0:00:01.120,0:00:03.520
Hello, everyone. Welcome back to the Blue

0:00:03.520,0:00:05.440
Team training series brought to you by

0:00:05.440,0:00:08.160
Linode and Hackersploit. In this video,

0:00:08.160,0:00:10.160
we're going to be taking a look at how

0:00:10.160,0:00:12.160
to set up or how to perform security

0:00:12.160,0:00:14.400
event monitoring with Splunk, more

0:00:14.400,0:00:16.800
specifically, Splunk Enterprise

0:00:16.800,0:00:18.640
Security. Right? So the objective here

0:00:18.640,0:00:21.439
will be to monitor intrusions and

0:00:21.439,0:00:23.519
threats with Splunk. And you might be

0:00:23.519,0:00:25.119
asking yourself, well, how are we going to

0:00:25.119,0:00:28.400
do this? What setup are we using? Well, the

0:00:28.400,0:00:30.480
scenario that I've set up for this video

0:00:30.480,0:00:32.559
is we are essentially going to

0:00:32.559,0:00:34.320
take all the knowledge that we've

0:00:34.320,0:00:37.680
learned during the Snort video, and we

0:00:37.680,0:00:39.360
are going to essentially forward all of

0:00:39.360,0:00:42.719
the Snort logs into Splunk or have

0:00:42.719,0:00:44.480
that done automatically through the

0:00:44.480,0:00:47.680
Splunk Universal Forwarder so that we get

0:00:47.680,0:00:50.320
the latest logs when Snort is running on

0:00:50.320,0:00:52.399
our Ubuntu virtual machine.

0:00:52.399,0:00:55.039
And the objective here is to use Splunk

0:00:55.039,0:00:58.000
in conjunction with the Splunk's Snort app

0:00:58.000,0:01:01.039
to essentially visualize and identify or

0:01:01.039,0:01:03.359
monitor network intrusions and any

0:01:03.359,0:01:06.720
malicious network traffic, you know, within the

0:01:06.720,0:01:08.980
network that I'm monitoring.

0:01:08.980,0:01:18.782
[Music].

0:01:19.360,0:01:21.680
At a very high level, what will we be

0:01:21.680,0:01:23.280
covering? Well, firstly, we'll get an

0:01:23.280,0:01:25.439
introduction to Splunk. Now before we

0:01:25.439,0:01:28.400
move any further or we actually carry on,

0:01:28.400,0:01:30.720
I do want to note that this video is not

0:01:30.720,0:01:32.400
going to be focused on Splunk

0:01:32.400,0:01:34.640
fundamentals. I'm going

0:01:34.640,0:01:36.400
to assume that you already know what

0:01:36.400,0:01:40.400
Splunk is and how it can be used, you know,

0:01:40.400,0:01:42.079
and how it's used generally speaking.

0:01:42.079,0:01:44.720
Because Splunk is not really a tool

0:01:44.720,0:01:48.320
that is specific to security, for example.

0:01:48.320,0:01:49.759
That's why they have the Splunk

0:01:49.759,0:01:52.720
Enterprise Security version or edition.

0:01:52.720,0:01:54.320
And I'm just going to assume that you

0:01:54.320,0:01:56.079
know how to use Splunk at a very basic

0:01:56.079,0:01:58.320
level. So once we get an introduction to

0:01:58.320,0:02:00.960
Splunk, we'll go over Splunk Enterprise

0:02:00.960,0:02:05.119
Security--the Enterprise Security edition--and how it

0:02:05.119,0:02:06.640
can be used for security event

0:02:06.640,0:02:08.399
monitoring, especially in our case

0:02:08.399,0:02:10.879
because we want to essentially monitor

0:02:10.879,0:02:13.280
the intrusion detection logs

0:02:13.280,0:02:15.360
generated by Snort.

0:02:15.360,0:02:16.800
So we'll then move on to deploying

0:02:16.800,0:02:18.720
Splunk Enterprise Security on Linode,

0:02:18.720,0:02:20.640
which is absolutely fantastic because

0:02:20.640,0:02:22.560
they have a cloud image

0:02:22.560,0:02:24.560
available for it that allows you to spin

0:02:24.560,0:02:26.400
it up without going through the process

0:02:26.400,0:02:28.720
of installing it and configuring it. So

0:02:28.720,0:02:30.720
that'll set it up for us.

0:02:30.720,0:02:32.800
We'll then take a look at how to

0:02:32.800,0:02:35.280
configure Splunk, and how to set up the

0:02:35.280,0:02:38.239
Splunk Universal Forwarder on the Ubuntu

0:02:38.239,0:02:40.480
virtual machine that is running Snort so

0:02:40.480,0:02:42.319
that we can forward those logs into

0:02:42.319,0:02:44.560
Splunk. And then, of course, we'll take

0:02:44.560,0:02:46.720
a look at the Splunk Snort event

0:02:46.720,0:02:49.519
dashboard that will be provided to us by

0:02:49.519,0:02:52.879
the Splunk Snort app. So if this sounds like

0:02:52.879,0:02:55.360
gibberish to you, don't worry. It will make

0:02:55.360,0:02:58.139
sense in a couple of minutes.

0:02:58.879,0:03:00.959
With that being said, given the fact

0:03:00.959,0:03:02.800
that we're going to be using, you know,

0:03:02.800,0:03:04.400
we're going to be using Snort to

0:03:04.400,0:03:06.959
generate alerts and monitor those alerts,

0:03:06.959,0:03:09.040
if you have not gone through

0:03:09.040,0:03:11.519
the actual Snort video, please do that as

0:03:11.519,0:03:14.239
it'll help you set up Snort, and you can

0:03:14.239,0:03:16.400
then run through this demo. With that

0:03:16.400,0:03:19.280
being said, this is not a holistic video

0:03:19.280,0:03:20.800
that will cover everything you can do

0:03:20.800,0:03:23.440
with Splunk Enterprise Security. We are

0:03:23.440,0:03:26.010
just focused on the intrusion

0:03:26.010,0:03:27.760
detection logs produced

0:03:27.760,0:03:30.000
by Snort and how they can be

0:03:30.000,0:03:32.879
imported or forwarded to Splunk for,

0:03:32.879,0:03:35.680
you know, analysis and monitoring.

0:03:35.680,0:03:38.159
So the prerequisites are the same as

0:03:38.159,0:03:39.760
the previous videos. The only difference

0:03:39.760,0:03:41.680
is, you know, that you need to have a

0:03:41.680,0:03:43.840
basic familiarity with Splunk and how to

0:03:43.840,0:03:46.080
navigate around the various menu

0:03:46.080,0:03:47.760
elements and, yeah,

0:03:47.760,0:03:49.680
essentially just how to use it at a very

0:03:49.680,0:03:51.360
basic level. If you're not familiar with

0:03:51.360,0:03:54.239
Splunk, I'll give you a few resources at

0:03:54.239,0:03:56.780
the end of these slides

0:03:56.780,0:03:58.159
that'll help you out or help

0:03:58.159,0:04:00.769
you get started. Alright.

0:04:00.769,0:04:01.760
So let's get an introduction

0:04:01.760,0:04:04.239
to Splunk. So what is Splunk? That's the

0:04:04.239,0:04:05.680
main question. If you've never heard of

0:04:05.680,0:04:08.480
Splunk, Splunk is an extremely powerful

0:04:08.480,0:04:10.400
platform that is used to analyze data

0:04:10.400,0:04:13.360
and logs produced by systems or machines,

0:04:13.360,0:04:15.920
as Splunk likes to call them. So

0:04:15.920,0:04:18.639
what problem is Splunk trying to solve

0:04:18.639,0:04:20.880
here? Well, let's look at this from the

0:04:20.880,0:04:24.880
perspective of Web 2.0 or, you know, the

0:04:24.880,0:04:26.720
interconnected world we live in

0:04:26.720,0:04:29.199
today. And we're going to be looking at

0:04:29.199,0:04:31.199
it from the context of or from the

0:04:31.199,0:04:33.360
perspective of security.

0:04:33.360,0:04:35.759
So if we take a simple system--let's say

0:04:35.759,0:04:38.720
we have a Windows operating system or a

0:04:38.720,0:04:41.360
system running Windows--well, that Windows

0:04:41.360,0:04:44.880
system produces a lot of data or logs

0:04:44.880,0:04:47.040
that, you know, contain

0:04:47.040,0:04:48.800
information that, you know, at first

0:04:48.800,0:04:51.600
glance might not seem that important. But

0:04:51.600,0:04:53.919
once you start getting into specific

0:04:53.919,0:04:57.360
sectors like security, those logs start,

0:04:57.360,0:04:59.680
you know, those logs have, you know,

0:04:59.680,0:05:02.080
very important value to organizations.

0:05:02.080,0:05:04.880
Now multiply that by a thousand systems.

0:05:04.880,0:05:06.800
So let's say we have an organization.

0:05:06.800,0:05:08.560
They have a thousand computers within

0:05:08.560,0:05:10.479
their network or, you know, distributed

0:05:10.479,0:05:13.520
worldwide. And all of these systems,

0:05:13.520,0:05:14.960
you know, need to be secured. Their

0:05:14.960,0:05:17.919
security needs to be monitored. So how do

0:05:17.919,0:05:20.560
we monitor all of this? Well, this is

0:05:20.560,0:05:22.639
where Splunk comes into play. So Splunk

0:05:22.639,0:05:25.280
allows you to essentially funnel all of

0:05:25.280,0:05:27.800
this data produced by systems or

0:05:27.800,0:05:30.720
machines into Splunk. And then Splunk allows you

0:05:30.720,0:05:32.560
to monitor, search, and analyze this

0:05:32.560,0:05:35.280
machine-generated data and the logs

0:05:35.280,0:05:37.840
through a web interface. So in order to

0:05:37.840,0:05:39.680
use Splunk, you'll need to import your

0:05:39.680,0:05:42.479
own data or logs. Alternatively, you can

0:05:42.479,0:05:45.280
utilize the Splunk Universal Forwarder to

0:05:45.280,0:05:47.759
forward logs and data to Splunk for

0:05:47.759,0:05:51.360
analysis and, of course, visualization, etc.

0:05:51.360,0:05:53.280
Now, Splunk does so much more that I

0:05:53.280,0:05:55.199
really can't go over all of the features

0:05:55.199,0:05:56.880
here. But as I said, we're looking at this

0:05:56.880,0:06:00.400
from the lens of a security engineer.

0:06:00.400,0:06:02.240
Alright. So Splunk collates all the

0:06:02.240,0:06:04.800
data and logs from various sources and

0:06:04.800,0:06:06.720
provides you with a central index that

0:06:06.720,0:06:08.800
you can search through. Splunk also

0:06:08.800,0:06:11.039
provides you with robust visualization

0:06:11.039,0:06:12.720
and reporting tools that allow you to

0:06:12.720,0:06:15.360
identify the data that interests you,

0:06:15.360,0:06:17.440
transform the data into results, and

0:06:17.440,0:06:19.840
visualize the answers in the form of a

0:06:19.840,0:06:23.280
report, chart, graph, etc. Alright. So what

0:06:23.280,0:06:25.360
I'm saying here is that Splunk allows

0:06:25.360,0:06:28.080
you to take all of this security-related

0:06:28.080,0:06:31.600
logs and data and make sense of them and

0:06:31.600,0:06:33.520
essentially get the answers that you're

0:06:33.520,0:06:35.520
looking for. So, for example, from the

0:06:35.520,0:06:37.680
perspective of a security engineer, what

0:06:37.680,0:06:40.240
do you want from all of this data? Well,

0:06:40.240,0:06:42.160
at a very high level, you want to know

0:06:42.160,0:06:44.080
whether something is going wrong and

0:06:44.080,0:06:46.400
what could go wrong. In the context of

0:06:46.400,0:06:48.800
security, a network could be compromised.

0:06:48.800,0:06:50.560
There could be some malicious network

0:06:50.560,0:06:53.120
traffic or activity going on. A system

0:06:53.120,0:06:55.919
could be compromised, etc., etc. You get the

0:06:55.919,0:06:58.160
idea. So we need that data to be

0:06:58.160,0:07:00.560
displayed to us as a security engineer.

0:07:00.560,0:07:02.560
And Splunk is really one of the best

0:07:02.560,0:07:04.960
tools, you know, when it comes down to,

0:07:04.960,0:07:08.000
you know, taking a lot of data

0:07:08.000,0:07:09.840
and then identifying the data that

0:07:09.840,0:07:11.840
interests you, transforming that data

0:07:11.840,0:07:14.960
into results, and then visualizing that

0:07:14.960,0:07:17.360
data in the form of a report, chart, or

0:07:17.360,0:07:19.759
graph. Right. So that's really what we're

0:07:19.759,0:07:21.599
going to be doing. And as I said, going

0:07:21.599,0:07:23.520
back to the scenario, we're going to be

0:07:23.520,0:07:26.080
focusing on how to, you know, essentially

0:07:26.080,0:07:28.800
get in or how to forward

0:07:28.800,0:07:33.360
the logs created--or the logs and alerts created--by

0:07:33.360,0:07:36.000
Snort into Splunk for analysis. And

0:07:36.000,0:07:39.280
luckily for us, Splunk has a Snort app or

0:07:39.280,0:07:40.960
plug-in, if you will, that will

0:07:40.960,0:07:43.680
essentially simplify this process.

0:07:44.100,0:07:47.360
So, let's get an idea as to, you know, how we

0:07:47.360,0:07:49.120
can use Splunk for security event

0:07:49.120,0:07:51.759
monitoring. So Splunk Enterprise Security,

0:07:51.759,0:07:54.800
also known as Splunk ES, is a security

0:07:54.800,0:07:56.800
information and event management

0:07:56.800,0:07:59.199
solution, also known as a SIEM.

0:07:59.199,0:08:01.360
It is used by security

0:08:01.360,0:08:03.680
teams to quickly detect and respond to

0:08:03.680,0:08:06.160
internal and external attacks or threats

0:08:06.160,0:08:09.680
or intrusions. So Splunk ES can be used

0:08:09.680,0:08:11.759
for security event monitoring, incident

0:08:11.759,0:08:15.919
response, and running a SOC or Security Operations Center.

0:08:15.919,0:08:18.080
In this video, we'll be using Splunk ES

0:08:18.080,0:08:20.000
to monitor and visualize the Snort

0:08:20.000,0:08:22.240
intrusion alerts. This will be

0:08:22.240,0:08:24.400
facilitated through the help of the Snort

0:08:24.400,0:08:26.639
app for Splunk and the Splunk Universal

0:08:26.639,0:08:29.280
Forwarder. Now, the Splunk Universal Forwarder

0:08:29.280,0:08:31.199
is pretty much the most important

0:08:31.199,0:08:33.039
element of what we'll be exploring

0:08:33.039,0:08:35.200
because what it does--and this is really

0:08:35.200,0:08:37.200
cool--is it automatically

0:08:37.200,0:08:39.279
forwards the latest logs,

0:08:39.279,0:08:42.479
even when Snort is running. It forwards those

0:08:42.479,0:08:45.040
alerts and logs into Splunk, and you can

0:08:45.040,0:08:46.560
see them in real time, which is

0:08:46.560,0:08:49.440
absolutely fantastic.

0:08:49.440,0:08:52.320
So as I said, if you're new to Splunk,

0:08:52.320,0:08:54.800
then these resources are really helpful

0:08:54.800,0:08:57.120
for you. Splunk offers really great

0:08:57.120,0:08:59.040
tutorials and courses designed for

0:08:59.040,0:09:00.720
absolute beginners. You can check that

0:09:00.720,0:09:02.959
out by clicking on the link within this

0:09:02.959,0:09:05.600
slide. And you can learn more about the

0:09:05.600,0:09:08.160
Splunk Enterprise Security edition from

0:09:08.160,0:09:09.760
that particular link.

0:09:09.760,0:09:12.240
Now, as I said, we are going to be deploying

0:09:12.240,0:09:15.200
Splunk on Linode, more specifically

0:09:15.200,0:09:17.120
Splunk ES. And this is the lab

0:09:17.120,0:09:19.200
environment. So we're going to spin up,

0:09:19.200,0:09:21.519
you know, Splunk ES on Linode. Now, again,

0:09:21.519,0:09:23.279
to follow through with this, you

0:09:23.279,0:09:25.760
know, Linode has been absolutely fantastic

0:09:25.760,0:09:28.320
with, you know, by providing all of

0:09:28.320,0:09:31.189
you guys with a way to get $100

0:09:31.189,0:09:33.279
in free Linode credit. All you

0:09:33.279,0:09:35.120
need to do is just click the link in the

0:09:35.120,0:09:37.440
description section and sign up, and

0:09:37.440,0:09:39.040
$100 will be added to your

0:09:39.040,0:09:40.959
account so that you can follow along

0:09:40.959,0:09:43.279
with this series. So we're going to

0:09:43.279,0:09:45.200
set up Splunk ES on Linode. And then

0:09:45.200,0:09:47.279
within my internal network, we're just

0:09:47.279,0:09:49.040
going to have a very basic infrastructure.

0:09:49.040,0:09:50.399
We're going to have the Ubuntu virtual

0:09:50.399,0:09:52.880
machine that is running Snort. This is the

0:09:52.880,0:09:54.880
same virtual machine that we had set up

0:09:54.880,0:09:57.680
and used to set up Snort and set up

0:09:57.680,0:10:00.309
Suricata and the one we had used with Wazuh.

0:10:01.360,0:10:03.519
And, yeah, that's essentially it. We're

0:10:03.519,0:10:04.720
going to have a very basic

0:10:04.720,0:10:06.399
infrastructure where we have an attacker

0:10:06.399,0:10:09.519
system that I'm going to be using to perform

0:10:09.519,0:10:11.600
a bit of network

0:10:11.600,0:10:15.040
intrusion detection emulation, whereby

0:10:15.040,0:10:17.519
I will essentially perform or run a

0:10:17.519,0:10:20.880
couple of commands or scripts to

0:10:20.880,0:10:23.279
essentially emulate malicious network

0:10:23.279,0:10:26.160
activity so that these logs are

0:10:26.160,0:10:28.320
essentially--so this traffic is

0:10:28.320,0:10:29.839
essentially logged--and that'll provide

0:10:29.839,0:10:32.800
us with a good idea as to how helpful

0:10:32.800,0:10:35.279
Splunk is for security event monitoring,

0:10:35.279,0:10:38.880
especially in the context of network intrusions.

0:10:40.320,0:10:41.920
So as I said, you don't really need to

0:10:41.920,0:10:44.240
have a Windows workstation. You simply

0:10:44.240,0:10:46.000
need to have the Ubuntu VM, and you can

0:10:46.000,0:10:48.800
pretty much run everything from it. And,

0:10:48.800,0:10:50.560
of course, you can set up the Splunk

0:10:50.560,0:10:54.240
Enterprise Security server on Linode

0:10:54.240,0:10:56.480
without any issues.

0:10:56.480,0:10:58.399
So that's the lab environment. We can now

0:10:58.399,0:11:00.000
get started with the practical

0:11:00.000,0:11:01.440
demonstration. So I'm going to switch

0:11:01.440,0:11:05.040
over to my Ubuntu virtual machine.

0:11:05.040,0:11:07.600
Alright. So I'm back on my Ubuntu

0:11:07.600,0:11:09.360
virtual machine, and you can see I have

0:11:09.360,0:11:11.279
Linode opened up here.

0:11:11.279,0:11:13.279
I haven't set anything up yet because

0:11:13.279,0:11:14.640
we're going to be walking through the

0:11:14.640,0:11:16.079
process together.

0:11:16.079,0:11:18.959
I then have the Splunk.com website here.

0:11:18.959,0:11:21.040
So if you're new to Splunk, then you need

0:11:21.040,0:11:22.640
to create a new account in order to

0:11:22.640,0:11:25.740
follow along. So just head over to

0:11:25.740,0:11:27.279
Splunk.com and, you know,

0:11:27.279,0:11:29.519
register for an account. It's free.

0:11:29.519,0:11:31.120
Once that is done,

0:11:31.120,0:11:33.120
you'll need to activate your account or

0:11:33.120,0:11:35.120
verify your account through

0:11:35.120,0:11:36.880
the verification email

0:11:36.880,0:11:39.680
they'll send you. Once that is done,

0:11:39.680,0:11:41.279
we can then move forward. Because in

0:11:41.279,0:11:44.320
order to access the actual

0:11:44.320,0:11:46.800
Splunk Universal Forwarder, you'll need to

0:11:46.800,0:11:48.720
have an account. And of course, you

0:11:48.720,0:11:50.639
know, in this case, I'll be going through

0:11:50.639,0:11:52.800
everything as we move along in a

0:11:52.800,0:11:55.519
structured manner. And

0:11:55.519,0:11:59.120
then to perform the actual NIDS tests,

0:12:00.160,0:12:01.780
we are going to be using the

0:12:01.780,0:12:03.839
testmyNIDS.org project,

0:12:03.839,0:12:06.480
which is on GitHub. So this is

0:12:06.480,0:12:08.880
essentially a bash script

0:12:08.880,0:12:11.440
that allows you to--as you can see here--

0:12:11.440,0:12:13.279
it allows you to essentially emulate or

0:12:13.279,0:12:16.800
simulate malicious network traffic. So,

0:12:16.800,0:12:19.440
previously, we had used

0:12:19.440,0:12:21.279
the website technique to essentially get

0:12:21.279,0:12:23.760
a Linux UID, and that traffic would be

0:12:23.760,0:12:26.240
logged as malicious, or

0:12:26.240,0:12:27.760
it could be logged as a potential

0:12:27.760,0:12:30.000
intrusion. And we can run a few other

0:12:30.000,0:12:33.360
checks like HTTP basic authentication,

0:12:33.360,0:12:35.519
bad certificate authorities,

0:12:35.519,0:12:38.639
an EXE or DLL download over HTTP. So,

0:12:38.639,0:12:40.720
you know, we can run tests that,

0:12:40.720,0:12:42.959
you know, will just make our

0:12:42.959,0:12:45.440
intrusion detection system blow up in

0:12:45.440,0:12:47.600
terms of alerts. And that's what we want

0:12:47.600,0:12:49.519
because we want to see how that data is

0:12:49.519,0:12:52.160
presented to us as a security engineer

0:12:52.160,0:12:55.040
on Splunk. With that being said, the first

0:12:55.040,0:12:58.030
step, of course, is to set up Splunk ES on Linode.

0:12:58.330,0:13:04.079
So just click on “Create a Linode” and click on “Marketplace.”

0:13:04.079,0:13:06.399
And they already have Splunk here. So

0:13:06.399,0:13:08.480
there we are. You can click on that there.

0:13:08.480,0:13:10.240
And if you click on this little info

0:13:10.240,0:13:12.399
button here, it'll give you an idea as to

0:13:12.399,0:13:14.320
how to deploy it on

0:13:14.320,0:13:16.480
Linode. And, of course, you have more

0:13:16.480,0:13:18.399
information regarding Splunk. So you have

0:13:18.399,0:13:20.480
the documentation link there. So I'll

0:13:20.480,0:13:22.959
just click on Splunk.

0:13:22.959,0:13:24.639
Once that is clicked, we can then head

0:13:24.639,0:13:26.720
over here. You'll need to specify the

0:13:26.720,0:13:28.959
Splunk admin user. I recommend using

0:13:28.959,0:13:32.510
“admin” to begin with and then specify a password.

0:13:33.440,0:13:35.519
If you're setting up, you know, Splunk on

0:13:35.519,0:13:37.600
a domain, then you can specify the

0:13:37.600,0:13:39.839
Linode API token to essentially create

0:13:39.839,0:13:42.320
the DNS records--that's if you're using

0:13:42.320,0:13:44.320
Linode's DNS service.

0:13:45.839,0:13:47.519
And then, of course, you need to add

0:13:47.519,0:13:49.519
the admin email for the server. So in

0:13:49.519,0:13:52.000
this case, I can just say, for example,

0:13:52.000,0:13:55.080
hackersploit@gmail.com.

0:13:55.519,0:13:57.360
Don't spam me on this email because I

0:13:57.360,0:13:59.519
don't respond anyway. So we can create

0:13:59.519,0:14:01.040
another user.

0:14:01.040,0:14:02.480
This is the username for the

0:14:02.480,0:14:04.720
Linode admin's SSH user. Please ensure

0:14:04.720,0:14:06.480
that the username does not contain any...

0:14:06.480,0:14:08.880
so we can just call this “admin.” And then

0:14:08.880,0:14:11.360
for the admin user, we'll just say

0:14:11.360,0:14:13.199
provide that there.

0:14:13.199,0:14:14.800
So the image--we're going to set it up on

0:14:14.800,0:14:18.079
Ubuntu 20.04. The region--I’ll say London

0:14:18.079,0:14:19.920
because that's closest to me.

0:14:19.920,0:14:22.240
As for the actual Linode plan,

0:14:22.240,0:14:24.720
Linode ES doesn't require that many

0:14:24.720,0:14:26.480
resources, especially because, you know,

0:14:26.480,0:14:28.720
the amount of data that we're processing

0:14:28.720,0:14:30.959
or the logs that are being forwarded to

0:14:30.959,0:14:34.320
Splunk are relatively few--so less than

0:14:34.320,0:14:36.160
100--which, if you've used Splunk before

0:14:36.160,0:14:37.920
for security event monitoring, you know

0:14:37.920,0:14:39.040
that that is

0:14:39.040,0:14:41.199
really, really small. In

0:14:41.199,0:14:43.199
fact, Splunk will actually tell you,

0:14:43.199,0:14:44.959
you know, that the amount of data

0:14:44.959,0:14:47.519
to begin with that you have imported or

0:14:47.519,0:14:50.670
forwarded is too little to make any sense of.

0:14:50.880,0:14:52.480
But that's where the Snort app for

0:14:52.480,0:14:54.800
Splunk comes into play. So I'll just say

0:14:54.800,0:14:56.000
“Splunk,”

0:14:56.000,0:14:59.360
and I'll provide my root password for the server.

0:14:59.360,0:15:02.079
And we can click on “Create.”

0:15:02.079,0:15:03.360
Alright. Now,

0:15:03.360,0:15:06.079
once this is set up and provisioned,

0:15:06.079,0:15:08.079
the actual installer is going to begin.

0:15:08.079,0:15:10.079
So it's going to set up because there is

0:15:10.079,0:15:13.410
an auto-installer setup that will set up Splunk.

0:15:13.410,0:15:15.199
Yes. For you. So, let it

0:15:15.199,0:15:16.880
provision. After that's done, you can

0:15:16.880,0:15:19.199
launch the Lish console to avoid logging

0:15:19.199,0:15:22.160
in via SSH. And of course, one thing that

0:15:22.160,0:15:24.000
I don't need to tell you

0:15:24.000,0:15:25.680
is, if you're setting this up for

0:15:25.680,0:15:27.680
production, then you need to make sure

0:15:27.680,0:15:29.759
you're securing your server. So do only

0:15:29.759,0:15:33.420
use SSH keys for authentication with the server.

0:15:33.759,0:15:35.920
If you're new to hardening and securing

0:15:35.920,0:15:37.759
a Linux server, you can check out the

0:15:37.759,0:15:39.360
previous series

0:15:39.360,0:15:41.920
that we did with Linux--the Linux Server

0:15:41.920,0:15:44.800
Security series. They'll give you,

0:15:44.800,0:15:46.959
you know, all the information you need to

0:15:46.959,0:15:49.759
secure a Linux server for production.

0:15:49.759,0:15:50.959
With that being said, I'm just going to

0:15:50.959,0:15:52.800
let it provision, after which we can

0:15:52.800,0:15:54.560
launch the Lish console to see what's

0:15:54.560,0:15:56.639
going on in the background. And we can

0:15:56.639,0:15:59.350
then get started, you know, officially

0:15:59.350,0:16:01.839
with how to set up Splunk. We then need

0:16:01.839,0:16:04.720
to set up the Universal Forwarder.

0:16:04.720,0:16:07.529
So, this is booting now.

0:16:08.639,0:16:11.120
Alright. So the server is booted, and

0:16:11.120,0:16:12.800
you can see I've just opened up the Lish

0:16:12.800,0:16:14.320
console here

0:16:14.320,0:16:15.920
to essentially view what's going on. As

0:16:15.920,0:16:18.000
you can see, it's begun setting up

0:16:18.000,0:16:20.399
Splunk ES. So just give this a couple of

0:16:20.399,0:16:22.809
minutes to essentially begin.

0:16:23.279,0:16:25.600
And once it's done, it'll actually

0:16:25.600,0:16:27.360
tell you that, and it'll provide you with the

0:16:27.360,0:16:28.800
login prompt.

0:16:28.800,0:16:30.399
But it's probably logged in as the root

0:16:30.399,0:16:32.000
user already. So

0:16:32.000,0:16:33.759
just let this complete. I'm just going to

0:16:33.759,0:16:36.880
wait for this to actually conclude.

0:16:36.880,0:16:40.000
Alright. So once Splunk ES is done,

0:16:40.000,0:16:42.880
or the actual Linode is done here

0:16:42.880,0:16:44.320
with the setup, you can see it's going to

0:16:44.320,0:16:46.240
tell you "installation complete,"

0:16:46.240,0:16:48.160
and you can then log in. Keep this

0:16:48.160,0:16:49.519
window open because this is going to be

0:16:49.519,0:16:50.880
very important, as we'll need to

0:16:50.880,0:16:53.440
configure a few firewall rules.

0:16:53.440,0:16:56.320
By default, this Linode comes with UFW,

0:16:56.320,0:16:58.720
which is the uncomplicated firewall for

0:16:58.720,0:17:00.079
Debian, or

0:17:00.079,0:17:02.000
it typically comes prepackaged with

0:17:02.000,0:17:04.959
Debian-based distributions like Ubuntu.

0:17:04.959,0:17:06.559
In this case, it's already added the

0:17:06.559,0:17:08.400
firewall rule for the port that we

0:17:08.400,0:17:10.000
wanted, but just keep it open because

0:17:10.000,0:17:12.559
we'll need to run a few checks. So you

0:17:12.559,0:17:14.000
can log in there. So I'm just going to

0:17:14.000,0:17:15.679
log in with the credentials that I

0:17:15.679,0:17:18.720
specified as the root user. And I can

0:17:18.720,0:17:22.160
just say sudo ufw status.

0:17:23.839,0:17:25.439
And you can see these are all the

0:17:25.439,0:17:28.160
allowed rules or the actual rules

0:17:28.160,0:17:30.400
configured for the firewall, which is

0:17:30.400,0:17:32.400
looking good so far.

0:17:32.400,0:17:35.679
So we can access the Splunk ES instance

0:17:35.679,0:17:37.840
that we set up by pasting in the IP of

0:17:37.840,0:17:42.080
the server and opening up port 8000.

0:17:42.080,0:17:44.080
That's going to open up Splunk ES for

0:17:44.080,0:17:45.760
you. So just give this a couple of

0:17:45.760,0:17:48.240
seconds. There we are. And the credentials

0:17:48.240,0:17:50.880
that we had used were "admin" and the

0:17:50.880,0:17:53.280
password that I created--that, you know,

0:17:53.280,0:17:54.559
of course, you'll be able to

0:17:54.559,0:17:57.200
specify yourself. So just sign in.

0:17:57.200,0:17:59.919
And once that is done, you'll be

0:17:59.919,0:18:04.560
brought to Splunk Enterprise Security here.

0:18:04.560,0:18:05.360
So there we are--explore

0:18:05.360,0:18:07.200
Splunk Enterprise.

0:18:10.000,0:18:11.360
And in this case, what we're going to be

0:18:11.360,0:18:14.080
doing--what we're going to start off with--

0:18:14.080,0:18:16.240
is we need to go through a few

0:18:16.240,0:18:19.350
configuration changes with Splunk itself.

0:18:19.760,0:18:22.880
So the idea, firstly, is to configure

0:18:22.880,0:18:26.120
the actual receiving of data.

0:18:26.120,0:18:27.360
So if you head over into "Settings,"

0:18:27.360,0:18:29.440
you can click on "Data," then just click

0:18:29.440,0:18:31.840
on "Forwarding and Receiving."

0:18:31.840,0:18:34.400
And once that is done--once that is

0:18:34.400,0:18:35.760
loaded up--

0:18:35.760,0:18:38.080
under "Receive Data," we need to

0:18:38.080,0:18:40.000
configure this instance to receive data

0:18:40.000,0:18:41.600
forwarded from other instances. So we

0:18:41.600,0:18:43.520
want to configure receiving,

0:18:43.520,0:18:46.799
and we just want to set the default receiving port.

0:18:46.799,0:18:50.400
So we can say "New Receiving Port,"

0:18:50.400,0:18:52.160
and the port is, of course, going to be

0:18:52.160,0:18:54.799
the default, which is 9997--which is why

0:18:54.799,0:18:56.640
that firewall rule was added. So I'll

0:18:56.640,0:18:58.182
click on Save.

0:18:58.880,0:19:01.200
Alright. So once that is done, we can

0:19:01.200,0:19:04.110
now install the Snort app

0:19:04.110,0:19:06.240
for Splunk. So click on "Apps" and head

0:19:06.240,0:19:08.480
over into "Find More Apps."

0:19:08.480,0:19:11.360
And because the Ubuntu server is running--

0:19:11.360,0:19:13.120
or the Ubuntu VM that I'm currently

0:19:13.120,0:19:15.919
working on is running--Snort 2, we'll need

0:19:15.919,0:19:18.160
the appropriate app here. So I'll just

0:19:18.160,0:19:20.160
search for "Snort" there. And we're not

0:19:20.160,0:19:22.320
looking for the Snort 3 JSON alerts,

0:19:22.320,0:19:24.320
although that, you know, could be quite

0:19:24.320,0:19:26.480
useful, but we want the Snort alert for

0:19:26.480,0:19:28.720
Splunk. Alright. So this app provides

0:19:28.720,0:19:30.880
field extraction. So that's really great

0:19:30.880,0:19:32.400
because performing your own field

0:19:32.400,0:19:34.960
extractions using regex

0:19:34.960,0:19:36.400
can be quite difficult if you're a

0:19:36.400,0:19:39.360
beginner. So fast and full,

0:19:39.360,0:19:42.400
as well as dashboards, saved searches,

0:19:42.400,0:19:45.600
reports, event types, tags, and event

0:19:45.600,0:19:48.080
search interfaces. So we'll install that.

0:19:48.080,0:19:50.240
Now you'll need to log in with

0:19:50.240,0:19:52.400
your Splunk account credentials that you,

0:19:52.400,0:19:55.120
you know, actually created on

0:19:55.120,0:19:57.760
splunk.com. So I'll just fill in my

0:19:57.760,0:20:00.400
information really quickly.

0:20:00.400,0:20:02.240
Alright. So I've put in my username and

0:20:02.240,0:20:04.240
password. So I'll just say I'll accept

0:20:04.240,0:20:06.320
the terms and conditions there. So log in

0:20:06.320,0:20:07.600
and install.

0:20:07.600,0:20:09.280
That's going to install it. There we are.

0:20:09.280,0:20:10.880
So we'll just hit "Done."

0:20:10.880,0:20:13.360
Now that that is done, if we head back over

0:20:13.360,0:20:16.400
into our dashboard--so I'll just click on

0:20:16.400,0:20:18.400
Splunk Enterprise there--

0:20:18.400,0:20:20.720
you can now see we have Snort

0:20:20.720,0:20:23.039
Alert for Splunk. So that already

0:20:23.039,0:20:25.600
comes preconfigured with a dashboard.

0:20:25.600,0:20:28.600
So we'll just let this load up here.

0:20:28.600,0:20:30.000
And you can see that we don't have

0:20:30.000,0:20:32.480
any data yet. So this will display

0:20:32.480,0:20:34.559
your events and sources, top source

0:20:34.559,0:20:36.480
countries, the events. This is very

0:20:36.480,0:20:38.480
important--these sources, top 10

0:20:38.480,0:20:41.039
classification. So that'll classify

0:20:41.039,0:20:44.400
your alerts in terms of the

0:20:44.400,0:20:46.640
type, which again will make sense in a

0:20:46.640,0:20:49.280
couple of seconds. So now that that is

0:20:49.280,0:20:51.600
done, we actually need to configure

0:20:51.600,0:20:54.480
the actual Splunk Universal Forwarder. So

0:20:54.480,0:20:56.480
I'll just open that up in a new tab. It's

0:20:56.480,0:20:59.120
absolutely free to download the Debian

0:20:59.120,0:21:01.840
client or the Splunk Universal

0:21:01.840,0:21:04.159
Forwarder Debian package. So Universal

0:21:04.159,0:21:06.960
Forwarders provide reliable, secure

0:21:06.960,0:21:09.440
data collection from remote

0:21:09.440,0:21:11.520
sources and forward that data into

0:21:11.520,0:21:14.159
Splunk software for indexing and

0:21:14.159,0:21:16.880
consolidation. They can scale to tens of

0:21:16.880,0:21:18.799
thousands of remote systems, collecting

0:21:18.799,0:21:20.720
terabytes of data. So

0:21:20.720,0:21:23.039
again, you can actually see why Splunk is

0:21:23.039,0:21:25.360
so powerful and why it's widely used

0:21:25.360,0:21:27.440
and deployed--because of the fact that

0:21:27.440,0:21:30.480
you can literally be...

0:21:30.480,0:21:32.640
literally forward a ton of data from a

0:21:32.640,0:21:35.840
ton of systems into Splunk. So because

0:21:35.840,0:21:38.480
Snort is running on this

0:21:38.480,0:21:40.480
Ubuntu VM, we need the Debian package. So

0:21:40.480,0:21:41.919
I'll click on Linux, and we want the

0:21:41.919,0:21:45.039
64-bit version. Again, you can choose one

0:21:45.039,0:21:46.559
based on your requirements. So if you're

0:21:46.559,0:21:49.840
running on Red Hat, Fedora, or CentOS, you

0:21:49.840,0:21:51.520
can use the RPM package. So I'll just

0:21:51.520,0:21:54.559
download the Debian package here.

0:21:54.559,0:21:56.080
Give that a couple of seconds. It's then

0:21:56.080,0:21:58.240
going to begin downloading it, and then

0:21:58.240,0:22:00.000
I'll walk you through the setup process.

0:22:00.000,0:22:01.840
So there we are.

0:22:01.840,0:22:04.260
It's begun the setup.

0:22:07.360,0:22:09.440
And once that is done, I'll open up my

0:22:09.440,0:22:10.799
terminal. So that's saved in the

0:22:10.799,0:22:12.960
Downloads directory. So

0:22:12.960,0:22:14.320
if we check--if we head over into the

0:22:14.320,0:22:15.840
Downloads directory--you can see we have

0:22:15.840,0:22:18.489
the Splunk Forwarder Debian package there.

0:22:19.200,0:22:21.679
So what we want to do, firstly, is we want

0:22:21.679,0:22:25.680
to move this package into the actual /opt

0:22:25.680,0:22:28.080
directory on Linux, which will

0:22:28.080,0:22:30.880
essentially allow us to, you know,

0:22:30.880,0:22:33.360
to set it up as optional software. And

0:22:33.360,0:22:35.280
it's really good to have all that

0:22:35.280,0:22:38.240
optional software stored in the

0:22:38.240,0:22:42.240
directory. So, once that is done and

0:22:42.240,0:22:44.320
once that's downloaded, we can say,

0:22:44.320,0:22:45.600
move

0:22:45.600,0:22:48.480
Splunk forward into opt,

0:22:48.480,0:22:50.400
and we'll need sudo privileges. So I'll

0:22:50.400,0:22:52.559
say sudo move. There we are. And I'll just

0:22:52.559,0:22:55.120
type in my password. Fantastic. So

0:22:55.120,0:22:57.360
now navigate to the opt directory. And to

0:22:57.360,0:23:00.320
install this, we can say sudo apt,

0:23:00.320,0:23:02.960
and then we can specify install. So we

0:23:02.960,0:23:05.120
can say sudo apt install,

0:23:05.120,0:23:06.960
and then we specify the package itself.

0:23:06.960,0:23:09.440
So Splunk forwarder,

0:23:09.440,0:23:11.440
and we're just going to hit enter. That's

0:23:11.440,0:23:13.520
going to install it for you.

0:23:13.520,0:23:16.880
Give that a couple of seconds.

0:23:19.440,0:23:21.520
Alright. So once that is installed, if

0:23:21.520,0:23:23.039
you list out the contents of this

0:23:23.039,0:23:24.559
directory, you're gonna have a Splunk

0:23:24.559,0:23:26.559
forwarder directory here. So I'll say cd

0:23:26.559,0:23:29.200
splunkforwarder. And under the binary

0:23:29.200,0:23:31.200
directory, we can navigate to that here.

0:23:31.200,0:23:32.720
We'll need to start--

0:23:32.720,0:23:35.600
we'll need to start Splunk. So we will

0:23:35.600,0:23:37.280
say sudo,

0:23:37.280,0:23:39.039
and the binary we want to run is called

0:23:39.039,0:23:41.279
splunk, and we'll accept the license.

0:23:41.279,0:23:42.799
The reason we're doing this is because

0:23:42.799,0:23:44.799
we need to configure it. So we need to

0:23:44.799,0:23:46.799
specify the username and password, or, you

0:23:46.799,0:23:49.279
know, create a username and password.

0:23:49.279,0:23:52.000
And once that is done, you'll actually

0:23:52.000,0:23:53.360
see what that looks like. So I'll just

0:23:53.360,0:23:55.679
say accept the license.

0:23:55.679,0:23:59.200
And, you can see in this case, let's see if I

0:23:59.200,0:24:01.200
typed that incorrectly. That should

0:24:01.200,0:24:03.600
actually start. So splunk start. I did not

0:24:03.600,0:24:05.440
specify start there.

0:24:05.440,0:24:06.799
There we are. So please enter an

0:24:06.799,0:24:09.679
administrator name. I'll just say admin.

0:24:09.679,0:24:12.000
So again, Splunk software must create an

0:24:12.000,0:24:14.320
administrator account during startup.

0:24:14.320,0:24:16.559
Otherwise, you cannot log in. So create

0:24:16.559,0:24:18.899
credentials for the administrator account.

0:24:20.640,0:24:22.320
So in this case, you can

0:24:22.320,0:24:23.600
create whatever you want. I'm just going

0:24:23.600,0:24:26.000
to fill in my credentials here.

0:24:26.000,0:24:28.640
Alright, so I've just entered my

0:24:28.640,0:24:30.320
administrator username and then, of

0:24:30.320,0:24:32.400
course, my password. So

0:24:32.400,0:24:33.840
that is done.

0:24:33.840,0:24:36.240
So it'll go through--

0:24:36.240,0:24:37.760
it'll essentially go through and check

0:24:37.760,0:24:40.400
the prerequisites. New certs have been

0:24:40.400,0:24:42.960
generated in the following directory,

0:24:42.960,0:24:45.200
and all the preliminary checks have

0:24:45.200,0:24:47.520
passed. So starting the Splunk server

0:24:47.520,0:24:49.440
daemon--so that started. You can also

0:24:49.440,0:24:52.159
enable it to run on system startup. So if

0:24:52.159,0:24:56.330
I say, you know, for example, sudo systemctl

0:24:56.720,0:24:58.910
status splunk,

0:24:59.520,0:25:01.840
let me type that correctly here. So

0:25:01.840,0:25:03.360
splunk--

0:25:03.360,0:25:07.520
sorry, systemctl,

0:25:07.520,0:25:10.240
and we can say splunkd.

0:25:10.240,0:25:12.880
Sorry. So we can say splunk. I'm not

0:25:12.880,0:25:15.039
really sure why that's not loading here.

0:25:15.039,0:25:17.520
But I do know that the daemon is running,

0:25:17.520,0:25:23.620
and there should be an init daemon for that.

0:25:23.620,0:25:24.799
But in any case,

0:25:24.799,0:25:27.360
you can always start it that way.

0:25:27.360,0:25:29.840
Once that is done, we will need to add

0:25:29.840,0:25:32.320
our forward server. So we need to add

0:25:32.320,0:25:34.960
the address of the server--the

0:25:34.960,0:25:37.039
Splunk server that we're forwarding our

0:25:37.039,0:25:39.600
logs to. We'll move on to what

0:25:39.600,0:25:42.480
logs we want to forward in a second. But

0:25:42.480,0:25:44.159
let's do that first. So again, we're going

0:25:44.159,0:25:45.799
to use the

0:25:47.520,0:25:51.220
Splunk binary, and we're going to say forward-server.

0:25:51.220,0:25:52.559
And we'll just copy the IP

0:25:52.559,0:25:56.419
address of your Splunk server here.

0:25:56.419,0:25:59.850
So there we are. And I'll paste that in there.

0:26:00.640,0:26:03.320
And then you need to type in the port--so

0:26:03.320,0:26:07.780
9997, that's the port to connect to. Hit enter.

0:26:08.400,0:26:10.799
So splunk forward--

0:26:11.279,0:26:13.279
yeah, we need to add it. I keep forgetting

0:26:13.279,0:26:16.910
the preliminary command. So add forward-server,

0:26:16.910,0:26:18.260
Splunk username.

0:26:18.320,0:26:21.919
So in this case, let me just put

0:26:21.919,0:26:25.840
in my credentials here.

0:26:26.640,0:26:29.440
Alright. And it's going to then add the

0:26:29.440,0:26:31.760
forwarding to that particular address.

0:26:31.760,0:26:33.760
Alright. Now that that is done,

0:26:33.760,0:26:35.440
we actually need to

0:26:35.440,0:26:37.919
configure a particular file,

0:26:37.919,0:26:40.720
and that is going to be the outputs.conf

0:26:40.720,0:26:43.039
directory. If it's already set up for us,

0:26:43.039,0:26:45.039
which it should be,

0:26:45.039,0:26:46.880
then we do not need to go through the

0:26:46.880,0:26:49.360
initial setup. So,

0:26:49.360,0:26:51.120
if we head over into the following

0:26:51.120,0:26:52.640
directory--so I'll just take a step back--

0:26:52.640,0:26:55.120
we're still in the Splunk forwarder directory.

0:26:55.279,0:26:59.739
We'll head over into the etc directory.

0:26:59.739,0:27:01.679
And under system,

0:27:01.679,0:27:05.039
we have a file under local, I think. It is

0:27:05.039,0:27:06.640
called outputs here. Right? So I'm going to say

0:27:06.640,0:27:09.680
sudo vim outputs.conf.

0:27:09.840,0:27:11.840
And really, the only thing that is

0:27:11.840,0:27:14.290
required here is,

0:27:14.290,0:27:16.159
of course, just leave the default

0:27:16.159,0:27:18.320
configuration as is. The default group is

0:27:18.320,0:27:21.760
fine. So tcpout:default-autolb-group,

0:27:21.760,0:27:23.279
that's fine. So make sure that the

0:27:23.279,0:27:25.840
server option here is configured--that's

0:27:25.840,0:27:29.100
the most important. And the tcpout-server

0:27:29.100,0:27:30.320
address is also configured in

0:27:30.320,0:27:32.000
this format. So we don't need to make any

0:27:32.000,0:27:34.670
changes there. So I'll just say quit and exit.

0:27:35.120,0:27:38.640
Once that is done, we also need to check

0:27:38.640,0:27:41.279
the actual inputs configuration file.

0:27:41.279,0:27:43.200
But before we do that,

0:27:43.200,0:27:45.279
let's take a look. So if you revisit the

0:27:45.279,0:27:46.880
Snort video,

0:27:46.880,0:27:48.880
you know that all the logs are stored

0:27:48.880,0:27:53.110
under /var/log/snort.

0:27:53.110,0:27:55.760
Right? So we have the alert log,

0:27:55.760,0:27:59.279
and we also have--so again, based on

0:27:59.279,0:28:02.000
the type of alerts

0:28:02.000,0:28:03.200
you want generated--so, you know,

0:28:03.200,0:28:05.440
if I say man snort here,

0:28:05.440,0:28:08.090
you can see that we have the alert mode.

0:28:08.090,0:28:09.440
So you can use the fast mode or the

0:28:09.440,0:28:11.360
full mode. In this case, I'll be using the

0:28:11.360,0:28:12.559
fast mode,

0:28:13.760,0:28:15.279
and I'll give you a description of what's

0:28:15.279,0:28:17.279
going on here. Right? So

0:28:17.279,0:28:19.919
full writes the alert to the alert

0:28:19.919,0:28:21.919
file with the full decoded header as

0:28:21.919,0:28:24.720
well as the alert message, which might be

0:28:24.720,0:28:27.279
important. So we can also do that as well.

0:28:27.279,0:28:29.600
So this was from the previous--from

0:28:29.600,0:28:31.760
the Snort video where we

0:28:31.760,0:28:33.360
had run...

0:28:33.360,0:28:35.840
essentially run Snort and, you know,

0:28:35.840,0:28:38.480
where we were identifying various alerts.

0:28:38.480,0:28:41.919
So, what we can do is, again, we'll

0:28:41.919,0:28:43.760
go through what needs to be created, but

0:28:43.760,0:28:45.600
we can run a quick test command just to

0:28:45.600,0:28:46.880
see whether

0:28:46.880,0:28:48.799
the actual alerts are being logged

0:28:48.799,0:28:50.320
within the alert file, because we have

0:28:50.320,0:28:53.039
alert.1. Ideally, we would only want

0:28:53.039,0:28:55.760
to forward this file into Splunk.

0:28:55.760,0:28:58.080
So, in order to do this, what I'm going

0:28:58.080,0:29:00.080
to do now is I'm just gonna run Snort

0:29:00.080,0:29:03.590
really quickly. So I'm going to say sudo snort -q,

0:29:03.919,0:29:06.000
for quiet, and then

0:29:06.000,0:29:10.500
the actual directory for the logs is /var/log/snort.

0:29:11.360,0:29:14.640
And then we can say the interface is enp0s3.

0:29:14.640,0:29:16.240
Again, make sure to replace that with

0:29:16.240,0:29:19.039
your own interface. The alert, we can

0:29:19.039,0:29:20.320
say full,

0:29:20.320,0:29:26.190
and the configuration is /etc/snort/snort.conf.

0:29:26.399,0:29:28.320
I believe we had another configuration

0:29:28.320,0:29:30.720
file. Yeah. We had used the snort.conf file.

0:29:30.720,0:29:32.399
So I'll hit enter.

0:29:32.399,0:29:35.560
And now let me open up my file explorer here.

0:29:35.840,0:29:38.720
We take a look at the var directory

0:29:38.720,0:29:42.240
under log. And under snort,

0:29:42.240,0:29:44.960
we have alert. There we are. So,

0:29:44.960,0:29:47.960
that has been modified. The last was

0:29:47.960,0:29:50.050
modified

0:29:51.200,0:29:53.919
right over there. Okay. So that's 19. Yeah.

0:29:53.919,0:29:55.679
So this is the last modified. So I know

0:29:55.679,0:29:58.000
this file is not human-readable. We

0:29:58.000,0:30:00.979
are not going to be forwarding this .log file.

0:30:00.979,0:30:02.960
So I'll just close that there.

0:30:02.960,0:30:07.440
So I'm just going to try and perform a few

0:30:07.440,0:30:09.679
checks on the network, like a few pings,

0:30:09.679,0:30:11.760
just to see if that's detected.

0:30:11.760,0:30:15.679
So I'll just, you know, perform a ping really quickly.

0:30:15.679,0:30:17.520
Again, the alerts will not be logged on

0:30:17.520,0:30:18.960
our terminal because they're being

0:30:18.960,0:30:21.200
logged, you know, into the respective

0:30:21.200,0:30:24.159
alert file or the alert log file. So I'll

0:30:24.159,0:30:26.080
just perform, you know, a few pings, as

0:30:26.080,0:30:27.679
I was saying, which I'm doing right now

0:30:27.679,0:30:29.520
on the attacker system.

0:30:29.520,0:30:31.760
Once that is done, let's see whether

0:30:31.760,0:30:33.760
those changes are being highlighted in

0:30:33.760,0:30:37.600
alert. Indeed, they are. Okay. So now,

0:30:40.159,0:30:42.399
as you can see here,

0:30:42.399,0:30:45.279
this is the full--

0:30:45.360,0:30:48.000
these are... So to begin with, we had used

0:30:48.000,0:30:52.729
the fast alert output mode.

0:30:54.000,0:30:56.080
And right over here, we then have the

0:30:56.080,0:31:00.159
full alert mode, which I'm not really sure how

0:31:00.159,0:31:01.919
we want to

0:31:01.919,0:31:05.360
go about doing this. But you can see,

0:31:05.360,0:31:07.360
we can actually make a few changes.

0:31:07.360,0:31:11.110
What we can do is we can get rid of this traffic here.

0:31:11.440,0:31:13.519
But you can see the message is actually

0:31:13.519,0:31:15.279
being logged. So

0:31:15.279,0:31:17.760
we can get rid of this here

0:31:17.760,0:31:25.749
because we don't want to mix fast alerts

0:31:26.080,0:31:31.519
with the full mode. So we can just get rid of that

0:31:31.519,0:31:33.611
there and save that.

0:31:34.159,0:31:37.840
Once that is done, I'll just say--

0:31:37.840,0:31:41.290
we actually need permissions to modify that file.

0:31:42.000,0:31:45.600
But, you know, what we can do is--what I am

0:31:45.600,0:31:47.279
going to do actually is close without

0:31:47.279,0:31:50.159
saving. I'm just going to stop Snort there.

0:31:50.399,0:31:52.080
And I'm just going to say

0:31:52.080,0:31:58.150
sudo rm /var/log/snort.

0:31:58.150,0:32:00.520
And we're going to remove alert.

0:32:01.360,0:32:04.240
Alright. And we're also going to remove alert.1.

0:32:04.240,0:32:05.440
Alright. So I'm just going to run this

0:32:05.440,0:32:08.240
again, just to see that the file is generated.

0:32:08.240,0:32:11.120
So there we are. We have alert there.

0:32:11.120,0:32:12.559
So now it's much cleaner. I'll just

0:32:12.559,0:32:14.240
run a few pings, just to make sure that

0:32:14.240,0:32:16.480
the traffic is being logged--all those

0:32:16.480,0:32:18.480
alerts are being logged.

0:32:18.480,0:32:21.519
So there we are. We have a few pings there.

0:32:21.519,0:32:24.640
And we can also, you know, just run a few

0:32:24.640,0:32:26.960
checks there. Okay. So there we are. We can

0:32:26.960,0:32:29.360
see that those are now being logged. And

0:32:29.360,0:32:32.029
of course, we can change the format based on--

0:32:32.320,0:32:33.519
well, you can change it based on your

0:32:33.519,0:32:35.039
requirements. Right?

0:32:35.039,0:32:35.941
So

0:32:38.000,0:32:39.919
now that that is done,

0:32:39.919,0:32:42.000
what we can do is we can close that up,

0:32:42.000,0:32:45.880
and we can actually leave Snort running as is.

0:32:46.320,0:32:48.960
So what I'll do is I'm just going to

0:32:48.960,0:32:51.120
open up another tab.

0:32:51.120,0:32:54.200
So just, you know--I can say Ctrl+Shift+T.

0:32:54.200,0:32:56.799
There we are. And we're currently within the following

0:32:56.799,0:33:01.519
directory: /opt/splunkforwarder/etc/system/local.

0:33:01.519,0:33:03.120
So,

0:33:03.120,0:33:06.000
once that is done, we now need to add

0:33:06.000,0:33:09.388
the files that we would like to monitor

0:33:09.388,0:33:12.240
or that we would like to forward. Right?

0:33:12.240,0:33:15.360
So, the log files. I'll go back into the bin directory.

0:33:15.360,0:33:17.679
So there we are--cd bin--because that's

0:33:17.679,0:33:19.360
where we have the Splunk binary. So I'll

0:33:19.360,0:33:23.040
say sudo splunk.

0:33:24.399,0:33:26.981
And we can say add monitor.

0:33:28.320,0:33:30.720
And the file that we want to forward is

0:33:30.720,0:33:34.399
under /var/log/snort, and it is just alert.

0:33:34.399,0:33:36.559
Right? So that's all. That's really all

0:33:36.559,0:33:38.720
that we want to do. Right?

0:33:38.720,0:33:41.600
And we can also utilize the fast alerts,

0:33:41.600,0:33:44.399
but let's just do this for now.

0:33:44.399,0:33:46.399
We only want the alerts--we don't

0:33:46.399,0:33:48.320
want the actual log files that contain

0:33:48.320,0:33:53.840
the packets themselves. So I'll hit Enter.

0:33:54.480,0:33:56.399
Alright. So it's now going to forward

0:33:56.399,0:33:58.960
those alerts into Splunk, which pretty

0:33:58.960,0:34:02.159
much means that on our end, we are done.

0:34:02.159,0:34:04.000
However, we still need to check one more

0:34:04.000,0:34:05.840
configuration file. So I'll just take a

0:34:05.840,0:34:08.000
step back here, and we'll head over into

0:34:08.000,0:34:12.169
the /etc directory under apps/search,

0:34:13.119,0:34:15.520
and then into local.

0:34:15.520,0:34:16.720
I think we'll need root

0:34:16.720,0:34:18.320
permissions to access this. So I'll just

0:34:18.320,0:34:20.079
switch to the root user and head over

0:34:20.079,0:34:21.520
into local.

0:34:21.520,0:34:27.341
And we're looking for the inputs.conf file. Right?

0:34:27.341,0:34:28.079
We need to actually

0:34:28.079,0:34:29.760
configure this because this is very

0:34:29.760,0:34:31.040
important.

0:34:31.040,0:34:35.919
The first thing we want to do is--let us

0:34:35.919,0:34:38.639
add a new line here. And within the

0:34:38.639,0:34:43.530
square brackets, I'll just say [splunk-tcp].

0:34:44.240,0:34:46.399
And we then want to specify the port--so

0:34:46.399,0:34:47.653
9997.

0:34:48.399,0:34:51.520
Let me make sure I type that in correctly.

0:34:51.520,0:34:55.250
We then need to actually put in the connection.

0:34:56.960,0:35:01.770
So the connection_host

0:35:01.770,0:35:03.440
is going to be equal to the IP

0:35:03.440,0:35:06.100
address of the Splunk server.

0:35:06.560,0:35:10.080
So I'll just copy that there and paste that in there.

0:35:11.280,0:35:14.000
Once that is done,

0:35:14.000,0:35:16.950
this is fine here--disabled is set to false.

0:35:16.950,0:35:20.320
We want index to be equal to main.

0:35:20.320,0:35:23.680
And then the sourcetype

0:35:23.680,0:35:28.330
is going to be equal to snort_alert_full.

0:35:28.960,0:35:31.280
And we can then say the source is equal

0:35:31.280,0:35:33.040
to snort. Alright? So this is a very

0:35:33.040,0:35:35.280
important configuration. Let me just

0:35:35.280,0:35:36.640
go through those options or

0:35:36.640,0:35:40.080
configurations again. We have the splunk-tcp option.

0:35:40.320,0:35:43.530
We then have the actual connection_host.

0:35:43.530,0:35:46.640
The monitor is set correctly to that file.

0:35:46.640,0:35:52.500
It's enabled, index=main, sourcetype=snort_alert_full, source=snort.

0:35:52.500,0:35:53.485
Fantastic.

0:35:53.485,0:35:54.720
So we'll write and quit.

0:35:54.720,0:35:57.040
Once this is done,

0:35:57.040,0:35:58.720
we'll need to restart Splunk. So I'll

0:35:58.720,0:36:00.800
switch back to my user, Lexus, here, and

0:36:00.800,0:36:04.560
we'll navigate back to the bin directory.

0:36:04.560,0:36:06.400
So I'll say cd bin,

0:36:06.400,0:36:15.680
and we'll say sudo splunk restart. Alright, hit Enter.

0:36:15.680,0:36:18.320
It's going to stop the Splunk daemon,

0:36:18.320,0:36:19.680
shut it down,

0:36:19.680,0:36:22.160
restart it--and it's done successfully. So

0:36:22.160,0:36:24.560
all the checks were completed without

0:36:24.560,0:36:27.119
any issue. Alright, so

0:36:27.119,0:36:29.040
now that this is done, we can actually go

0:36:29.040,0:36:31.440
back into Splunk here, and we'll navigate

0:36:31.440,0:36:33.280
to the dashboard.

0:36:33.280,0:36:35.839
This is your Splunk server. Right?

0:36:35.839,0:36:37.440
And let's take a look at the messages

0:36:37.440,0:36:39.920
here. That's just a few updates--we

0:36:39.920,0:36:41.920
don't need to do anything there. So if we

0:36:41.920,0:36:43.119
click on

0:36:43.119,0:36:45.599
Search & Reporting, just to verify that

0:36:45.599,0:36:47.839
data has indeed been forwarded, I'll

0:36:47.839,0:36:49.280
just skip through this. If we click on

0:36:49.280,0:36:51.040
Data Summary,

0:36:51.040,0:36:52.880
under Sources, you should see that we

0:36:52.880,0:36:55.680
have the host. And in my case, the name of

0:36:55.680,0:36:58.640
the system is blackbox, so that should

0:36:58.640,0:37:01.625
be reflected there. So there we are--blackbox.

0:37:01.625,0:37:03.280
We have 42

0:37:03.280,0:37:06.800
logs or alerts, if you will. Sources: 42. We

0:37:06.800,0:37:08.640
can click on that there to just see the

0:37:08.640,0:37:11.280
data that has been logged. Indeed, we can

0:37:11.280,0:37:13.040
see that has been done correctly. So

0:37:13.040,0:37:14.880
sourcetype is alert.

0:37:14.880,0:37:17.280
We can see that it's imported, you

0:37:17.280,0:37:19.440
know, pretty much all the data--or, you

0:37:19.440,0:37:21.119
know, these are the... this is the full log

0:37:21.119,0:37:24.349
whereby we have the reference to that there.

0:37:24.880,0:37:26.800
That's weird--I didn’t actually run

0:37:26.800,0:37:30.240
anything weird, but there you go.

0:37:30.240,0:37:32.720
So now that this is done, you can

0:37:32.720,0:37:34.880
use Splunk to essentially visualize this

0:37:34.880,0:37:36.800
data however you want. So, you

0:37:36.800,0:37:39.359
know, I can go into Visualization,

0:37:39.359,0:37:42.240
and we can click on--maybe we can

0:37:42.240,0:37:44.720
create a...

0:37:44.720,0:37:46.880
we can select a few fields. So if I go

0:37:46.880,0:37:50.240
back into the Events here, I can select a

0:37:50.240,0:37:52.240
few fields that I want displayed here,

0:37:52.240,0:37:54.320
and I can, you know, essentially extract

0:37:54.320,0:37:57.040
the fields that I want with regex.

0:37:57.040,0:37:59.680
But I don't think this is necessary at this

0:37:59.680,0:38:01.520
point, because if we actually go back to

0:38:01.520,0:38:03.599
the dashboard

0:38:03.599,0:38:06.160
and we click on--

0:38:06.160,0:38:10.079
let's see--Snort Alerts for Splunk,

0:38:10.079,0:38:11.440
let's see if this is actually whether

0:38:11.440,0:38:15.200
this automates that process for us.

0:38:15.200,0:38:17.280
There we are. Actually, it looks like

0:38:17.280,0:38:21.599
it does. So, classification: bad-traffic.

0:38:21.599,0:38:24.160
So it looks like that is working.

0:38:24.160,0:38:26.400
What we can do now

0:38:26.400,0:38:28.720
is run a few--

0:38:28.720,0:38:32.080
we can actually utilize this script here,

0:38:33.520,0:38:37.119
the TestMyNIDS script here. So all

0:38:37.119,0:38:39.440
you need to do to run it is just copy

0:38:39.440,0:38:41.520
this one-liner script here--or this

0:38:41.520,0:38:43.200
command--that will download it into your

0:38:43.200,0:38:46.000
/tmp directory and will then execute it.

0:38:46.000,0:38:49.200
So, you know, to execute it within your

0:38:49.200,0:38:51.599
temp directory, you can just execute

0:38:51.599,0:38:53.040
the actual,

0:38:54.400,0:38:56.240
you know, the actual binary there. It is a

0:38:56.240,0:38:58.800
binary, not a script.

0:38:58.800,0:39:01.280
And once that is done, you can then

0:39:01.280,0:39:03.520
select the option here. So let me just do

0:39:03.520,0:39:05.920
that on my attacker system.

0:39:05.920,0:39:08.880
I'm just going to run it one more time. So

0:39:08.880,0:39:14.359
I'm just going to say ls here. And

0:39:16.160,0:39:18.960
if I open up the documentation--so

0:39:18.960,0:39:22.809
firstly, I will run

0:39:23.440,0:39:26.640
a quick Linux UID check. So

0:39:26.640,0:39:28.461
I'll just hit Enter.

0:39:28.960,0:39:31.280
Okay. That is done. I'll then perform an

0:39:31.280,0:39:35.119
HTTP basic authentication

0:39:35.119,0:39:37.839
and a malware user-agent. So I'm doing

0:39:37.839,0:39:40.640
that right now.

0:39:40.839,0:39:46.000
Okay. And we can run one more here. So,

0:39:46.000,0:39:48.720
let's see. Let's see. Let's see. We

0:39:48.720,0:39:51.520
can try EXE or DLL download over HTTP.

0:39:51.520,0:39:55.940
That is surely going to be logged,

0:39:57.040,0:39:59.839
or that's going to trigger an alert.

0:39:59.839,0:40:00.640
So,

0:40:00.640,0:40:03.040
do we have--that is running.

0:40:03.040,0:40:05.280
Alright. So Snort is running. That's great.

0:40:05.280,0:40:08.079
So we know that the log is being--

0:40:08.079,0:40:10.240
the actual alerts are being forwarded.

0:40:10.240,0:40:12.960
Absolutely fantastic. So let's go back in

0:40:12.960,0:40:15.040
here. I've already run those

0:40:15.040,0:40:16.995
particular checks.

0:40:18.400,0:40:20.160
So let me just refresh this. I know it

0:40:20.160,0:40:22.160
usually takes a couple of seconds to a

0:40:22.160,0:40:24.400
couple of minutes, but that data should

0:40:24.400,0:40:26.240
start--should actually be reflected. There

0:40:26.240,0:40:28.160
we are. Fantastic. So

0:40:28.160,0:40:31.119
we can see that--firstly,

0:40:31.119,0:40:32.880
I'll just explain the dashboard here

0:40:32.880,0:40:33.760
because

0:40:33.760,0:40:36.160
this dashboard is automatically, you

0:40:36.160,0:40:38.000
know, set up for you by the Snort app,

0:40:38.000,0:40:39.920
which is really awesome. As I said, you

0:40:39.920,0:40:42.340
don't need to go through that process yourself.

0:40:42.560,0:40:44.560
So the first graph here essentially

0:40:44.560,0:40:46.400
tells you your events,

0:40:46.400,0:40:48.560
and it also displays the, you know,

0:40:48.560,0:40:50.400
the total number of sources. So you can

0:40:50.400,0:40:52.560
see that there. You also have the time.

0:40:52.560,0:40:54.480
So you have your events and

0:40:54.480,0:40:56.079
then the timeline here. And you can

0:40:56.079,0:40:58.880
essentially, you know, view a trend--or the

0:40:58.880,0:41:01.680
trend--of events there. You then

0:41:01.680,0:41:04.880
have the top source countries

0:41:04.880,0:41:07.040
right over here. And if I just run

0:41:07.040,0:41:08.720
another check really quickly here

0:41:08.720,0:41:11.119
through the NIDS website--

0:41:11.119,0:41:14.720
so let me just run the curl command--

0:41:14.720,0:41:16.640
you should actually see that because

0:41:16.640,0:41:19.280
we are reaching out to, you know, there's a

0:41:19.280,0:41:21.280
connection made to an external server,

0:41:21.280,0:41:23.680
that it should reflect that info under

0:41:23.680,0:41:26.740
the top countries--the top source countries.

0:41:26.800,0:41:28.800
So we then have the events here, which,

0:41:28.800,0:41:31.280
you know, you can click on. And then,

0:41:31.280,0:41:33.119
of course, you have the sources.

0:41:33.119,0:41:36.079
So these are the Snort event types,

0:41:36.079,0:41:37.760
and these are actually the

0:41:37.760,0:41:39.680
classifications. So we can see potentially

0:41:39.680,0:41:42.640
bad traffic, attempted information leak,

0:41:42.640,0:41:44.720
and, you know, you can just refresh your

0:41:44.720,0:41:47.440
dashboard to get the latest.

0:41:47.440,0:41:49.359
So we'll give that a couple of seconds.

0:41:49.359,0:41:53.110
And you can also specify the actual interval period.

0:41:53.599,0:41:56.400
So I'll just wait for this. Let's

0:41:56.400,0:41:58.880
see if it's actually being logged or

0:41:58.880,0:42:00.319
whether we can see all of that. So I'll

0:42:00.319,0:42:04.000
just go back into the dashboard here,

0:42:04.000,0:42:07.359
and we'll go into Search and Reporting.

0:42:07.359,0:42:09.920
And we click on the actual

0:42:09.920,0:42:13.040
Data Summary and the Sources. We can

0:42:13.040,0:42:16.399
see we have Snort there, and then /var/snort/alert.

0:42:16.399,0:42:20.060
So we click on Snort there. Okay.

0:42:20.060,0:42:22.000
So this is bad traffic. That's

0:42:22.000,0:42:25.440
really weird because

0:42:26.079,0:42:27.920
the source is Snort. We had added two

0:42:27.920,0:42:29.520
sources there.

0:42:29.520,0:42:32.720
So Data Summary--

0:42:32.720,0:42:34.800
let me just click on that there. And if

0:42:34.800,0:42:36.960
we click on the sources there, this is

0:42:36.960,0:42:40.800
the one that we want, ideally.

0:42:43.200,0:42:47.049
Yeah. So that looks like the correct one there.

0:42:49.599,0:42:51.680
Yeah. That's the correct traffic. I

0:42:51.680,0:42:55.119
think that's why the actual--let me

0:42:55.119,0:42:56.960
see if I can find it. So Snort Alerts for

0:42:56.960,0:43:00.640
Splunk--let me click on the app there.

0:43:02.480,0:43:04.160
Show Filters. It should be displaying

0:43:04.160,0:43:06.400
much more than that because I know--yeah,

0:43:06.400,0:43:08.319
there are not just four.

0:43:08.319,0:43:09.920
So

0:43:09.920,0:43:12.640
if we actually head over into the

0:43:12.640,0:43:16.560
Snort Event Search here,

0:43:18.480,0:43:20.800
we can actually search for--you know,

0:43:20.800,0:43:25.359
we can utilize--yeah. So these are only--

0:43:25.359,0:43:28.400
this is only monitoring the pings. So

0:43:28.400,0:43:30.240
that's weird. I'm not really sure why we

0:43:30.240,0:43:32.319
have two data sources. I think it's to do

0:43:32.319,0:43:33.839
with the fact

0:43:33.839,0:43:37.040
that, you know, we had--so let me

0:43:37.040,0:43:39.520
just go back here.

0:43:39.520,0:43:42.640
Apps > Search, and sudo root.

0:43:42.640,0:43:46.720
Let me just check that here. So cd local,

0:43:46.720,0:43:47.839
vim

0:43:47.839,0:43:50.640
inputs.conf. So there we are. So the

0:43:50.640,0:43:52.285
source is Snort.

0:43:53.280,0:43:56.079
We already specified the source as Snort

0:43:56.079,0:43:57.599
there,

0:43:57.599,0:43:59.520
but it's also adding

0:43:59.520,0:44:02.319
this particular, you know, the alert,

0:44:02.319,0:44:04.160
as a source as well.

0:44:04.160,0:44:08.150
And then the source type is snort_alert_full, index main.

0:44:08.150,0:44:09.040
Yeah. That

0:44:09.040,0:44:10.560
should be working. That should be working

0:44:10.560,0:44:12.319
without any issues. I'm not really sure

0:44:12.319,0:44:14.079
why that is the case, but

0:44:14.079,0:44:16.480
we can actually customize what dataset

0:44:16.480,0:44:18.000
we want to use.

0:44:18.000,0:44:19.359
So

0:44:19.359,0:44:21.520
I think--let me actually showcase how to

0:44:21.520,0:44:23.359
do that right now.

0:44:23.359,0:44:25.839
So apologies about that. I actually

0:44:25.839,0:44:27.599
figured out what the issue was. It was

0:44:27.599,0:44:30.319
because the system I was running

0:44:30.319,0:44:32.079
these particular

0:44:32.079,0:44:34.560
attacks from wasn't even connected to

0:44:34.560,0:44:36.800
the local network.

0:44:36.800,0:44:38.880
And even though I was running

0:44:38.880,0:44:41.040
these attacks, I did realize that, of

0:44:41.040,0:44:44.530
course, they weren't working. So I've just reconnected it.

0:44:44.530,0:44:47.359
And what I'm going to do is I'm just going to

0:44:47.359,0:44:49.599
run this one more time.

0:44:49.599,0:44:53.359
So just give me a second here, and I'll

0:44:53.359,0:44:56.319
be able to do that one more time. So

0:44:56.319,0:44:58.560
let me just navigate to that particular

0:44:58.560,0:45:00.079
directory,

0:45:00.079,0:45:03.120
and we'll actually see whether this will work.

0:45:03.120,0:45:04.400
So

0:45:04.400,0:45:06.000
you can actually see there's much more

0:45:06.000,0:45:07.920
that has been captured in regards to

0:45:07.920,0:45:10.160
events, and I'll be explaining this

0:45:10.160,0:45:12.480
dashboard in a couple of seconds.

0:45:12.480,0:45:14.960
So let me just

0:45:14.960,0:45:17.359
launch that first attack there--so that

0:45:17.359,0:45:19.440
you know--let me just launch that first

0:45:19.440,0:45:22.240
type of check. And of course, I'm using

0:45:22.240,0:45:26.400
TestMyNIDS here. So, unfortunately,

0:45:26.400,0:45:28.000
that wasn't even being logged, which is

0:45:28.000,0:45:30.000
why I was a bit confused as to why those

0:45:30.000,0:45:32.800
logs are not being displayed here.

0:45:32.800,0:45:35.520
So I'll give that a couple of seconds,

0:45:35.520,0:45:38.880
and we'll be able to see this happen

0:45:38.880,0:45:41.260
in real time as well.

0:45:41.920,0:45:44.560
Alright. So that is done. So I've

0:45:44.560,0:45:46.319
essentially launched a couple of those

0:45:46.319,0:45:48.319
tests. And, as I said,

0:45:48.319,0:45:50.640
this is your default

0:45:50.640,0:45:52.560
dashboard that you're provided with here.

0:45:52.560,0:45:53.520
So,

0:45:53.520,0:45:55.760
you know, you can actually refresh

0:45:55.760,0:45:59.550
all of these panels here, if you will.

0:45:59.550,0:46:00.800
So that'll display the

0:46:00.800,0:46:03.920
latest. And, as I said here, because I'd

0:46:03.920,0:46:07.680
performed the actual check

0:46:07.680,0:46:09.520
and it connected to an external server,

0:46:09.520,0:46:11.680
you can see that the top source

0:46:11.680,0:46:13.680
countries are highlighted there.

0:46:13.680,0:46:15.839
You can also refresh the number of

0:46:15.839,0:46:18.160
events, as you can see here,

0:46:18.160,0:46:20.319
and the number of sources. So

0:46:20.319,0:46:22.319
you can also do that for the rest of

0:46:22.319,0:46:24.480
the panels. These are the top 10

0:46:24.480,0:46:26.800
classifications

0:46:26.800,0:46:28.960
in terms of events, if you will, and then

0:46:28.960,0:46:32.319
these Snort event types, as you can see here.

0:46:32.319,0:46:33.839
So, for example, in this case, we have the

0:46:33.839,0:46:36.160
Attack-Response ID Check, which, if we

0:46:36.160,0:46:37.520
click on

0:46:37.520,0:46:40.319
right over here,

0:46:41.119,0:46:42.640
you can see that it actually displays

0:46:42.640,0:46:44.400
that, and you can then

0:46:44.400,0:46:46.400
click on the signature itself. And this

0:46:46.400,0:46:48.880
is for statistics. Now, if you click on

0:46:48.880,0:46:53.040
the Snort Event Search tab right over here,

0:46:53.040,0:46:54.880
you can see that this allows you to

0:46:54.880,0:46:57.119
search based on the source IP, the source

0:46:57.119,0:46:59.680
port, the destination IP, destination port,

0:46:59.680,0:47:02.240
and the event type. So I can check for

0:47:02.240,0:47:04.400
attack responses based on the rule set

0:47:04.400,0:47:06.480
that we had used previously.

0:47:06.480,0:47:09.359
And I can also specify the timing. Right?

0:47:09.359,0:47:12.079
So that's really fantastic there.

0:47:12.079,0:47:14.640
So you can see that right over here, we

0:47:14.640,0:47:16.240
have that logged,

0:47:16.240,0:47:19.040
which is fantastic. And

0:47:19.040,0:47:21.920
if we click on the Snort World Map,

0:47:21.920,0:47:24.000
that'll essentially--as you'll see in a

0:47:24.000,0:47:26.160
couple of seconds--this will essentially

0:47:26.160,0:47:28.559
display the countries by the source IPs.

0:47:28.559,0:47:29.839
In this case, it should display the

0:47:29.839,0:47:32.079
United States, which makes sense.

0:47:32.079,0:47:34.800
And there we are. So, again, this is

0:47:34.800,0:47:37.119
extremely helpful, especially if you work

0:47:37.119,0:47:39.839
in a SOC. And as I said, there's multiple,

0:47:39.839,0:47:41.920
you know, security tools you can

0:47:41.920,0:47:45.040
integrate with Splunk.

0:47:45.040,0:47:46.880
Now, one thing that I wanted to highlight

0:47:46.880,0:47:49.440
is--you can, if you click on Edit--and I'll

0:47:49.440,0:47:51.200
just go back to the

0:47:51.200,0:47:53.200
Event Summary here because this is very

0:47:53.200,0:47:55.119
important--

0:47:55.119,0:47:57.280
you can set this as your main dashboard.

0:47:57.280,0:47:58.960
So if you right-click here, you can set

0:47:58.960,0:48:01.520
this as your home dashboard.

0:48:01.520,0:48:03.599
So I'll just click on that there.

0:48:03.599,0:48:05.440
And now you'll see on your dashboard

0:48:05.440,0:48:08.240
here, if I just close that top menu,

0:48:08.240,0:48:10.240
that'll actually be displayed there. So

0:48:10.240,0:48:12.319
give it a couple of seconds.

0:48:12.319,0:48:15.279
And, of course, you can click on the cogwheel here

0:48:16.240,0:48:19.280
and essentially display--whatever--

0:48:19.280,0:48:21.520
you know, you can specify your default

0:48:21.520,0:48:23.200
dashboard. Now, there are a couple of

0:48:23.200,0:48:25.599
other ones that are created by default.

0:48:25.599,0:48:28.059
But yeah, you can have that on your dashboard.

0:48:28.400,0:48:31.040
And, you know, if you actually click

0:48:31.040,0:48:33.839
on the SNORT--the SNORT alert for Splunk here--

0:48:33.839,0:48:36.240
and we'll just go back into that SNORT

0:48:36.240,0:48:38.240
event summary tab,

0:48:38.240,0:48:40.880
you can actually edit the way these

0:48:40.880,0:48:44.240
particular panels are tiled. So,

0:48:44.240,0:48:46.079
you know, you can convert it to a

0:48:46.079,0:48:48.880
prebuilt panel or, you know,

0:48:48.880,0:48:50.400
you can--you can actually convert it to a

0:48:50.400,0:48:52.960
prebuilt panel. You can get rid of it.

0:48:52.960,0:48:54.720
You can also move them around based

0:48:54.720,0:48:57.440
on your own requirements. And, in this

0:48:57.440,0:48:59.680
case, you can actually--let's see if I can

0:48:59.680,0:49:02.270
show you. You can actually select the visualization.

0:49:02.480,0:49:04.240
So, in this case, I think the default

0:49:04.240,0:49:06.079
one is fine, and you can then view the

0:49:06.079,0:49:07.920
report here. So

0:49:08.960,0:49:11.359
if we click on this one here, for example,

0:49:11.359,0:49:13.280
we could actually use the bar graph to

0:49:13.280,0:49:17.200
display the--you know--the number of--the actual--

0:49:17.200,0:49:19.440
the top source countries, and have

0:49:19.440,0:49:21.599
them displayed in a bar graph style. But

0:49:21.599,0:49:23.280
we can just take it back into the pie

0:49:23.280,0:49:25.599
chart there. And you can also change this

0:49:25.599,0:49:27.440
for the events as well.

0:49:27.440,0:49:29.359
So, you know, if we wanted to view a

0:49:29.359,0:49:32.240
trend, we can click on the bar graph there.

0:49:32.240,0:49:34.000
In this case, I don't think that's

0:49:34.000,0:49:37.040
formatted correctly. So if we just use

0:49:37.040,0:49:39.440
the default one,

0:49:39.440,0:49:42.880
which I believe was--I think it was--no,

0:49:42.880,0:49:46.160
that wasn't the one. I believe it was--

0:49:46.160,0:49:47.920
let's see if I can identify it here. It

0:49:47.920,0:49:50.800
was the number. There we are. So,

0:49:50.800,0:49:53.920
as I said, you can customize this based on your own--

0:49:53.920,0:49:57.440
you know--your own requirements. So, for example,

0:49:57.440,0:49:59.839
this one might do well if it was in the

0:49:59.839,0:50:02.240
form of a bar graph. So, you know,

0:50:02.240,0:50:04.240
you can utilize that if you feel that

0:50:04.240,0:50:06.319
that is appropriate.

0:50:06.319,0:50:08.319
In this case, you know, we can also

0:50:08.319,0:50:11.920
specify the actual--you know--we can

0:50:11.920,0:50:14.559
actually list the events themselves.

0:50:14.559,0:50:16.079
Let's see which other ones look

0:50:16.079,0:50:17.920
really good here.

0:50:17.920,0:50:19.760
And yeah, once you're done with the

0:50:19.760,0:50:22.079
customization, you can then cancel or

0:50:22.079,0:50:24.559
save based on your requirements. And you

0:50:24.559,0:50:27.200
can also filter on this particular tab

0:50:27.200,0:50:30.760
here, you know, through the source IP, destination IP, etc.

0:50:31.280,0:50:35.339
Let's see, what else did I want to highlight?

0:50:35.339,0:50:38.000
Let me just refresh this once more

0:50:38.000,0:50:41.310
and, you know, to essentially get the latest data.

0:50:42.480,0:50:46.280
And you can see, in terms of the panels,

0:50:46.280,0:50:49.520
this will display the last 100 attempts.

0:50:49.520,0:50:52.960
And you can go through them like so.

0:50:53.599,0:50:55.839
You can also view--I think we've gone

0:50:55.839,0:50:57.119
through all of them--but you have the

0:50:57.119,0:50:59.440
persistent sources. So, two or more days

0:50:59.440,0:51:01.359
of activity in the last 30 days. So you

0:51:01.359,0:51:03.040
actually need a lot of data for that to

0:51:03.040,0:51:06.240
be displayed or to give you anything useful.

0:51:07.520,0:51:09.760
Yep. So that is

0:51:09.760,0:51:11.680
what I wanted to highlight in regards to

0:51:11.680,0:51:14.079
the SNORT alert for Splunk app and the

0:51:14.079,0:51:15.839
actual dashboards, which, as I said, it

0:51:15.839,0:51:17.359
already does for you.

0:51:17.359,0:51:19.119
Now, you can create your own dashboard, as

0:51:19.119,0:51:22.720
I said, if I go back into Apps > Search and Reporting,

0:51:22.720,0:51:25.200
based on your own sources. So I'll just

0:51:25.200,0:51:27.280
click on Data Summary there. And if I

0:51:27.280,0:51:29.280
click on Sources,

0:51:29.280,0:51:30.960
you can click on

0:51:30.960,0:51:33.839
this source here, for example. And,

0:51:33.839,0:51:36.640
you know, in this case, we can actually

0:51:36.640,0:51:39.680
just click on that there. And I can click

0:51:39.680,0:51:41.920
on Extract Fields,

0:51:41.920,0:51:43.359
and you can extract the fields with

0:51:43.359,0:51:46.319
regex. So I'll click on Next there.

0:51:46.319,0:51:47.760
And you can then select the fields that

0:51:47.760,0:51:50.400
you want. So, for example, in this case, we

0:51:50.400,0:51:52.720
would want the date and time.

0:51:52.720,0:51:55.280
So I can just highlight that there. So I

0:51:55.280,0:51:56.319
can say

0:51:56.319,0:51:59.520
time, for example, add the extraction.

0:51:59.520,0:52:02.000
And then, of course, we have the source IP

0:52:02.000,0:52:03.839
and the port. But I'll just highlight

0:52:03.839,0:52:05.680
them together. But I think it's actually

0:52:05.680,0:52:08.630
recommended just to highlight the source IP there.

0:52:08.880,0:52:15.280
So source—we can say src underscore port, IP.

0:52:15.520,0:52:18.480
Add that extraction, and we then have the

0:52:18.480,0:52:20.800
destination IP, which, in this case,

0:52:20.800,0:52:22.559
because this is

0:52:22.559,0:52:25.520
an SNMP broadcast

0:52:25.520,0:52:27.520
request, we can--we know that that's the

0:52:27.520,0:52:34.450
destination IP. So I'll say dst underscore IP, add the extraction.

0:52:34.450,0:52:38.040
Let's see what else we can do.

0:52:40.079,0:52:41.440
In this case, it's saying the extraction

0:52:41.440,0:52:42.960
field you're extracting--if you're

0:52:42.960,0:52:45.040
extracting multiple fields, try removing

0:52:45.040,0:52:47.040
one or more fields. Start with the

0:52:47.040,0:52:48.720
extractions that are embedded within

0:52:48.720,0:52:51.680
longer strings. Okay. So let's try and use

0:52:51.680,0:52:54.400
another alert here

0:52:54.400,0:52:58.119
that was kind of interesting. Let's see.

0:52:58.319,0:53:00.480
It's not displaying all of them here, but

0:53:00.480,0:53:02.800
you get the idea. Once you're done--

0:53:02.800,0:53:04.480
you know, for example, I can remove

0:53:04.480,0:53:06.079
that field here. I'm just giving you an

0:53:06.079,0:53:08.720
example of that. So remove that field.

0:53:08.720,0:53:12.000
There we are. I can then say Next, and

0:53:12.000,0:53:15.440
I can click on Validate and Save based

0:53:15.440,0:53:18.240
on those fields there. Hit Finish.

0:53:18.240,0:53:20.800
And then, you know, I can go back,

0:53:20.800,0:53:23.359
you know, to Search and Reporting.

0:53:23.359,0:53:25.280
And if I wanted to create a very simple

0:53:25.280,0:53:27.839
visualization, which I'll show you right now--

0:53:27.839,0:53:30.000
even though I don't really need those

0:53:30.000,0:53:31.920
extracted fields, although they might be

0:53:31.920,0:53:33.280
useful--so

0:53:33.280,0:53:36.079
I can click on those extracted fields

0:53:36.079,0:53:39.760
now. I believe they should have been added.

0:53:39.760,0:53:41.200
I'm not really sure why they aren't

0:53:41.200,0:53:43.440
being highlighted here. There we are.

0:53:43.440,0:53:45.200
So source IP.

0:53:45.200,0:53:47.760
We can also, say, specify the source port.

0:53:47.760,0:53:50.240
We--oh, there they are. So

0:53:50.240,0:53:51.760
actually, they took a while to be

0:53:51.760,0:53:53.599
displayed there. So,

0:53:53.599,0:53:56.559
source port--that--why not? We can--

0:53:56.559,0:53:59.920
yeah, I think that's pretty much it. So

0:53:59.920,0:54:02.079
based on those, we can actually build

0:54:02.079,0:54:04.480
an event type. However, if we go to

0:54:04.480,0:54:07.520
Visualization and click on Pivot here--

0:54:07.520,0:54:10.640
selected fields is five--hit OK.

0:54:10.640,0:54:12.559
We can actually, you know, visualize this

0:54:12.559,0:54:14.319
however we want. So, for example, if I

0:54:14.319,0:54:17.119
wanted a column chart here--

0:54:17.119,0:54:19.680
so number one will display the count--

0:54:19.680,0:54:22.909
I can just add the events

0:54:24.079,0:54:26.319
because that's the count. And we should

0:54:26.319,0:54:28.720
have, at the bottom, the time, which I did

0:54:28.720,0:54:33.089
specify--I believe within that range there--

0:54:34.000,0:54:36.720
but that's not being highlighted here. So

0:54:36.720,0:54:39.280
the number of events--and, you know, you

0:54:39.280,0:54:41.839
can go ahead and click as--you can

0:54:41.839,0:54:43.440
essentially save it.

0:54:43.440,0:54:45.280
So you get the idea. You don't really

0:54:45.280,0:54:46.880
need to do this because we have the

0:54:46.880,0:54:48.480
SNORT app here,

0:54:48.480,0:54:50.079
which pretty much gives you the

0:54:50.079,0:54:52.880
summaries that are useful to you or for you.

0:54:53.839,0:54:56.559
And there we are. So fantastic. So that's

0:54:56.559,0:54:57.920
going to conclude the practical

0:54:57.920,0:55:01.119
demonstration side of this video.

0:55:01.119,0:55:02.799
So, thank you very much for watching

0:55:02.799,0:55:04.559
this video. If you have any questions or

0:55:04.559,0:55:06.880
suggestions, leave them in the comment section.

0:55:07.200,0:55:08.559
If you want to reach out to me, you can

0:55:08.559,0:55:10.160
do so via

0:55:10.160,0:55:12.319
Twitter or the Discord server. The links

0:55:12.319,0:55:14.240
to both of those are in the description

0:55:14.240,0:55:16.720
section. Furthermore, we are now moving on

0:55:16.720,0:55:18.720
to part two. So this will conclude part

0:55:18.720,0:55:21.040
one. Part two will be available on the

0:55:21.040,0:55:24.559
Linode’s ON24 platform. So, the videos

0:55:24.559,0:55:26.559
are available on-demand. So all you

0:55:26.559,0:55:28.559
need to do is just click the link

0:55:28.559,0:55:31.599
in the description, register for part two,

0:55:31.599,0:55:33.520
after which an email will be sent to you,

0:55:33.520,0:55:34.720
and you'll be given--you know--

0:55:34.720,0:55:37.200
immediate access to the videos

0:55:37.200,0:55:40.000
within part two. So, thank you very

0:55:40.000,0:55:42.799
much for watching part one. In the

0:55:42.799,0:55:45.040
next video, in part two, we'll get started--

0:55:45.040,0:55:46.640
or we'll take a look--at host intrusion

0:55:46.640,0:55:49.520
detection with OSSEC. So I'll be seeing

0:55:49.520,0:55:51.381
you in the next video.

0:55:51.381,0:56:12.426
[Music].