> 00:28:31,760 the Snort video where we 721 00:28:31,760 --> 00:28:33,360 had run... 722 00:28:33,360 --> 00:28:35,840 essentially run Snort and, you know, 723 00:28:35,840 --> 00:28:38,480 where we were identifying various alerts. 
724 00:28:38,480 --> 00:28:41,919 So, what we can do is, again, we'll 725 00:28:41,919 --> 00:28:43,760 go through what needs to be created, but 726 00:28:43,760 --> 00:28:45,600 we can run a quick test command just to 727 00:28:45,600 --> 00:28:46,880 see whether 728 00:28:46,880 --> 00:28:48,799 the actual alerts are being logged 729 00:28:48,799 --> 00:28:50,320 within the alert file, because we have 730 00:28:50,320 --> 00:28:53,039 alert.1. Ideally, we would only want 731 00:28:53,039 --> 00:28:55,760 to forward this file into Splunk. 732 00:28:55,760 --> 00:28:58,080 So, in order to do this, what I'm going 733 00:28:58,080 --> 00:29:00,080 to do now is I'm just gonna run Snort 734 00:29:00,080 --> 00:29:03,590 really quickly. So I'm going to say sudo snort -q, 735 00:29:03,919 --> 00:29:06,000 for quiet, and then 736 00:29:06,000 --> 00:29:10,500 the actual directory for the logs is /var/log/snort. 737 00:29:11,360 --> 00:29:14,640 And then we can say the interface is enp0s3. 738 00:29:14,640 --> 00:29:16,240 Again, make sure to replace that with 739 00:29:16,240 --> 00:29:19,039 your own interface. The alert, we can 740 00:29:19,039 --> 00:29:20,320 say full, 741 00:29:20,320 --> 00:29:26,190 and the configuration is /etc/snort/snort.conf. 742 00:29:26,399 --> 00:29:28,320 I believe we had another configuration 743 00:29:28,320 --> 00:29:30,720 file. Yeah. We had used the snort.conf file. 744 00:29:30,720 --> 00:29:32,399 So I'll hit enter. 745 00:29:32,399 --> 00:29:35,560 And now let me open up my file explorer here. 746 00:29:35,840 --> 00:29:38,720 We take a look at the var directory 747 00:29:38,720 --> 00:29:42,240 under log. And under snort, 748 00:29:42,240 --> 00:29:44,960 we have alert. There we are. So, 749 00:29:44,960 --> 00:29:47,960 that has been modified. The last was 750 00:29:47,960 --> 00:29:50,050 modified 751 00:29:51,200 --> 00:29:53,919 right over there. Okay. So that's 19. Yeah. 
752 00:29:53,919 --> 00:29:55,679 So this is the last modified. So I know 753 00:29:55,679 --> 00:29:58,000 this file is not human-readable. We 754 00:29:58,000 --> 00:30:00,979 are not going to be forwarding this .log file. 755 00:30:00,979 --> 00:30:02,960 So I'll just close that there. 756 00:30:02,960 --> 00:30:07,440 So I'm just going to try and perform a few 757 00:30:07,440 --> 00:30:09,679 checks on the network, like a few pings, 758 00:30:09,679 --> 00:30:11,760 just to see if that's detected. 759 00:30:11,760 --> 00:30:15,679 So I'll just, you know, perform a ping really quickly. 760 00:30:15,679 --> 00:30:17,520 Again, the alerts will not be logged on 761 00:30:17,520 --> 00:30:18,960 our terminal because they're being 762 00:30:18,960 --> 00:30:21,200 logged, you know, into the respective 763 00:30:21,200 --> 00:30:24,159 alert file or the alert log file. So I'll 764 00:30:24,159 --> 00:30:26,080 just perform, you know, a few pings, as 765 00:30:26,080 --> 00:30:27,679 I was saying, which I'm doing right now 766 00:30:27,679 --> 00:30:29,520 on the attacker system. 767 00:30:29,520 --> 00:30:31,760 Once that is done, let's see whether 768 00:30:31,760 --> 00:30:33,760 those changes are being highlighted in 769 00:30:33,760 --> 00:30:37,600 alert. Indeed, they are. Okay. So now, 770 00:30:40,159 --> 00:30:42,399 as you can see here, 771 00:30:42,399 --> 00:30:45,279 this is the full-- 772 00:30:45,360 --> 00:30:48,000 these are... So to begin with, we had used 773 00:30:48,000 --> 00:30:52,729 the fast alert output mode. 774 00:30:54,000 --> 00:30:56,080 And right over here, we then have the 775 00:30:56,080 --> 00:31:00,159 full alert mode, which I'm not really sure how 776 00:31:00,159 --> 00:31:01,919 we want to 777 00:31:01,919 --> 00:31:05,360 go about doing this. But you can see, 778 00:31:05,360 --> 00:31:07,360 we can actually make a few changes. 779 00:31:07,360 --> 00:31:11,110 What we can do is we can get rid of this traffic here. 
780 00:31:11,440 --> 00:31:13,519 But you can see the message is actually 781 00:31:13,519 --> 00:31:15,279 being logged. So 782 00:31:15,279 --> 00:31:17,760 we can get rid of this here, 783 00:31:17,760 --> 00:31:25,749 because we don't want to mix fast alerts 784 00:31:26,080 --> 00:31:31,519 with the full mode. So we can just get rid of that 785 00:31:31,519 --> 00:31:33,611 there and save that. 786 00:31:34,159 --> 00:31:37,840 Once that is done, I'll just say-- 787 00:31:37,840 --> 00:31:41,290 we actually need permissions to modify that file. 788 00:31:42,000 --> 00:31:45,600 But you know what we can do? What I am 789 00:31:45,600 --> 00:31:47,279 going to do, actually, is close without 790 00:31:47,279 --> 00:31:49,519 saving. I'm just going to stop Snort 791 00:31:49,519 --> 00:31:50,399 there, 792 00:31:50,399 --> 00:31:52,080 and I'm just going to say 793 00:31:52,080 --> 00:31:54,480 sudo remove /var 794 00:31:54,480 --> 00:31:56,799 /log 795 00:31:56,960 --> 00:31:59,120 /snort, and we're going to remove 796 00:31:59,120 --> 00:32:01,360 alert. 797 00:32:01,360 --> 00:32:02,720 Alright. And we're also going to remove 798 00:32:02,720 --> 00:32:04,240 alert.1. 799 00:32:04,240 --> 00:32:05,440 Alright. So I'm just going to run this 800 00:32:05,440 --> 00:32:07,039 again just to see if that file is 801 00:32:07,039 --> 00:32:08,240 generated. 802 00:32:08,240 --> 00:32:11,120 So there we are. We have alert there. 803 00:32:11,120 --> 00:32:12,559 So now it's much cleaner. So I'll just 804 00:32:12,559 --> 00:32:14,240 run a few pings just to make sure that 805 00:32:14,240 --> 00:32:16,480 the traffic is being logged--all those 806 00:32:16,480 --> 00:32:18,480 alerts are being logged. 807 00:32:18,480 --> 00:32:20,399 So there we are. We have a few pings 808 00:32:20,399 --> 00:32:21,519 there, 809 00:32:21,519 --> 00:32:24,640 and we can also, you know, just run a few 810 00:32:24,640 --> 00:32:26,960 checks there. Okay. So there we are. We can 811 
00:32:26,960 --> 00:32:29,360 see that those are now being logged. And, 812 00:32:29,360 --> 00:32:31,519 of course, we can change the format based 813 00:32:31,519 --> 00:32:32,320 on-- 814 00:32:32,320 --> 00:32:33,519 you can change it based on your 815 00:32:33,519 --> 00:32:35,039 requirements. Right? 816 00:32:35,039 --> 00:32:37,840 So, 817 00:32:38,000 --> 00:32:39,919 now that that is done, 818 00:32:39,919 --> 00:32:42,000 what we can do is we can close that up, 819 00:32:42,000 --> 00:32:44,960 and we can actually leave Snort running 820 00:32:44,960 --> 00:32:46,320 as is. 821 00:32:46,320 --> 00:32:48,960 So what I'll do is I'm just going to 822 00:32:48,960 --> 00:32:51,120 open up another tab. 823 00:32:51,120 --> 00:32:53,120 So I'll just, you know--I can say Ctrl+ 824 00:32:53,120 --> 00:32:54,880 Shift+D. There we are. 825 00:32:54,880 --> 00:32:56,799 And we're currently within the following 826 00:32:56,799 --> 00:33:00,159 directory, so /opt/splunkforwarder/etc/ 827 00:33:00,159 --> 00:33:01,519 system/local. 828 00:33:01,519 --> 00:33:03,120 So, 829 00:33:03,120 --> 00:33:06,000 once that is done, we now need to add-- 830 00:33:06,000 --> 00:33:08,080 we now need to add the files that we 831 00:33:08,080 --> 00:33:09,919 would like to monitor, or that we would 832 00:33:09,919 --> 00:33:12,240 like to forward. Right? So the log files. 833 00:33:12,240 --> 00:33:15,360 So I'll go back into the bin directory. 834 00:33:15,360 --> 00:33:17,679 So there we are: cd bin, because that's 835 00:33:17,679 --> 00:33:19,360 where we have the splunk binary. So I'll 836 00:33:19,360 --> 00:33:20,960 say sudo 837 00:33:20,960 --> 00:33:22,000 838 00:33:22,000 --> 00:33:24,399 splunk, 839 00:33:24,399 --> 00:33:28,320 and we can say add monitor, 840 00:33:28,320 --> 00:33:30,720 and the file that we want to forward is 841 00:33:30,720 --> 00:33:34,399 under /var/log/snort, and it is just alert. 842 00:33:34,399 --> 00:33:36,559 Right? So that's all--that's really all 843 
00:33:36,559 --> 00:33:38,720 that we want to do. Right? 844 00:33:38,720 --> 00:33:41,600 And we can also utilize the fast alerts, 845 00:33:41,600 --> 00:33:44,399 but let's just do this for now. 846 00:33:44,399 --> 00:33:46,399 And we only want the alerts. We don't 847 00:33:46,399 --> 00:33:48,320 want the actual log files that contain 848 00:33:48,320 --> 00:33:53,840 the packets themselves. So I'll hit enter. 849 00:33:54,480 --> 00:33:56,399 Alright. So it's now going to forward 850 00:33:56,399 --> 00:33:58,960 those alerts into Splunk, which pretty 851 00:33:58,960 --> 00:34:02,159 much means that on our end, we are done. 852 00:34:02,159 --> 00:34:04,000 However, we still need to check one more 853 00:34:04,000 --> 00:34:05,840 configuration file. So I'll just take a 854 00:34:05,840 --> 00:34:08,000 step back here, and we'll head over into 855 00:34:08,000 --> 00:34:10,879 the etc directory, under apps 856 00:34:10,879 --> 00:34:13,119 and search, 857 00:34:13,119 --> 00:34:15,520 and then into local. 858 00:34:15,520 --> 00:34:16,720 I think we'll need root 859 00:34:16,720 --> 00:34:18,320 permissions to access this, so I'll just 860 00:34:18,320 --> 00:34:20,079 switch to the root user and head over 861 00:34:20,079 --> 00:34:21,520 into local. 862 00:34:21,520 --> 00:34:24,399 And we're looking for the inputs.conf 863 00:34:24,399 --> 00:34:26,560 file. 864 00:34:26,560 --> 00:34:28,079 Right. So we need to actually 865 00:34:28,079 --> 00:34:29,760 configure this, because this is very 866 00:34:29,760 --> 00:34:31,040 important. So 867 00:34:31,040 --> 00:34:35,119 the first thing we want to do is, let 868 00:34:35,119 --> 00:34:35,919 us 869 00:34:35,919 --> 00:34:38,639 add a new line here, and within the 870 00:34:38,639 --> 00:34:41,440 square brackets I'll just say splunk 871 00:34:41,440 --> 00:34:44,240 tcp, 872 00:34:44,240 --> 00:34:46,399 and we then want to specify the port, so 873 00:34:46,399 --> 00:34:48,399 9997. 874 00:34:48,399 --> 
00:34:49,679 Let me make sure I type that in 875 00:34:49,679 --> 00:34:51,520 correctly. 876 00:34:51,520 --> 00:34:54,240 We then need to actually put in the 877 00:34:54,240 --> 00:34:56,960 connection-- 878 00:34:56,960 --> 00:35:01,200 so the connection host. So connection 879 00:35:01,200 --> 00:35:03,440 host is going to be equal to the IP 880 00:35:03,440 --> 00:35:05,280 address of the Splunk 881 00:35:05,280 --> 00:35:06,560 server. 882 00:35:06,560 --> 00:35:08,960 So I'll just copy that there, paste that 883 00:35:08,960 --> 00:35:11,280 in there. 884 00:35:11,280 --> 00:35:14,000 Once that is done, 885 00:35:14,000 --> 00:35:16,320 this is fine here: disabled is set to 886 00:35:16,320 --> 00:35:19,040 false. We want index is going to be equal 887 00:35:19,040 --> 00:35:20,320 to main, 888 00:35:20,320 --> 00:35:23,680 and then the source type 889 00:35:23,680 --> 00:35:26,560 is going to be equal to snort 890 00:35:26,560 --> 00:35:27,520 alert 891 00:35:27,520 --> 00:35:28,960 full, 892 00:35:28,960 --> 00:35:31,280 and we can then say the source is equal 893 00:35:31,280 --> 00:35:33,040 to snort. Alright. So this is a very 894 00:35:33,040 --> 00:35:35,280 important configuration. So let me just 895 00:35:35,280 --> 00:35:36,640 go through those options or 896 00:35:36,640 --> 00:35:38,640 configurations again. We have the splunktcp 897 00:35:38,640 --> 00:35:40,320 option; 898 00:35:40,320 --> 00:35:42,880 we then have the actual connection 899 00:35:42,880 --> 00:35:45,520 host; the monitor is set correctly to 900 00:35:45,520 --> 00:35:46,640 that file; 901 00:35:46,640 --> 00:35:49,520 it's enabled; index equals main; source 902 00:35:49,520 --> 00:35:51,680 type equals snort_alert_full; source is 903 00:35:51,680 --> 00:35:53,680 equal to snort. Fantastic. So we'll write 904 00:35:53,680 --> 00:35:54,720 and quit. 905 00:35:54,720 --> 00:35:57,040 Once this is done, 906 00:35:57,040 --> 00:35:58,720 we'll need to restart Splunk. So I'll 907 00:35:58,720 --> 
00:36:00,800 switch back to my user, lexis, here, and 908 00:36:00,800 --> 00:36:04,560 we'll navigate back to the bin directory. 909 00:36:04,560 --> 00:36:06,400 So I'll say cd bin, 910 00:36:06,400 --> 00:36:08,800 and we'll say sudo-- 911 00:36:08,800 --> 00:36:11,680 let me say splunk, and we can then say 912 00:36:11,680 --> 00:36:13,440 restart. 913 00:36:13,440 --> 00:36:15,680 Alright. Hit enter. 914 00:36:15,680 --> 00:36:18,320 It's going to stop the splunk daemon, 915 00:36:18,320 --> 00:36:19,680 shutting it down, 916 00:36:19,680 --> 00:36:22,160 restart it, and it's done successfully. So 917 00:36:22,160 --> 00:36:24,560 all the checks were completed without 918 00:36:24,560 --> 00:36:27,119 any issue. Alright. So 919 00:36:27,119 --> 00:36:29,040 now that this is done, we can actually go 920 00:36:29,040 --> 00:36:31,440 back into Splunk here, and we'll navigate 921 00:36:31,440 --> 00:36:33,280 to the dashboard. 922 00:36:33,280 --> 00:36:35,839 This is your Splunk server. Right? 923 00:36:35,839 --> 00:36:37,440 And let's take a look at the messages 924 00:36:37,440 --> 00:36:39,920 here. That's just a few updates; we 925 00:36:39,920 --> 00:36:41,920 don't need to do anything there. So if we 926 00:36:41,920 --> 00:36:43,119 click on 927 00:36:43,119 --> 00:36:45,599 "Search and Reporting," just to verify that 928 00:36:45,599 --> 00:36:47,839 that data has indeed been forwarded, I'll 929 00:36:47,839 --> 00:36:49,280 just skip through this. If we click on 930 00:36:49,280 --> 00:36:51,040 "Data Summary," 931 00:36:51,040 --> 00:36:52,880 under "Sources," you should see that we 932 00:36:52,880 --> 00:36:55,680 have the host, and in my case, the name of 933 00:36:55,680 --> 00:36:58,640 the system is "black box," so that should 934 00:36:58,640 --> 00:37:01,119 be reflected there. So there we are: black 935 00:37:01,119 --> 00:37:03,280 box. We have 42 936 00:37:03,280 --> 00:37:06,800 logs, or alerts if you will. Sources: 42. We 937 00:37:06,800 --> 00:37:08,640 can click on that 
there to just see the 938 00:37:08,640 --> 00:37:11,280 data that has been logged. Indeed, we can 939 00:37:11,280 --> 00:37:13,040 see that has been done correctly. So 940 00:37:13,040 --> 00:37:14,880 source type is alert. 941 00:37:14,880 --> 00:37:17,280 We can see that it's imported, you 942 00:37:17,280 --> 00:37:19,440 know, pretty much all the data. Or, you 943 00:37:19,440 --> 00:37:21,119 know, these are the--this is the full log, 944 00:37:21,119 --> 00:37:23,599 whereby we have the reference to that 945 00:37:23,599 --> 00:37:24,880 there. 946 00:37:24,880 --> 00:37:26,800 That's weird. I didn't actually run 947 00:37:26,800 --> 00:37:30,240 anything weird. But there you go. 948 00:37:30,240 --> 00:37:32,720 So now that this is done, you can 949 00:37:32,720 --> 00:37:34,880 use Splunk to essentially visualize this 950 00:37:34,880 --> 00:37:36,800 data, you know, however you want. So, you 951 00:37:36,800 --> 00:37:39,359 know, I can go into "Visualization," 952 00:37:39,359 --> 00:37:42,240 and we can click on--maybe we can 953 00:37:42,240 --> 00:37:44,720 create a-- 954 00:37:44,720 --> 00:37:46,880 we can select a few fields. So if I go 955 00:37:46,880 --> 00:37:50,240 back into the events here, I can select a 956 00:37:50,240 --> 00:37:52,240 few fields that I want displayed here, 957 00:37:52,240 --> 00:37:54,320 and I can, you know, essentially extract 958 00:37:54,320 --> 00:37:57,040 the fields that I want with regex. 959 00:37:57,040 --> 00:37:57,920 But 960 00:37:57,920 --> 00:37:59,680 I don't think this is necessary at this 961 00:37:59,680 --> 00:38:01,520 point, because if we actually go back to 962 00:38:01,520 --> 00:38:03,599 the dashboard 963 00:38:03,599 --> 00:38:06,160 and we click on-- 964 00:38:06,160 --> 00:38:10,079 let's see--Splunk Snort Alert for Splunk, 965 00:38:10,079 --> 00:38:11,440 let's see if this is actually--whether 966 00:38:11,440 --> 00:38:15,200 this automates that process for us. 967 00:38:15,200 --> 00:38:17,280 
There we are. Actually, it looks like 968 00:38:17,280 --> 00:38:21,599 it does, so: classification, bad traffic. 969 00:38:21,599 --> 00:38:24,160 So it looks like that is working. 970 00:38:24,160 --> 00:38:26,400 So what we can do now 971 00:38:26,400 --> 00:38:28,720 is run a few... 972 00:38:28,720 --> 00:38:31,280 we can actually utilize this script 973 00:38:31,280 --> 00:38:33,520 here, the 974 00:38:33,520 --> 00:38:37,119 TestMyNIDS script here. So all 975 00:38:37,119 --> 00:38:39,440 you need to do to run it is just copy 976 00:38:39,440 --> 00:38:41,520 this one-liner script here, or this 977 00:38:41,520 --> 00:38:43,200 command, that will download it into your 978 00:38:43,200 --> 00:38:46,000 tmp directory and will then execute it. 979 00:38:46,000 --> 00:38:49,200 So, to execute it within your 980 00:38:49,200 --> 00:38:51,599 temp directory, you can just execute 981 00:38:51,599 --> 00:38:53,040 the actual 982 00:38:53,040 --> 00:38:54,400 983 00:38:54,400 --> 00:38:56,240 the actual binary there. It is a 984 00:38:56,240 --> 00:38:58,800 binary, not a script. 985 00:38:58,800 --> 00:39:01,280 And once that is done, you can then 986 00:39:01,280 --> 00:39:03,520 select the option here. So let me just do 987 00:39:03,520 --> 00:39:05,920 that on my attacker system. 988 00:39:05,920 --> 00:39:08,880 I'm just going to run it one more time, so 989 00:39:08,880 --> 00:39:14,359 just going to say ls here, and 990 00:39:16,160 --> 00:39:18,960 if I open up the documentation, so 991 00:39:18,960 --> 00:39:21,839 firstly I will... 992 00:39:21,839 --> 00:39:23,440 I will run 993 00:39:23,440 --> 00:39:26,640 a quick Linux UID check. So 994 00:39:26,640 --> 00:39:28,960 I'll just hit Enter. 995 00:39:28,960 --> 00:39:31,280 Okay, that is done. I'll then perform an 996 00:39:31,280 --> 00:39:35,119 HTTP basic authentication 997 00:39:35,119 --> 00:39:37,839 and a malware user agent, so I'm doing 998 00:39:37,839 --> 00:39:40,640 that right now. 999
00:39:40,839 --> 00:39:46,000 Okay, and we can run one more here, so 1000 00:39:46,000 --> 00:39:48,720 let's see, let's see, let's see. We 1001 00:39:48,720 --> 00:39:51,520 can try EXE or DLL download over HTTP. 1002 00:39:51,520 --> 00:39:55,280 That is surely going to be 1003 00:39:55,280 --> 00:39:57,040 logged, 1004 00:39:57,040 --> 00:39:59,839 or that's going to trigger an alert. 1005 00:39:59,839 --> 00:40:00,640 So, 1006 00:40:00,640 --> 00:40:03,040 do we have... that is running. All 1007 00:40:03,040 --> 00:40:05,280 right, so Snort is running, that's great. 1008 00:40:05,280 --> 00:40:08,079 So we know that the log is being... 1009 00:40:08,079 --> 00:40:10,240 the actual alerts are being forwarded. 1010 00:40:10,240 --> 00:40:12,960 Absolutely fantastic. So let's go back in 1011 00:40:12,960 --> 00:40:15,040 here. I've already run those 1012 00:40:15,040 --> 00:40:18,400 particular checks, 1013 00:40:18,400 --> 00:40:20,160 so let me just refresh this. I know it 1014 00:40:20,160 --> 00:40:22,160 usually takes a couple of seconds to a 1015 00:40:22,160 --> 00:40:24,400 couple of minutes, but that data should 1016 00:40:24,400 --> 00:40:26,240 actually be reflected. There 1017 00:40:26,240 --> 00:40:28,160 we are, fantastic. So 1018 00:40:28,160 --> 00:40:31,119 we can see that... firstly 1019 00:40:31,119 --> 00:40:32,880 I'll just explain the dashboard here, 1020 00:40:32,880 --> 00:40:33,760 because 1021 00:40:33,760 --> 00:40:36,160 this dashboard is automatically 1022 00:40:36,160 --> 00:40:38,000 set up for you by the Snort app, 1023 00:40:38,000 --> 00:40:39,920 which is really awesome. As I said, you 1024 00:40:39,920 --> 00:40:41,440 don't need to go through that process 1025 00:40:41,440 --> 00:40:42,560 yourself. 1026 00:40:42,560 --> 00:40:44,560 So the first graph here essentially 1027 00:40:44,560 --> 00:40:46,400 tells you your events, 1028 00:40:46,400 --> 00:40:48,560 and it also displays, you
know, 1029 00:40:48,560 --> 00:40:50,400 the total number of sources, so you can 1030 00:40:50,400 --> 00:40:52,560 see that there. You also have the time, 1031 00:40:52,560 --> 00:40:54,480 and you have your events and 1032 00:40:54,480 --> 00:40:56,079 then the timeline here, and you can 1033 00:40:56,079 --> 00:40:58,880 essentially view a trend, or the 1034 00:40:58,880 --> 00:41:01,680 trend of events there. You then 1035 00:41:01,680 --> 00:41:04,880 have the top source countries 1036 00:41:04,880 --> 00:41:07,040 right over here, and if I just run 1037 00:41:07,040 --> 00:41:08,720 another check really quickly here 1038 00:41:08,720 --> 00:41:11,119 through the NIDS website, 1039 00:41:11,119 --> 00:41:14,720 so let me just run the curl command, 1040 00:41:14,720 --> 00:41:16,640 you should actually see that, because 1041 00:41:16,640 --> 00:41:19,280 we are reaching out to... a 1042 00:41:19,280 --> 00:41:21,280 connection is made to an external server, 1043 00:41:21,280 --> 00:41:23,680 it should reflect that info under 1044 00:41:23,680 --> 00:41:25,760 the top countries, the top source 1045 00:41:25,760 --> 00:41:26,800 countries. 1046 00:41:26,800 --> 00:41:28,800 So we then have the events here, which 1047 00:41:28,800 --> 00:41:31,280 you can click on, and then 1048 00:41:31,280 --> 00:41:33,119 of course you have the sources. 1049 00:41:33,119 --> 00:41:36,079 So these are the Snort event types, 1050 00:41:36,079 --> 00:41:37,760 and these are actually the 1051 00:41:37,760 --> 00:41:39,680 classifications, so we can see Potentially 1052 00:41:39,680 --> 00:41:42,640 Bad Traffic, Attempted Information Leak, 1053 00:41:42,640 --> 00:41:44,720 and you can just refresh your 1054 00:41:44,720 --> 00:41:47,440 dashboard to get the latest. 1055 00:41:47,440 --> 00:41:49,359 So we'll give that a couple of seconds, 1056 00:41:49,359 --> 00:41:52,000 and you can also specify the actual 1057
00:41:52,000 --> 00:41:53,599 interval period. 1058 00:41:53,599 --> 00:41:56,400 So I'll just wait for this. Let's 1059 00:41:56,400 --> 00:41:58,880 see if it's actually being logged, or 1060 00:41:58,880 --> 00:42:00,319 whether we can see all of that. So I'll 1061 00:42:00,319 --> 00:42:04,000 just go back into the dashboard here, 1062 00:42:04,000 --> 00:42:04,800 and 1063 00:42:04,800 --> 00:42:07,359 we'll go into Search and Reporting, and 1064 00:42:07,359 --> 00:42:09,920 if we click on the actual 1065 00:42:09,920 --> 00:42:13,040 Data Summary and the Sources, we can 1066 00:42:13,040 --> 00:42:15,359 see we have snort there and then the 1067 00:42:15,359 --> 00:42:19,520 "var snort alert" one. So we click on snort there. 1068 00:42:19,520 --> 00:42:22,000 Okay, so this is bad traffic. That's 1069 00:42:22,000 --> 00:42:25,440 really weird, because 1070 00:42:26,079 --> 00:42:27,920 the source is snort. We had added two 1071 00:42:27,920 --> 00:42:29,520 sources there. 1072 00:42:29,520 --> 00:42:32,720 So, Data Summary, 1073 00:42:32,720 --> 00:42:34,800 let me just click on that there, and if 1074 00:42:34,800 --> 00:42:36,960 we click on these sources there, this is 1075 00:42:36,960 --> 00:42:40,800 the one that we want, ideally. 1076 00:42:43,200 --> 00:42:46,079 Yeah, so that looks like the correct 1077 00:42:46,079 --> 00:42:48,720 one there. 1078 00:42:49,599 --> 00:42:51,680 Yeah, that's the correct traffic. I 1079 00:42:51,680 --> 00:42:55,119 think that's why the actual... let me 1080 00:42:55,119 --> 00:42:56,960 see if I can find... so Snort Alert for 1081 00:42:56,960 --> 00:43:00,640 Splunk, let me click on the app there. 1082 00:43:02,480 --> 00:43:04,160 Show filters. It should be displaying 1083 00:43:04,160 --> 00:43:06,400 much more than that, because I know, yeah, 1084 00:43:06,400 --> 00:43:08,319 there are not just four. 1085 00:43:08,319 --> 00:43:09,920 So 1086 00:43:09,920 --> 00:43:12,640 if we actually head over into the 1087 00:43:12,640 -->
00:43:16,560 Snort Event Search here, 1088 00:43:18,480 --> 00:43:20,800 we can actually search for... 1089 00:43:20,800 --> 00:43:25,359 we can utilize... yeah, so these are only... 1090 00:43:25,359 --> 00:43:28,400 this is only monitoring the pings. So 1091 00:43:28,400 --> 00:43:30,240 that's weird. I'm not really sure why we 1092 00:43:30,240 --> 00:43:32,319 have two data sources. I think it's to do 1093 00:43:32,319 --> 00:43:33,839 with the fact 1094 00:43:33,839 --> 00:43:37,040 that we had... so let me 1095 00:43:37,040 --> 00:43:39,520 just go back here: 1096 00:43:39,520 --> 00:43:42,640 apps, search, and sudo root. 1097 00:43:42,640 --> 00:43:46,720 Let me just check that here, so cd local, 1098 00:43:46,720 --> 00:43:47,839 vim 1099 00:43:47,839 --> 00:43:50,640 inputs.conf. So there we are, so the 1100 00:43:50,640 --> 00:43:53,280 source is snort. 1101 00:43:53,280 --> 00:43:56,079 We already specified the source as snort 1102 00:43:56,079 --> 00:43:57,599 there, 1103 00:43:57,599 --> 00:43:59,520 but it's adding 1104 00:43:59,520 --> 00:44:02,319 this particular... the alert as 1105 00:44:02,319 --> 00:44:04,160 a source as well. 1106 00:44:04,160 --> 00:44:06,400 And then the source type is snort 1107 00:44:06,400 --> 00:44:09,040 alert full, index main. Yeah, that 1108 00:44:09,040 --> 00:44:10,560 should be working, that should be working 1109 00:44:10,560 --> 00:44:12,319 without any issues. I'm not really sure 1110 00:44:12,319 --> 00:44:14,079 why that is the case, but 1111 00:44:14,079 --> 00:44:16,480 we can actually customize what data set 1112 00:44:16,480 --> 00:44:18,000 we want to use, 1113 00:44:18,000 --> 00:44:19,359 so 1114 00:44:19,359 --> 00:44:21,520 I think... let me actually showcase how to 1115 00:44:21,520 --> 00:44:23,359 do that right now. 1116 00:44:23,359 --> 00:44:25,839 So apologies about that, I actually 1117 00:44:25,839 --> 00:44:27,599 figured out what the issue was. It was 1118
00:44:27,599 --> 00:44:30,319 because the system I was running 1119 00:44:30,319 --> 00:44:32,079 these particular 1120 00:44:32,079 --> 00:44:34,560 attacks from wasn't even connected to 1121 00:44:34,560 --> 00:44:36,800 the local network, 1122 00:44:36,800 --> 00:44:38,880 and even though I was running these 1123 00:44:38,880 --> 00:44:41,040 attacks, I did realize that of 1124 00:44:41,040 --> 00:44:42,640 course they weren't working. So I'm just 1125 00:44:42,640 --> 00:44:44,880 going to... I've just reconnected it, 1126 00:44:44,880 --> 00:44:47,359 and what I'm going to do is I'm just going to 1127 00:44:47,359 --> 00:44:49,599 run this one more time. 1128 00:44:49,599 --> 00:44:53,359 So just give me a second here and I'll 1129 00:44:53,359 --> 00:44:56,319 be able to do that one more time. So 1130 00:44:56,319 --> 00:44:58,560 let me just navigate to that particular 1131 00:44:58,560 --> 00:45:00,079 directory, 1132 00:45:00,079 --> 00:45:01,040 and 1133 00:45:01,040 --> 00:45:02,480 we'll actually see whether this will 1134 00:45:02,480 --> 00:45:04,400 work. So 1135 00:45:04,400 --> 00:45:06,000 you can actually see there's much more 1136 00:45:06,000 --> 00:45:07,920 that's been captured in regards to 1137 00:45:07,920 --> 00:45:10,160 events, and I'll be explaining this 1138 00:45:10,160 --> 00:45:12,480 dashboard in a couple of seconds. 1139 00:45:12,480 --> 00:45:13,359 So 1140 00:45:13,359 --> 00:45:14,960 let me just 1141 00:45:14,960 --> 00:45:17,359 launch that first attack there, so that... 1142 00:45:17,359 --> 00:45:19,440 let me just launch that first 1143 00:45:19,440 --> 00:45:22,240 type of check, and of course I'm using 1144 00:45:22,240 --> 00:45:26,400 TestMyNIDS here. So unfortunately 1145 00:45:26,400 --> 00:45:28,000 that wasn't even being logged, which is 1146 00:45:28,000 --> 00:45:30,000 why I was a bit confused as to why those 1147 00:45:30,000 --> 00:45:32,800 logs were not being displayed here. 1148 00:45:32,800 -->
00:45:35,520 So I'll give that a couple of seconds 1149 00:45:35,520 --> 00:45:36,800 and 1150 00:45:36,800 --> 00:45:38,880 we'll be able to see this happen 1151 00:45:38,880 --> 00:45:41,920 in real time as well. 1152 00:45:41,920 --> 00:45:44,560 All right, so that is done. So I've 1153 00:45:44,560 --> 00:45:46,319 essentially launched a couple of those 1154 00:45:46,319 --> 00:45:48,319 tests, and 1155 00:45:48,319 --> 00:45:50,640 this, as I said, is your default 1156 00:45:50,640 --> 00:45:52,560 dashboard that you're provided with here. 1157 00:45:52,560 --> 00:45:53,520 So 1158 00:45:53,520 --> 00:45:55,760 you can actually refresh 1159 00:45:55,760 --> 00:45:58,720 all of these panels here, 1160 00:45:58,720 --> 00:46:00,800 if you will, so that'll display the 1161 00:46:00,800 --> 00:46:03,920 latest. And as I said here, because I 1162 00:46:03,920 --> 00:46:05,839 had performed the actual... 1163 00:46:05,839 --> 00:46:07,680 I'd performed the actual check 1164 00:46:07,680 --> 00:46:09,520 and then connected to an external server, 1165 00:46:09,520 --> 00:46:11,680 you can see that the top source 1166 00:46:11,680 --> 00:46:13,680 countries are highlighted there. 1167 00:46:13,680 --> 00:46:15,839 You can also refresh the number of 1168 00:46:15,839 --> 00:46:18,160 events, as you can see here, 1169 00:46:18,160 --> 00:46:20,319 and the number of sources. So 1170 00:46:20,319 --> 00:46:22,319 you can also do that for the rest of 1171 00:46:22,319 --> 00:46:24,480 the panels. So these are the top 10 1172 00:46:24,480 --> 00:46:26,800 classifications 1173 00:46:26,800 --> 00:46:28,960 in terms of events, if you will, and then 1174 00:46:28,960 --> 00:46:31,359 the Snort event types, as you can see 1175 00:46:31,359 --> 00:46:32,319 here. 1176 00:46:32,319 --> 00:46:33,839 So for example, in this case we have the 1177 00:46:33,839 --> 00:46:36,160 ATTACK-RESPONSES id check, which if we 1178 00:46:36,160 -->
00:46:37,520 click on 1179 00:46:37,520 --> 00:46:40,319 right over here, 1180 00:46:41,119 --> 00:46:42,640 you can see that it actually displays 1181 00:46:42,640 --> 00:46:44,400 that, and you can then 1182 00:46:44,400 --> 00:46:46,400 click on the signature itself, and this 1183 00:46:46,400 --> 00:46:48,880 is for statistics. Now if you click on 1184 00:46:48,880 --> 00:46:52,000 the Snort Event Search tab right over 1185 00:46:52,000 --> 00:46:53,040 here, 1186 00:46:53,040 --> 00:46:54,880 you can see that this allows you to 1187 00:46:54,880 --> 00:46:57,119 search based on the source IP, the source 1188 00:46:57,119 --> 00:46:59,680 port, the destination IP, destination port, 1189 00:46:59,680 --> 00:47:02,240 and the event type. So I can check for 1190 00:47:02,240 --> 00:47:04,400 attack responses based on the rule set 1191 00:47:04,400 --> 00:47:06,480 that we had used previously, 1192 00:47:06,480 --> 00:47:09,359 and I can also specify the timing, right? 1193 00:47:09,359 --> 00:47:12,079 So that's really fantastic there. 1194 00:47:12,079 --> 00:47:14,640 So you can see that right over here we 1195 00:47:14,640 --> 00:47:16,240 have that logged, 1196 00:47:16,240 --> 00:47:19,040 which is fantastic. And 1197 00:47:19,040 --> 00:47:21,920 if we click on the Snort World Map, 1198 00:47:21,920 --> 00:47:24,000 that'll essentially, as you'll see in a 1199 00:47:24,000 --> 00:47:26,160 couple of seconds, this will essentially 1200 00:47:26,160 --> 00:47:28,559 display the countries by the source IPs. 1201 00:47:28,559 --> 00:47:29,839 In this case it should display the 1202 00:47:29,839 --> 00:47:32,079 United States, which makes sense. 1203 00:47:32,079 --> 00:47:34,800 And there we are. So again, this is 1204 00:47:34,800 --> 00:47:37,119 extremely helpful, especially if you work 1205 00:47:37,119 --> 00:47:39,839 in a SOC, and as I said there are multiple 1206 00:47:39,839 --> 00:47:41,920 security tools you can 1207 00:47:41,920 --> 00:47:45,040
integrate with Splunk. 1208 00:47:45,040 --> 00:47:46,880 Now one thing that I wanted to highlight 1209 00:47:46,880 --> 00:47:49,440 is, if you click on Edit... I'll 1210 00:47:49,440 --> 00:47:51,200 just go back to the 1211 00:47:51,200 --> 00:47:53,200 Event Summary here, because this is very 1212 00:47:53,200 --> 00:47:55,119 important: 1213 00:47:55,119 --> 00:47:57,280 you can set this as your main dashboard. 1214 00:47:57,280 --> 00:47:58,960 So if you right-click here, you can set 1215 00:47:58,960 --> 00:48:01,520 this as your home dashboard. 1216 00:48:01,520 --> 00:48:03,599 So I'll just click on that there, 1217 00:48:03,599 --> 00:48:05,440 and now you'll see on your dashboard 1218 00:48:05,440 --> 00:48:08,240 here, if I just close that top menu, 1219 00:48:08,240 --> 00:48:10,240 that will actually be displayed there. So 1220 00:48:10,240 --> 00:48:12,319 give it a couple of seconds, 1221 00:48:12,319 --> 00:48:14,079 and of course you can click on the cog 1222 00:48:14,079 --> 00:48:16,240 wheel here 1223 00:48:16,240 --> 00:48:19,280 and essentially display whatever... 1224 00:48:19,280 --> 00:48:21,520 you can specify your default 1225 00:48:21,520 --> 00:48:23,200 dashboard. Now there are a couple of 1226 00:48:23,200 --> 00:48:25,599 other ones that are created by default, 1227 00:48:25,599 --> 00:48:27,119 but yeah, you can have that on your 1228 00:48:27,119 --> 00:48:28,400 dashboard. 1229 00:48:28,400 --> 00:48:31,040 And if you actually click 1230 00:48:31,040 --> 00:48:33,839 on Snort, the Snort Alert for Splunk here, 1231 00:48:33,839 --> 00:48:36,240 and we'll just go back into that Snort 1232 00:48:36,240 --> 00:48:38,240 Event Summary tab, 1233 00:48:38,240 --> 00:48:40,880 you can actually edit the way these 1234 00:48:40,880 --> 00:48:44,240 particular panels are tiled. So 1235 00:48:44,240 --> 00:48:46,079 you can convert it to a 1236 00:48:46,079 --> 00:48:48,880 pre-built panel, or, you know,
1237 00:48:48,880 --> 00:48:50,400 you can actually convert it to a 1238 00:48:50,400 --> 00:48:52,960 pre-built panel, you can get rid of it, 1239 00:48:52,960 --> 00:48:54,720 you can also move them around based 1240 00:48:54,720 --> 00:48:57,440 on your own requirements, and in this 1241 00:48:57,440 --> 00:48:59,680 case you can actually, let's see if I can 1242 00:48:59,680 --> 00:49:00,880 show you, you can actually select the 1243 00:49:00,880 --> 00:49:02,480 visualization. 1244 00:49:02,480 --> 00:49:04,240 So in this case I think the default 1245 00:49:04,240 --> 00:49:06,079 one is fine, and you can then view the 1246 00:49:06,079 --> 00:49:07,920 report here. So 1247 00:49:07,920 --> 00:49:08,960 1248 00:49:08,960 --> 00:49:11,359 if we click on this one here, for example, 1249 00:49:11,359 --> 00:49:13,280 we could actually use the bar graph to 1250 00:49:13,280 --> 00:49:15,280 display the number of the 1251 00:49:15,280 --> 00:49:17,200 actual 1252 00:49:17,200 --> 00:49:19,440 top source countries, and have 1253 00:49:19,440 --> 00:49:21,599 them displayed in a bar graph style, but 1254 00:49:21,599 --> 00:49:23,280 we can just take it back into the pie 1255 00:49:23,280 --> 00:49:25,599 chart there. And you can also change this 1256 00:49:25,599 --> 00:49:27,440 for the events as well. 1257 00:49:27,440 --> 00:49:29,359 So if we wanted to view a 1258 00:49:29,359 --> 00:49:31,440 trend, we can click on the bar graph 1259 00:49:31,440 --> 00:49:32,240 there. 1260 00:49:32,240 --> 00:49:34,000 In this case I don't think that's 1261 00:49:34,000 --> 00:49:37,040 formatted correctly, so if we just use 1262 00:49:37,040 --> 00:49:39,440 the default one, 1263 00:49:39,440 --> 00:49:42,880 which I believe was... I think it was... no, 1264 00:49:42,880 --> 00:49:46,160 that wasn't the one. I believe it was... 1265 00:49:46,160 --> 00:49:47,920 let's see if I can identify it here. It 1266 00:49:47,920 --> 00:49:50,800
was the number... there we are, so 26. So, 1267 00:49:50,800 --> 00:49:52,640 as I said, you can customize this based 1268 00:49:52,640 --> 00:49:53,839 on your own 1269 00:49:53,839 --> 00:49:55,440 1270 00:49:55,440 --> 00:49:57,440 your own requirements. So for example, 1271 00:49:57,440 --> 00:49:59,839 this one might do well if it was in the 1272 00:49:59,839 --> 00:50:02,240 form of a bar graph, so 1273 00:50:02,240 --> 00:50:04,240 you can utilize that if you feel that 1274 00:50:04,240 --> 00:50:06,319 that is appropriate. 1275 00:50:06,319 --> 00:50:08,319 In this case we can also 1276 00:50:08,319 --> 00:50:11,920 specify the actual... we can 1277 00:50:11,920 --> 00:50:14,559 actually list the events themselves. 1278 00:50:14,559 --> 00:50:16,079 Let's see which other ones look 1279 00:50:16,079 --> 00:50:17,920 really good here. 1280 00:50:17,920 --> 00:50:19,760 And yeah, once you're done with the 1281 00:50:19,760 --> 00:50:22,079 customization, you can then cancel or 1282 00:50:22,079 --> 00:50:24,559 save based on your requirements, and you 1283 00:50:24,559 --> 00:50:27,200 can also filter on this particular tab 1284 00:50:27,200 --> 00:50:28,960 here through the source IP, 1285 00:50:28,960 --> 00:50:31,280 destination IP, etc. 1286 00:50:31,280 --> 00:50:33,839 Let's see, what else did I want to 1287 00:50:33,839 --> 00:50:35,599 highlight? Let me just 1288 00:50:35,599 --> 00:50:38,000 refresh this once more 1289 00:50:38,000 --> 00:50:39,760 to essentially get the 1290 00:50:39,760 --> 00:50:42,480 latest data. 1291 00:50:42,480 --> 00:50:44,480 And you can see, in terms of the 1292 00:50:44,480 --> 00:50:46,480 panels, this will 1293 00:50:46,480 --> 00:50:49,520 display the last 100 attempts, 1294 00:50:49,520 --> 00:50:51,760 and you can go through 1295 00:50:51,760 --> 00:50:53,599 them like so. 1296 00:50:53,599 -->
00:50:55,839 You can also view... I think we've gone 1297 00:50:55,839 --> 00:50:57,119 through all of them, but you have the 1298 00:50:57,119 --> 00:50:59,440 persistent sources, so two or more days 1299 00:50:59,440 --> 00:51:01,359 of activity in the last 30 days. So you 1300 00:51:01,359 --> 00:51:03,040 actually need a lot of data for that to 1301 00:51:03,040 --> 00:51:05,200 be displayed or to give you anything 1302 00:51:05,200 --> 00:51:06,400 useful. 1303 00:51:06,400 --> 00:51:07,520 1304 00:51:07,520 --> 00:51:09,760 Yeah, so that is 1305 00:51:09,760 --> 00:51:11,680 what I wanted to highlight in regards to 1306 00:51:11,680 --> 00:51:14,079 the Snort Alert for Splunk app and the 1307 00:51:14,079 --> 00:51:15,839 actual dashboards, which, as I said, it 1308 00:51:15,839 --> 00:51:17,359 already does for you. 1309 00:51:17,359 --> 00:51:19,119 Now you can create your own dashboard, as 1310 00:51:19,119 --> 00:51:21,200 I said. If I go back into Apps and Search 1311 00:51:21,200 --> 00:51:22,720 and Reporting, 1312 00:51:22,720 --> 00:51:25,200 based on your own sources, so I'll just 1313 00:51:25,200 --> 00:51:27,280 click on Data Summary there, and if I 1314 00:51:27,280 --> 00:51:29,280 click on Sources, 1315 00:51:29,280 --> 00:51:30,960 you can click on 1316 00:51:30,960 --> 00:51:33,839 this source here, for example, and 1317 00:51:33,839 --> 00:51:36,640 in this case we can actually 1318 00:51:36,640 --> 00:51:39,680 just click on that there, and I can click 1319 00:51:39,680 --> 00:51:41,920 on Extract Fields, 1320 00:51:41,920 --> 00:51:43,359 and you can extract the fields with 1321 00:51:43,359 --> 00:51:46,319 regex. So I'll click on Next there, 1322 00:51:46,319 --> 00:51:47,760 and you can then select the fields that 1323 00:51:47,760 --> 00:51:50,400 you want. So for example, in this case we 1324 00:51:50,400 --> 00:51:52,720 would want the date and time, 1325 00:51:52,720 --> 00:51:55,280 so I can just highlight that there, so I 1326
00:51:55,280 --> 00:51:56,319 can say 1327 00:51:56,319 --> 00:51:59,520 time, for example, add the extraction, 1328 00:51:59,520 --> 00:52:02,000 and then of course we have the source IP 1329 00:52:02,000 --> 00:52:03,839 and the port, but I'll just highlight 1330 00:52:03,839 --> 00:52:05,680 them together. But I think it's actually 1331 00:52:05,680 --> 00:52:07,440 recommended just to highlight the source 1332 00:52:07,440 --> 00:52:08,880 IP there. 1333 00:52:08,880 --> 00:52:13,200 So, source, we can say src 1334 00:52:13,200 --> 00:52:14,559 underscore 1335 00:52:14,559 --> 00:52:15,520 ip, 1336 00:52:15,520 --> 00:52:18,480 add that extraction, and we then have the 1337 00:52:18,480 --> 00:52:20,800 destination IP, which in this case, 1338 00:52:20,800 --> 00:52:22,559 because this is 1339 00:52:22,559 --> 00:52:25,520 an SNMP broadcast 1340 00:52:25,520 --> 00:52:27,520 request, we know that that's the 1341 00:52:27,520 --> 00:52:30,880 destination IP. So I'll say dst 1342 00:52:30,880 --> 00:52:33,040 underscore ip, 1343 00:52:33,040 --> 00:52:36,720 add the extraction. Let's see what else 1344 00:52:36,720 --> 00:52:40,079 we can do. 1345 00:52:40,079 --> 00:52:41,440 In this case it's saying: the extraction 1346 00:52:41,440 --> 00:52:42,960 field you're extracting... if you're 1347 00:52:42,960 --> 00:52:45,040 extracting multiple fields, try removing 1348 00:52:45,040 --> 00:52:47,040 one or more fields; start with the 1349 00:52:47,040 --> 00:52:48,720 extractions that are embedded within 1350 00:52:48,720 --> 00:52:51,680 longer strings. Okay, so let's try and use 1351 00:52:51,680 --> 00:52:54,400 another alert here. 1352 00:52:54,400 --> 00:52:57,599 That was kind of interesting. Let's 1353 00:52:57,599 --> 00:52:58,319 see, 1354 00:52:58,319 --> 00:53:00,480 it's not displaying all of them here, but 1355 00:53:00,480 --> 00:53:02,800 you get the idea. Once you're done, 1356 00:53:02,800 --> 00:53:04,480 for example, I can remove 1357
00:53:04,480 --> 00:53:06,079 that field here. I'm just giving you an 1358 00:53:06,079 --> 00:53:08,720 example of that, so remove that field, 1359 00:53:08,720 --> 00:53:12,000 there we are. I can then say Next, and 1360 00:53:12,000 --> 00:53:15,440 I can click on Validate and Save based 1361 00:53:15,440 --> 00:53:18,240 on those fields there, hit Finish, 1362 00:53:18,240 --> 00:53:20,800 and then I can go back to 1363 00:53:20,800 --> 00:53:23,359 Search and Reporting, 1364 00:53:23,359 --> 00:53:25,280 and if I wanted to create a very simple 1365 00:53:25,280 --> 00:53:27,040 visualization, which I'll show you right 1366 00:53:27,040 --> 00:53:27,839 now, 1367 00:53:27,839 --> 00:53:30,000 even though I don't really need those 1368 00:53:30,000 --> 00:53:31,920 extracted fields, although they might be 1369 00:53:31,920 --> 00:53:33,280 useful, so 1370 00:53:33,280 --> 00:53:36,079 I can click on those extracted fields. 1371 00:53:36,079 --> 00:53:38,559 Now, I believe they should have been 1372 00:53:38,559 --> 00:53:39,760 added. 1373 00:53:39,760 --> 00:53:41,200 I'm not really sure why they aren't 1374 00:53:41,200 --> 00:53:43,440 being highlighted here. There we are, so 1375 00:53:43,440 --> 00:53:45,200 source IP. 1376 00:53:45,200 --> 00:53:47,760 We can also specify the source port. 1377 00:53:47,760 --> 00:53:50,240 There they are, so 1378 00:53:50,240 --> 00:53:51,760 they took a while to be 1379 00:53:51,760 --> 00:53:53,599 displayed there. So, 1380 00:53:53,599 --> 00:53:56,559 source port, why not, we can... 1381 00:53:56,559 --> 00:53:59,920 yeah, I think that's pretty much it. So 1382 00:53:59,920 --> 00:54:02,079 based on those we can actually build 1383 00:54:02,079 --> 00:54:04,480 an event type. However, if we go to 1384 00:54:04,480 --> 00:54:07,520 Visualization and click on Pivot here, 1385 00:54:07,520 --> 00:54:10,640 selected fields is five, hit OK, 1386 00:54:10,640 --> 00:54:12,559 we can
actually visualize this 1387 00:54:12,559 --> 00:54:14,319 however we want. So for example, if I 1388 00:54:14,319 --> 00:54:17,119 wanted a column chart here, 1389 00:54:17,119 --> 00:54:19,680 number one will display the count. 1390 00:54:19,680 --> 00:54:22,079 I can just add the 1391 00:54:22,079 --> 00:54:24,079 events, 1392 00:54:24,079 --> 00:54:26,319 because that's the count, and we should 1393 00:54:26,319 --> 00:54:28,720 have at the bottom the time, which I did 1394 00:54:28,720 --> 00:54:32,559 specify, I believe, within that range 1395 00:54:32,559 --> 00:54:34,000 there, 1396 00:54:34,000 --> 00:54:36,720 but that's not being highlighted here. So, 1397 00:54:36,720 --> 00:54:39,280 the number of events, and you 1398 00:54:39,280 --> 00:54:41,839 can go ahead and click, as you can 1399 00:54:41,839 --> 00:54:43,440 essentially save it. 1400 00:54:43,440 --> 00:54:45,280 So you get the idea. You don't really 1401 00:54:45,280 --> 00:54:46,880 need to do this, because we have the 1402 00:54:46,880 --> 00:54:48,480 Snort app here, 1403 00:54:48,480 --> 00:54:50,079 which pretty much gives you the 1404 00:54:50,079 --> 00:54:52,880 summaries that are useful to you, or for 1405 00:54:52,880 --> 00:54:53,839 you. 1406 00:54:53,839 --> 00:54:56,559 And there we are. So, fantastic, that's 1407 00:54:56,559 --> 00:54:57,920 going to conclude the practical 1408 00:54:57,920 --> 00:55:01,119 demonstration side of this video. 1409 00:55:01,119 --> 00:55:02,799 So thank you very much for watching 1410 00:55:02,799 --> 00:55:04,559 this video. If you have any questions or 1411 00:55:04,559 --> 00:55:06,240 suggestions, leave them in the comments 1412 00:55:06,240 --> 00:55:07,200 section. 1413 00:55:07,200 --> 00:55:08,559 If you want to reach out to me, you can 1414 00:55:08,559 --> 00:55:10,160 do so via 1415 00:55:10,160 --> 00:55:12,319 Twitter or the Discord server; the links 1416 00:55:12,319 --> 00:55:14,240 to both of those are in the description 1417
00:55:14,240 --> 00:55:16,720 section. Furthermore, we are now moving on 1418 00:55:16,720 --> 00:55:18,720 to part two, so this will conclude part 1419 00:55:18,720 --> 00:55:21,040 one. So part two will be available on the 1420 00:55:21,040 --> 00:55:24,559 Linode ON24 platform. So the videos 1421 00:55:24,559 --> 00:55:26,559 are available on demand, so all you 1422 00:55:26,559 --> 00:55:28,559 need to do is just click the link 1423 00:55:28,559 --> 00:55:31,599 in the description, register for part two, 1424 00:55:31,599 --> 00:55:33,520 after which an email will be sent to you 1425 00:55:33,520 --> 00:55:34,720 and you'll be given 1426 00:55:34,720 --> 00:55:37,200 immediate access to the videos 1427 00:55:37,200 --> 00:55:40,000 within part two. So thank you very 1428 00:55:40,000 --> 00:55:42,799 much for watching part one. In the 1429 00:55:42,799 --> 00:55:45,040 next video, in part two, we'll get started, 1430 00:55:45,040 --> 00:55:46,640 or we'll take a look at host intrusion 1431 00:55:46,640 --> 00:55:49,520 detection with OSSEC. So I'll be seeing 1432 00:55:49,520 --> 00:55:53,640 you in the next video. 1433 00:55:59,130 --> 00:56:12,240 [Music] 1434 00:56:12,240 --> 00:56:14,319 you