Hello, everyone. Welcome back to the Blue
Team training series brought to you by
Linode and Hackersploit. In this video,
we're going to be taking a look at how
to set up or how to perform security
event monitoring with Splunk, more
specifically, Splunk Enterprise
Security. Right? So the objective here
will be to monitor intrusions and
threats with Splunk. And you might be
asking yourself, well, how are we going to
do this? What setup are we using? Well, the
scenario that I've set up for this video
is we are essentially going to
take all the knowledge that we've
learned during the Snort video, and we
are going to essentially forward all of
the Snort logs into Splunk or have
that done automatically through the
Splunk Universal Forwarder so that we get
the latest logs when Snort is running on
our Ubuntu virtual machine.
And the objective here is to use Splunk
in conjunction with the Splunk's Snort app
to essentially visualize and identify or
monitor network intrusions and any
malicious network traffic, you know, within the
network that I'm monitoring.
At a very high level, what will we be
covering? Well, firstly, we'll get an
introduction to Splunk. Now before we
move any further or we actually carry on,
I do want to note that this video is not
going to be focused on Splunk
fundamentals. I'm going
to assume that you already know what
Splunk is and how it can be used, you know,
and how it's used generally speaking.
Because Splunk is not really a tool
that is specific to security, for example.
That's why they have the Splunk
Enterprise Security version or edition.
And I'm just going to assume that you
know how to use Splunk at a very basic
level. So once we get an introduction to
Splunk, we'll go over Splunk Enterprise
Security--the Enterprise Security edition--and how it
can be used for security event
monitoring, especially in our case
because we want to essentially monitor
the intrusion detection logs
generated by Snort.
So we'll then move on to deploying
Splunk Enterprise Security on Linode,
which is absolutely fantastic because
they have a cloud image
available for it that allows you to spin
it up without going through the process
of installing it and configuring it. So
that'll set it up for us.
We'll then take a look at how to
configure Splunk, and how to set up the
Splunk Universal Forwarder on the Ubuntu
virtual machine that is running Snort so
that we can forward those logs into
Splunk. And then, of course, we'll take
a look at the Splunk Snort event
dashboard that will be provided to us by
the Splunk Snort app. So if this sounds like
gibberish to you, don't worry. It will make
sense in a couple of minutes.
With that being said, given that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it'll help you set up Snort, and you can then run through this demo. With that
being said, this is not a holistic video
that will cover everything you can do
with Splunk Enterprise Security. We are
just focused on the intrusion
detection logs produced
by Snort and how they can be
imported or forwarded to Splunk for,
you know, analysis and monitoring.
So the prerequisites are the same as
the previous videos. The only difference
is, you know, that you need to have a
basic familiarity with Splunk and how to
navigate around the various menu
elements and, yeah,
essentially just how to use it at a very
basic level. If you're not familiar with
Splunk, I'll give you a few resources at
the end of these slides
that'll help you out or help
you get started. Alright.
So let's get an introduction
to Splunk. So what is Splunk? That's the
main question. If you've never heard of
Splunk, Splunk is an extremely powerful
platform that is used to analyze data
and logs produced by systems or machines,
as Splunk likes to call them. So
what problem is Splunk trying to solve
here? Well, let's look at this from the
perspective of Web 2.0 or, you know, the
interconnected world we live in
today. And we're going to be looking at
it from the context of or from the
perspective of security.
So if we take a simple system--let's say we have a Windows operating system or a system running Windows--well, that Windows system produces a lot of data or logs that contain information that, at first glance, might not seem that important. But once you start getting into specific sectors like security, those logs have very important value to organizations.
Now multiply that by a thousand systems.
So let's say we have an organization.
They have a thousand computers within
their network or, you know, distributed
worldwide. And all of these systems,
you know, need to be secured. Their
security needs to be monitored. So how do
we monitor all of this? Well, this is
where Splunk comes into play. So Splunk
allows you to essentially funnel all of
this data produced by systems or
machines into Splunk. And then Splunk allows you
to monitor, search, and analyze this
machine-generated data and the logs
through a web interface. So in order to
use Splunk, you'll need to import your
own data or logs. Alternatively, you can
utilize the Splunk Universal Forwarder to
forward logs and data to Splunk for
analysis and, of course, visualization, etc.
Now, Splunk does so much more that I
really can't go over all of the features
here. But as I said, we're looking at this
from the lens of a security engineer.
Alright. So Splunk collates all the
data and logs from various sources and
provides you with a central index that
you can search through. Splunk also
provides you with robust visualization
and reporting tools that allow you to
identify the data that interests you,
transform the data into results, and
visualize the answers in the form of a
report, chart, graph, etc. Alright. So what
I'm saying here is that Splunk allows
you to take all of these security-related logs and data and make sense of them and
essentially get the answers that you're
looking for. So, for example, from the
perspective of a security engineer, what
do you want from all of this data? Well,
at a very high level, you want to know
whether something is going wrong and
what could go wrong. In the context of
security, a network could be compromised.
There could be some malicious network
traffic or activity going on. A system
could be compromised, etc., etc. You get the
idea. So we need that data to be
displayed to us as a security engineer.
And Splunk is really one of the best
tools, you know, when it comes down to,
you know, taking a lot of data
and then identifying the data that
interests you, transforming that data
into results, and then visualizing that
data in the form of a report, chart, or
graph. Right. So that's really what we're
going to be doing. And as I said, going
back to the scenario, we're going to be
focusing on how to forward the logs and alerts created by Snort into Splunk for analysis. And
luckily for us, Splunk has a Snort app or
plug-in, if you will, that will
essentially simplify this process.
So, let's get an idea as to, you know, how we
can use Splunk for security event
monitoring. So Splunk Enterprise Security,
also known as Splunk ES, is a security
information and event management
solution, also known as a SIEM.
It is used by security
teams to quickly detect and respond to
internal and external attacks or threats
or intrusions. So Splunk ES can be used
for security event monitoring, incident
response, and running a SOC or Security Operations Center.
In this video, we'll be using Splunk ES
to monitor and visualize the Snort
intrusion alerts. This will be
facilitated through the help of the Snort
app for Splunk and the Splunk Universal
Forwarder. Now, the Splunk Universal Forwarder
is pretty much the most important
element of what we'll be exploring
because what it does--and this is really
cool--is it automatically
forwards the latest logs,
even when Snort is running. It forwards those
alerts and logs into Splunk, and you can
see them in real time, which is
absolutely fantastic.
So as I said, if you're new to Splunk,
then these resources are really helpful
for you. Splunk offers really great
tutorials and courses designed for
absolute beginners. You can check that
out by clicking on the link within this
slide. And you can learn more about the
Splunk Enterprise Security edition from
that particular link.
Now, as I said, we are going to be deploying
Splunk on Linode, more specifically
Splunk ES. And this is the lab
environment. So we're going to spin up,
Splunk ES on Linode. Now, again, to follow through with this, Linode has been absolutely fantastic by providing all of you guys with a way to get $100 in free Linode credit. All you
need to do is just click the link in the
description section and sign up, and
$100 will be added to your
account so that you can follow along
with this series. So we're going to
set up Splunk ES on Linode. And then
within my internal network, we're just
going to have a very basic infrastructure.
We're going to have the Ubuntu virtual
machine that is running Snort. This is the
same virtual machine that we had set up
and used to set up Snort and set up
Suricata and the one we had used with Wazuh.
And, yeah, that's essentially it. We're
going to have a very basic
infrastructure where we have an attacker
system that I'm going to be using to perform
a bit of network intrusion detection emulation, whereby I will run a couple of commands or scripts to emulate malicious network activity so that this traffic is logged, and that'll provide us with a good idea as to how helpful
Splunk is for security event monitoring,
especially in the context of network intrusions.
So as I said, you don't really need to
have a Windows workstation. You simply
need to have the Ubuntu VM, and you can
pretty much run everything from it. And,
of course, you can set up the Splunk
Enterprise Security server on Linode
without any issues.
So that's the lab environment. We can now
get started with the practical
demonstration. So I'm going to switch
over to my Ubuntu virtual machine.
Alright. So I'm back on my Ubuntu
virtual machine, and you can see I have
Linode opened up here.
I haven't set anything up yet because
we're going to be walking through the
process together.
I then have the Splunk.com website here.
So if you're new to Splunk, then you need
to create a new account in order to
follow along. So just head over to
Splunk.com and, you know,
register for an account. It's free.
Once that is done,
you'll need to activate your account or
verify your account through
the verification email
they'll send you. Once that is done,
we can then move forward. Because in
order to access the actual
Splunk Universal Forwarder, you'll need to
have an account. And of course, you
know, in this case, I'll be going through
everything as we move along in a
structured manner. And
then to perform the actual NIDS tests,
we are going to be using the
testmyNIDS.org project,
which is on GitHub. So this is
essentially a bash script
that allows you to--as you can see here--
it allows you to essentially emulate or
simulate malicious network traffic. So,
previously, we had used
the website technique to essentially get
a Linux UID, and that traffic would be
logged as malicious, or
it could be logged as a potential
intrusion. And we can run a few other
checks like HTTP basic authentication,
bad certificate authorities,
an EXE or DLL download over HTTP. So,
you know, we can run tests that,
you know, will just make our
intrusion detection system blow up in
terms of alerts. And that's what we want
because we want to see how that data is
presented to us as a security engineer
on Splunk. With that being said, the first
step, of course, is to set up Splunk ES on Linode.
So just click on “Create a Linode” and click on “Marketplace.”
And they already have Splunk here. So
there we are. You can click on that there.
And if you click on this little info
button here, it'll give you an idea as to
how to deploy it on
Linode. And, of course, you have more
information regarding Splunk. So you have
the documentation link there. So I'll
just click on Splunk.
Once that is clicked, we can then head
over here. You'll need to specify the
Splunk admin user. I recommend using
“admin” to begin with and then specify a password.
If you're setting up, you know, Splunk on
a domain, then you can specify the
Linode API token to essentially create
the DNS records--that's if you're using
Linode's DNS service.
And then, of course, you need to add
the admin email for the server. So in
this case, I can just say, for example,
hackersploit@gmail.com.
Don't spam me on this email because I
don't respond anyway. So we can create
another user.
This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this "admin." And then for the admin user, we'll just provide that there.
So the image--we're going to set it up on
Ubuntu 20.04. The region--I’ll say London
because that's closest to me.
As for the actual Linode plan,
Linode ES doesn't require that many
resources, especially because, you know,
the amount of data that we're processing
or the logs that are being forwarded to
Splunk are relatively few--so less than
100--which, if you've used Splunk before
for security event monitoring, you know
that that is
really, really small. In
fact, Splunk will actually tell you,
you know, that the amount of data
to begin with that you have imported or
forwarded is too little to make any sense of.
But that's where the Snort app for
Splunk comes into play. So I'll just say
“Splunk,”
and I'll provide my root password for the server.
And we can click on “Create.”
Alright. Now, once this is set up and provisioned, the actual installer is going to begin, because there is an auto-installer script that will set up Splunk for you. So, let it
provision. After that's done, you can
launch the Lish console to avoid logging
in via SSH. And of course, one thing that
I don't need to tell you
is, if you're setting this up for
production, then you need to make sure
you're securing your server. So only use SSH keys for authentication with the server.
If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux--the Linux Server Security series. It'll give you all the information you need to secure a Linux server for production.
With that being said, I'm just going to
let it provision, after which we can
launch the Lish console to see what's
going on in the background. And we can
then get started, you know, officially
with how to set up Splunk. We then need
to set up the Universal Forwarder.
So, this is booting now.
Alright. So the server is booted, and
you can see I've just opened up the Lish
console here
to essentially view what's going on. As
you can see, it's begun setting up
Splunk ES. So just give this a couple of
minutes to essentially begin.
And once it's done, it'll actually
tell you that, and it'll provide you with the
login prompt.
But it's probably logged in as the root
user already. So
just let this complete. I'm just going to
wait for this to actually conclude.
Alright. So once Splunk ES is done,
or the actual Linode is done here
with the setup, you can see it's going to
tell you "installation complete,"
and you can then log in. Keep this
window open because this is going to be
very important, as we'll need to
configure a few firewall rules.
By default, this Linode comes with UFW, the Uncomplicated Firewall, which typically comes prepackaged with Debian-based distributions like Ubuntu.
In this case, it's already added the
firewall rule for the port that we
wanted, but just keep it open because
we'll need to run a few checks. So you
can log in there. So I'm just going to
log in with the credentials that I
specified as the root user. And I can
just say sudo ufw status.
And you can see these are all the
allowed rules or the actual rules
configured for the firewall, which is
looking good so far.
So we can access the Splunk ES instance
that we set up by pasting in the IP of
the server and opening up port 8000.
That's going to open up Splunk ES for
you. So just give this a couple of
seconds. There we are. And the credentials
that we had used were "admin" and the
password that I created--that, you know,
of course, you'll be able to
specify yourself. So just sign in.
And once that is done, you'll be
brought to Splunk Enterprise Security here.
So there we are--explore
Splunk Enterprise.
And in this case, what we're going to be
doing--what we're going to start off with--
is we need to go through a few
configuration changes with Splunk itself.
So the idea, firstly, is to configure
the actual receiving of data.
So if you head over into "Settings,"
you can click on "Data," then just click
on "Forwarding and Receiving."
And once that is done--once that is
loaded up--
under "Receive Data," we need to
configure this instance to receive data
forwarded from other instances. So we
want to configure receiving,
and we just want to set the default receiving port.
So we can say "New Receiving Port,"
and the port is, of course, going to be
the default, which is 9997--which is why
that firewall rule was added. So I'll
click on Save.
Alright. So once that is done, we can
now install the Snort app
for Splunk. So click on "Apps" and head
over into "Find More Apps."
And because the Ubuntu server is running--
or the Ubuntu VM that I'm currently
working on is running--Snort 2, we'll need
the appropriate app here. So I'll just
search for "Snort" there. And we're not looking for the Snort 3 JSON alerts, although that could be quite useful; we want Snort Alert for Splunk. Alright. So this app provides field extraction, which is really great because performing your own field extractions using regex can be quite difficult if you're a beginner. It provides field extraction for fast and full alerts, as well as dashboards, saved searches, reports, event types, tags, and event search interfaces. So we'll install that.
Now you'll need to log in with
your Splunk account credentials that you,
you know, actually created on
splunk.com. So I'll just fill in my
information really quickly.
Alright. So I've put in my username and
password. So I'll just say I'll accept
the terms and conditions there. So log in
and install.
That's going to install it. There we are.
So we'll just hit "Done."
Now that that is done, if we head back over
into our dashboard--so I'll just click on
Splunk Enterprise there--
you can now see we have Snort
Alert for Splunk. So that already
comes preconfigured with a dashboard.
So we'll just let this load up here.
And you can see that we don't have
any data yet. So this will display
your events and sources, top source
countries, the events. This is very
important--these sources, top 10
classification. So that'll classify
your alerts in terms of the
type, which again will make sense in a
couple of seconds. So now that that is
done, we actually need to configure
the actual Splunk Universal Forwarder. So
I'll just open that up in a new tab. It's
absolutely free to download the Debian
client or the Splunk Universal
Forwarder Debian package. So Universal
Forwarders provide reliable, secure
data collection from remote
sources and forward that data into
Splunk software for indexing and
consolidation. They can scale to tens of
thousands of remote systems, collecting
terabytes of data. So
again, you can actually see why Splunk is so powerful and why it's so widely used and deployed--because you can literally forward a ton of data from a ton of systems into Splunk. So because
Snort is running on this
Ubuntu VM, we need the Debian package. So
I'll click on Linux, and we want the
64-bit version. Again, you can choose one
based on your requirements. So if you're
running on Red Hat, Fedora, or CentOS, you
can use the RPM package. So I'll just
download the Debian package here.
Give that a couple of seconds. It's then
going to begin downloading it, and then
I'll walk you through the setup process.
So there we are.
It's begun the setup.
And once that is done, I'll open up my
terminal. So that's saved in the
Downloads directory. So
if we check--if we head over into the
Downloads directory--you can see we have
the Splunk Forwarder Debian package there.
So what we want to do, firstly, is move this package into the actual /opt directory on Linux, which will allow us to set it up as optional software. And it's really good to have all that optional software stored in that directory. So, once that's downloaded, we move the splunkforwarder package into /opt, and we'll need sudo privileges, so: sudo mv. There we are. And I'll just type in my password. Fantastic. So now navigate to the /opt directory. And to install this, we can say sudo apt install and then specify the package itself, the splunkforwarder .deb, and we're just going to hit enter. That's going to install it for you.
Give that a couple of seconds.
Alright. So once that is installed, if you list out the contents of this directory, you're going to have a splunkforwarder directory here. So I'll say cd splunkforwarder, and we can navigate into the bin directory. We'll need to start Splunk, so we will say sudo and run the binary, which is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it: we need to create a username and password. And once that is done, you'll actually see what that looks like. So I'll just run it with --accept-license. And you can see in this case... let's see if I typed that incorrectly. That should actually start. So splunk start; I did not specify start there.
There we are. So please enter an
administrator name. I'll just say admin.
So again, Splunk software must create an
administrator account during startup.
Otherwise, you cannot log in. So create
credentials for the administrator account.
So in this case, you can
create whatever you want. I'm just going
to fill in my credentials here.
Alright, so I've just entered my
administrator username and then, of
course, my password. So
that is done.
So it'll go through and check the prerequisites. New certs have been generated in the following directory, and all the preliminary checks have passed. So starting the Splunk server daemon--that started. You can also enable it to run on system startup. So if I say, for example, sudo systemctl status splunk... let me type that correctly here: systemctl status splunkd. Sorry, systemctl status splunk. I'm not really sure why that's not loading here. But I do know that the daemon is running, and there should be an init daemon for that. But in any case, you can always start it that way.
Once that is done, we will need to add our forward server. So we need to add the address of the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second, but let's do that first. So again, we're going to use the splunk binary and say forward-server, and we'll copy the IP address of your Splunk server here. So there we are, and I'll paste that in there. And then you need to type in the port, 9997; that's the port to connect to. Hit enter. So splunk forward-server... yeah, we need to add it; I keep forgetting the preliminary command. So: splunk add forward-server, then the address and port, and it prompts for the Splunk username. So in this case, let me just put in my credentials here. Alright. And it's going to then add the forwarding to that particular address.
Alright. Now that that is done, we actually need to check a particular file, and that is going to be outputs.conf. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So if we head over into the following directory--I'll just take a step back; we're still in the splunkforwarder directory--we'll head over into the etc directory, and under system/local we have a file called outputs.conf. So I'm going to say sudo vim outputs.conf. And really, the only thing required here is to leave the default configuration as is. The default group, [tcpout:default-autolb-group], is fine. Make sure that the server option is configured--that's the most important--and that the tcpout-server stanza with the server address is also present in this format. So we don't need to make any changes there, and I'll just quit and exit.
Once that is done, we also need to check the actual inputs configuration file. But before we do that, let's take a look. If you revisit the Snort video, you know that all the logs are stored under /var/log/snort. Right? So we have the alert log, and depending on the type of alerts you want generated--if I say man snort here, you can see that we have the alert mode. So you can use the fast mode or the full mode. In this case, I'll be using the fast mode, and I'll give you a description of what's going on here. Right? So full writes the alert to the alert file with the full decoded header as
well as the alert message, which might be
important. So we can also do that as well.
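As an added example (not part of the video, and not the Snort app's own code), here is the kind of field extraction the Snort Alert for Splunk app performs for the two alert modes just described, written out in Python so the fields are visible: a parser for fast-mode lines and for full-mode records, and a classification count like the app's top-10 classification panel. The sample alerts are constructed; the SIDs, addresses and timestamps are made up for illustration and are not from the video's lab.

```python
"""Field extraction for Snort 2 alert output (added example, not the app's code).

Handles the two formats the video describes: "fast" (one line per event)
and "full" (a multi-line record per event, records separated by blank
lines). Sample alerts below are constructed; SIDs, addresses and
timestamps are made up for illustration.
"""
import re
from collections import Counter

# Constructed: two events as snort -A fast would write them.
FAST_SAMPLE = (
    "12/19-14:05:12.123456  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.5 -> 10.10.10.20\n"
    "12/19-14:06:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 10.10.10.20:51234\n"
)

# Constructed: the same two events as snort -A full would write them.
FULL_SAMPLE = """\
[**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
12/19-14:05:12.123456 10.10.10.5 -> 10.10.10.20
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4242   Seq:1  ECHO

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/19-14:06:01.000001 192.0.2.10:80 -> 10.10.10.20:51234
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0x100  TcpLen: 20
"""

# Shared regex pieces: timestamp, signature [gid:sid:rev] msg, classification/priority, flow.
_TS = r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
_SIG = r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
_CLASS = r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]"
_FLOW = r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"

FAST_RE = re.compile(r"^" + _TS + r"\s+\[\*\*\]\s+" + _SIG + r"\s+" + _CLASS
                     + r"\s+\{(?P<proto>\w+)\}\s+" + _FLOW + r"\s*$")
FULL_HEAD_RE = re.compile(r"^\[\*\*\]\s+" + _SIG + r"\s*$")
FULL_CLASS_RE = re.compile(r"^" + _CLASS + r"\s*$")
FULL_FLOW_RE = re.compile(r"^" + _TS + r"\s+" + _FLOW + r"\s*$")


def split_endpoint(endpoint):
    """'192.0.2.10:80' -> ('192.0.2.10', 80); a bare address (ICMP) -> (addr, None)."""
    if endpoint.count(":") == 1:
        addr, port = endpoint.split(":")
        return addr, int(port)
    return endpoint, None


def _event(ts, gid, sid, rev, msg, cls, pri, proto, src, dst):
    """Build one normalised event dict; identical keys for both alert formats."""
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {
        "ts": ts, "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "classification": cls, "priority": int(pri), "proto": proto,
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_fast_line(line):
    """One fast-mode line -> event dict, or None if it is not an alert line."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return _event(m["ts"], m["gid"], m["sid"], m["rev"], m["msg"],
                  m["cls"], m["pri"], m["proto"], m["src"], m["dst"])


def parse_full_record(record):
    """One blank-line-delimited full-mode record -> event dict, or None."""
    lines = [l for l in record.splitlines() if l.strip()]
    if len(lines) < 4:
        return None
    head = FULL_HEAD_RE.match(lines[0])
    cls = FULL_CLASS_RE.match(lines[1])
    flow = FULL_FLOW_RE.match(lines[2])
    if not (head and cls and flow):
        return None
    proto = lines[3].split()[0]  # the decoded-header line starts with the protocol: "TCP TTL:52 ..."
    return _event(flow["ts"], head["gid"], head["sid"], head["rev"], head["msg"],
                  cls["cls"], cls["pri"], proto, flow["src"], flow["dst"])


def parse_fast(text):
    return [ev for ev in map(parse_fast_line, text.splitlines()) if ev]


def parse_full(text):
    return [ev for ev in map(parse_full_record, re.split(r"\n\s*\n", text)) if ev]


def top_classifications(events, n=10):
    """(classification, count) pairs, most frequent first, like the app's top-10 panel."""
    return Counter(e["classification"] or "unclassified" for e in events).most_common(n)


if __name__ == "__main__":
    for ev in parse_full(FULL_SAMPLE):
        print(ev["priority"], ev["classification"], ev["src_ip"], "->", ev["dst_ip"], ev["msg"])
    print(top_classifications(parse_fast(FAST_SAMPLE) + parse_full(FULL_SAMPLE)))
```

The point of normalising both formats to the same dict is that a fast-mode and a full-mode record for the same event extract to identical fields; what full mode adds is the decoded header lines, which the parser above reads only for the protocol. Whichever mode you forward, the sourcetype you set on the forwarder has to match it, since that is how the app picks the right extraction.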
So this was from the previous--from
the Snort video where we
had run...
essentially run Snort and, you know,
where we were identifying various alerts.
So, what we can do is--again, we'll go through what needs to be created--run a quick test just to see whether the actual alerts are being logged within the alert file, because we also have alert.1. Ideally, we would only want to forward the alert file into Splunk. So, in order to do this, I'm just going to run Snort really quickly: sudo snort -q -l /var/log/snort -i enp0s3 -A full -c /etc/snort/snort.conf, where -q is quiet, -l is the log directory, -i is the interface (make sure to replace that with your own interface), -A is the alert mode, and -c is the configuration. I believe we had another configuration file... yeah, we had used the snort.conf file. So I'll hit enter.
And now let me open up my file explorer here.
We take a look at the var directory
under log. And under snort,
we have alert. There we are. So,
that has been modified; the last modified time is right over there. Okay. So that's 19. Yeah, so this is the last modified. And I know this .log file is not human-readable; we are not going to be forwarding it.
So I'll just close that there.
So I'm just going to try and perform a few
checks on the network, like a few pings,
just to see if that's detected.
So I'll just, you know, perform a ping really quickly.
Again, the alerts will not be logged on
our terminal because they're being
logged, you know, into the respective
alert file or the alert log file. So I'll
just perform, you know, a few pings, as
I was saying, which I'm doing right now
on the attacker system.
Once that is done, let's see whether those changes are showing up in alert. Indeed, they are. Okay. So now, as you can see here, to begin with we had used the fast alert output mode, and right over here we then have the full alert mode, which I'm not really sure how we want to go about doing this. But you can see we can actually make a few changes. What we can do is get rid of this traffic here. But you can see the message is actually being logged. So we can get rid of this here, because we don't want to mix fast alerts with the full mode, and save that.
Once that is done... we actually need permissions to modify that file. But what I am going to do instead is close without saving. I'm just going to stop Snort there, and I'm just going to say sudo rm /var/log/snort/alert, and we're also going to remove /var/log/snort/alert.1.
Alright. So I'm just going to run this
again, just to see that the file is generated.
So there we are. We have alert there.
So now it's much cleaner. I'll just
run a few pings, just to make sure that
the traffic is being logged--all those
alerts are being logged.
So there we are. We have a few pings there.
And we can also, you know, just run a few
checks there. Okay. So there we are. We can
see that those are now being logged. And
of course, we can change the format based on--
well, you can change it based on your
requirements. Right?
So
now that that is done,
what we can do is we can close that up,
and we can actually leave Snort running as is.
So what I'll do is open up another tab with Ctrl+Shift+T. There we are. And we're currently within the following directory: /opt/splunkforwarder/etc/system/local. So, once that is done, we now need to add the files that we would like to monitor or forward--the log files. I'll go back into the bin directory (cd bin), because that's where we have the splunk binary. So I'll say sudo ./splunk add monitor, and the file that we want to forward is /var/log/snort/alert. Right? That's really all that we want to do. We could also forward the fast alerts, but let's just do this for now. We only want the alerts; we don't want the actual log files that contain the packets themselves. So I'll hit Enter.
Alright. So it's now going to forward
those alerts into Splunk, which pretty
much means that on our end, we are done.
However, we still need to check one more configuration file. So I'll just take a step back here, and we'll head over into the etc directory, under apps/search, and then into local. I think we'll need root permissions to access this, so I'll just switch to the root user and head over into local. And we're looking for the inputs.conf file. Right? We need to actually configure this, because this is very important. The first thing we want to do is add a new line here, and within the square brackets I'll just say splunktcp, and we then want to specify the port, 9997. Let me make sure I type that in correctly. We then need to put in the connection: connection_host is going to be equal to the IP address of the Splunk server, so I'll just copy that and paste it in there. Once that is done, this is fine here: disabled is set to false. We want index to be equal to main, the sourcetype to be equal to snort_alert_full, and the source equal to snort. Alright? So this is a very important configuration. Let me just go through those options again. We have the splunktcp stanza, then the connection_host. The monitor is set correctly to that file. It's enabled, index=main, sourcetype=snort_alert_full, source=snort. Fantastic. So we'll write and quit.
Once this is done,
we'll need to restart Splunk. So I'll switch back to my user, Lexus, here, navigate back to the bin directory (cd bin), and say sudo ./splunk restart. Alright, hit Enter. It's going to stop the Splunk daemon, shut it down, and restart it--and it's done successfully, so all the checks were completed without any issue. Alright, so
now that this is done, we can actually go
back into Splunk here, and we'll navigate
to the dashboard.
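As an added reference, not taken from the video, here is what the two forwarder-side files should contain after the steps above, written out in full so you can check them against your own. outputs.conf is what splunk add forward-server writes (the indexer address 203.0.113.10 is a placeholder; use your Splunk ES Linode's IP), and inputs.conf is the monitor stanza that splunk add monitor /var/log/snort/alert writes, with the index, sourcetype and source keys added to it. The sourcetype is what the Snort Alert for Splunk app's field extractions key on (snort_alert_full for full-mode output, snort_alert_fast for fast-mode), so it needs to sit on the monitor stanza of the file actually being forwarded. A splunktcp stanza is the receiving-side input (it is what "Configure receiving" on the Splunk server creates in the indexer's own inputs.conf); the forwarder itself needs only the monitor stanza and outputs.conf.

```ini
# /opt/splunkforwarder/etc/system/local/outputs.conf
# Example; 203.0.113.10 is a placeholder for the Splunk ES Linode's IP address.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 203.0.113.10:9997

[tcpout-server://203.0.113.10:9997]

# /opt/splunkforwarder/etc/apps/search/local/inputs.conf
# Example; the stanza is created by "splunk add monitor /var/log/snort/alert",
# the index/sourcetype/source keys are added by hand (use snort_alert_fast for -A fast).
[monitor:///var/log/snort/alert]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
```

After sudo ./splunk restart, sudo ./splunk list forward-server should show the indexer under active forwards and sudo ./splunk list monitor should list /var/log/snort/alert; if the indexer shows up under configured but inactive forwards, check that port 9997 is allowed in UFW on the Linode (the rule seen in sudo ufw status) and that receiving was enabled on the server. sudo ./splunk enable boot-start installs the init script so the forwarder comes back after a reboot, which is the piece the systemctl status attempt in the video was looking for.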
This is your Splunk server. Right?
And let's take a look at the messages
here. That's just a few updates--we
don't need to do anything there. So if we
click on
Search & Reporting, just to verify that
data has indeed been forwarded, I'll
just skip through this. If we click on
Data Summary,
under Sources, you should see that we
have the host. And in my case, the name of
the system is blackbox, so that should
be reflected there. So there we are--blackbox.
We have 42
logs or alerts, if you will. Sources: 42. We
can click on that there to just see the
data that has been logged. Indeed, we can
see that has been done correctly. So
sourcetype is alert.
We can see that it's imported, you
know, pretty much all the data--or, you
know, these are the... this is the full log
whereby we have the reference to that there.
That's weird--I didn't actually run
anything weird, but there you go.
So now that this is done, you can
use Splunk to essentially visualize this
data however you want. So, you
know, I can go into Visualization,
and we can click on--maybe we can
create a...
we can select a few fields. So if I go
back into the Events here, I can select a
few fields that I want displayed here,
and I can, you know, essentially extract
the fields that I want with regex.
But I don't think this is necessary at this
point, because if we actually go back to
the dashboard
and we click on--
let's see--Snort Alerts for Splunk,
let's see whether this actually
automates that process for us.
There we are. Actually, it looks like
it does. So, classification: bad-traffic.
So it looks like that is working.
What we can do now
is run a few--
we can actually utilize this script here,
the TestMyNIDS script here. So all
you need to do to run it is just copy
this one-liner script here--or this
command--that will download it into your
/tmp directory and will then execute it.
So, you know, to execute it within your
temp directory, you can just execute
the actual,
you know, the actual binary there. It is a
binary, not a script.
And once that is done, you can then
select the option here. So let me just do
that on my attacker system.
I'm just going to run it one more time. So
I'm just going to say ls here. And
if I open up the documentation--so
firstly, I will run
a quick Linux UID check. So
I'll just hit Enter.
Okay. That is done. I'll then perform an
HTTP basic authentication
and a malware user-agent. So I'm doing
that right now.
Okay. And we can run one more here. So,
let's see. Let's see. Let's see. We
can try EXE or DLL download over HTTP.
That is surely going to be logged,
or that's going to trigger an alert.
So,
do we have--that is running.
Alright. So Snort is running. That's great.
So we know that the log is being--
the actual alerts are being forwarded.
Absolutely fantastic. So let's go back in
here. I've already run those
particular checks.
So let me just refresh this. I know it
usually takes a couple of seconds to a
couple of minutes, but that data should
start--should actually be reflected. There
we are. Fantastic. So
we can see that--firstly,
I'll just explain the dashboard here
because
this dashboard is automatically, you
know, set up for you by the Snort app,
which is really awesome. As I said, you
don't need to go through that process yourself.
So the first graph here essentially
tells you your events,
and it also displays the, you know,
the total number of sources. So you can
see that there. You also have the time.
So you have your events and
then the timeline here. And you can
essentially, you know, view a trend--or the
trend--of events there. You then
have the top source countries
right over here. And if I just run
another check really quickly here
through the NIDS website--
so let me just run the curl command--
you should actually see that because
we are reaching out to, you know, there's a
connection made to an external server,
that it should reflect that info under
the top countries--the top source countries.
So we then have the events here, which,
you know, you can click on. And then,
of course, you have the sources.
So these are the Snort event types,
and these are actually the
classifications. So we can see potentially
bad traffic, attempted information leak,
and, you know, you can just refresh your
dashboard to get the latest.
So we'll give that a couple of seconds.
And you can also specify the actual interval period.
So I'll just wait for this. Let's
see if it's actually being logged or
whether we can see all of that. So I'll
just go back into the dashboard here,
and we'll go into Search and Reporting.
And we click on the actual
Data Summary and the Sources. We can
see we have Snort there, and then /var/snort/alert.
So we click on Snort there. Okay.
So this is bad traffic. That's
really weird because
the source is Snort. We had added two
sources there.
So Data Summary--
let me just click on that there. And if
we click on the sources there, this is
the one that we want, ideally.
Yeah. So that looks like the correct one there.
Yeah. That's the correct traffic. I
think that's why the actual--let me
see if I can find it. So Snort Alerts for
Splunk--let me click on the app there.
Show Filters. It should be displaying
much more than that because I know--yeah,
there are not just four.
So
if we actually head over into the
Snort Event Search here,
we can actually search for--you know,
we can utilize--yeah. So these are only--
this is only monitoring the pings. So
that's weird. I'm not really sure why we
have two data sources. I think it's to do
with the fact
that, you know, we had--so let me
just go back here.
Apps > Search, and sudo root.
Let me just check that here. So cd local,
vim
inputs.conf. So there we are. So the
source is Snort.
We already specified the source as Snort
there,
but it's also adding
this particular, you know, the alert,
as a source as well.
And then the source type is snort_alert_full, index main.
Yeah. That
should be working. That should be working
without any issues. I'm not really sure
why that is the case, but
we can actually customize what dataset
we want to use.
So
I think--let me actually showcase how to
do that right now.
So apologies about that. I actually
figured out what the issue was. It was
because the system I was running
these particular
attacks from wasn't even connected to
the local network.
And even though I was running
these attacks, I did realize that, of
course, they weren't working. So I've just reconnected it.
And what I'm going to do is I'm just going to
run this one more time.
So just give me a second here, and I'll
be able to do that one more time. So
let me just navigate to that particular
directory,
and we'll actually see whether this will work.
So
you can actually see there's much more
that has been captured in regards to
events, and I'll be explaining this
dashboard in a couple of seconds.
So let me just
launch that first attack there--so that
you know--let me just launch that first
type of check. And of course, I'm using
TestMyNIDS here. So, unfortunately,
that wasn't even being logged, which is
why I was a bit confused as to why those
logs are not being displayed here.
So I'll give that a couple of seconds,
and we'll be able to see this happen
in real time as well.
Alright. So that is done. So I've
essentially launched a couple of those
tests. And, as I said,
this is your default
dashboard that you're provided with here.
So,
you know, you can actually refresh
all of these panels here, if you will.
So that'll display the
latest. And, as I said here, because I'd
performed the actual check
and it connected to an external server,
you can see that the top source
countries are highlighted there.
You can also refresh the number of
events, as you can see here,
and the number of sources. So
you can also do that for the rest of
the panels. These are the top 10
classifications
in terms of events, if you will, and then
these Snort event types, as you can see here.
So, for example, in this case, we have the
Attack-Response ID Check, which, if we
click on
right over here,
you can see that it actually displays
that, and you can then
click on the signature itself. And this
is for statistics. Now, if you click on
the Snort Event Search tab right over here,
you can see that this allows you to
search based on the source IP, the source
port, the destination IP, destination port,
and the event type. So I can check for
attack responses based on the rule set
that we had used previously.
And I can also specify the timing. Right?
So that's really fantastic there.
So you can see that right over here, we
have that logged,
which is fantastic. And
if we click on the Snort World Map,
that'll essentially--as you'll see in a
couple of seconds--this will essentially
display the countries by the source IPs.
In this case, it should display the
United States, which makes sense.
And there we are. So, again, this is
extremely helpful, especially if you work
in a SOC. And as I said, there's multiple,
you know, security tools you can
integrate with Splunk.
Now, one thing that I wanted to highlight
is--you can, if you click on Edit--and I'll
just go back to the
Event Summary here because this is very
important--
you can set this as your main dashboard.
So if you right-click here, you can set
this as your home dashboard.
So I'll just click on that there.
And now you'll see on your dashboard
here, if I just close that top menu,
that'll actually be displayed there. So
give it a couple of seconds.
And, of course, you can click on the cogwheel here
and essentially display--whatever--
you know, you can specify your default
dashboard. Now, there are a couple of
other ones that are created by default.
But yeah, you can have that on your dashboard.
And, you know, if you actually click
on the Snort--the Snort Alerts for Splunk app here--
and we'll just go back into that Snort
Event Summary tab,
you can actually edit the way these
particular panels are tiled. So,
you know, you can actually convert it to a
prebuilt panel. You can get rid of it.
You can also move them around based
on your own requirements. And, in this
case, you can actually--let's see if I can
show you. You can actually select the visualization.
So, in this case, I think the default
one is fine, and you can then view the
report here. So
if we click on this one here, for example,
we could actually use the bar graph to
display the--you know--the number of--the actual--
the top source countries, and have
them displayed in a bar graph style. But
we can just take it back into the pie
chart there. And you can also change this
for the events as well.
So, you know, if we wanted to view a
trend, we can click on the bar graph there.
In this case, I don't think that's
formatted correctly. So if we just use
the default one,
which I believe was--I think it was--no,
that wasn't the one. I believe it was--
let's see if I can identify it here. It
was the number. There we are. So,
as I said, you can customize this based on your own--
you know--your own requirements. So, for example,
this one might do well if it was in the
form of a bar graph. So, you know,
you can utilize that if you feel that
that is appropriate.
In this case, you know, we can also
specify the actual--you know--we can
actually list the events themselves.
Let's see which other ones look
really good here.
And yeah, once you're done with the
customization, you can then cancel or
save based on your requirements. And you
can also filter on this particular tab
here, you know, through the source IP, destination IP, etc.
Let's see, what else did I want to highlight?
Let me just refresh this once more
and, you know, to essentially get the latest data.
And you can see, in terms of the panels,
this will display the last 100 attempts.
And you can go through them like so.
You can also view--I think we've gone
through all of them--but you have the
persistent sources. So, two or more days
of activity in the last 30 days. So you
actually need a lot of data for that to
be displayed or to give you anything useful.
Yep. So that is
what I wanted to highlight in regards to
the Snort Alerts for Splunk app and the
actual dashboards, which, as I said, it
already does for you.
Now, you can create your own dashboard, as
I said, if I go back into Apps > Search and Reporting,
based on your own sources. So I'll just
click on Data Summary there. And if I
click on Sources,
you can click on
this source here, for example. And,
you know, in this case, we can actually
just click on that there. And I can click
on Extract Fields,
and you can extract the fields with
regex. So I'll click on Next there.
And you can then select the fields that
you want. So, for example, in this case, we
would want the date and time.
So I can just highlight that there. So I
can say
time, for example, add the extraction.
And then, of course, we have the source IP
and the port. But I'll just highlight
them together. But I think it's actually
recommended just to highlight the source IP there.
So source--we can say src underscore port, IP.
Add that extraction, and we then have the
destination IP, which, in this case,
because this is
an SNMP broadcast
request, we can--we know that that's the
destination IP. So I'll say dst underscore IP, add the extraction.
Let's see what else we can do.
In this case, it's saying the extraction
field you're extracting--if you're
extracting multiple fields, try removing
one or more fields. Start with the
extractions that are embedded within
longer strings. Okay. So let's try and use
another alert here
that was kind of interesting. Let's see.
It's not displaying all of them here, but
you get the idea. Once you're done--
you know, for example, I can remove
that field here. I'm just giving you an
example of that. So remove that field.
There we are. I can then say Next, and
I can click on Validate and Save based
on those fields there. Hit Finish.
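The regex field extraction done by hand in Splunk above, as an added example in Python (not from the video or the Snort app): it parses the snort_alert_full record layout into the fields the video extracts (time, source IP and port, destination IP and port) plus signature and classification. The alert records are a constructed sample using documentation and private-range addresses, not data from the video.

```python
import re

# Header-line patterns of the Snort "alert full" format that Splunk ingests here.
SIG_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]")
ADDR_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "   # ports are absent for ICMP
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$")
PROTO_RE = re.compile(r"^(?P<proto>[A-Z]+) TTL:")

def parse_alert_full(text: str) -> list[dict]:
    """Split the alert file on blank lines; records that do not match the header lines are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        sig = SIG_RE.match(lines[0]) if lines else None
        if not sig:
            continue
        cls = CLASS_RE.match(lines[1]) if len(lines) > 1 else None
        body = lines[2:] if cls else lines[1:]   # rules without a classtype omit that line
        if len(body) < 2:
            continue
        addr, proto = ADDR_RE.match(body[0]), PROTO_RE.match(body[1])
        if not (addr and proto):
            continue
        alerts.append({
            "time": addr["time"], "sid": sig["sid"], "msg": sig["msg"], "proto": proto["proto"],
            "classification": cls["classification"] if cls else "unclassified",
            "priority": int(cls["priority"]) if cls else None,
            "src_ip": addr["src_ip"], "src_port": int(addr["src_port"]) if addr["src_port"] else None,
            "dst_ip": addr["dst_ip"], "dst_port": int(addr["dst_port"]) if addr["dst_port"] else None,
        })
    return alerts

# Constructed sample alert file (documentation and private-range IPs), not real capture data.
SAMPLE_ALERT_FILE = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/12-10:15:42.123456 203.0.113.7:80 -> 192.168.56.10:51234
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF

[**] [1:1411:10] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/12-10:16:03.000001 192.168.56.20:48192 -> 192.168.56.255:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:70

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
07/12-10:16:10.500000 192.168.56.1 -> 192.168.56.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
"""
```

The ICMP record shows why a single src_ip:src_port regex fails on part of the file, which is the "try removing one or more fields" complaint the video hits.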
And then, you know, I can go back,
you know, to Search and Reporting.
And if I wanted to create a very simple
visualization, which I'll show you right now--
even though I don't really need those
extracted fields, although they might be
useful--so
I can click on those extracted fields
now. I believe they should have been added.
I'm not really sure why they aren't
being highlighted here. There we are.
So source IP.
We can also, say, specify the source port.
We--oh, there they are. So
actually, they took a while to be
displayed there. So,
source port--that--why not? We can--
yeah, I think that's pretty much it. So
based on those, we can actually build
an event type. However, if we go to
Visualization and click on Pivot here--
selected fields is five--hit OK.
We can actually, you know, visualize this
however we want. So, for example, if I
wanted a column chart here--
so number one will display the count--
I can just add the events
because that's the count. And we should
have, at the bottom, the time, which I did
specify--I believe within that range there--
but that's not being highlighted here. So
the number of events--and, you know, you
can go ahead and click as--you can
essentially save it.
So you get the idea. You don't really
need to do this because we have the
Snort app here,
which pretty much gives you the
summaries that are useful to you or for you.
And there we are. So fantastic. So that's
going to conclude the practical
demonstration side of this video.
So, thank you very much for watching
this video. If you have any questions or
suggestions, leave them in the comment section.
If you want to reach out to me, you can
do so via
Twitter or the Discord server. The links
to both of those are in the description
section. Furthermore, we are now moving on
to part two. So this will conclude part
one. Part two will be available on the
Linode's ON24 platform. So, the videos
are available on-demand. So all you
need to do is just click the link
in the description, register for part two,
after which an email will be sent to you,
and you'll be given--you know--
immediate access to the videos
within part two. So, thank you very
much for watching part one. In the
next video, in part two, we'll get started--
or we'll take a look--at host intrusion
detection with OSSEC. So I'll be seeing
you in the next video.
[Music].