WEBVTT 00:00:01.120 --> 00:00:03.520 Hello, everyone. Welcome back to the Blue 00:00:03.520 --> 00:00:05.440 Team training series brought to you by 00:00:05.440 --> 00:00:08.160 Linode and Hackersploit. In this video, 00:00:08.160 --> 00:00:10.160 we're going to be taking a look at how 00:00:10.160 --> 00:00:12.160 to set up or how to perform security 00:00:12.160 --> 00:00:14.400 event monitoring with Splunk, more 00:00:14.400 --> 00:00:16.800 specifically, Splunk Enterprise 00:00:16.800 --> 00:00:18.640 Security. Right? So the objective here 00:00:18.640 --> 00:00:21.439 will be to monitor intrusions and 00:00:21.439 --> 00:00:23.519 threats with Splunk. And you might be 00:00:23.519 --> 00:00:25.119 asking yourself, well, how are we going to 00:00:25.119 --> 00:00:28.400 do this? What setup are we using? Well, the 00:00:28.400 --> 00:00:30.480 scenario that I've set up for this video 00:00:30.480 --> 00:00:32.559 is we are essentially going to 00:00:32.559 --> 00:00:34.320 take all the knowledge that we've 00:00:34.320 --> 00:00:37.680 learned during the Snort video, and we 00:00:37.680 --> 00:00:39.360 are going to essentially forward all of 00:00:39.360 --> 00:00:42.719 the Snort logs into Splunk or have 00:00:42.719 --> 00:00:44.480 that done automatically through the 00:00:44.480 --> 00:00:47.680 Splunk Universal Forwarder so that we get 00:00:47.680 --> 00:00:50.320 the latest logs when Snort is running on 00:00:50.320 --> 00:00:52.399 our Ubuntu virtual machine. 00:00:52.399 --> 00:00:55.039 And the objective here is to use Splunk 00:00:55.039 --> 00:00:58.000 in conjunction with the Splunk's Snort app 00:00:58.000 --> 00:01:01.039 to essentially visualize and identify or 00:01:01.039 --> 00:01:03.359 monitor network intrusions and any 00:01:03.359 --> 00:01:06.720 malicious network traffic, you know, within the 00:01:06.720 --> 00:01:08.980 network that I'm monitoring. 00:01:08.980 --> 00:01:18.782 [Music]. 00:01:19.360 --> 00:01:21.680 At a very high level, what will we be 00:01:21.680 --> 00:01:23.280 covering? Well, firstly, we'll get an 00:01:23.280 --> 00:01:25.439 introduction to Splunk. Now before we 00:01:25.439 --> 00:01:28.400 move any further or we actually carry on, 00:01:28.400 --> 00:01:30.720 I do want to note that this video is not 00:01:30.720 --> 00:01:32.400 going to be focused on Splunk 00:01:32.400 --> 00:01:34.640 fundamentals. I'm going 00:01:34.640 --> 00:01:36.400 to assume that you already know what 00:01:36.400 --> 00:01:40.400 Splunk is and how it can be used, you know, 00:01:40.400 --> 00:01:42.079 and how it's used generally speaking. 00:01:42.079 --> 00:01:44.720 Because Splunk is not really a tool 00:01:44.720 --> 00:01:48.320 that is specific to security, for example. 00:01:48.320 --> 00:01:49.759 That's why they have the Splunk 00:01:49.759 --> 00:01:52.720 Enterprise Security version or edition. 00:01:52.720 --> 00:01:54.320 And I'm just going to assume that you 00:01:54.320 --> 00:01:56.079 know how to use Splunk at a very basic 00:01:56.079 --> 00:01:58.320 level. So once we get an introduction to 00:01:58.320 --> 00:02:00.960 Splunk, we'll go over Splunk Enterprise 00:02:00.960 --> 00:02:05.119 Security--the Enterprise Security edition--and how it 00:02:05.119 --> 00:02:06.640 can be used for security event 00:02:06.640 --> 00:02:08.399 monitoring, especially in our case 00:02:08.399 --> 00:02:10.879 because we want to essentially monitor 00:02:10.879 --> 00:02:13.280 the intrusion detection logs 00:02:13.280 --> 00:02:15.360 generated by Snort. 00:02:15.360 --> 00:02:16.800 So we'll then move on to deploying 00:02:16.800 --> 00:02:18.720 Splunk Enterprise Security on Linode, 00:02:18.720 --> 00:02:20.640 which is absolutely fantastic because 00:02:20.640 --> 00:02:22.560 they have a cloud image 00:02:22.560 --> 00:02:24.560 available for it that allows you to spin 00:02:24.560 --> 00:02:26.400 it up without going through the process 00:02:26.400 --> 00:02:28.720 of installing it and configuring it. So 00:02:28.720 --> 00:02:30.720 that'll set it up for us. 00:02:30.720 --> 00:02:32.800 We'll then take a look at how to 00:02:32.800 --> 00:02:35.280 configure Splunk, and how to set up the 00:02:35.280 --> 00:02:38.239 Splunk Universal Forwarder on the Ubuntu 00:02:38.239 --> 00:02:40.480 virtual machine that is running Snort so 00:02:40.480 --> 00:02:42.319 that we can forward those logs into 00:02:42.319 --> 00:02:44.560 Splunk. And then, of course, we'll take 00:02:44.560 --> 00:02:46.720 a look at the Splunk Snort event 00:02:46.720 --> 00:02:49.519 dashboard that will be provided to us by 00:02:49.519 --> 00:02:52.879 the Splunk Snort app. So if this sounds like 00:02:52.879 --> 00:02:55.360 gibberish to you, don't worry. It will make 00:02:55.360 --> 00:02:58.139 sense in a couple of minutes. 00:02:58.879 --> 00:03:00.959 With that being said, given the fact 00:03:00.959 --> 00:03:02.800 that we're going to be using, you know, 00:03:02.800 --> 00:03:04.400 we're going to be using Snort to 00:03:04.400 --> 00:03:06.959 generate alerts and monitor those alerts, 00:03:06.959 --> 00:03:09.040 if you have not gone through 00:03:09.040 --> 00:03:11.519 the actual Snort video, please do that as 00:03:11.519 --> 00:03:14.239 it'll help you set up Snort, and you can 00:03:14.239 --> 00:03:16.400 then run through this demo. With that 00:03:16.400 --> 00:03:19.280 being said, this is not a holistic video 00:03:19.280 --> 00:03:20.800 that will cover everything you can do 00:03:20.800 --> 00:03:23.440 with Splunk Enterprise Security. We are 00:03:23.440 --> 00:03:26.010 just focused on the intrusion 00:03:26.010 --> 00:03:27.760 detection logs produced 00:03:27.760 --> 00:03:30.000 by Snort and how they can be 00:03:30.000 --> 00:03:32.879 imported or forwarded to Splunk for, 00:03:32.879 --> 00:03:35.680 you know, analysis and monitoring. 00:03:35.680 --> 00:03:38.159 So the prerequisites are the same as 00:03:38.159 --> 00:03:39.760 the previous videos. The only difference 00:03:39.760 --> 00:03:41.680 is, you know, that you need to have a 00:03:41.680 --> 00:03:43.840 basic familiarity with Splunk and how to 00:03:43.840 --> 00:03:46.080 navigate around the various menu 00:03:46.080 --> 00:03:47.760 elements and, yeah, 00:03:47.760 --> 00:03:49.680 essentially just how to use it at a very 00:03:49.680 --> 00:03:51.360 basic level. If you're not familiar with 00:03:51.360 --> 00:03:54.239 Splunk, I'll give you a few resources at 00:03:54.239 --> 00:03:56.780 the end of these slides 00:03:56.780 --> 00:03:58.159 that'll help you out or help 00:03:58.159 --> 00:04:00.769 you get started. Alright. 00:04:00.769 --> 00:04:01.760 So let's get an introduction 00:04:01.760 --> 00:04:04.239 to Splunk. So what is Splunk? That's the 00:04:04.239 --> 00:04:05.680 main question. If you've never heard of 00:04:05.680 --> 00:04:08.480 Splunk, Splunk is an extremely powerful 00:04:08.480 --> 00:04:10.400 platform that is used to analyze data 00:04:10.400 --> 00:04:13.360 and logs produced by systems or machines, 00:04:13.360 --> 00:04:15.920 as Splunk likes to call them. So 00:04:15.920 --> 00:04:18.639 what problem is Splunk trying to solve 00:04:18.639 --> 00:04:20.880 here? Well, let's look at this from the 00:04:20.880 --> 00:04:24.880 perspective of Web 2.0 or, you know, the 00:04:24.880 --> 00:04:26.720 interconnected world we live in 00:04:26.720 --> 00:04:29.199 today. And we're going to be looking at 00:04:29.199 --> 00:04:31.199 it from the context of or from the 00:04:31.199 --> 00:04:33.360 perspective of security. 00:04:33.360 --> 00:04:35.759 So if we take a simple system--let's say 00:04:35.759 --> 00:04:38.720 we have a Windows operating system or a 00:04:38.720 --> 00:04:41.360 system running Windows--well, that Windows 00:04:41.360 --> 00:04:44.880 system produces a lot of data or logs 00:04:44.880 --> 00:04:47.040 that, you know, contain 00:04:47.040 --> 00:04:48.800 information that, you know, at first 00:04:48.800 --> 00:04:51.600 glance might not seem that important. But 00:04:51.600 --> 00:04:53.919 once you start getting into specific 00:04:53.919 --> 00:04:57.360 sectors like security, those logs start, 00:04:57.360 --> 00:04:59.680 you know, those logs have, you know, 00:04:59.680 --> 00:05:02.080 very important value to organizations. 00:05:02.080 --> 00:05:04.880 Now multiply that by a thousand systems. 00:05:04.880 --> 00:05:06.800 So let's say we have an organization. 00:05:06.800 --> 00:05:08.560 They have a thousand computers within 00:05:08.560 --> 00:05:10.479 their network or, you know, distributed 00:05:10.479 --> 00:05:13.520 worldwide. And all of these systems, 00:05:13.520 --> 00:05:14.960 you know, need to be secured. Their 00:05:14.960 --> 00:05:17.919 security needs to be monitored. So how do 00:05:17.919 --> 00:05:20.560 we monitor all of this? Well, this is 00:05:20.560 --> 00:05:22.639 where Splunk comes into play. So Splunk 00:05:22.639 --> 00:05:25.280 allows you to essentially funnel all of 00:05:25.280 --> 00:05:27.800 this data produced by systems or 00:05:27.800 --> 00:05:30.720 machines into Splunk. And then Splunk allows you 00:05:30.720 --> 00:05:32.560 to monitor, search, and analyze this 00:05:32.560 --> 00:05:35.280 machine-generated data and the logs 00:05:35.280 --> 00:05:37.840 through a web interface. So in order to 00:05:37.840 --> 00:05:39.680 use Splunk, you'll need to import your 00:05:39.680 --> 00:05:42.479 own data or logs. Alternatively, you can 00:05:42.479 --> 00:05:45.280 utilize the Splunk Universal Forwarder to 00:05:45.280 --> 00:05:47.759 forward logs and data to Splunk for 00:05:47.759 --> 00:05:51.360 analysis and, of course, visualization, etc. 00:05:51.360 --> 00:05:53.280 Now, Splunk does so much more that I 00:05:53.280 --> 00:05:55.199 really can't go over all of the features 00:05:55.199 --> 00:05:56.880 here. But as I said, we're looking at this 00:05:56.880 --> 00:06:00.400 from the lens of a security engineer. 00:06:00.400 --> 00:06:02.240 Alright. So Splunk collates all the 00:06:02.240 --> 00:06:04.800 data and logs from various sources and 00:06:04.800 --> 00:06:06.720 provides you with a central index that 00:06:06.720 --> 00:06:08.800 you can search through. Splunk also 00:06:08.800 --> 00:06:11.039 provides you with robust visualization 00:06:11.039 --> 00:06:12.720 and reporting tools that allow you to 00:06:12.720 --> 00:06:15.360 identify the data that interests you, 00:06:15.360 --> 00:06:17.440 transform the data into results, and 00:06:17.440 --> 00:06:19.840 visualize the answers in the form of a 00:06:19.840 --> 00:06:23.280 report, chart, graph, etc. Alright. So what 00:06:23.280 --> 00:06:25.360 I'm saying here is that Splunk allows 00:06:25.360 --> 00:06:28.080 you to take all of this security-related 00:06:28.080 --> 00:06:31.600 logs and data and make sense of them and 00:06:31.600 --> 00:06:33.520 essentially get the answers that you're 00:06:33.520 --> 00:06:35.520 looking for. So, for example, from the 00:06:35.520 --> 00:06:37.680 perspective of a security engineer, what 00:06:37.680 --> 00:06:40.240 do you want from all of this data? Well, 00:06:40.240 --> 00:06:42.160 at a very high level, you want to know 00:06:42.160 --> 00:06:44.080 whether something is going wrong and 00:06:44.080 --> 00:06:46.400 what could go wrong. In the context of 00:06:46.400 --> 00:06:48.800 security, a network could be compromised. 00:06:48.800 --> 00:06:50.560 There could be some malicious network 00:06:50.560 --> 00:06:53.120 traffic or activity going on. A system 00:06:53.120 --> 00:06:55.919 could be compromised, etc., etc. You get the 00:06:55.919 --> 00:06:58.160 idea. So we need that data to be 00:06:58.160 --> 00:07:00.560 displayed to us as a security engineer. 00:07:00.560 --> 00:07:02.560 And Splunk is really one of the best 00:07:02.560 --> 00:07:04.960 tools, you know, when it comes down to, 00:07:04.960 --> 00:07:08.000 you know, taking a lot of data 00:07:08.000 --> 00:07:09.840 and then identifying the data that 00:07:09.840 --> 00:07:11.840 interests you, transforming that data 00:07:11.840 --> 00:07:14.960 into results, and then visualizing that 00:07:14.960 --> 00:07:17.360 data in the form of a report, chart, or 00:07:17.360 --> 00:07:19.759 graph. Right. So that's really what we're 00:07:19.759 --> 00:07:21.599 going to be doing. And as I said, going 00:07:21.599 --> 00:07:23.520 back to the scenario, we're going to be 00:07:23.520 --> 00:07:26.080 focusing on how to, you know, essentially 00:07:26.080 --> 00:07:28.800 get in or how to forward 00:07:28.800 --> 00:07:33.360 the logs created--or the logs and alerts created--by 00:07:33.360 --> 00:07:36.000 Snort into Splunk for analysis. And 00:07:36.000 --> 00:07:39.280 luckily for us, Splunk has a Snort app or 00:07:39.280 --> 00:07:40.960 plug-in, if you will, that will 00:07:40.960 --> 00:07:43.680 essentially simplify this process. 00:07:44.100 --> 00:07:47.360 So, let's get an idea as to, you know, how we 00:07:47.360 --> 00:07:49.120 can use Splunk for security event 00:07:49.120 --> 00:07:51.759 monitoring. So Splunk Enterprise Security, 00:07:51.759 --> 00:07:54.800 also known as Splunk ES, is a security 00:07:54.800 --> 00:07:56.800 information and event management 00:07:56.800 --> 00:07:59.199 solution, also known as a SIEM. 00:07:59.199 --> 00:08:01.360 It is used by security 00:08:01.360 --> 00:08:03.680 teams to quickly detect and respond to 00:08:03.680 --> 00:08:06.160 internal and external attacks or threats 00:08:06.160 --> 00:08:09.680 or intrusions. So Splunk ES can be used 00:08:09.680 --> 00:08:11.759 for security event monitoring, incident 00:08:11.759 --> 00:08:15.919 response, and running a SOC or Security Operations Center. 00:08:15.919 --> 00:08:18.080 In this video, we'll be using Splunk ES 00:08:18.080 --> 00:08:20.000 to monitor and visualize the Snort 00:08:20.000 --> 00:08:22.240 intrusion alerts. This will be 00:08:22.240 --> 00:08:24.400 facilitated through the help of the Snort 00:08:24.400 --> 00:08:26.639 app for Splunk and the Splunk Universal 00:08:26.639 --> 00:08:29.280 Forwarder. Now, the Splunk Universal Forwarder 00:08:29.280 --> 00:08:31.199 is pretty much the most important 00:08:31.199 --> 00:08:33.039 element of what we'll be exploring 00:08:33.039 --> 00:08:35.200 because what it does--and this is really 00:08:35.200 --> 00:08:37.200 cool--is it automatically 00:08:37.200 --> 00:08:39.279 forwards the latest logs, 00:08:39.279 --> 00:08:42.479 even when Snort is running. It forwards those 00:08:42.479 --> 00:08:45.040 alerts and logs into Splunk, and you can 00:08:45.040 --> 00:08:46.560 see them in real time, which is 00:08:46.560 --> 00:08:49.440 absolutely fantastic. 00:08:49.440 --> 00:08:52.320 So as I said, if you're new to Splunk, 00:08:52.320 --> 00:08:54.800 then these resources are really helpful 00:08:54.800 --> 00:08:57.120 for you. Splunk offers really great 00:08:57.120 --> 00:08:59.040 tutorials and courses designed for 00:08:59.040 --> 00:09:00.720 absolute beginners. You can check that 00:09:00.720 --> 00:09:02.959 out by clicking on the link within this 00:09:02.959 --> 00:09:05.600 slide. And you can learn more about the 00:09:05.600 --> 00:09:08.160 Splunk Enterprise Security edition from 00:09:08.160 --> 00:09:09.760 that particular link. 00:09:09.760 --> 00:09:12.240 Now, as I said, we are going to be deploying 00:09:12.240 --> 00:09:15.200 Splunk on Linode, more specifically 00:09:15.200 --> 00:09:17.120 Splunk ES. And this is the lab 00:09:17.120 --> 00:09:19.200 environment. So we're going to spin up, 00:09:19.200 --> 00:09:21.519 you know, Splunk ES on Linode. Now, again, 00:09:21.519 --> 00:09:23.279 to follow through with this, you 00:09:23.279 --> 00:09:25.760 know, Linode has been absolutely fantastic 00:09:25.760 --> 00:09:28.320 with, you know, by providing all of 00:09:28.320 --> 00:09:31.189 you guys with a way to get $100 00:09:31.189 --> 00:09:33.279 in free Linode credit. All you 00:09:33.279 --> 00:09:35.120 need to do is just click the link in the 00:09:35.120 --> 00:09:37.440 description section and sign up, and 00:09:37.440 --> 00:09:39.040 $100 will be added to your 00:09:39.040 --> 00:09:40.959 account so that you can follow along 00:09:40.959 --> 00:09:43.279 with this series. So we're going to 00:09:43.279 --> 00:09:45.200 set up Splunk ES on Linode. And then 00:09:45.200 --> 00:09:47.279 within my internal network, we're just 00:09:47.279 --> 00:09:49.040 going to have a very basic infrastructure. 00:09:49.040 --> 00:09:50.399 We're going to have the Ubuntu virtual 00:09:50.399 --> 00:09:52.880 machine that is running Snort. This is the 00:09:52.880 --> 00:09:54.880 same virtual machine that we had set up 00:09:54.880 --> 00:09:57.680 and used to set up Snort and set up 00:09:57.680 --> 00:10:00.309 Suricata and the one we had used with Wazuh. 00:10:01.360 --> 00:10:03.519 And, yeah, that's essentially it. We're 00:10:03.519 --> 00:10:04.720 going to have a very basic 00:10:04.720 --> 00:10:06.399 infrastructure where we have an attacker 00:10:06.399 --> 00:10:09.519 system that I'm going to be using to perform 00:10:09.519 --> 00:10:11.600 a bit of network 00:10:11.600 --> 00:10:15.040 intrusion detection emulation, whereby 00:10:15.040 --> 00:10:17.519 I will essentially perform or run a 00:10:17.519 --> 00:10:20.880 couple of commands or scripts to 00:10:20.880 --> 00:10:23.279 essentially emulate malicious network 00:10:23.279 --> 00:10:26.160 activity so that these logs are 00:10:26.160 --> 00:10:28.320 essentially--so this traffic is 00:10:28.320 --> 00:10:29.839 essentially logged--and that'll provide 00:10:29.839 --> 00:10:32.800 us with a good idea as to how helpful 00:10:32.800 --> 00:10:35.279 Splunk is for security event monitoring, 00:10:35.279 --> 00:10:38.880 especially in the context of network intrusions. 00:10:40.320 --> 00:10:41.920 So as I said, you don't really need to 00:10:41.920 --> 00:10:44.240 have a Windows workstation. You simply 00:10:44.240 --> 00:10:46.000 need to have the Ubuntu VM, and you can 00:10:46.000 --> 00:10:48.800 pretty much run everything from it. And, 00:10:48.800 --> 00:10:50.560 of course, you can set up the Splunk 00:10:50.560 --> 00:10:54.240 Enterprise Security server on Linode 00:10:54.240 --> 00:10:56.480 without any issues. 00:10:56.480 --> 00:10:58.399 So that's the lab environment. We can now 00:10:58.399 --> 00:11:00.000 get started with the practical 00:11:00.000 --> 00:11:01.440 demonstration. So I'm going to switch 00:11:01.440 --> 00:11:05.040 over to my Ubuntu virtual machine. 00:11:05.040 --> 00:11:07.600 Alright. So I'm back on my Ubuntu 00:11:07.600 --> 00:11:09.360 virtual machine, and you can see I have 00:11:09.360 --> 00:11:11.279 Linode opened up here. 00:11:11.279 --> 00:11:13.279 I haven't set anything up yet because 00:11:13.279 --> 00:11:14.640 we're going to be walking through the 00:11:14.640 --> 00:11:16.079 process together. 00:11:16.079 --> 00:11:18.959 I then have the Splunk.com website here. 00:11:18.959 --> 00:11:21.040 So if you're new to Splunk, then you need 00:11:21.040 --> 00:11:22.640 to create a new account in order to 00:11:22.640 --> 00:11:25.740 follow along. So just head over to 00:11:25.740 --> 00:11:27.279 Splunk.com and, you know, 00:11:27.279 --> 00:11:29.519 register for an account. It's free. 00:11:29.519 --> 00:11:31.120 Once that is done, 00:11:31.120 --> 00:11:33.120 you'll need to activate your account or 00:11:33.120 --> 00:11:35.120 verify your account through 00:11:35.120 --> 00:11:36.880 the verification email 00:11:36.880 --> 00:11:39.680 they'll send you. Once that is done, 00:11:39.680 --> 00:11:41.279 we can then move forward. Because in 00:11:41.279 --> 00:11:44.320 order to access the actual 00:11:44.320 --> 00:11:46.800 Splunk Universal Forwarder, you'll need to 00:11:46.800 --> 00:11:48.720 have an account. And of course, you 00:11:48.720 --> 00:11:50.639 know, in this case, I'll be going through 00:11:50.639 --> 00:11:52.800 everything as we move along in a 00:11:52.800 --> 00:11:55.519 structured manner. And 00:11:55.519 --> 00:11:59.120 then to perform the actual NIDS tests, 00:12:00.160 --> 00:12:01.780 we are going to be using the 00:12:01.780 --> 00:12:03.839 testmyNIDS.org project, 00:12:03.839 --> 00:12:06.480 which is on GitHub. So this is 00:12:06.480 --> 00:12:08.880 essentially a bash script 00:12:08.880 --> 00:12:11.440 that allows you to--as you can see here-- 00:12:11.440 --> 00:12:13.279 it allows you to essentially emulate or 00:12:13.279 --> 00:12:16.800 simulate malicious network traffic. So, 00:12:16.800 --> 00:12:19.440 previously, we had used 00:12:19.440 --> 00:12:21.279 the website technique to essentially get 00:12:21.279 --> 00:12:23.760 a Linux UID, and that traffic would be 00:12:23.760 --> 00:12:26.240 logged as malicious, or 00:12:26.240 --> 00:12:27.760 it could be logged as a potential 00:12:27.760 --> 00:12:30.000 intrusion. And we can run a few other 00:12:30.000 --> 00:12:33.360 checks like HTTP basic authentication, 00:12:33.360 --> 00:12:35.519 bad certificate authorities, 00:12:35.519 --> 00:12:38.639 an EXE or DLL download over HTTP. So, 00:12:38.639 --> 00:12:40.720 you know, we can run tests that, 00:12:40.720 --> 00:12:42.959 you know, will just make our 00:12:42.959 --> 00:12:45.440 intrusion detection system blow up in 00:12:45.440 --> 00:12:47.600 terms of alerts. And that's what we want 00:12:47.600 --> 00:12:49.519 because we want to see how that data is 00:12:49.519 --> 00:12:52.160 presented to us as a security engineer 00:12:52.160 --> 00:12:55.040 on Splunk. With that being said, the first 00:12:55.040 --> 00:12:58.030 step, of course, is to set up Splunk ES on Linode. 00:12:58.330 --> 00:13:04.079 So just click on “Create a Linode” and click on “Marketplace.” 00:13:04.079 --> 00:13:06.399 And they already have Splunk here. So 00:13:06.399 --> 00:13:08.480 there we are. You can click on that there. 00:13:08.480 --> 00:13:10.240 And if you click on this little info 00:13:10.240 --> 00:13:12.399 button here, it'll give you an idea as to 00:13:12.399 --> 00:13:14.320 how to deploy it on 00:13:14.320 --> 00:13:16.480 Linode. And, of course, you have more 00:13:16.480 --> 00:13:18.399 information regarding Splunk. So you have 00:13:18.399 --> 00:13:20.480 the documentation link there. So I'll 00:13:20.480 --> 00:13:22.959 just click on Splunk. 00:13:22.959 --> 00:13:24.639 Once that is clicked, we can then head 00:13:24.639 --> 00:13:26.720 over here. You'll need to specify the 00:13:26.720 --> 00:13:28.959 Splunk admin user. I recommend using 00:13:28.959 --> 00:13:32.510 “admin” to begin with and then specify a password. 00:13:33.440 --> 00:13:35.519 If you're setting up, you know, Splunk on 00:13:35.519 --> 00:13:37.600 a domain, then you can specify the 00:13:37.600 --> 00:13:39.839 Linode API token to essentially create 00:13:39.839 --> 00:13:42.320 the DNS records--that's if you're using 00:13:42.320 --> 00:13:44.320 Linode's DNS service. 00:13:45.839 --> 00:13:47.519 And then, of course, you need to add 00:13:47.519 --> 00:13:49.519 the admin email for the server. So in 00:13:49.519 --> 00:13:52.000 this case, I can just say, for example, 00:13:52.000 --> 00:13:55.080 hackersploit@gmail.com. 00:13:55.519 --> 00:13:57.360 Don't spam me on this email because I 00:13:57.360 --> 00:13:59.519 don't respond anyway. So we can create 00:13:59.519 --> 00:14:01.040 another user. 00:14:01.040 --> 00:14:02.480 This is the username for the 00:14:02.480 --> 00:14:04.720 Linode admin's SSH user. Please ensure 00:14:04.720 --> 00:14:06.480 that the username does not contain any... 00:14:06.480 --> 00:14:08.880 so we can just call this “admin.” And then 00:14:08.880 --> 00:14:11.360 for the admin user, we'll just say 00:14:11.360 --> 00:14:13.199 provide that there. 00:14:13.199 --> 00:14:14.800 So the image--we're going to set it up on 00:14:14.800 --> 00:14:18.079 Ubuntu 20.04. The region--I’ll say London 00:14:18.079 --> 00:14:19.920 because that's closest to me. 00:14:19.920 --> 00:14:22.240 As for the actual Linode plan, 00:14:22.240 --> 00:14:24.720 Linode ES doesn't require that many 00:14:24.720 --> 00:14:26.480 resources, especially because, you know, 00:14:26.480 --> 00:14:28.720 the amount of data that we're processing 00:14:28.720 --> 00:14:30.959 or the logs that are being forwarded to 00:14:30.959 --> 00:14:34.320 Splunk are relatively few--so less than 00:14:34.320 --> 00:14:36.160 100--which, if you've used Splunk before 00:14:36.160 --> 00:14:37.920 for security event monitoring, you know 00:14:37.920 --> 00:14:39.040 that that is 00:14:39.040 --> 00:14:41.199 really, really small. In 00:14:41.199 --> 00:14:43.199 fact, Splunk will actually tell you, 00:14:43.199 --> 00:14:44.959 you know, that the amount of data 00:14:44.959 --> 00:14:47.519 to begin with that you have imported or 00:14:47.519 --> 00:14:50.670 forwarded is too little to make any sense of. 00:14:50.880 --> 00:14:52.480 But that's where the Snort app for 00:14:52.480 --> 00:14:54.800 Splunk comes into play. So I'll just say 00:14:54.800 --> 00:14:56.000 “Splunk,” 00:14:56.000 --> 00:14:59.360 and I'll provide my root password for the server. 00:14:59.360 --> 00:15:02.079 And we can click on “Create.” 00:15:02.079 --> 00:15:03.360 Alright. Now, 00:15:03.360 --> 00:15:06.079 once this is set up and provisioned, 00:15:06.079 --> 00:15:08.079 the actual installer is going to begin. 00:15:08.079 --> 00:15:10.079 So it's going to set up because there is 00:15:10.079 --> 00:15:13.410 an auto-installer setup that will set up Splunk. 00:15:13.410 --> 00:15:15.199 Yes. For you. So, let it 00:15:15.199 --> 00:15:16.880 provision. After that's done, you can 00:15:16.880 --> 00:15:19.199 launch the Lish console to avoid logging 00:15:19.199 --> 00:15:22.160 in via SSH. And of course, one thing that 00:15:22.160 --> 00:15:24.000 I don't need to tell you 00:15:24.000 --> 00:15:25.680 is, if you're setting this up for 00:15:25.680 --> 00:15:27.680 production, then you need to make sure 00:15:27.680 --> 00:15:29.759 you're securing your server. So do only 00:15:29.759 --> 00:15:33.420 use SSH keys for authentication with the server. 00:15:33.759 --> 00:15:35.920 If you're new to hardening and securing 00:15:35.920 --> 00:15:37.759 a Linux server, you can check out the 00:15:37.759 --> 00:15:39.360 previous series 00:15:39.360 --> 00:15:41.920 that we did with Linux--the Linux Server 00:15:41.920 --> 00:15:44.800 Security series. They'll give you, 00:15:44.800 --> 00:15:46.959 you know, all the information you need to 00:15:46.959 --> 00:15:49.759 secure a Linux server for production. 00:15:49.759 --> 00:15:50.959 With that being said, I'm just going to 00:15:50.959 --> 00:15:52.800 let it provision, after which we can 00:15:52.800 --> 00:15:54.560 launch the Lish console to see what's 00:15:54.560 --> 00:15:56.639 going on in the background. And we can 00:15:56.639 --> 00:15:59.350 then get started, you know, officially 00:15:59.350 --> 00:16:01.839 with how to set up Splunk. We then need 00:16:01.839 --> 00:16:04.720 to set up the Universal Forwarder. 00:16:04.720 --> 00:16:07.529 So, this is booting now. 00:16:08.639 --> 00:16:11.120 Alright. So the server is booted, and 00:16:11.120 --> 00:16:12.800 you can see I've just opened up the Lish 00:16:12.800 --> 00:16:14.320 console here 00:16:14.320 --> 00:16:15.920 to essentially view what's going on. As 00:16:15.920 --> 00:16:18.000 you can see, it's begun setting up 00:16:18.000 --> 00:16:20.399 Splunk ES. So just give this a couple of 00:16:20.399 --> 00:16:22.809 minutes to essentially begin. 00:16:23.279 --> 00:16:25.600 And once it's done, it'll actually 00:16:25.600 --> 00:16:27.360 tell you that, and it'll provide you with the 00:16:27.360 --> 00:16:28.800 login prompt. 00:16:28.800 --> 00:16:30.399 But it's probably logged in as the root 00:16:30.399 --> 00:16:32.000 user already. So 00:16:32.000 --> 00:16:33.759 just let this complete. I'm just going to 00:16:33.759 --> 00:16:36.880 wait for this to actually conclude. 00:16:36.880 --> 00:16:40.000 Alright. So once Splunk ES is done, 00:16:40.000 --> 00:16:42.880 or the actual Linode is done here 00:16:42.880 --> 00:16:44.320 with the setup, you can see it's going to 00:16:44.320 --> 00:16:46.240 tell you "installation complete," 00:16:46.240 --> 00:16:48.160 and you can then log in. Keep this 00:16:48.160 --> 00:16:49.519 window open because this is going to be 00:16:49.519 --> 00:16:50.880 very important, as we'll need to 00:16:50.880 --> 00:16:53.440 configure a few firewall rules. 00:16:53.440 --> 00:16:56.320 By default, this Linode comes with UFW, 00:16:56.320 --> 00:16:58.720 which is the uncomplicated firewall for 00:16:58.720 --> 00:17:00.079 Debian, or 00:17:00.079 --> 00:17:02.000 it typically comes prepackaged with 00:17:02.000 --> 00:17:04.959 Debian-based distributions like Ubuntu. 00:17:04.959 --> 00:17:06.559 In this case, it's already added the 00:17:06.559 --> 00:17:08.400 firewall rule for the port that we 00:17:08.400 --> 00:17:10.000 wanted, but just keep it open because 00:17:10.000 --> 00:17:12.559 we'll need to run a few checks. So you 00:17:12.559 --> 00:17:14.000 can log in there. So I'm just going to 00:17:14.000 --> 00:17:15.679 log in with the credentials that I 00:17:15.679 --> 00:17:18.720 specified as the root user. And I can 00:17:18.720 --> 00:17:22.160 just say sudo ufw status. 00:17:23.839 --> 00:17:25.439 And you can see these are all the 00:17:25.439 --> 00:17:28.160 allowed rules or the actual rules 00:17:28.160 --> 00:17:30.400 configured for the firewall, which is 00:17:30.400 --> 00:17:32.400 looking good so far. 00:17:32.400 --> 00:17:35.679 So we can access the Splunk ES instance 00:17:35.679 --> 00:17:37.840 that we set up by pasting in the IP of 00:17:37.840 --> 00:17:42.080 the server and opening up port 8000. 00:17:42.080 --> 00:17:44.080 That's going to open up Splunk ES for 00:17:44.080 --> 00:17:45.760 you. So just give this a couple of 00:17:45.760 --> 00:17:48.240 seconds. There we are. And the credentials 00:17:48.240 --> 00:17:50.880 that we had used were "admin" and the 00:17:50.880 --> 00:17:53.280 password that I created--that, you know, 00:17:53.280 --> 00:17:54.559 of course, you'll be able to 00:17:54.559 --> 00:17:57.200 specify yourself. So just sign in. 00:17:57.200 --> 00:17:59.919 And once that is done, you'll be 00:17:59.919 --> 00:18:04.560 brought to Splunk Enterprise Security here. 00:18:04.560 --> 00:18:05.360 So there we are--explore 00:18:05.360 --> 00:18:07.200 Splunk Enterprise. 00:18:10.000 --> 00:18:11.360 And in this case, what we're going to be 00:18:11.360 --> 00:18:14.080 doing--what we're going to start off with-- 00:18:14.080 --> 00:18:16.240 is we need to go through a few 00:18:16.240 --> 00:18:19.350 configuration changes with Splunk itself. 00:18:19.760 --> 00:18:22.880 So the idea, firstly, is to configure 00:18:22.880 --> 00:18:26.120 the actual receiving of data. 00:18:26.120 --> 00:18:27.360 So if you head over into "Settings," 00:18:27.360 --> 00:18:29.440 you can click on "Data," then just click 00:18:29.440 --> 00:18:31.840 on "Forwarding and Receiving." 00:18:31.840 --> 00:18:34.400 And once that is done--once that is 00:18:34.400 --> 00:18:35.760 loaded up-- 00:18:35.760 --> 00:18:38.080 under "Receive Data," we need to 00:18:38.080 --> 00:18:40.000 configure this instance to receive data 00:18:40.000 --> 00:18:41.600 forwarded from other instances. So we 00:18:41.600 --> 00:18:43.520 want to configure receiving, 00:18:43.520 --> 00:18:46.799 and we just want to set the default receiving port. 00:18:46.799 --> 00:18:50.400 So we can say "New Receiving Port," 00:18:50.400 --> 00:18:52.160 and the port is, of course, going to be 00:18:52.160 --> 00:18:54.799 the default, which is 9997--which is why 00:18:54.799 --> 00:18:56.640 that firewall rule was added. So I'll 00:18:56.640 --> 00:18:58.182 click on Save. 00:18:58.880 --> 00:19:01.200 Alright. So once that is done, we can 00:19:01.200 --> 00:19:04.110 now install the Snort app 00:19:04.110 --> 00:19:06.240 for Splunk. So click on "Apps" and head 00:19:06.240 --> 00:19:08.480 over into "Find More Apps." 00:19:08.480 --> 00:19:11.360 And because the Ubuntu server is running-- 00:19:11.360 --> 00:19:13.120 or the Ubuntu VM that I'm currently 00:19:13.120 --> 00:19:15.919 working on is running--Snort 2, we'll need 00:19:15.919 --> 00:19:18.160 the appropriate app here. So I'll just 00:19:18.160 --> 00:19:20.160 search for "Snort" there. And we're not 00:19:20.160 --> 00:19:22.320 looking for the Snort 3 JSON alerts, 00:19:22.320 --> 00:19:24.320 although that, you know, could be quite 00:19:24.320 --> 00:19:26.480 useful, but we want the Snort alert for 00:19:26.480 --> 00:19:28.720 Splunk. Alright. So this app provides 00:19:28.720 --> 00:19:30.880 field extraction. So that's really great 00:19:30.880 --> 00:19:32.400 because performing your own field 00:19:32.400 --> 00:19:34.960 extractions using regex 00:19:34.960 --> 00:19:36.400 can be quite difficult if you're a 00:19:36.400 --> 00:19:39.360 beginner. So fast and full, 00:19:39.360 --> 00:19:42.400 as well as dashboards, saved searches, 00:19:42.400 --> 00:19:45.600 reports, event types, tags, and event 00:19:45.600 --> 00:19:48.080 search interfaces. So we'll install that. 00:19:48.080 --> 00:19:50.240 Now you'll need to log in with 00:19:50.240 --> 00:19:52.400 your Splunk account credentials that you, 00:19:52.400 --> 00:19:55.120 you know, actually created on 00:19:55.120 --> 00:19:57.760 splunk.com. So I'll just fill in my 00:19:57.760 --> 00:20:00.400 information really quickly. 00:20:00.400 --> 00:20:02.240 Alright. So I've put in my username and 00:20:02.240 --> 00:20:04.240 password. So I'll just say I'll accept 00:20:04.240 --> 00:20:06.320 the terms and conditions there. So log in 00:20:06.320 --> 00:20:07.600 and install. 00:20:07.600 --> 00:20:09.280 That's going to install it. There we are. 00:20:09.280 --> 00:20:10.880 So we'll just hit "Done." 00:20:10.880 --> 00:20:13.360 Now that that is done, if we head back over 00:20:13.360 --> 00:20:16.400 into our dashboard--so I'll just click on 00:20:16.400 --> 00:20:18.400 Splunk Enterprise there-- 00:20:18.400 --> 00:20:20.720 you can now see we have Snort 00:20:20.720 --> 00:20:23.039 Alert for Splunk. So that already 00:20:23.039 --> 00:20:25.600 comes preconfigured with a dashboard. 00:20:25.600 --> 00:20:28.600 So we'll just let this load up here. 00:20:28.600 --> 00:20:30.000 And you can see that we don't have 00:20:30.000 --> 00:20:32.480 any data yet. So this will display 00:20:32.480 --> 00:20:34.559 your events and sources, top source 00:20:34.559 --> 00:20:36.480 countries, the events. This is very 00:20:36.480 --> 00:20:38.480 important--these sources, top 10 00:20:38.480 --> 00:20:41.039 classification. So that'll classify 00:20:41.039 --> 00:20:44.400 your alerts in terms of the 00:20:44.400 --> 00:20:46.640 type, which again will make sense in a 00:20:46.640 --> 00:20:49.280 couple of seconds. So now that that is 00:20:49.280 --> 00:20:51.600 done, we actually need to configure 00:20:51.600 --> 00:20:54.480 the actual Splunk Universal Forwarder. So 00:20:54.480 --> 00:20:56.480 I'll just open that up in a new tab. It's 00:20:56.480 --> 00:20:59.120 absolutely free to download the Debian 00:20:59.120 --> 00:21:01.840 client or the Splunk Universal 00:21:01.840 --> 00:21:04.159 Forwarder Debian package. So Universal 00:21:04.159 --> 00:21:06.960 Forwarders provide reliable, secure 00:21:06.960 --> 00:21:09.440 data collection from remote 00:21:09.440 --> 00:21:11.520 sources and forward that data into 00:21:11.520 --> 00:21:14.159 Splunk software for indexing and 00:21:14.159 --> 00:21:16.880 consolidation. They can scale to tens of 00:21:16.880 --> 00:21:18.799 thousands of remote systems, collecting 00:21:18.799 --> 00:21:20.720 terabytes of data. So 00:21:20.720 --> 00:21:23.039 again, you can actually see why Splunk is 00:21:23.039 --> 00:21:25.360 so powerful and why it's widely used 00:21:25.360 --> 00:21:27.440 and deployed--because of the fact that 00:21:27.440 --> 00:21:30.480 you can literally be... 00:21:30.480 --> 00:21:32.640 literally forward a ton of data from a 00:21:32.640 --> 00:21:35.840 ton of systems into Splunk. So because 00:21:35.840 --> 00:21:38.480 Snort is running on this 00:21:38.480 --> 00:21:40.480 Ubuntu VM, we need the Debian package. So 00:21:40.480 --> 00:21:41.919 I'll click on Linux, and we want the 00:21:41.919 --> 00:21:45.039 64-bit version. Again, you can choose one 00:21:45.039 --> 00:21:46.559 based on your requirements. So if you're 00:21:46.559 --> 00:21:49.840 running on Red Hat, Fedora, or CentOS, you 00:21:49.840 --> 00:21:51.520 can use the RPM package. So I'll just 00:21:51.520 --> 00:21:54.559 download the Debian package here. 00:21:54.559 --> 00:21:56.080 Give that a couple of seconds. It's then 00:21:56.080 --> 00:21:58.240 going to begin downloading it, and then 00:21:58.240 --> 00:22:00.000 I'll walk you through the setup process. 00:22:00.000 --> 00:22:01.840 So there we are. 00:22:01.840 --> 00:22:04.260 It's begun the setup. 00:22:07.360 --> 00:22:09.440 And once that is done, I'll open up my 00:22:09.440 --> 00:22:10.799 terminal. So that's saved in the 00:22:10.799 --> 00:22:12.960 Downloads directory. So 00:22:12.960 --> 00:22:14.320 if we check--if we head over into the 00:22:14.320 --> 00:22:15.840 Downloads directory--you can see we have 00:22:15.840 --> 00:22:18.489 the Splunk Forwarder Debian package there. 00:22:19.200 --> 00:22:21.679 So what we want to do, firstly, is we want 00:22:21.679 --> 00:22:25.680 to move this package into the actual /opt 00:22:25.680 --> 00:22:28.080 directory on Linux, which will 00:22:28.080 --> 00:22:30.880 essentially allow us to, you know, 00:22:30.880 --> 00:22:33.360 to set it up as optional software. And 00:22:33.360 --> 00:22:35.280 it's really good to have all that 00:22:35.280 --> 00:22:38.240 optional software stored in the 00:22:38.240 --> 00:22:42.240 directory. So, once that is done and 00:22:42.240 --> 00:22:44.320 once that's downloaded, we can say, 00:22:44.320 --> 00:22:45.600 move 00:22:45.600 --> 00:22:48.480 Splunk forward into opt, 00:22:48.480 --> 00:22:50.400 and we'll need sudo privileges. So I'll 00:22:50.400 --> 00:22:52.559 say sudo move. There we are. And I'll just 00:22:52.559 --> 00:22:55.120 type in my password. Fantastic. So 00:22:55.120 --> 00:22:57.360 now navigate to the opt directory. And to 00:22:57.360 --> 00:23:00.320 install this, we can say sudo apt, 00:23:00.320 --> 00:23:02.960 and then we can specify install. So we 00:23:02.960 --> 00:23:05.120 can say sudo apt install, 00:23:05.120 --> 00:23:06.960 and then we specify the package itself. 00:23:06.960 --> 00:23:09.440 So Splunk forwarder, 00:23:09.440 --> 00:23:11.440 and we're just going to hit enter. That's 00:23:11.440 --> 00:23:13.520 going to install it for you. 00:23:13.520 --> 00:23:16.880 Give that a couple of seconds. 00:23:19.440 --> 00:23:21.520 Alright. So once that is installed, if 00:23:21.520 --> 00:23:23.039 you list out the contents of this 00:23:23.039 --> 00:23:24.559 directory, you're gonna have a Splunk 00:23:24.559 --> 00:23:26.559 forwarder directory here. So I'll say cd 00:23:26.559 --> 00:23:29.200 splunkforwarder. And under the binary 00:23:29.200 --> 00:23:31.200 directory, we can navigate to that here. 00:23:31.200 --> 00:23:32.720 We'll need to start-- 00:23:32.720 --> 00:23:35.600 we'll need to start Splunk. So we will 00:23:35.600 --> 00:23:37.280 say sudo, 00:23:37.280 --> 00:23:39.039 and the binary we want to run is called 00:23:39.039 --> 00:23:41.279 splunk, and we'll accept the license. 00:23:41.279 --> 00:23:42.799 The reason we're doing this is because 00:23:42.799 --> 00:23:44.799 we need to configure it. So we need to 00:23:44.799 --> 00:23:46.799 specify the username and password, or, you 00:23:46.799 --> 00:23:49.279 know, create a username and password. 00:23:49.279 --> 00:23:52.000 And once that is done, you'll actually 00:23:52.000 --> 00:23:53.360 see what that looks like. So I'll just 00:23:53.360 --> 00:23:55.679 say accept the license. 00:23:55.679 --> 00:23:59.200 And, you can see in this case, let's see if I 00:23:59.200 --> 00:24:01.200 typed that incorrectly. That should 00:24:01.200 --> 00:24:03.600 actually start. So splunk start. I did not 00:24:03.600 --> 00:24:05.440 specify start there. 00:24:05.440 --> 00:24:06.799 There we are. So please enter an 00:24:06.799 --> 00:24:09.679 administrator name. I'll just say admin. 00:24:09.679 --> 00:24:12.000 So again, Splunk software must create an 00:24:12.000 --> 00:24:14.320 administrator account during startup. 00:24:14.320 --> 00:24:16.559 Otherwise, you cannot log in. So create 00:24:16.559 --> 00:24:18.899 credentials for the administrator account. 00:24:20.640 --> 00:24:22.320 So in this case, you can 00:24:22.320 --> 00:24:23.600 create whatever you want. I'm just going 00:24:23.600 --> 00:24:26.000 to fill in my credentials here. 00:24:26.000 --> 00:24:28.640 Alright, so I've just entered my 00:24:28.640 --> 00:24:30.320 administrator username and then, of 00:24:30.320 --> 00:24:32.400 course, my password. So 00:24:32.400 --> 00:24:33.840 that is done. 00:24:33.840 --> 00:24:36.240 So it'll go through-- 00:24:36.240 --> 00:24:37.760 it'll essentially go through and check 00:24:37.760 --> 00:24:40.400 the prerequisites. New certs have been 00:24:40.400 --> 00:24:42.960 generated in the following directory, 00:24:42.960 --> 00:24:45.200 and all the preliminary checks have 00:24:45.200 --> 00:24:47.520 passed. So starting the Splunk server 00:24:47.520 --> 00:24:49.440 daemon--so that started. You can also 00:24:49.440 --> 00:24:52.159 enable it to run on system startup. So if 00:24:52.159 --> 00:24:56.330 I say, you know, for example, sudo systemctl 00:24:56.720 --> 00:24:58.910 status splunk, 00:24:59.520 --> 00:25:01.840 let me type that correctly here. So 00:25:01.840 --> 00:25:03.360 splunk-- 00:25:03.360 --> 00:25:07.520 sorry, systemctl, 00:25:07.520 --> 00:25:10.240 and we can say splunkd. 00:25:10.240 --> 00:25:12.880 Sorry. So we can say splunk. I'm not 00:25:12.880 --> 00:25:15.039 really sure why that's not loading here. 00:25:15.039 --> 00:25:17.520 But I do know that the daemon is running, 00:25:17.520 --> 00:25:23.620 and there should be an init daemon for that. 00:25:23.620 --> 00:25:24.799 But in any case, 00:25:24.799 --> 00:25:27.360 you can always start it that way. 00:25:27.360 --> 00:25:29.840 Once that is done, we will need to add 00:25:29.840 --> 00:25:32.320 our forward server. So we need to add 00:25:32.320 --> 00:25:34.960 the address of the server--the 00:25:34.960 --> 00:25:37.039 Splunk server that we're forwarding our 00:25:37.039 --> 00:25:39.600 logs to. We'll move on to what 00:25:39.600 --> 00:25:42.480 logs we want to forward in a second. But 00:25:42.480 --> 00:25:44.159 let's do that first. So again, we're going 00:25:44.159 --> 00:25:45.799 to use the 00:25:47.520 --> 00:25:51.220 Splunk binary, and we're going to say forward-server. 00:25:51.220 --> 00:25:52.559 And we'll just copy the IP 00:25:52.559 --> 00:25:56.419 address of your Splunk server here. 00:25:56.419 --> 00:25:59.850 So there we are. And I'll paste that in there. 00:26:00.640 --> 00:26:03.320 And then you need to type in the port--so 00:26:03.320 --> 00:26:07.780 9997, that's the port to connect to. Hit enter. 00:26:08.400 --> 00:26:10.799 So splunk forward-- 00:26:11.279 --> 00:26:13.279 yeah, we need to add it. I keep forgetting 00:26:13.279 --> 00:26:16.910 the preliminary command. So add forward-server, 00:26:16.910 --> 00:26:18.260 Splunk username. 00:26:18.320 --> 00:26:21.919 So in this case, let me just put 00:26:21.919 --> 00:26:25.840 in my credentials here. 00:26:26.640 --> 00:26:29.440 Alright. And it's going to then add the 00:26:29.440 --> 00:26:31.760 forwarding to that particular address. 00:26:31.760 --> 00:26:33.760 Alright. Now that that is done, 00:26:33.760 --> 00:26:35.440 we actually need to 00:26:35.440 --> 00:26:37.919 configure a particular file, 00:26:37.919 --> 00:26:40.720 and that is going to be the outputs.conf 00:26:40.720 --> 00:26:43.039 directory. If it's already set up for us, 00:26:43.039 --> 00:26:45.039 which it should be, 00:26:45.039 --> 00:26:46.880 then we do not need to go through the 00:26:46.880 --> 00:26:49.360 initial setup. So, 00:26:49.360 --> 00:26:51.120 if we head over into the following 00:26:51.120 --> 00:26:52.640 directory--so I'll just take a step back-- 00:26:52.640 --> 00:26:55.120 we're still in the Splunk forwarder directory. 00:26:55.279 --> 00:26:59.739 We'll head over into the etc directory. 00:26:59.739 --> 00:27:01.679 And under system, 00:27:01.679 --> 00:27:05.039 we have a file under local, I think. It is 00:27:05.039 --> 00:27:06.640 called outputs here. Right? So I'm going to say 00:27:06.640 --> 00:27:09.680 sudo vim outputs.conf. 00:27:09.840 --> 00:27:11.840 And really, the only thing that is 00:27:11.840 --> 00:27:14.290 required here is, 00:27:14.290 --> 00:27:16.159 of course, just leave the default 00:27:16.159 --> 00:27:18.320 configuration as is. The default group is 00:27:18.320 --> 00:27:21.760 fine. So tcpout:default-autolb-group, 00:27:21.760 --> 00:27:23.279 that's fine. So make sure that the 00:27:23.279 --> 00:27:25.840 server option here is configured--that's 00:27:25.840 --> 00:27:29.100 the most important. And the tcpout-server 00:27:29.100 --> 00:27:30.320 address is also configured in 00:27:30.320 --> 00:27:32.000 this format. So we don't need to make any 00:27:32.000 --> 00:27:34.670 changes there. So I'll just say quit and exit. 00:27:35.120 --> 00:27:38.640 Once that is done, we also need to check 00:27:38.640 --> 00:27:41.279 the actual inputs configuration file. 00:27:41.279 --> 00:27:43.200 But before we do that, 00:27:43.200 --> 00:27:45.279 let's take a look. So if you revisit the 00:27:45.279 --> 00:27:46.880 Snort video, 00:27:46.880 --> 00:27:48.880 you know that all the logs are stored 00:27:48.880 --> 00:27:53.110 under /var/log/snort. 00:27:53.110 --> 00:27:55.760 Right? So we have the alert log, 00:27:55.760 --> 00:27:59.279 and we also have--so again, based on 00:27:59.279 --> 00:28:02.000 the type of alerts 00:28:02.000 --> 00:28:03.200 you want generated--so, you know, 00:28:03.200 --> 00:28:05.440 if I say man snort here, 00:28:05.440 --> 00:28:08.090 you can see that we have the alert mode. 00:28:08.090 --> 00:28:09.440 So you can use the fast mode or the 00:28:09.440 --> 00:28:11.360 full mode. In this case, I'll be using the 00:28:11.360 --> 00:28:12.559 fast mode, 00:28:13.760 --> 00:28:15.279 and I'll give you a description of what's 00:28:15.279 --> 00:28:17.279 going on here. Right? So 00:28:17.279 --> 00:28:19.919 full writes the alert to the alert 00:28:19.919 --> 00:28:21.919 file with the full decoded header as 00:28:21.919 --> 00:28:24.720 well as the alert message, which might be 00:28:24.720 --> 00:28:27.279 important. So we can also do that as well. 00:28:27.279 --> 00:28:29.600 So this was from the previous--from 00:28:29.600 --> 00:28:31.760 the Snort video where we 00:28:31.760 --> 00:28:33.360 had run... 00:28:33.360 --> 00:28:35.840 essentially run Snort and, you know, 00:28:35.840 --> 00:28:38.480 where we were identifying various alerts. 00:28:38.480 --> 00:28:41.919 So, what we can do is, again, we'll 00:28:41.919 --> 00:28:43.760 go through what needs to be created, but 00:28:43.760 --> 00:28:45.600 we can run a quick test command just to 00:28:45.600 --> 00:28:46.880 see whether 00:28:46.880 --> 00:28:48.799 the actual alerts are being logged 00:28:48.799 --> 00:28:50.320 within the alert file, because we have 00:28:50.320 --> 00:28:53.039 alert.1. Ideally, we would only want 00:28:53.039 --> 00:28:55.760 to forward this file into Splunk. 00:28:55.760 --> 00:28:58.080 So, in order to do this, what I'm going 00:28:58.080 --> 00:29:00.080 to do now is I'm just gonna run Snort 00:29:00.080 --> 00:29:03.590 really quickly. So I'm going to say sudo snort -q, 00:29:03.919 --> 00:29:06.000 for quiet, and then 00:29:06.000 --> 00:29:10.500 the actual directory for the logs is /var/log/snort. 00:29:11.360 --> 00:29:14.640 And then we can say the interface is enp0s3. 00:29:14.640 --> 00:29:16.240 Again, make sure to replace that with 00:29:16.240 --> 00:29:19.039 your own interface. The alert, we can 00:29:19.039 --> 00:29:20.320 say full, 00:29:20.320 --> 00:29:26.190 and the configuration is /etc/snort/snort.conf. 00:29:26.399 --> 00:29:28.320 I believe we had another configuration 00:29:28.320 --> 00:29:30.720 file. Yeah. We had used the snort.conf file. 00:29:30.720 --> 00:29:32.399 So I'll hit enter. 00:29:32.399 --> 00:29:35.560 And now let me open up my file explorer here. 00:29:35.840 --> 00:29:38.720 We take a look at the var directory 00:29:38.720 --> 00:29:42.240 under log. And under snort, 00:29:42.240 --> 00:29:44.960 we have alert. There we are. So, 00:29:44.960 --> 00:29:47.960 that has been modified. The last was 00:29:47.960 --> 00:29:50.050 modified 00:29:51.200 --> 00:29:53.919 right over there. Okay. So that's 19. Yeah. 00:29:53.919 --> 00:29:55.679 So this is the last modified. So I know 00:29:55.679 --> 00:29:58.000 this file is not human-readable. We 00:29:58.000 --> 00:30:00.979 are not going to be forwarding this .log file. 00:30:00.979 --> 00:30:02.960 So I'll just close that there. 00:30:02.960 --> 00:30:07.440 So I'm just going to try and perform a few 00:30:07.440 --> 00:30:09.679 checks on the network, like a few pings, 00:30:09.679 --> 00:30:11.760 just to see if that's detected. 00:30:11.760 --> 00:30:15.679 So I'll just, you know, perform a ping really quickly. 00:30:15.679 --> 00:30:17.520 Again, the alerts will not be logged on 00:30:17.520 --> 00:30:18.960 our terminal because they're being 00:30:18.960 --> 00:30:21.200 logged, you know, into the respective 00:30:21.200 --> 00:30:24.159 alert file or the alert log file. So I'll 00:30:24.159 --> 00:30:26.080 just perform, you know, a few pings, as 00:30:26.080 --> 00:30:27.679 I was saying, which I'm doing right now 00:30:27.679 --> 00:30:29.520 on the attacker system. 00:30:29.520 --> 00:30:31.760 Once that is done, let's see whether 00:30:31.760 --> 00:30:33.760 those changes are being highlighted in 00:30:33.760 --> 00:30:37.600 alert. Indeed, they are. Okay. So now, 00:30:40.159 --> 00:30:42.399 as you can see here, 00:30:42.399 --> 00:30:45.279 this is the full-- 00:30:45.360 --> 00:30:48.000 these are... So to begin with, we had used 00:30:48.000 --> 00:30:52.729 the fast alert output mode. 00:30:54.000 --> 00:30:56.080 And right over here, we then have the 00:30:56.080 --> 00:31:00.159 full alert mode, which I'm not really sure how 00:31:00.159 --> 00:31:01.919 we want to 00:31:01.919 --> 00:31:05.360 go about doing this. But you can see, 00:31:05.360 --> 00:31:07.360 we can actually make a few changes. 00:31:07.360 --> 00:31:11.110 What we can do is we can get rid of this traffic here. 00:31:11.440 --> 00:31:13.519 But you can see the message is actually 00:31:13.519 --> 00:31:15.279 being logged. So 00:31:15.279 --> 00:31:17.760 we can get rid of this here 00:31:17.760 --> 00:31:25.749 because we don't want to mix fast alerts 00:31:26.080 --> 00:31:31.519 with the full mode. So we can just get rid of that 00:31:31.519 --> 00:31:33.611 there and save that. 00:31:34.159 --> 00:31:37.840 Once that is done, I'll just say-- 00:31:37.840 --> 00:31:41.290 we actually need permissions to modify that file. 00:31:42.000 --> 00:31:45.600 but you know what we can do is what i am 00:31:45.600 --> 00:31:47.279 going to do actually is close without 00:31:47.279 --> 00:31:49.519 saving is i'm just going to stop snort 00:31:49.519 --> 00:31:50.399 there 00:31:50.399 --> 00:31:52.080 and i'm just going to say 00:31:52.080 --> 00:31:54.480 sudo remove var 00:31:54.480 --> 00:31:56.799 log 00:31:56.960 --> 00:31:59.120 and snort and we're going to remove 00:31:59.120 --> 00:32:01.360 alert 00:32:01.360 --> 00:32:02.720 all right and we're also going to remove 00:32:02.720 --> 00:32:04.240 alert dot one 00:32:04.240 --> 00:32:05.440 all right so i'm just going to run this 00:32:05.440 --> 00:32:07.039 again just to see if that file is 00:32:07.039 --> 00:32:08.240 generated 00:32:08.240 --> 00:32:11.120 so there we are we have alert there 00:32:11.120 --> 00:32:12.559 so now it's much cleaner so i'll just 00:32:12.559 --> 00:32:14.240 run a few pings just to make sure that 00:32:14.240 --> 00:32:16.480 the traffic is being locked all those 00:32:16.480 --> 00:32:18.480 alerts are being logged 00:32:18.480 --> 00:32:20.399 uh so there we are we have a few pings 00:32:20.399 --> 00:32:21.519 there 00:32:21.519 --> 00:32:24.640 and we can also you know just run a few 00:32:24.640 --> 00:32:26.960 checks there okay so there we are we can 00:32:26.960 --> 00:32:29.360 see that those are now being logged and 00:32:29.360 --> 00:32:31.519 of course we can change the format based 00:32:31.519 --> 00:32:32.320 on 00:32:32.320 --> 00:32:33.519 you can change it based on your 00:32:33.519 --> 00:32:35.039 requirements right 00:32:35.039 --> 00:32:37.840 so um 00:32:38.000 --> 00:32:39.919 now that that is done 00:32:39.919 --> 00:32:42.000 what we can do is we can close that up 00:32:42.000 --> 00:32:44.960 and we can actually leave snort running 00:32:44.960 --> 00:32:46.320 as is 00:32:46.320 --> 00:32:48.960 so what i'll do is i'm just going to 00:32:48.960 --> 00:32:51.120 open up another tab 00:32:51.120 --> 00:32:53.120 so i'll just you know i can say control 00:32:53.120 --> 00:32:54.880 shift d there we are 00:32:54.880 --> 00:32:56.799 and we're currently within the following 00:32:56.799 --> 00:33:00.159 directory so opt opt splunk forward etsy 00:33:00.159 --> 00:33:01.519 system local 00:33:01.519 --> 00:33:03.120 so 00:33:03.120 --> 00:33:06.000 once that is done we now need to add 00:33:06.000 --> 00:33:08.080 uh we now need to add the files that we 00:33:08.080 --> 00:33:09.919 would like to monitor or that we would 00:33:09.919 --> 00:33:12.240 like to forward right so the log files 00:33:12.240 --> 00:33:15.360 so i'll go back into the bin directory 00:33:15.360 --> 00:33:17.679 so there we are cd bin because that's 00:33:17.679 --> 00:33:19.360 where we have the splunk binary so i'll 00:33:19.360 --> 00:33:20.960 say sudo 00:33:20.960 --> 00:33:22.000 um 00:33:22.000 --> 00:33:24.399 splunk 00:33:24.399 --> 00:33:28.320 and we can say add monitor 00:33:28.320 --> 00:33:30.720 and the file that we want to forward is 00:33:30.720 --> 00:33:34.399 under var log snot and it is just alert 00:33:34.399 --> 00:33:36.559 right so that's all that's really all 00:33:36.559 --> 00:33:38.720 that we want to do right 00:33:38.720 --> 00:33:41.600 and we can also utilize the fast alerts 00:33:41.600 --> 00:33:44.399 but let's just do this for now 00:33:44.399 --> 00:33:46.399 and we only want the alerts we don't 00:33:46.399 --> 00:33:48.320 want the actual log files that contain 00:33:48.320 --> 00:33:53.840 the packets themselves so i'll hit enter 00:33:54.480 --> 00:33:56.399 all right so it's now going to forward 00:33:56.399 --> 00:33:58.960 those alerts into splunk which pretty 00:33:58.960 --> 00:34:02.159 much means that on our end we are done 00:34:02.159 --> 00:34:04.000 however we still need to check one more 00:34:04.000 --> 00:34:05.840 configuration file so i'll just take a 00:34:05.840 --> 00:34:08.000 step back here and we'll head over into 00:34:08.000 --> 00:34:10.879 the etsy directory under apps 00:34:10.879 --> 00:34:13.119 and search 00:34:13.119 --> 00:34:15.520 and then into local 00:34:15.520 --> 00:34:16.720 when you think we'll need to root 00:34:16.720 --> 00:34:18.320 permissions to access this so i'll just 00:34:18.320 --> 00:34:20.079 switch to the root user and head over 00:34:20.079 --> 00:34:21.520 into local 00:34:21.520 --> 00:34:24.399 and we're looking for the inputs dot 00:34:24.399 --> 00:34:26.560 conf file 00:34:26.560 --> 00:34:28.079 uh right so we need to actually 00:34:28.079 --> 00:34:29.760 configure this because this is very 00:34:29.760 --> 00:34:31.040 important so 00:34:31.040 --> 00:34:35.119 uh the first thing we want to do is let 00:34:35.119 --> 00:34:35.919 us 00:34:35.919 --> 00:34:38.639 add a new line here and within the 00:34:38.639 --> 00:34:41.440 square brackets i'll just say splunk 00:34:41.440 --> 00:34:44.240 uh tcp 00:34:44.240 --> 00:34:46.399 and we then want to specify the port so 00:34:46.399 --> 00:34:48.399 9997 00:34:48.399 --> 00:34:49.679 let me make sure i type that in 00:34:49.679 --> 00:34:51.520 correctly 00:34:51.520 --> 00:34:54.240 we then need to actually put in the 00:34:54.240 --> 00:34:56.960 connection 00:34:56.960 --> 00:35:01.200 um so the connection host so connection 00:35:01.200 --> 00:35:03.440 host is going to be equal to the ip 00:35:03.440 --> 00:35:05.280 address of the splunk 00:35:05.280 --> 00:35:06.560 server 00:35:06.560 --> 00:35:08.960 so i'll just copy that there paste that 00:35:08.960 --> 00:35:11.280 in there 00:35:11.280 --> 00:35:14.000 once that is done 00:35:14.000 --> 00:35:16.320 this is fine here disabled is set to 00:35:16.320 --> 00:35:19.040 false we want index is going to be equal 00:35:19.040 --> 00:35:20.320 to main 00:35:20.320 --> 00:35:23.680 and then the source type 00:35:23.680 --> 00:35:26.560 is going to be equal to snot 00:35:26.560 --> 00:35:27.520 alert 00:35:27.520 --> 00:35:28.960 full 00:35:28.960 --> 00:35:31.280 and we can then say the source is equal 00:35:31.280 --> 00:35:33.040 to snort all right so this is a very 00:35:33.040 --> 00:35:35.280 important configuration so let me just 00:35:35.280 --> 00:35:36.640 go through those options or 00:35:36.640 --> 00:35:38.640 configurations again we have the splunk 00:35:38.640 --> 00:35:40.320 tcp option 00:35:40.320 --> 00:35:42.880 uh we then have the actual connection 00:35:42.880 --> 00:35:45.520 host the monitor is set correctly to 00:35:45.520 --> 00:35:46.640 that file 00:35:46.640 --> 00:35:49.520 uh it's enabled index equals main source 00:35:49.520 --> 00:35:51.680 type equals snorter that full source is 00:35:51.680 --> 00:35:53.680 equal to snot fantastic so we'll write 00:35:53.680 --> 00:35:54.720 in quit 00:35:54.720 --> 00:35:57.040 uh once this is done 00:35:57.040 --> 00:35:58.720 we'll need to restart splunk so i'll 00:35:58.720 --> 00:36:00.800 switch back to my user lexis here and 00:36:00.800 --> 00:36:04.560 we'll navigate back to the bin directory 00:36:04.560 --> 00:36:06.400 so i'll say cd bin 00:36:06.400 --> 00:36:08.800 and we'll say sudo 00:36:08.800 --> 00:36:11.680 let me say splunk and we can then say 00:36:11.680 --> 00:36:13.440 restart 00:36:13.440 --> 00:36:15.680 all right hit enter 00:36:15.680 --> 00:36:18.320 it's going to stop the splunk daemon 00:36:18.320 --> 00:36:19.680 shutting it down 00:36:19.680 --> 00:36:22.160 restart it and it's done successfully so 00:36:22.160 --> 00:36:24.560 all the checks were completed without 00:36:24.560 --> 00:36:27.119 any issue all right so 00:36:27.119 --> 00:36:29.040 now that this is done we can actually go 00:36:29.040 --> 00:36:31.440 back into splunk here and we'll navigate 00:36:31.440 --> 00:36:33.280 to the dashboard 00:36:33.280 --> 00:36:35.839 uh this is your splunk server right 00:36:35.839 --> 00:36:37.440 and let's take a look at the messages 00:36:37.440 --> 00:36:39.920 here that's just uh a few updates we 00:36:39.920 --> 00:36:41.920 don't need to do anything there so if we 00:36:41.920 --> 00:36:43.119 click on 00:36:43.119 --> 00:36:45.599 search and reporting just to verify that 00:36:45.599 --> 00:36:47.839 that data has indeed been for that i'll 00:36:47.839 --> 00:36:49.280 just skip through this if we click on 00:36:49.280 --> 00:36:51.040 data summary 00:36:51.040 --> 00:36:52.880 under sources you should see that we 00:36:52.880 --> 00:36:55.680 have the host and in my case the name of 00:36:55.680 --> 00:36:58.640 the system is black box so that should 00:36:58.640 --> 00:37:01.119 be reflected there so there we are black 00:37:01.119 --> 00:37:03.280 box we have 42 00:37:03.280 --> 00:37:06.800 logs or alerts if you will sources 42 we 00:37:06.800 --> 00:37:08.640 can click on that there to just see the 00:37:08.640 --> 00:37:11.280 data that has been logged indeed we can 00:37:11.280 --> 00:37:13.040 see that has been done correctly so 00:37:13.040 --> 00:37:14.880 source type is alert 00:37:14.880 --> 00:37:17.280 uh we can see that it's imported you 00:37:17.280 --> 00:37:19.440 know pretty much all the data or the you 00:37:19.440 --> 00:37:21.119 know these are the this is the full log 00:37:21.119 --> 00:37:23.599 whereby we have the reference to that 00:37:23.599 --> 00:37:24.880 there 00:37:24.880 --> 00:37:26.800 uh that's weird i didn't actually run 00:37:26.800 --> 00:37:30.240 anything weird uh but uh there you go 00:37:30.240 --> 00:37:32.720 um so now that this is done uh you can 00:37:32.720 --> 00:37:34.880 use splunk to essentially visualize this 00:37:34.880 --> 00:37:36.800 data you know however you want so you 00:37:36.800 --> 00:37:39.359 know i can go into visualization 00:37:39.359 --> 00:37:42.240 uh and we can click on maybe we can 00:37:42.240 --> 00:37:44.720 create a um 00:37:44.720 --> 00:37:46.880 we can select a few fields so if i go 00:37:46.880 --> 00:37:50.240 back into the events here i can select a 00:37:50.240 --> 00:37:52.240 few fields that i want displayed here 00:37:52.240 --> 00:37:54.320 and i can you know essentially extract 00:37:54.320 --> 00:37:57.040 the fields that i want with rejects 00:37:57.040 --> 00:37:57.920 but 00:37:57.920 --> 00:37:59.680 i don't think this is necessary in this 00:37:59.680 --> 00:38:01.520 point because if we actually go back to 00:38:01.520 --> 00:38:03.599 the dashboard 00:38:03.599 --> 00:38:06.160 and we click on 00:38:06.160 --> 00:38:10.079 let's see splunk snot alert for splunk 00:38:10.079 --> 00:38:11.440 let's see if this is actually whether 00:38:11.440 --> 00:38:15.200 this automates that process for us 00:38:15.200 --> 00:38:17.280 uh there we are actually it looks like 00:38:17.280 --> 00:38:21.599 it does so um classification bad traffic 00:38:21.599 --> 00:38:24.160 so it looks like that is working 00:38:24.160 --> 00:38:26.400 so what we can do now 00:38:26.400 --> 00:38:28.720 is run a few 00:38:28.720 --> 00:38:31.280 uh we can actually utilize this script 00:38:31.280 --> 00:38:33.520 here the 00:38:33.520 --> 00:38:37.119 uh the test my nids script here so all 00:38:37.119 --> 00:38:39.440 you need to do to run it is just copy 00:38:39.440 --> 00:38:41.520 this one liner script here or this 00:38:41.520 --> 00:38:43.200 command that will download it into your 00:38:43.200 --> 00:38:46.000 tmp directory and will then execute it 00:38:46.000 --> 00:38:49.200 so you know to execute it within your 00:38:49.200 --> 00:38:51.599 temp directory you can just uh execute 00:38:51.599 --> 00:38:53.040 the actual 00:38:53.040 --> 00:38:54.400 um 00:38:54.400 --> 00:38:56.240 you know the actual binary there it is a 00:38:56.240 --> 00:38:58.800 binary not a script 00:38:58.800 --> 00:39:01.280 and uh once that is done you can then 00:39:01.280 --> 00:39:03.520 select the option here so let me just do 00:39:03.520 --> 00:39:05.920 that on my attacker system 00:39:05.920 --> 00:39:08.880 i'm just gonna run it one more time so 00:39:08.880 --> 00:39:14.359 um just going to say ls here and 00:39:16.160 --> 00:39:18.960 if i uh open up the documentation so 00:39:18.960 --> 00:39:21.839 firstly i will 00:39:21.839 --> 00:39:23.440 i will run 00:39:23.440 --> 00:39:26.640 a quick linux uid check so 00:39:26.640 --> 00:39:28.960 i'll just hit enter 00:39:28.960 --> 00:39:31.280 okay that is done i'll then perform a 00:39:31.280 --> 00:39:35.119 http basic authentication 00:39:35.119 --> 00:39:37.839 and a malware user agent so i'm doing 00:39:37.839 --> 00:39:40.640 that right now 00:39:40.839 --> 00:39:46.000 okay and we can run one more here so 00:39:46.000 --> 00:39:48.720 uh let's see let's see let's see uh we 00:39:48.720 --> 00:39:51.520 can try exe or dll download over http 00:39:51.520 --> 00:39:55.280 that is surely going to be um 00:39:55.280 --> 00:39:57.040 logged 00:39:57.040 --> 00:39:59.839 or that's going to trigger an alert 00:39:59.839 --> 00:40:00.640 so 00:40:00.640 --> 00:40:03.040 uh do we have uh that is running all 00:40:03.040 --> 00:40:05.280 right so snot is running that's great 00:40:05.280 --> 00:40:08.079 uh so we know that the log is being uh 00:40:08.079 --> 00:40:10.240 the actual alerts are being forwarded 00:40:10.240 --> 00:40:12.960 absolutely fantastic so let's go back in 00:40:12.960 --> 00:40:15.040 here i've already run those 00:40:15.040 --> 00:40:18.400 uh those particular checks 00:40:18.400 --> 00:40:20.160 so let me just refresh this i know it 00:40:20.160 --> 00:40:22.160 usually takes a couple of seconds to a 00:40:22.160 --> 00:40:24.400 couple of minutes but that data should 00:40:24.400 --> 00:40:26.240 start should actually be reflected there 00:40:26.240 --> 00:40:28.160 we are fantastic so 00:40:28.160 --> 00:40:31.119 uh we can see that uh you know firstly 00:40:31.119 --> 00:40:32.880 i'll just explain the dashboard here 00:40:32.880 --> 00:40:33.760 because 00:40:33.760 --> 00:40:36.160 uh this dashboard is automatically you 00:40:36.160 --> 00:40:38.000 know set up for you by the snort app 00:40:38.000 --> 00:40:39.920 which is really awesome as i said you 00:40:39.920 --> 00:40:41.440 don't need to go through that process 00:40:41.440 --> 00:40:42.560 yourself 00:40:42.560 --> 00:40:44.560 so the first graph here essentially 00:40:44.560 --> 00:40:46.400 tells you your events 00:40:46.400 --> 00:40:48.560 uh and and it also displays uh you know 00:40:48.560 --> 00:40:50.400 the total number of sources so you can 00:40:50.400 --> 00:40:52.560 see that there you also have the time 00:40:52.560 --> 00:40:54.480 uh and you saw you have your events and 00:40:54.480 --> 00:40:56.079 then the timeline here and you can 00:40:56.079 --> 00:40:58.880 essentially you know view a trend or the 00:40:58.880 --> 00:41:01.680 trend of uh of events there you then 00:41:01.680 --> 00:41:04.880 have the top uh the top source countries 00:41:04.880 --> 00:41:07.040 right over here and if i just run 00:41:07.040 --> 00:41:08.720 another check really quickly here 00:41:08.720 --> 00:41:11.119 through the nids website 00:41:11.119 --> 00:41:14.720 so uh let me just run the curl command 00:41:14.720 --> 00:41:16.640 uh you should actually see that because 00:41:16.640 --> 00:41:19.280 we are reaching out to uh you know a 00:41:19.280 --> 00:41:21.280 connection made to an external server 00:41:21.280 --> 00:41:23.680 that it should reflect that info under 00:41:23.680 --> 00:41:25.760 the top countries the top source 00:41:25.760 --> 00:41:26.800 countries 00:41:26.800 --> 00:41:28.800 so uh we then have the events here which 00:41:28.800 --> 00:41:31.280 uh you know you can click on um and then 00:41:31.280 --> 00:41:33.119 of course you have the sources 00:41:33.119 --> 00:41:36.079 so these are the uh snort event types 00:41:36.079 --> 00:41:37.760 and these are actually the 00:41:37.760 --> 00:41:39.680 classification so we can see potentially 00:41:39.680 --> 00:41:42.640 bad traffic attempted information leak 00:41:42.640 --> 00:41:44.720 and you know you can just refresh your 00:41:44.720 --> 00:41:47.440 dashboard to get the latest 00:41:47.440 --> 00:41:49.359 so we'll give that a couple of seconds 00:41:49.359 --> 00:41:52.000 and you can also specify the actual uh 00:41:52.000 --> 00:41:53.599 interval period 00:41:53.599 --> 00:41:56.400 so uh i'll just wait for this uh let's 00:41:56.400 --> 00:41:58.880 see if it's actually being logged or 00:41:58.880 --> 00:42:00.319 whether we can see all of that so i'll 00:42:00.319 --> 00:42:04.000 just go back into the dashboard here 00:42:04.000 --> 00:42:04.800 and 00:42:04.800 --> 00:42:07.359 we'll go into search and reporting and 00:42:07.359 --> 00:42:09.920 if we click on the actual 00:42:09.920 --> 00:42:13.040 data summary and the sources uh we can 00:42:13.040 --> 00:42:15.359 see we have snort there and then vast 00:42:15.359 --> 00:42:19.520 not alert so we click on snot there 00:42:19.520 --> 00:42:22.000 okay so this is bad traffic that's 00:42:22.000 --> 00:42:25.440 really weird because 00:42:26.079 --> 00:42:27.920 the source is not we had added two 00:42:27.920 --> 00:42:29.520 sources there 00:42:29.520 --> 00:42:32.720 so data summary 00:42:32.720 --> 00:42:34.800 let me just click on that there and if 00:42:34.800 --> 00:42:36.960 we click on these sources there this is 00:42:36.960 --> 00:42:40.800 the one that we want ideally 00:42:43.200 --> 00:42:46.079 yeah so that looks like uh the correct 00:42:46.079 --> 00:42:48.720 one there 00:42:49.599 --> 00:42:51.680 yeah that's the correct traffic um uh i 00:42:51.680 --> 00:42:55.119 think that's why uh the actual uh let me 00:42:55.119 --> 00:42:56.960 see if i can find so snot alert for 00:42:56.960 --> 00:43:00.640 splunk let me click on the app there 00:43:02.480 --> 00:43:04.160 show filters it should be displaying 00:43:04.160 --> 00:43:06.400 much more than that because i know yeah 00:43:06.400 --> 00:43:08.319 they're not just four 00:43:08.319 --> 00:43:09.920 so 00:43:09.920 --> 00:43:12.640 uh if we actually head over into the 00:43:12.640 --> 00:43:16.560 uh snot event search here 00:43:18.480 --> 00:43:20.800 we can actually search for uh you know 00:43:20.800 --> 00:43:25.359 we can utilize uh yeah so these are only 00:43:25.359 --> 00:43:28.400 this is only monitoring the pings so 00:43:28.400 --> 00:43:30.240 that's weird i'm not really sure why we 00:43:30.240 --> 00:43:32.319 have two data sources i think it's to do 00:43:32.319 --> 00:43:33.839 with the fact 00:43:33.839 --> 00:43:37.040 uh that uh you know we had so let me 00:43:37.040 --> 00:43:39.520 just go back here 00:43:39.520 --> 00:43:42.640 apps search and sudo root 00:43:42.640 --> 00:43:46.720 let me just check that here so cd local 00:43:46.720 --> 00:43:47.839 vim 00:43:47.839 --> 00:43:50.640 inputs dot look so there we are so the 00:43:50.640 --> 00:43:53.280 source is snort 00:43:53.280 --> 00:43:56.079 we already specified the source as not 00:43:56.079 --> 00:43:57.599 there 00:43:57.599 --> 00:43:59.520 but it's all it's adding 00:43:59.520 --> 00:44:02.319 this particular you know the alert as uh 00:44:02.319 --> 00:44:04.160 as a source as well 00:44:04.160 --> 00:44:06.400 and then this the source type is not 00:44:06.400 --> 00:44:09.040 alert full index main yeah that that 00:44:09.040 --> 00:44:10.560 should be working that should be working 00:44:10.560 --> 00:44:12.319 without any issues i'm not really sure 00:44:12.319 --> 00:44:14.079 why that is the case but 00:44:14.079 --> 00:44:16.480 we can actually customize what data set 00:44:16.480 --> 00:44:18.000 we want to use 00:44:18.000 --> 00:44:19.359 so uh 00:44:19.359 --> 00:44:21.520 i think let me actually showcase how to 00:44:21.520 --> 00:44:23.359 do that right now 00:44:23.359 --> 00:44:25.839 um so apologies about that i actually 00:44:25.839 --> 00:44:27.599 figured out what the issue was it was 00:44:27.599 --> 00:44:30.319 because the system i was running 00:44:30.319 --> 00:44:32.079 uh this particular 00:44:32.079 --> 00:44:34.560 attacks from wasn't even connected to 00:44:34.560 --> 00:44:36.800 the local network 00:44:36.800 --> 00:44:38.880 and even though i was running these 00:44:38.880 --> 00:44:41.040 these attacks i did realize that of 00:44:41.040 --> 00:44:42.640 course they weren't working so i'm just 00:44:42.640 --> 00:44:44.880 gonna i've just reconnected it 00:44:44.880 --> 00:44:47.359 and what i'm gonna do is i'm just gonna 00:44:47.359 --> 00:44:49.599 run this one more time 00:44:49.599 --> 00:44:53.359 so just give me a second here and i'll 00:44:53.359 --> 00:44:56.319 be able to do that one more time so 00:44:56.319 --> 00:44:58.560 let me just navigate to that particular 00:44:58.560 --> 00:45:00.079 directory 00:45:00.079 --> 00:45:01.040 and 00:45:01.040 --> 00:45:02.480 we'll actually see whether this will 00:45:02.480 --> 00:45:04.400 work so 00:45:04.400 --> 00:45:06.000 you can actually see there's much more 00:45:06.000 --> 00:45:07.920 uh that's been captured in regards to 00:45:07.920 --> 00:45:10.160 events and i'll be explaining this 00:45:10.160 --> 00:45:12.480 dashboard in a couple of seconds 00:45:12.480 --> 00:45:13.359 so 00:45:13.359 --> 00:45:14.960 let me just uh 00:45:14.960 --> 00:45:17.359 launch that first attack there so that 00:45:17.359 --> 00:45:19.440 you know let me just launch that first 00:45:19.440 --> 00:45:22.240 uh type of check and of course i'm using 00:45:22.240 --> 00:45:26.400 test my nids here so uh unfortunately 00:45:26.400 --> 00:45:28.000 that wasn't even being logged which is 00:45:28.000 --> 00:45:30.000 why i was a bit confused as to why those 00:45:30.000 --> 00:45:32.800 logs are not being displayed here 00:45:32.800 --> 00:45:35.520 so i'll give that a couple of seconds 00:45:35.520 --> 00:45:36.800 and 00:45:36.800 --> 00:45:38.880 we'll be able to see this happen 00:45:38.880 --> 00:45:41.920 in real time as well 00:45:41.920 --> 00:45:44.560 all right so that is done so i've 00:45:44.560 --> 00:45:46.319 essentially launched a couple of those 00:45:46.319 --> 00:45:48.319 tests and uh 00:45:48.319 --> 00:45:50.640 this as i said this is your default uh 00:45:50.640 --> 00:45:52.560 dashboard that you're provided with here 00:45:52.560 --> 00:45:53.520 so 00:45:53.520 --> 00:45:55.760 um you know you can actually refresh uh 00:45:55.760 --> 00:45:58.720 all of these um all of these panels here 00:45:58.720 --> 00:46:00.800 if you will so that'll display the 00:46:00.800 --> 00:46:03.920 latest and as i said here because i'd 00:46:03.920 --> 00:46:05.839 had performed the actual 00:46:05.839 --> 00:46:07.680 uh you know i'd perform the actual check 00:46:07.680 --> 00:46:09.520 and then connected to an external server 00:46:09.520 --> 00:46:11.680 you can see that you know the top source 00:46:11.680 --> 00:46:13.680 countries are highlighted there 00:46:13.680 --> 00:46:15.839 you can also refresh the number of 00:46:15.839 --> 00:46:18.160 events as you can see here 00:46:18.160 --> 00:46:20.319 and the number of sources so 00:46:20.319 --> 00:46:22.319 uh you can also do that for the rest of 00:46:22.319 --> 00:46:24.480 the panel so these are the top 10 00:46:24.480 --> 00:46:26.800 classifications 00:46:26.800 --> 00:46:28.960 in terms of events if you will and then 00:46:28.960 --> 00:46:31.359 the snort event types as you can see 00:46:31.359 --> 00:46:32.319 here 00:46:32.319 --> 00:46:33.839 so for example in this case we have the 00:46:33.839 --> 00:46:36.160 attack response id check which if we 00:46:36.160 --> 00:46:37.520 click on 00:46:37.520 --> 00:46:40.319 right over here 00:46:41.119 --> 00:46:42.640 you can see that it actually displays 00:46:42.640 --> 00:46:44.400 that and you can then uh you can then 00:46:44.400 --> 00:46:46.400 click on the signature itself and this 00:46:46.400 --> 00:46:48.880 is for statistics now if you click on 00:46:48.880 --> 00:46:52.000 the snort event search tab right over 00:46:52.000 --> 00:46:53.040 here 00:46:53.040 --> 00:46:54.880 you can see that this allows you to 00:46:54.880 --> 00:46:57.119 search based on the source ip the source 00:46:57.119 --> 00:46:59.680 port the destination ip destination port 00:46:59.680 --> 00:47:02.240 and the event type so i can check for 00:47:02.240 --> 00:47:04.400 attack responses based on the rule set 00:47:04.400 --> 00:47:06.480 that we had used previously 00:47:06.480 --> 00:47:09.359 and i can also specify the timing right 00:47:09.359 --> 00:47:12.079 so that's really fantastic there 00:47:12.079 --> 00:47:14.640 so you can see that right over here we 00:47:14.640 --> 00:47:16.240 have that logged 00:47:16.240 --> 00:47:19.040 which is fantastic and 00:47:19.040 --> 00:47:21.920 if we click on the snort world map 00:47:21.920 --> 00:47:24.000 that'll essentially as you'll see in a 00:47:24.000 --> 00:47:26.160 couple of seconds this will essentially 00:47:26.160 --> 00:47:28.559 display the countries by the source ips 00:47:28.559 --> 00:47:29.839 in this case it should display the 00:47:29.839 --> 00:47:32.079 united states which makes sense 00:47:32.079 --> 00:47:34.800 uh and there we are so again this is 00:47:34.800 --> 00:47:37.119 extremely helpful especially if you work 00:47:37.119 --> 00:47:39.839 in a sock and as i said there's multiple 00:47:39.839 --> 00:47:41.920 uh you know security tools you can 00:47:41.920 --> 00:47:45.040 integrate with uh with splunk 00:47:45.040 --> 00:47:46.880 now one thing that i wanted to highlight 00:47:46.880 --> 00:47:49.440 is you can if you click on edit i'll 00:47:49.440 --> 00:47:51.200 just go back to the 00:47:51.200 --> 00:47:53.200 event summary here because this is very 00:47:53.200 --> 00:47:55.119 important 00:47:55.119 --> 00:47:57.280 you can set this as your main dashboard 00:47:57.280 --> 00:47:58.960 so if you right click here you can set 00:47:58.960 --> 00:48:01.520 this as your home dashboard 00:48:01.520 --> 00:48:03.599 so i'll just click on that there 00:48:03.599 --> 00:48:05.440 and now you'll see on your dashboard 00:48:05.440 --> 00:48:08.240 here if i just close that top menu 00:48:08.240 --> 00:48:10.240 that will actually be displayed there so 00:48:10.240 --> 00:48:12.319 give it a couple of seconds 00:48:12.319 --> 00:48:14.079 and of course you can click on the cog 00:48:14.079 --> 00:48:16.240 wheel here 00:48:16.240 --> 00:48:19.280 and essentially display whatever 00:48:19.280 --> 00:48:21.520 you know you can specify your default 00:48:21.520 --> 00:48:23.200 dashboard now there are a couple of 00:48:23.200 --> 00:48:25.599 other ones that are created by default 00:48:25.599 --> 00:48:27.119 uh but yeah you can have that on your 00:48:27.119 --> 00:48:28.400 dashboard 00:48:28.400 --> 00:48:31.040 uh and uh you know if you actually click 00:48:31.040 --> 00:48:33.839 on snot the snot alert for splunk here 00:48:33.839 --> 00:48:36.240 and we'll just go back into that snot 00:48:36.240 --> 00:48:38.240 event summary tab 00:48:38.240 --> 00:48:40.880 uh you can actually edit the way these 00:48:40.880 --> 00:48:44.240 um these particular panels are tiled so 00:48:44.240 --> 00:48:46.079 uh you know you can convert it to a 00:48:46.079 --> 00:48:48.880 pre-built panel or you know 00:48:48.880 --> 00:48:50.400 you can you can actually convert it to a 00:48:50.400 --> 00:48:52.960 pre-built panel you can get rid of it 00:48:52.960 --> 00:48:54.720 uh you can also move them around based 00:48:54.720 --> 00:48:57.440 on your own requirements and uh in this 00:48:57.440 --> 00:48:59.680 case you can actually let's see if i can 00:48:59.680 --> 00:49:00.880 show you can actually select the 00:49:00.880 --> 00:49:02.480 visualization 00:49:02.480 --> 00:49:04.240 uh so in this case i think the default 00:49:04.240 --> 00:49:06.079 one is fine and you can then view the 00:49:06.079 --> 00:49:07.920 report here so 00:49:07.920 --> 00:49:08.960 um 00:49:08.960 --> 00:49:11.359 if we click on this one here for example 00:49:11.359 --> 00:49:13.280 we could actually use the bar graph to 00:49:13.280 --> 00:49:15.280 display the you know the number of the 00:49:15.280 --> 00:49:17.200 actual um 00:49:17.200 --> 00:49:19.440 the top source countries uh and have 00:49:19.440 --> 00:49:21.599 them displayed in a bar graph style but 00:49:21.599 --> 00:49:23.280 we can just take it back into the pie 00:49:23.280 --> 00:49:25.599 chart there and you can also change this 00:49:25.599 --> 00:49:27.440 for the events as well 00:49:27.440 --> 00:49:29.359 so uh you know if we wanted to view a 00:49:29.359 --> 00:49:31.440 trend we can click on the bar graph 00:49:31.440 --> 00:49:32.240 there 00:49:32.240 --> 00:49:34.000 uh in this case i don't think that's 00:49:34.000 --> 00:49:37.040 formatted correctly so uh if we just use 00:49:37.040 --> 00:49:39.440 the the default one 00:49:39.440 --> 00:49:42.880 uh which i believe was i think it was no 00:49:42.880 --> 00:49:46.160 that wasn't the one i believe it was uh 00:49:46.160 --> 00:49:47.920 let's see if i can identify it here it 00:49:47.920 --> 00:49:50.800 was the number there we are so 26 uh so 00:49:50.800 --> 00:49:52.640 as i said you can customize this based 00:49:52.640 --> 00:49:53.839 on your own 00:49:53.839 --> 00:49:55.440 uh you know 00:49:55.440 --> 00:49:57.440 your own requirements so for example 00:49:57.440 --> 00:49:59.839 this one might do well if it was in the 00:49:59.839 --> 00:50:02.240 form of a bar graph so you know 00:50:02.240 --> 00:50:04.240 you can utilize that if you feel that 00:50:04.240 --> 00:50:06.319 that is appropriate 00:50:06.319 --> 00:50:08.319 uh in this case uh you know we can also 00:50:08.319 --> 00:50:11.920 specify uh the actual um you know we can 00:50:11.920 --> 00:50:14.559 actually list the events themselves 00:50:14.559 --> 00:50:16.079 uh let's see which other ones look 00:50:16.079 --> 00:50:17.920 really good here 00:50:17.920 --> 00:50:19.760 uh and uh yeah once you're done with the 00:50:19.760 --> 00:50:22.079 customization you can then cancel or 00:50:22.079 --> 00:50:24.559 save based on your requirements and you 00:50:24.559 --> 00:50:27.200 can also filter on this particular tab 00:50:27.200 --> 00:50:28.960 here you know through the source ip 00:50:28.960 --> 00:50:31.280 destination ip etc 00:50:31.280 --> 00:50:33.839 um let's see what else did i wanted to 00:50:33.839 --> 00:50:35.599 did i want to highlight let me just 00:50:35.599 --> 00:50:38.000 refresh this once more 00:50:38.000 --> 00:50:39.760 and you know to essentially get the 00:50:39.760 --> 00:50:42.480 latest data 00:50:42.480 --> 00:50:44.480 and uh you can see uh in terms of the 00:50:44.480 --> 00:50:46.480 fan the in terms of the panels this will 00:50:46.480 --> 00:50:49.520 display the last 100 attempts 00:50:49.520 --> 00:50:51.760 uh and uh you know you can go through 00:50:51.760 --> 00:50:53.599 them like so 00:50:53.599 --> 00:50:55.839 uh you can also view i think we've gone 00:50:55.839 --> 00:50:57.119 through all of them but you have the 00:50:57.119 --> 00:50:59.440 persistent sources so two or more days 00:50:59.440 --> 00:51:01.359 of activity in the last 30 days so you 00:51:01.359 --> 00:51:03.040 actually need a lot of data for that to 00:51:03.040 --> 00:51:05.200 be displayed or to give you anything 00:51:05.200 --> 00:51:06.400 useful 00:51:06.400 --> 00:51:07.520 um 00:51:07.520 --> 00:51:09.760 yeah so that is 00:51:09.760 --> 00:51:11.680 what i wanted to highlight in regards to 00:51:11.680 --> 00:51:14.079 the snot alert for splunk app and the 00:51:14.079 --> 00:51:15.839 actual dashboards which i said it 00:51:15.839 --> 00:51:17.359 already does for you 00:51:17.359 --> 00:51:19.119 now you can create your own dashboard as 00:51:19.119 --> 00:51:21.200 i said if i go back into apps and search 00:51:21.200 --> 00:51:22.720 and reporting 00:51:22.720 --> 00:51:25.200 based on your own sources so i'll just 00:51:25.200 --> 00:51:27.280 click on data summary there and if i 00:51:27.280 --> 00:51:29.280 click on sources 00:51:29.280 --> 00:51:30.960 you can click on the 00:51:30.960 --> 00:51:33.839 this source here for example and 00:51:33.839 --> 00:51:36.640 you know in this case we can actually uh 00:51:36.640 --> 00:51:39.680 just click on that there and i can click 00:51:39.680 --> 00:51:41.920 on extract fields 00:51:41.920 --> 00:51:43.359 and you can extract the fields with 00:51:43.359 --> 00:51:46.319 rejects so i'll click on next there 00:51:46.319 --> 00:51:47.760 and you can then select the fields that 00:51:47.760 --> 00:51:50.400 you want so for example in this case we 00:51:50.400 --> 00:51:52.720 would want the date and time 00:51:52.720 --> 00:51:55.280 so i can just highlight that there so i 00:51:55.280 --> 00:51:56.319 can say 00:51:56.319 --> 00:51:59.520 time for example add the extraction 00:51:59.520 --> 00:52:02.000 and then of course we have the source ip 00:52:02.000 --> 00:52:03.839 and the port but i'll just highlight 00:52:03.839 --> 00:52:05.680 them together but i think it's actually 00:52:05.680 --> 00:52:07.440 recommended just to highlight the source 00:52:07.440 --> 00:52:08.880 ip there 00:52:08.880 --> 00:52:13.200 so source we can say crc src 00:52:13.200 --> 00:52:14.559 underscore 00:52:14.559 --> 00:52:15.520 ip 00:52:15.520 --> 00:52:18.480 add that extraction and we then have the 00:52:18.480 --> 00:52:20.800 destination ip which in this case uh 00:52:20.800 --> 00:52:22.559 because this is uh 00:52:22.559 --> 00:52:25.520 an sm snmp broadcast 00:52:25.520 --> 00:52:27.520 request we can we know that that's the 00:52:27.520 --> 00:52:30.880 destination ip so i'll say dst 00:52:30.880 --> 00:52:33.040 underscore ip 00:52:33.040 --> 00:52:36.720 add the extraction let's see what else 00:52:36.720 --> 00:52:40.079 we can do um 00:52:40.079 --> 00:52:41.440 in this case it's saying the extraction 00:52:41.440 --> 00:52:42.960 field you're extracting if you're 00:52:42.960 --> 00:52:45.040 extracting multiple fields try removing 00:52:45.040 --> 00:52:47.040 one or more fields start with the 00:52:47.040 --> 00:52:48.720 extractions that are embedded within 00:52:48.720 --> 00:52:51.680 longer strings okay so let's try and use 00:52:51.680 --> 00:52:54.400 another alert here 00:52:54.400 --> 00:52:57.599 that was kind of interesting um let's 00:52:57.599 --> 00:52:58.319 see 00:52:58.319 --> 00:53:00.480 it's not displaying all of them here but 00:53:00.480 --> 00:53:02.800 you get the idea once you're done 00:53:02.800 --> 00:53:04.480 uh you know for example i can remove 00:53:04.480 --> 00:53:06.079 that field here i'm just giving you an 00:53:06.079 --> 00:53:08.720 example of that so remove that field 00:53:08.720 --> 00:53:12.000 uh there we are i can then say next and 00:53:12.000 --> 00:53:15.440 i can click on validate and save based 00:53:15.440 --> 00:53:18.240 on those fields there hit finish 00:53:18.240 --> 00:53:20.800 and then you know i can go back to 00:53:20.800 --> 00:53:23.359 uh you know search and reporting 00:53:23.359 --> 00:53:25.280 and if i wanted to create a very simple 00:53:25.280 --> 00:53:27.040 visualization which i'll show you right 00:53:27.040 --> 00:53:27.839 now 00:53:27.839 --> 00:53:30.000 even though i don't really need those 00:53:30.000 --> 00:53:31.920 extracted fields although they might be 00:53:31.920 --> 00:53:33.280 useful so 00:53:33.280 --> 00:53:36.079 i can click on those extracted fields 00:53:36.079 --> 00:53:38.559 now i believe they should have been 00:53:38.559 --> 00:53:39.760 added 00:53:39.760 --> 00:53:41.200 i'm not really sure why they aren't 00:53:41.200 --> 00:53:43.440 being highlighted here there we are so 00:53:43.440 --> 00:53:45.200 source ip 00:53:45.200 --> 00:53:47.760 uh we can also specify the source port 00:53:47.760 --> 00:53:50.240 uh we all there there they are so i had 00:53:50.240 --> 00:53:51.760 actually they took a while to be 00:53:51.760 --> 00:53:53.599 displayed there so 00:53:53.599 --> 00:53:56.559 uh so support that why why not we can 00:53:56.559 --> 00:53:59.920 yeah i think that's pretty much it so 00:53:59.920 --> 00:54:02.079 uh based on those we can actually build 00:54:02.079 --> 00:54:04.480 an event type however if we go to 00:54:04.480 --> 00:54:07.520 visualization and click on pivot here 00:54:07.520 --> 00:54:10.640 selected fields is five hit ok 00:54:10.640 --> 00:54:12.559 we can actually you know visualize this 00:54:12.559 --> 00:54:14.319 however we want so for example if i 00:54:14.319 --> 00:54:17.119 wanted a column chart here 00:54:17.119 --> 00:54:19.680 number one will display the count 00:54:19.680 --> 00:54:22.079 i can just add the 00:54:22.079 --> 00:54:24.079 events 00:54:24.079 --> 00:54:26.319 because that's the count and we should 00:54:26.319 --> 00:54:28.720 have at the bottom the time which i did 00:54:28.720 --> 00:54:32.559 specify uh we believe within that range 00:54:32.559 --> 00:54:34.000 there 00:54:34.000 --> 00:54:36.720 but that's not being highlighted here so 00:54:36.720 --> 00:54:39.280 the number of events and you know you 00:54:39.280 --> 00:54:41.839 can go ahead and click as you can 00:54:41.839 --> 00:54:43.440 essentially save it 00:54:43.440 --> 00:54:45.280 so you get the idea you don't really 00:54:45.280 --> 00:54:46.880 need to do this because we have the 00:54:46.880 --> 00:54:48.480 snort app here 00:54:48.480 --> 00:54:50.079 which pretty much gives you the 00:54:50.079 --> 00:54:52.880 summaries that are useful to you or for 00:54:52.880 --> 00:54:53.839 you 00:54:53.839 --> 00:54:56.559 and there we are so fantastic so that's 00:54:56.559 --> 00:54:57.920 going to conclude the practical 00:54:57.920 --> 00:55:01.119 demonstration side of this video 00:55:01.119 --> 00:55:02.799 so uh thank you very much for watching 00:55:02.799 --> 00:55:04.559 this video if you have any questions or 00:55:04.559 --> 00:55:06.240 suggestions leave them in the comments 00:55:06.240 --> 00:55:07.200 section 00:55:07.200 --> 00:55:08.559 if you want to reach out to me you can 00:55:08.559 --> 00:55:10.160 do so via 00:55:10.160 --> 00:55:12.319 twitter or the discord server the links 00:55:12.319 --> 00:55:14.240 to both of those are in the description 00:55:14.240 --> 00:55:16.720 section furthermore we are now moving on 00:55:16.720 --> 00:55:18.720 to part two so this will conclude part 00:55:18.720 --> 00:55:21.040 one so part two will be available on the 00:55:21.040 --> 00:55:24.559 lynnodes on 24 platform so uh the videos 00:55:24.559 --> 00:55:26.559 are available uh on demand so all you 00:55:26.559 --> 00:55:28.559 need to do just click uh click the link 00:55:28.559 --> 00:55:31.599 in the description register for part two 00:55:31.599 --> 00:55:33.520 after which an email will be sent to you 00:55:33.520 --> 00:55:34.720 and you'll be given uh you know 00:55:34.720 --> 00:55:37.200 immediate access to to the videos uh 00:55:37.200 --> 00:55:40.000 within part two so uh thank you very 00:55:40.000 --> 00:55:42.799 much uh for watching part one uh in the 00:55:42.799 --> 00:55:45.040 next video in part two we'll get started 00:55:45.040 --> 00:55:46.640 or we'll take a look at host intrusion 00:55:46.640 --> 00:55:49.520 detection with os sec so i'll be seeing 00:55:49.520 --> 00:55:53.640 you in the next video 00:55:59.130 --> 00:56:12.240 [Music] 00:56:12.240 --> 00:56:14.319 you