[00:00:01] Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. Right? So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is we are essentially going to take all the knowledge that we've learned during the Snort video, and we are going to essentially forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with the Splunk Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic, you know, within the network that I'm monitoring.
[00:01:19] At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk. Now, before we move any further or actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, you know, and how it's used generally speaking. Because Splunk is not really a tool that is specific to security, for example. That's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security--the Enterprise Security edition--and how it can be used for security event monitoring, especially in our case, because we want to essentially monitor the intrusion detection logs generated by Snort.
[00:02:15] So we'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it. So that'll set it up for us. We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes. With that being said, given the fact that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it'll help you set up Snort, and you can then run through this demo.
[00:03:14] With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for, you know, analysis and monitoring. So the prerequisites are the same as the previous videos. The only difference is, you know, that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements and, yeah, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you out or help you get started. Alright. So let's get an introduction to Splunk. So what is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here?
Well, let's look at this from the 110 00:04:20,880 --> 00:04:24,880 perspective of Web 2.0 or, you know, the 111 00:04:24,880 --> 00:04:26,720 interconnected world we live in 112 00:04:26,720 --> 00:04:29,199 today. And we're going to be looking at 113 00:04:29,199 --> 00:04:31,199 it from the context of or from the 114 00:04:31,199 --> 00:04:33,360 perspective of security. 115 00:04:33,360 --> 00:04:35,759 So if we take a simple system--let's say 116 00:04:35,759 --> 00:04:38,720 we have a Windows operating system or a 117 00:04:38,720 --> 00:04:41,360 system running Windows--well, that Windows 118 00:04:41,360 --> 00:04:44,880 system produces a lot of data or logs 119 00:04:44,880 --> 00:04:47,040 that, you know, contain 120 00:04:47,040 --> 00:04:48,800 information that, you know, at first 121 00:04:48,800 --> 00:04:51,600 glance might not seem that important. But 122 00:04:51,600 --> 00:04:53,919 once you start getting into specific 123 00:04:53,919 --> 00:04:57,360 sectors like security, those logs start, 124 00:04:57,360 --> 00:04:59,680 you know, those logs have, you know, 125 00:04:59,680 --> 00:05:02,080 very important value to organizations. 126 00:05:02,080 --> 00:05:04,880 Now multiply that by a thousand systems. 127 00:05:04,880 --> 00:05:06,800 So let's say we have an organization. 128 00:05:06,800 --> 00:05:08,560 They have a thousand computers within 129 00:05:08,560 --> 00:05:10,479 their network or, you know, distributed 130 00:05:10,479 --> 00:05:13,520 worldwide. And all of these systems, 131 00:05:13,520 --> 00:05:14,960 you know, need to be secured. Their 132 00:05:14,960 --> 00:05:17,919 security needs to be monitored. So how do 133 00:05:17,919 --> 00:05:20,560 we monitor all of this? Well, this is 134 00:05:20,560 --> 00:05:22,639 where Splunk comes into play. 
So Splunk 135 00:05:22,639 --> 00:05:25,280 allows you to essentially funnel all of 136 00:05:25,280 --> 00:05:27,800 this data produced by systems or 137 00:05:27,800 --> 00:05:30,720 machines into Splunk. And then Splunk allows you 138 00:05:30,720 --> 00:05:32,560 to monitor, search, and analyze this 139 00:05:32,560 --> 00:05:35,280 machine-generated data and the logs 140 00:05:35,280 --> 00:05:37,840 through a web interface. So in order to 141 00:05:37,840 --> 00:05:39,680 use Splunk, you'll need to import your 142 00:05:39,680 --> 00:05:42,479 own data or logs. Alternatively, you can 143 00:05:42,479 --> 00:05:45,280 utilize the Splunk Universal Forwarder to 144 00:05:45,280 --> 00:05:47,759 forward logs and data to Splunk for 145 00:05:47,759 --> 00:05:51,360 analysis and, of course, visualization, etc. 146 00:05:51,360 --> 00:05:53,280 Now, Splunk does so much more that I 147 00:05:53,280 --> 00:05:55,199 really can't go over all of the features 148 00:05:55,199 --> 00:05:56,880 here. But as I said, we're looking at this 149 00:05:56,880 --> 00:06:00,400 from the lens of a security engineer. 150 00:06:00,400 --> 00:06:02,240 Alright. So Splunk collates all the 151 00:06:02,240 --> 00:06:04,800 data and logs from various sources and 152 00:06:04,800 --> 00:06:06,720 provides you with a central index that 153 00:06:06,720 --> 00:06:08,800 you can search through. Splunk also 154 00:06:08,800 --> 00:06:11,039 provides you with robust visualization 155 00:06:11,039 --> 00:06:12,720 and reporting tools that allow you to 156 00:06:12,720 --> 00:06:15,360 identify the data that interests you, 157 00:06:15,360 --> 00:06:17,440 transform the data into results, and 158 00:06:17,440 --> 00:06:19,840 visualize the answers in the form of a 159 00:06:19,840 --> 00:06:23,280 report, chart, graph, etc. Alright. 
So what 160 00:06:23,280 --> 00:06:25,360 I'm saying here is that Splunk allows 161 00:06:25,360 --> 00:06:28,080 you to take all of this security-related 162 00:06:28,080 --> 00:06:31,600 logs and data and make sense of them and 163 00:06:31,600 --> 00:06:33,520 essentially get the answers that you're 164 00:06:33,520 --> 00:06:35,520 looking for. So, for example, from the 165 00:06:35,520 --> 00:06:37,680 perspective of a security engineer, what 166 00:06:37,680 --> 00:06:40,240 do you want from all of this data? Well, 167 00:06:40,240 --> 00:06:42,160 at a very high level, you want to know 168 00:06:42,160 --> 00:06:44,080 whether something is going wrong and 169 00:06:44,080 --> 00:06:46,400 what could go wrong. In the context of 170 00:06:46,400 --> 00:06:48,800 security, a network could be compromised. 171 00:06:48,800 --> 00:06:50,560 There could be some malicious network 172 00:06:50,560 --> 00:06:53,120 traffic or activity going on. A system 173 00:06:53,120 --> 00:06:55,919 could be compromised, etc., etc. You get the 174 00:06:55,919 --> 00:06:58,160 idea. So we need that data to be 175 00:06:58,160 --> 00:07:00,560 displayed to us as a security engineer. 176 00:07:00,560 --> 00:07:02,560 And Splunk is really one of the best 177 00:07:02,560 --> 00:07:04,960 tools, you know, when it comes down to, 178 00:07:04,960 --> 00:07:08,000 you know, taking a lot of data 179 00:07:08,000 --> 00:07:09,840 and then identifying the data that 180 00:07:09,840 --> 00:07:11,840 interests you, transforming that data 181 00:07:11,840 --> 00:07:14,960 into results, and then visualizing that 182 00:07:14,960 --> 00:07:17,360 data in the form of a report, chart, or 183 00:07:17,360 --> 00:07:19,759 graph. Right. So that's really what we're 184 00:07:19,759 --> 00:07:21,599 going to be doing. 
And as I said, going 185 00:07:21,599 --> 00:07:23,520 back to the scenario, we're going to be 186 00:07:23,520 --> 00:07:26,080 focusing on how to, you know, essentially 187 00:07:26,080 --> 00:07:28,800 get in or how to forward 188 00:07:28,800 --> 00:07:33,360 the logs created--or the logs and alerts created--by 189 00:07:33,360 --> 00:07:36,000 Snort into Splunk for analysis. And 190 00:07:36,000 --> 00:07:39,280 luckily for us, Splunk has a Snort app or 191 00:07:39,280 --> 00:07:40,960 plug-in, if you will, that will 192 00:07:40,960 --> 00:07:43,680 essentially simplify this process. 193 00:07:44,100 --> 00:07:47,360 So, let's get an idea as to, you know, how we 194 00:07:47,360 --> 00:07:49,120 can use Splunk for security event 195 00:07:49,120 --> 00:07:51,759 monitoring. So Splunk Enterprise Security, 196 00:07:51,759 --> 00:07:54,800 also known as Splunk ES, is a security 197 00:07:54,800 --> 00:07:56,800 information and event management 198 00:07:56,800 --> 00:07:59,199 solution, also known as a SIEM. 199 00:07:59,199 --> 00:08:01,360 It is used by security 200 00:08:01,360 --> 00:08:03,680 teams to quickly detect and respond to 201 00:08:03,680 --> 00:08:06,160 internal and external attacks or threats 202 00:08:06,160 --> 00:08:09,680 or intrusions. So Splunk ES can be used 203 00:08:09,680 --> 00:08:11,759 for security event monitoring, incident 204 00:08:11,759 --> 00:08:15,919 response, and running a SOC or Security Operations Center. 205 00:08:15,919 --> 00:08:18,080 In this video, we'll be using Splunk ES 206 00:08:18,080 --> 00:08:20,000 to monitor and visualize the Snort 207 00:08:20,000 --> 00:08:22,240 intrusion alerts. This will be 208 00:08:22,240 --> 00:08:24,400 facilitated through the help of the Snort 209 00:08:24,400 --> 00:08:26,639 app for Splunk and the Splunk Universal 210 00:08:26,639 --> 00:08:29,280 Forwarder. 
Now, the Splunk Universal Forwarder 211 00:08:29,280 --> 00:08:31,199 is pretty much the most important 212 00:08:31,199 --> 00:08:33,039 element of what we'll be exploring 213 00:08:33,039 --> 00:08:35,200 because what it does--and this is really 214 00:08:35,200 --> 00:08:37,200 cool--is it automatically 215 00:08:37,200 --> 00:08:39,279 forwards the latest logs, 216 00:08:39,279 --> 00:08:42,479 even when Snort is running. It forwards those 217 00:08:42,479 --> 00:08:45,040 alerts and logs into Splunk, and you can 218 00:08:45,040 --> 00:08:46,560 see them in real time, which is 219 00:08:46,560 --> 00:08:49,440 absolutely fantastic. 220 00:08:49,440 --> 00:08:52,320 So as I said, if you're new to Splunk, 221 00:08:52,320 --> 00:08:54,800 then these resources are really helpful 222 00:08:54,800 --> 00:08:57,120 for you. Splunk offers really great 223 00:08:57,120 --> 00:08:59,040 tutorials and courses designed for 224 00:08:59,040 --> 00:09:00,720 absolute beginners. You can check that 225 00:09:00,720 --> 00:09:02,959 out by clicking on the link within this 226 00:09:02,959 --> 00:09:05,600 slide. And you can learn more about the 227 00:09:05,600 --> 00:09:08,160 Splunk Enterprise Security edition from 228 00:09:08,160 --> 00:09:09,760 that particular link. 229 00:09:09,760 --> 00:09:12,240 Now, as I said, we are going to be deploying 230 00:09:12,240 --> 00:09:15,200 Splunk on Linode, more specifically 231 00:09:15,200 --> 00:09:17,120 Splunk ES. And this is the lab 232 00:09:17,120 --> 00:09:19,200 environment. So we're going to spin up, 233 00:09:19,200 --> 00:09:21,519 you know, Splunk ES on Linode. Now, again, 234 00:09:21,519 --> 00:09:23,279 to follow through with this, you 235 00:09:23,279 --> 00:09:25,760 know, Linode has been absolutely fantastic 236 00:09:25,760 --> 00:09:28,320 with, you know, by providing all of 237 00:09:28,320 --> 00:09:31,189 you guys with a way to get $100 238 00:09:31,189 --> 00:09:33,279 in free Linode credit. 
All you 239 00:09:33,279 --> 00:09:35,120 need to do is just click the link in the 240 00:09:35,120 --> 00:09:37,440 description section and sign up, and 241 00:09:37,440 --> 00:09:39,040 $100 will be added to your 242 00:09:39,040 --> 00:09:40,959 account so that you can follow along 243 00:09:40,959 --> 00:09:43,279 with this series. So we're going to 244 00:09:43,279 --> 00:09:45,200 set up Splunk ES on Linode. And then 245 00:09:45,200 --> 00:09:47,279 within my internal network, we're just 246 00:09:47,279 --> 00:09:49,040 going to have a very basic infrastructure. 247 00:09:49,040 --> 00:09:50,399 We're going to have the Ubuntu virtual 248 00:09:50,399 --> 00:09:52,880 machine that is running Snort. This is the 249 00:09:52,880 --> 00:09:54,880 same virtual machine that we had set up 250 00:09:54,880 --> 00:09:57,680 and used to set up Snort and set up 251 00:09:57,680 --> 00:10:00,309 Suricata and the one we had used with Wazuh. 252 00:10:01,360 --> 00:10:03,519 And, yeah, that's essentially it. 
We're 253 00:10:03,519 --> 00:10:04,720 going to have a very basic 254 00:10:04,720 --> 00:10:06,399 infrastructure where we have an attacker 255 00:10:06,399 --> 00:10:09,519 system that I'm going to be using to perform 256 00:10:09,519 --> 00:10:11,600 a bit of network 257 00:10:11,600 --> 00:10:15,040 intrusion detection emulation, whereby 258 00:10:15,040 --> 00:10:17,519 I will essentially perform or run a 259 00:10:17,519 --> 00:10:20,880 couple of commands or scripts to 260 00:10:20,880 --> 00:10:23,279 essentially emulate malicious network 261 00:10:23,279 --> 00:10:26,160 activity so that these logs are 262 00:10:26,160 --> 00:10:28,320 essentially--so this traffic is 263 00:10:28,320 --> 00:10:29,839 essentially logged--and that'll provide 264 00:10:29,839 --> 00:10:32,800 us with a good idea as to how helpful 265 00:10:32,800 --> 00:10:35,279 Splunk is for security event monitoring, 266 00:10:35,279 --> 00:10:38,880 especially in the context of network intrusions. 267 00:10:40,320 --> 00:10:41,920 So as I said, you don't really need to 268 00:10:41,920 --> 00:10:44,240 have a Windows workstation. You simply 269 00:10:44,240 --> 00:10:46,000 need to have the Ubuntu VM, and you can 270 00:10:46,000 --> 00:10:48,800 pretty much run everything from it. And, 271 00:10:48,800 --> 00:10:50,560 of course, you can set up the Splunk 272 00:10:50,560 --> 00:10:54,240 Enterprise Security server on Linode 273 00:10:54,240 --> 00:10:56,480 without any issues. 274 00:10:56,480 --> 00:10:58,399 So that's the lab environment. We can now 275 00:10:58,399 --> 00:11:00,000 get started with the practical 276 00:11:00,000 --> 00:11:01,440 demonstration. So I'm going to switch 277 00:11:01,440 --> 00:11:05,040 over to my Ubuntu virtual machine. 278 00:11:05,040 --> 00:11:07,600 Alright. So I'm back on my Ubuntu 279 00:11:07,600 --> 00:11:09,360 virtual machine, and you can see I have 280 00:11:09,360 --> 00:11:11,279 Linode opened up here. 
281 00:11:11,279 --> 00:11:13,279 I haven't set anything up yet because 282 00:11:13,279 --> 00:11:14,640 we're going to be walking through the 283 00:11:14,640 --> 00:11:16,079 process together. 284 00:11:16,079 --> 00:11:18,959 I then have the Splunk.com website here. 285 00:11:18,959 --> 00:11:21,040 So if you're new to Splunk, then you need 286 00:11:21,040 --> 00:11:22,640 to create a new account in order to 287 00:11:22,640 --> 00:11:25,740 follow along. So just head over to 288 00:11:25,740 --> 00:11:27,279 Splunk.com and, you know, 289 00:11:27,279 --> 00:11:29,519 register for an account. It's free. 290 00:11:29,519 --> 00:11:31,120 Once that is done, 291 00:11:31,120 --> 00:11:33,120 you'll need to activate your account or 292 00:11:33,120 --> 00:11:35,120 verify your account through 293 00:11:35,120 --> 00:11:36,880 the verification email 294 00:11:36,880 --> 00:11:39,680 they'll send you. Once that is done, 295 00:11:39,680 --> 00:11:41,279 we can then move forward. Because in 296 00:11:41,279 --> 00:11:44,320 order to access the actual 297 00:11:44,320 --> 00:11:46,800 Splunk Universal Forwarder, you'll need to 298 00:11:46,800 --> 00:11:48,720 have an account. And of course, you 299 00:11:48,720 --> 00:11:50,639 know, in this case, I'll be going through 300 00:11:50,639 --> 00:11:52,800 everything as we move along in a 301 00:11:52,800 --> 00:11:55,519 structured manner. And 302 00:11:55,519 --> 00:11:59,120 then to perform the actual NIDS tests, 303 00:12:00,160 --> 00:12:01,780 we are going to be using the 304 00:12:01,780 --> 00:12:03,839 testmyNIDS.org project, 305 00:12:03,839 --> 00:12:06,480 which is on GitHub. So this is 306 00:12:06,480 --> 00:12:08,880 essentially a bash script 307 00:12:08,880 --> 00:12:11,440 that allows you to--as you can see here-- 308 00:12:11,440 --> 00:12:13,279 it allows you to essentially emulate or 309 00:12:13,279 --> 00:12:16,800 simulate malicious network traffic. 
So, 310 00:12:16,800 --> 00:12:19,440 previously, we had used 311 00:12:19,440 --> 00:12:21,279 the website technique to essentially get 312 00:12:21,279 --> 00:12:23,760 a Linux UID, and that traffic would be 313 00:12:23,760 --> 00:12:26,240 logged as malicious, or 314 00:12:26,240 --> 00:12:27,760 it could be logged as a potential 315 00:12:27,760 --> 00:12:30,000 intrusion. And we can run a few other 316 00:12:30,000 --> 00:12:33,360 checks like HTTP basic authentication, 317 00:12:33,360 --> 00:12:35,519 bad certificate authorities, 318 00:12:35,519 --> 00:12:38,639 an EXE or DLL download over HTTP. So, 319 00:12:38,639 --> 00:12:40,720 you know, we can run tests that, 320 00:12:40,720 --> 00:12:42,959 you know, will just make our 321 00:12:42,959 --> 00:12:45,440 intrusion detection system blow up in 322 00:12:45,440 --> 00:12:47,600 terms of alerts. And that's what we want 323 00:12:47,600 --> 00:12:49,519 because we want to see how that data is 324 00:12:49,519 --> 00:12:52,160 presented to us as a security engineer 325 00:12:52,160 --> 00:12:55,040 on Splunk. With that being said, the first 326 00:12:55,040 --> 00:12:58,030 step, of course, is to set up Splunk ES on Linode. 327 00:12:58,330 --> 00:13:04,079 So just click on “Create a Linode” and click on “Marketplace.” 328 00:13:04,079 --> 00:13:06,399 And they already have Splunk here. So 329 00:13:06,399 --> 00:13:08,480 there we are. You can click on that there. 330 00:13:08,480 --> 00:13:10,240 And if you click on this little info 331 00:13:10,240 --> 00:13:12,399 button here, it'll give you an idea as to 332 00:13:12,399 --> 00:13:14,320 how to deploy it on 333 00:13:14,320 --> 00:13:16,480 Linode. And, of course, you have more 334 00:13:16,480 --> 00:13:18,399 information regarding Splunk. So you have 335 00:13:18,399 --> 00:13:20,480 the documentation link there. So I'll 336 00:13:20,480 --> 00:13:22,959 just click on Splunk. 
337 00:13:22,959 --> 00:13:24,639 Once that is clicked, we can then head 338 00:13:24,639 --> 00:13:26,720 over here. You'll need to specify the 339 00:13:26,720 --> 00:13:28,959 Splunk admin user. I recommend using 340 00:13:28,959 --> 00:13:32,510 “admin” to begin with and then specify a password. 341 00:13:33,440 --> 00:13:35,519 If you're setting up, you know, Splunk on 342 00:13:35,519 --> 00:13:37,600 a domain, then you can specify the 343 00:13:37,600 --> 00:13:39,839 Linode API token to essentially create 344 00:13:39,839 --> 00:13:42,320 the DNS records--that's if you're using 345 00:13:42,320 --> 00:13:44,320 Linode's DNS service. 346 00:13:45,839 --> 00:13:47,519 And then, of course, you need to add 347 00:13:47,519 --> 00:13:49,519 the admin email for the server. So in 348 00:13:49,519 --> 00:13:52,000 this case, I can just say, for example, 349 00:13:52,000 --> 00:13:55,080 hackersploit@gmail.com. 350 00:13:55,519 --> 00:13:57,360 Don't spam me on this email because I 351 00:13:57,360 --> 00:13:59,519 don't respond anyway. So we can create 352 00:13:59,519 --> 00:14:01,040 another user. 353 00:14:01,040 --> 00:14:02,480 This is the username for the 354 00:14:02,480 --> 00:14:04,720 Linode admin's SSH user. Please ensure 355 00:14:04,720 --> 00:14:06,480 that the username does not contain any... 356 00:14:06,480 --> 00:14:08,880 so we can just call this “admin.” And then 357 00:14:08,880 --> 00:14:11,360 for the admin user, we'll just say 358 00:14:11,360 --> 00:14:13,199 provide that there. 359 00:14:13,199 --> 00:14:14,800 So the image--we're going to set it up on 360 00:14:14,800 --> 00:14:18,079 Ubuntu 20.04. The region--I’ll say London 361 00:14:18,079 --> 00:14:19,920 because that's closest to me. 
362 00:14:19,920 --> 00:14:22,240 As for the actual Linode plan, 363 00:14:22,240 --> 00:14:24,720 Linode ES doesn't require that many 364 00:14:24,720 --> 00:14:26,480 resources, especially because, you know, 365 00:14:26,480 --> 00:14:28,720 the amount of data that we're processing 366 00:14:28,720 --> 00:14:30,959 or the logs that are being forwarded to 367 00:14:30,959 --> 00:14:34,320 Splunk are relatively few--so less than 368 00:14:34,320 --> 00:14:36,160 100--which, if you've used Splunk before 369 00:14:36,160 --> 00:14:37,920 for security event monitoring, you know 370 00:14:37,920 --> 00:14:39,040 that that is 371 00:14:39,040 --> 00:14:41,199 really, really small. In 372 00:14:41,199 --> 00:14:43,199 fact, Splunk will actually tell you, 373 00:14:43,199 --> 00:14:44,959 you know, that the amount of data 374 00:14:44,959 --> 00:14:47,519 to begin with that you have imported or 375 00:14:47,519 --> 00:14:50,670 forwarded is too little to make any sense of. 376 00:14:50,880 --> 00:14:52,480 But that's where the Snort app for 377 00:14:52,480 --> 00:14:54,800 Splunk comes into play. So I'll just say 378 00:14:54,800 --> 00:14:56,000 “Splunk,” 379 00:14:56,000 --> 00:14:59,360 and I'll provide my root password for the server. 380 00:14:59,360 --> 00:15:02,079 And we can click on “Create.” 381 00:15:02,079 --> 00:15:03,360 Alright. Now, 382 00:15:03,360 --> 00:15:06,079 once this is set up and provisioned, 383 00:15:06,079 --> 00:15:08,079 the actual installer is going to begin. 384 00:15:08,079 --> 00:15:10,079 So it's going to set up because there is 385 00:15:10,079 --> 00:15:13,410 an auto-installer setup that will set up Splunk. 386 00:15:13,410 --> 00:15:15,199 Yes. For you. So, let it 387 00:15:15,199 --> 00:15:16,880 provision. After that's done, you can 388 00:15:16,880 --> 00:15:19,199 launch the Lish console to avoid logging 389 00:15:19,199 --> 00:15:22,160 in via SSH. 
And of course, one thing that 390 00:15:22,160 --> 00:15:24,000 I don't need to tell you 391 00:15:24,000 --> 00:15:25,680 is, if you're setting this up for 392 00:15:25,680 --> 00:15:27,680 production, then you need to make sure 393 00:15:27,680 --> 00:15:29,759 you're securing your server. So do only 394 00:15:29,759 --> 00:15:33,420 use SSH keys for authentication with the server. 395 00:15:33,759 --> 00:15:35,920 If you're new to hardening and securing 396 00:15:35,920 --> 00:15:37,759 a Linux server, you can check out the 397 00:15:37,759 --> 00:15:39,360 previous series 398 00:15:39,360 --> 00:15:41,920 that we did with Linux--the Linux Server 399 00:15:41,920 --> 00:15:44,800 Security series. They'll give you, 400 00:15:44,800 --> 00:15:46,959 you know, all the information you need to 401 00:15:46,959 --> 00:15:49,759 secure a Linux server for production. 402 00:15:49,759 --> 00:15:50,959 With that being said, I'm just going to 403 00:15:50,959 --> 00:15:52,800 let it provision, after which we can 404 00:15:52,800 --> 00:15:54,560 launch the Lish console to see what's 405 00:15:54,560 --> 00:15:56,639 going on in the background. And we can 406 00:15:56,639 --> 00:15:59,350 then get started, you know, officially 407 00:15:59,350 --> 00:16:01,839 with how to set up Splunk. We then need 408 00:16:01,839 --> 00:16:04,720 to set up the Universal Forwarder. 409 00:16:04,720 --> 00:16:07,529 So, this is booting now. 410 00:16:08,639 --> 00:16:11,120 Alright. So the server is booted, and 411 00:16:11,120 --> 00:16:12,800 you can see I've just opened up the Lish 412 00:16:12,800 --> 00:16:14,320 console here 413 00:16:14,320 --> 00:16:15,920 to essentially view what's going on. As 414 00:16:15,920 --> 00:16:18,000 you can see, it's begun setting up 415 00:16:18,000 --> 00:16:20,399 Splunk ES. So just give this a couple of 416 00:16:20,399 --> 00:16:22,809 minutes to essentially begin. 
417 00:16:23,279 --> 00:16:25,600 And once it's done, it'll actually 418 00:16:25,600 --> 00:16:27,360 tell you that, and it'll provide you with the 419 00:16:27,360 --> 00:16:28,800 login prompt. 420 00:16:28,800 --> 00:16:30,399 But it's probably logged in as the root 421 00:16:30,399 --> 00:16:32,000 user already. So 422 00:16:32,000 --> 00:16:33,759 just let this complete. I'm just going to 423 00:16:33,759 --> 00:16:36,880 wait for this to actually conclude. 424 00:16:36,880 --> 00:16:40,000 Alright. So once Splunk ES is done, 425 00:16:40,000 --> 00:16:42,880 or the actual Linode is done here 426 00:16:42,880 --> 00:16:44,320 with the setup, you can see it's going to 427 00:16:44,320 --> 00:16:46,240 tell you "installation complete," 428 00:16:46,240 --> 00:16:48,160 and you can then log in. Keep this 429 00:16:48,160 --> 00:16:49,519 window open because this is going to be 430 00:16:49,519 --> 00:16:50,880 very important, as we'll need to 431 00:16:50,880 --> 00:16:53,440 configure a few firewall rules. 432 00:16:53,440 --> 00:16:56,320 By default, this Linode comes with UFW, 433 00:16:56,320 --> 00:16:58,720 which is the uncomplicated firewall for 434 00:16:58,720 --> 00:17:00,079 Debian, or 435 00:17:00,079 --> 00:17:02,000 it typically comes prepackaged with 436 00:17:02,000 --> 00:17:04,959 Debian-based distributions like Ubuntu. 437 00:17:04,959 --> 00:17:06,559 In this case, it's already added the 438 00:17:06,559 --> 00:17:08,400 firewall rule for the port that we 439 00:17:08,400 --> 00:17:10,000 wanted, but just keep it open because 440 00:17:10,000 --> 00:17:12,559 we'll need to run a few checks. So you 441 00:17:12,559 --> 00:17:14,000 can log in there. So I'm just going to 442 00:17:14,000 --> 00:17:15,679 log in with the credentials that I 443 00:17:15,679 --> 00:17:18,720 specified as the root user. And I can 444 00:17:18,720 --> 00:17:22,160 just say sudo ufw status. 
445 00:17:23,839 --> 00:17:25,439 And you can see these are all the 446 00:17:25,439 --> 00:17:28,160 allowed rules or the actual rules 447 00:17:28,160 --> 00:17:30,400 configured for the firewall, which is 448 00:17:30,400 --> 00:17:32,400 looking good so far. 449 00:17:32,400 --> 00:17:35,679 So we can access the Splunk ES instance 450 00:17:35,679 --> 00:17:37,840 that we set up by pasting in the IP of 451 00:17:37,840 --> 00:17:42,080 the server and opening up port 8000. 452 00:17:42,080 --> 00:17:44,080 That's going to open up Splunk ES for 453 00:17:44,080 --> 00:17:45,760 you. So just give this a couple of 454 00:17:45,760 --> 00:17:48,240 seconds. There we are. And the credentials 455 00:17:48,240 --> 00:17:50,880 that we had used were "admin" and the 456 00:17:50,880 --> 00:17:53,280 password that I created--that, you know, 457 00:17:53,280 --> 00:17:54,559 of course, you'll be able to 458 00:17:54,559 --> 00:17:57,200 specify yourself. So just sign in. 459 00:17:57,200 --> 00:17:59,919 And once that is done, you'll be 460 00:17:59,919 --> 00:18:04,560 brought to Splunk Enterprise Security here. 461 00:18:04,560 --> 00:18:05,360 So there we are--explore 462 00:18:05,360 --> 00:18:07,200 Splunk Enterprise. 463 00:18:10,000 --> 00:18:11,360 And in this case, what we're going to be 464 00:18:11,360 --> 00:18:14,080 doing--what we're going to start off with-- 465 00:18:14,080 --> 00:18:16,240 is we need to go through a few 466 00:18:16,240 --> 00:18:19,350 configuration changes with Splunk itself. 467 00:18:19,760 --> 00:18:22,880 So the idea, firstly, is to configure 468 00:18:22,880 --> 00:18:26,120 the actual receiving of data. 469 00:18:26,120 --> 00:18:27,360 So if you head over into "Settings," 470 00:18:27,360 --> 00:18:29,440 you can click on "Data," then just click 471 00:18:29,440 --> 00:18:31,840 on "Forwarding and Receiving." 
472 00:18:31,840 --> 00:18:34,400 And once that is done--once that is 473 00:18:34,400 --> 00:18:35,760 loaded up-- 474 00:18:35,760 --> 00:18:38,080 under "Receive Data," we need to 475 00:18:38,080 --> 00:18:40,000 configure this instance to receive data 476 00:18:40,000 --> 00:18:41,600 forwarded from other instances. So we 477 00:18:41,600 --> 00:18:43,520 want to configure receiving, 478 00:18:43,520 --> 00:18:46,799 and we just want to set the default receiving port. 479 00:18:46,799 --> 00:18:50,400 So we can say "New Receiving Port," 480 00:18:50,400 --> 00:18:52,160 and the port is, of course, going to be 481 00:18:52,160 --> 00:18:54,799 the default, which is 9997--which is why 482 00:18:54,799 --> 00:18:56,640 that firewall rule was added. So I'll 483 00:18:56,640 --> 00:18:58,182 click on Save. 484 00:18:58,880 --> 00:19:01,200 Alright. So once that is done, we can 485 00:19:01,200 --> 00:19:04,110 now install the Snort app 486 00:19:04,110 --> 00:19:06,240 for Splunk. So click on "Apps" and head 487 00:19:06,240 --> 00:19:08,480 over into "Find More Apps." 488 00:19:08,480 --> 00:19:11,360 And because the Ubuntu server is running-- 489 00:19:11,360 --> 00:19:13,120 or the Ubuntu VM that I'm currently 490 00:19:13,120 --> 00:19:15,919 working on is running--Snort 2, we'll need 491 00:19:15,919 --> 00:19:18,160 the appropriate app here. So I'll just 492 00:19:18,160 --> 00:19:20,160 search for "Snort" there. And we're not 493 00:19:20,160 --> 00:19:22,320 looking for the Snort 3 JSON alerts, 494 00:19:22,320 --> 00:19:24,320 although that, you know, could be quite 495 00:19:24,320 --> 00:19:26,480 useful, but we want the Snort alert for 496 00:19:26,480 --> 00:19:28,720 Splunk. Alright. So this app provides 497 00:19:28,720 --> 00:19:30,880 field extraction. 
So that's really great 498 00:19:30,880 --> 00:19:32,400 because performing your own field 499 00:19:32,400 --> 00:19:34,960 extractions using regex 500 00:19:34,960 --> 00:19:36,400 can be quite difficult if you're a 501 00:19:36,400 --> 00:19:39,360 beginner. So fast and full, 502 00:19:39,360 --> 00:19:42,400 as well as dashboards, saved searches, 503 00:19:42,400 --> 00:19:45,600 reports, event types, tags, and event 504 00:19:45,600 --> 00:19:48,080 search interfaces. So we'll install that. 505 00:19:48,080 --> 00:19:50,240 Now you'll need to log in with 506 00:19:50,240 --> 00:19:52,400 your Splunk account credentials that you, 507 00:19:52,400 --> 00:19:55,120 you know, actually created on 508 00:19:55,120 --> 00:19:57,760 splunk.com. So I'll just fill in my 509 00:19:57,760 --> 00:20:00,400 information really quickly. 510 00:20:00,400 --> 00:20:02,240 Alright. So I've put in my username and 511 00:20:02,240 --> 00:20:04,240 password. So I'll just say I'll accept 512 00:20:04,240 --> 00:20:06,320 the terms and conditions there. So log in 513 00:20:06,320 --> 00:20:07,600 and install. 514 00:20:07,600 --> 00:20:09,280 That's going to install it. There we are. 515 00:20:09,280 --> 00:20:10,880 So we'll just hit "Done." 516 00:20:10,880 --> 00:20:13,360 Now that that is done, if we head back over 517 00:20:13,360 --> 00:20:16,400 into our dashboard--so I'll just click on 518 00:20:16,400 --> 00:20:18,400 Splunk Enterprise there-- 519 00:20:18,400 --> 00:20:20,720 you can now see we have Snort 520 00:20:20,720 --> 00:20:23,039 Alert for Splunk. So that already 521 00:20:23,039 --> 00:20:25,600 comes preconfigured with a dashboard. 522 00:20:25,600 --> 00:20:28,600 So we'll just let this load up here. 523 00:20:28,600 --> 00:20:30,000 And you can see that we don't have 524 00:20:30,000 --> 00:20:32,480 any data yet. So this will display 525 00:20:32,480 --> 00:20:34,559 your events and sources, top source 526 00:20:34,559 --> 00:20:36,480 countries, the events. 
This is very 527 00:20:36,480 --> 00:20:38,480 important--these sources, top 10 528 00:20:38,480 --> 00:20:41,039 classification. So that'll classify 529 00:20:41,039 --> 00:20:44,400 your alerts in terms of the 530 00:20:44,400 --> 00:20:46,640 type, which again will make sense in a 531 00:20:46,640 --> 00:20:49,280 couple of seconds. So now that that is 532 00:20:49,280 --> 00:20:51,600 done, we actually need to configure 533 00:20:51,600 --> 00:20:54,480 the actual Splunk Universal Forwarder. So 534 00:20:54,480 --> 00:20:56,480 I'll just open that up in a new tab. It's 535 00:20:56,480 --> 00:20:59,120 absolutely free to download the Debian 536 00:20:59,120 --> 00:21:01,840 client or the Splunk Universal 537 00:21:01,840 --> 00:21:04,159 Forwarder Debian package. So Universal 538 00:21:04,159 --> 00:21:06,960 Forwarders provide reliable, secure 539 00:21:06,960 --> 00:21:09,440 data collection from remote 540 00:21:09,440 --> 00:21:11,520 sources and forward that data into 541 00:21:11,520 --> 00:21:14,159 Splunk software for indexing and 542 00:21:14,159 --> 00:21:16,880 consolidation. They can scale to tens of 543 00:21:16,880 --> 00:21:18,799 thousands of remote systems, collecting 544 00:21:18,799 --> 00:21:20,720 terabytes of data. So 545 00:21:20,720 --> 00:21:23,039 again, you can actually see why Splunk is 546 00:21:23,039 --> 00:21:25,360 so powerful and why it's widely used 547 00:21:25,360 --> 00:21:27,440 and deployed--because of the fact that 548 00:21:27,440 --> 00:21:30,480 you can literally be... 549 00:21:30,480 --> 00:21:32,640 literally forward a ton of data from a 550 00:21:32,640 --> 00:21:35,840 ton of systems into Splunk. So because 551 00:21:35,840 --> 00:21:38,480 Snort is running on this 552 00:21:38,480 --> 00:21:40,480 Ubuntu VM, we need the Debian package. So 553 00:21:40,480 --> 00:21:41,919 I'll click on Linux, and we want the 554 00:21:41,919 --> 00:21:45,039 64-bit version. 
Again, you can choose one 555 00:21:45,039 --> 00:21:46,559 based on your requirements. So if you're 556 00:21:46,559 --> 00:21:49,840 running on Red Hat, Fedora, or CentOS, you 557 00:21:49,840 --> 00:21:51,520 can use the RPM package. So I'll just 558 00:21:51,520 --> 00:21:54,559 download the Debian package here. 559 00:21:54,559 --> 00:21:56,080 Give that a couple of seconds. It's then 560 00:21:56,080 --> 00:21:58,240 going to begin downloading it, and then 561 00:21:58,240 --> 00:22:00,000 I'll walk you through the setup process. 562 00:22:00,000 --> 00:22:01,840 So there we are. 563 00:22:01,840 --> 00:22:04,260 It's begun the setup. 564 00:22:07,360 --> 00:22:09,440 And once that is done, I'll open up my 565 00:22:09,440 --> 00:22:10,799 terminal. So that's saved in the 566 00:22:10,799 --> 00:22:12,960 Downloads directory. So 567 00:22:12,960 --> 00:22:14,320 if we check--if we head over into the 568 00:22:14,320 --> 00:22:15,840 Downloads directory--you can see we have 569 00:22:15,840 --> 00:22:18,489 the Splunk Forwarder Debian package there. 570 00:22:19,200 --> 00:22:21,679 So what we want to do, firstly, is we want 571 00:22:21,679 --> 00:22:25,680 to move this package into the actual /opt 572 00:22:25,680 --> 00:22:28,080 directory on Linux, which will 573 00:22:28,080 --> 00:22:30,880 essentially allow us to, you know, 574 00:22:30,880 --> 00:22:33,360 to set it up as optional software. And 575 00:22:33,360 --> 00:22:35,280 it's really good to have all that 576 00:22:35,280 --> 00:22:38,240 optional software stored in the 577 00:22:38,240 --> 00:22:42,240 directory. So, once that is done and 578 00:22:42,240 --> 00:22:44,320 once that's downloaded, we can say, 579 00:22:44,320 --> 00:22:45,600 move 580 00:22:45,600 --> 00:22:48,480 Splunk forward into opt, 581 00:22:48,480 --> 00:22:50,400 and we'll need sudo privileges. So I'll 582 00:22:50,400 --> 00:22:52,559 say sudo move. There we are. 
And I'll just 583 00:22:52,559 --> 00:22:55,120 type in my password. Fantastic. So 584 00:22:55,120 --> 00:22:57,360 now navigate to the opt directory. And to 585 00:22:57,360 --> 00:23:00,320 install this, we can say sudo apt, 586 00:23:00,320 --> 00:23:02,960 and then we can specify install. So we 587 00:23:02,960 --> 00:23:05,120 can say sudo apt install, 588 00:23:05,120 --> 00:23:06,960 and then we specify the package itself. 589 00:23:06,960 --> 00:23:09,440 So Splunk forwarder, 590 00:23:09,440 --> 00:23:11,440 and we're just going to hit enter. That's 591 00:23:11,440 --> 00:23:13,520 going to install it for you. 592 00:23:13,520 --> 00:23:16,880 Give that a couple of seconds. 593 00:23:19,440 --> 00:23:21,520 Alright. So once that is installed, if 594 00:23:21,520 --> 00:23:23,039 you list out the contents of this 595 00:23:23,039 --> 00:23:24,559 directory, you're gonna have a Splunk 596 00:23:24,559 --> 00:23:26,559 forwarder directory here. So I'll say cd 597 00:23:26,559 --> 00:23:29,200 splunkforwarder. And under the binary 598 00:23:29,200 --> 00:23:31,200 directory, we can navigate to that here. 599 00:23:31,200 --> 00:23:32,720 We'll need to start-- 600 00:23:32,720 --> 00:23:35,600 we'll need to start Splunk. So we will 601 00:23:35,600 --> 00:23:37,280 say sudo, 602 00:23:37,280 --> 00:23:39,039 and the binary we want to run is called 603 00:23:39,039 --> 00:23:41,279 splunk, and we'll accept the license. 604 00:23:41,279 --> 00:23:42,799 The reason we're doing this is because 605 00:23:42,799 --> 00:23:44,799 we need to configure it. So we need to 606 00:23:44,799 --> 00:23:46,799 specify the username and password, or, you 607 00:23:46,799 --> 00:23:49,279 know, create a username and password. 608 00:23:49,279 --> 00:23:52,000 And once that is done, you'll actually 609 00:23:52,000 --> 00:23:53,360 see what that looks like. So I'll just 610 00:23:53,360 --> 00:23:55,679 say accept the license. 
611 00:23:55,679 --> 00:23:59,200 And, you can see in this case, let's see if I 612 00:23:59,200 --> 00:24:01,200 typed that incorrectly. That should 613 00:24:01,200 --> 00:24:03,600 actually start. So splunk start. I did not 614 00:24:03,600 --> 00:24:05,440 specify start there. 615 00:24:05,440 --> 00:24:06,799 There we are. So please enter an 616 00:24:06,799 --> 00:24:09,679 administrator name. I'll just say admin. 617 00:24:09,679 --> 00:24:12,000 So again, Splunk software must create an 618 00:24:12,000 --> 00:24:14,320 administrator account during startup. 619 00:24:14,320 --> 00:24:16,559 Otherwise, you cannot log in. So create 620 00:24:16,559 --> 00:24:18,899 credentials for the administrator account. 621 00:24:20,640 --> 00:24:22,320 So in this case, you can 622 00:24:22,320 --> 00:24:23,600 create whatever you want. I'm just going 623 00:24:23,600 --> 00:24:26,000 to fill in my credentials here. 624 00:24:26,000 --> 00:24:28,640 Alright, so I've just entered my 625 00:24:28,640 --> 00:24:30,320 administrator username and then, of 626 00:24:30,320 --> 00:24:32,400 course, my password. So 627 00:24:32,400 --> 00:24:33,840 that is done. 628 00:24:33,840 --> 00:24:36,240 So it'll go through-- 629 00:24:36,240 --> 00:24:37,760 it'll essentially go through and check 630 00:24:37,760 --> 00:24:40,400 the prerequisites. New certs have been 631 00:24:40,400 --> 00:24:42,960 generated in the following directory, 632 00:24:42,960 --> 00:24:45,200 and all the preliminary checks have 633 00:24:45,200 --> 00:24:47,520 passed. So starting the Splunk server 634 00:24:47,520 --> 00:24:49,440 daemon--so that started. You can also 635 00:24:49,440 --> 00:24:52,159 enable it to run on system startup. So if 636 00:24:52,159 --> 00:24:56,330 I say, you know, for example, sudo systemctl 637 00:24:56,720 --> 00:24:58,910 status splunk, 638 00:24:59,520 --> 00:25:01,840 let me type that correctly here. 
So 639 00:25:01,840 --> 00:25:03,360 splunk-- 640 00:25:03,360 --> 00:25:07,520 sorry, systemctl, 641 00:25:07,520 --> 00:25:10,240 and we can say splunkd. 642 00:25:10,240 --> 00:25:12,880 Sorry. So we can say splunk. I'm not 643 00:25:12,880 --> 00:25:15,039 really sure why that's not loading here. 644 00:25:15,039 --> 00:25:17,520 But I do know that the daemon is running, 645 00:25:17,520 --> 00:25:23,620 and there should be an init daemon for that. 646 00:25:23,620 --> 00:25:24,799 But in any case, 647 00:25:24,799 --> 00:25:27,360 you can always start it that way. 648 00:25:27,360 --> 00:25:29,840 Once that is done, we will need to add 649 00:25:29,840 --> 00:25:32,320 our forward server. So we need to add 650 00:25:32,320 --> 00:25:34,960 the address of the server--the 651 00:25:34,960 --> 00:25:37,039 Splunk server that we're forwarding our 652 00:25:37,039 --> 00:25:39,600 logs to. We'll move on to what 653 00:25:39,600 --> 00:25:42,480 logs we want to forward in a second. But 654 00:25:42,480 --> 00:25:44,159 let's do that first. So again, we're going 655 00:25:44,159 --> 00:25:45,799 to use the 656 00:25:47,520 --> 00:25:51,220 Splunk binary, and we're going to say forward-server. 657 00:25:51,220 --> 00:25:52,559 And we'll just copy the IP 658 00:25:52,559 --> 00:25:56,419 address of your Splunk server here. 659 00:25:56,419 --> 00:25:59,850 So there we are. And I'll paste that in there. 660 00:26:00,640 --> 00:26:03,320 And then you need to type in the port--so 661 00:26:03,320 --> 00:26:07,780 9997, that's the port to connect to. Hit enter. 662 00:26:08,400 --> 00:26:10,799 So splunk forward-- 663 00:26:11,279 --> 00:26:13,279 yeah, we need to add it. I keep forgetting 664 00:26:13,279 --> 00:26:16,910 the preliminary command. So add forward-server, 665 00:26:16,910 --> 00:26:18,260 Splunk username. 666 00:26:18,320 --> 00:26:21,919 So in this case, let me just put 667 00:26:21,919 --> 00:26:25,840 in my credentials here. 
668 00:26:26,640 --> 00:26:29,440 Alright. And it's going to then add the 669 00:26:29,440 --> 00:26:31,760 forwarding to that particular address. 670 00:26:31,760 --> 00:26:33,760 Alright. Now that that is done, 671 00:26:33,760 --> 00:26:35,440 we actually need to 672 00:26:35,440 --> 00:26:37,919 configure a particular file, 673 00:26:37,919 --> 00:26:40,720 and that is going to be the outputs.conf 674 00:26:40,720 --> 00:26:43,039 directory. If it's already set up for us, 675 00:26:43,039 --> 00:26:45,039 which it should be, 676 00:26:45,039 --> 00:26:46,880 then we do not need to go through the 677 00:26:46,880 --> 00:26:49,360 initial setup. So, 678 00:26:49,360 --> 00:26:51,120 if we head over into the following 679 00:26:51,120 --> 00:26:52,640 directory--so I'll just take a step back-- 680 00:26:52,640 --> 00:26:55,120 we're still in the Splunk forwarder directory. 681 00:26:55,279 --> 00:26:59,739 We'll head over into the etc directory. 682 00:26:59,739 --> 00:27:01,679 And under system, 683 00:27:01,679 --> 00:27:05,039 we have a file under local, I think. It is 684 00:27:05,039 --> 00:27:06,640 called outputs here. Right? So I'm going to say 685 00:27:06,640 --> 00:27:09,680 sudo vim outputs.conf. 686 00:27:09,840 --> 00:27:11,840 And really, the only thing that is 687 00:27:11,840 --> 00:27:14,290 required here is, 688 00:27:14,290 --> 00:27:16,159 of course, just leave the default 689 00:27:16,159 --> 00:27:18,320 configuration as is. The default group is 690 00:27:18,320 --> 00:27:21,760 fine. So tcpout:default-autolb-group, 691 00:27:21,760 --> 00:27:23,279 that's fine. So make sure that the 692 00:27:23,279 --> 00:27:25,840 server option here is configured--that's 693 00:27:25,840 --> 00:27:29,100 the most important. And the tcpout-server 694 00:27:29,100 --> 00:27:30,320 address is also configured in 695 00:27:30,320 --> 00:27:32,000 this format. So we don't need to make any 696 00:27:32,000 --> 00:27:34,670 changes there. 
So I'll just say quit and exit. 697 00:27:35,120 --> 00:27:38,640 Once that is done, we also need to check 698 00:27:38,640 --> 00:27:41,279 the actual inputs configuration file. 699 00:27:41,279 --> 00:27:43,200 But before we do that, 700 00:27:43,200 --> 00:27:45,279 let's take a look. So if you revisit the 701 00:27:45,279 --> 00:27:46,880 Snort video, 702 00:27:46,880 --> 00:27:48,880 you know that all the logs are stored 703 00:27:48,880 --> 00:27:53,110 under /var/log/snort. 704 00:27:53,110 --> 00:27:55,760 Right? So we have the alert log, 705 00:27:55,760 --> 00:27:59,279 and we also have--so again, based on 706 00:27:59,279 --> 00:28:02,000 the type of alerts 707 00:28:02,000 --> 00:28:03,200 you want generated--so, you know, 708 00:28:03,200 --> 00:28:05,440 if I say man snort here, 709 00:28:05,440 --> 00:28:08,090 you can see that we have the alert mode. 710 00:28:08,090 --> 00:28:09,440 So you can use the fast mode or the 711 00:28:09,440 --> 00:28:11,360 full mode. In this case, I'll be using the 712 00:28:11,360 --> 00:28:12,559 fast mode, 713 00:28:13,760 --> 00:28:15,279 and I'll give you a description of what's 714 00:28:15,279 --> 00:28:17,279 going on here. Right? So 715 00:28:17,279 --> 00:28:19,919 full writes the alert to the alert 716 00:28:19,919 --> 00:28:21,919 file with the full decoded header as 717 00:28:21,919 --> 00:28:24,720 well as the alert message, which might be 718 00:28:24,720 --> 00:28:27,279 important. So we can also do that as well. 719 00:28:27,279 --> 00:28:29,600 So this was from the previous--from 720 00:28:29,600 --> 00:28:31,760 the Snort video where we 721 00:28:31,760 --> 00:28:33,360 had run... 722 00:28:33,360 --> 00:28:35,840 essentially run Snort and, you know, 723 00:28:35,840 --> 00:28:38,480 where we were identifying various alerts. 
724 00:28:38,480 --> 00:28:41,919 So, what we can do is, again, we'll 725 00:28:41,919 --> 00:28:43,760 go through what needs to be created, but 726 00:28:43,760 --> 00:28:45,600 we can run a quick test command just to 727 00:28:45,600 --> 00:28:46,880 see whether 728 00:28:46,880 --> 00:28:48,799 the actual alerts are being logged 729 00:28:48,799 --> 00:28:50,320 within the alert file, because we have 730 00:28:50,320 --> 00:28:53,039 alert.1. Ideally, we would only want 731 00:28:53,039 --> 00:28:55,760 to forward this file into Splunk. 732 00:28:55,760 --> 00:28:58,080 So, in order to do this, what I'm going 733 00:28:58,080 --> 00:29:00,080 to do now is I'm just gonna run Snort 734 00:29:00,080 --> 00:29:03,590 really quickly. So I'm going to say sudo snort -q, 735 00:29:03,919 --> 00:29:06,000 for quiet, and then 736 00:29:06,000 --> 00:29:10,500 the actual directory for the logs is /var/log/snort. 737 00:29:11,360 --> 00:29:14,640 And then we can say the interface is enp0s3. 738 00:29:14,640 --> 00:29:16,240 Again, make sure to replace that with 739 00:29:16,240 --> 00:29:19,039 your own interface. The alert, we can 740 00:29:19,039 --> 00:29:20,320 say full, 741 00:29:20,320 --> 00:29:26,190 and the configuration is /etc/snort/snort.conf. 742 00:29:26,399 --> 00:29:28,320 I believe we had another configuration 743 00:29:28,320 --> 00:29:30,720 file. Yeah. We had used the snort.conf file. 744 00:29:30,720 --> 00:29:32,399 So I'll hit enter. 745 00:29:32,399 --> 00:29:35,560 And now let me open up my file explorer here. 746 00:29:35,840 --> 00:29:38,720 We take a look at the var directory 747 00:29:38,720 --> 00:29:42,240 under log. And under snort, 748 00:29:42,240 --> 00:29:44,960 we have alert. There we are. So, 749 00:29:44,960 --> 00:29:47,960 that has been modified. The last was 750 00:29:47,960 --> 00:29:50,050 modified 751 00:29:51,200 --> 00:29:53,919 right over there. Okay. So that's 19. Yeah. 
752 00:29:53,919 --> 00:29:55,679 So this is the last modified. So I know 753 00:29:55,679 --> 00:29:58,000 this file is not human-readable. We 754 00:29:58,000 --> 00:30:00,979 are not going to be forwarding this .log file. 755 00:30:00,979 --> 00:30:02,960 So I'll just close that there. 756 00:30:02,960 --> 00:30:07,440 So I'm just going to try and perform a few 757 00:30:07,440 --> 00:30:09,679 checks on the network, like a few pings, 758 00:30:09,679 --> 00:30:11,760 just to see if that's detected. 759 00:30:11,760 --> 00:30:15,679 So I'll just, you know, perform a ping really quickly. 760 00:30:15,679 --> 00:30:17,520 Again, the alerts will not be logged on 761 00:30:17,520 --> 00:30:18,960 our terminal because they're being 762 00:30:18,960 --> 00:30:21,200 logged, you know, into the respective 763 00:30:21,200 --> 00:30:24,159 alert file or the alert log file. So I'll 764 00:30:24,159 --> 00:30:26,080 just perform, you know, a few pings, as 765 00:30:26,080 --> 00:30:27,679 I was saying, which I'm doing right now 766 00:30:27,679 --> 00:30:29,520 on the attacker system. 767 00:30:29,520 --> 00:30:31,760 Once that is done, let's see whether 768 00:30:31,760 --> 00:30:33,760 those changes are being highlighted in 769 00:30:33,760 --> 00:30:37,600 alert. Indeed, they are. Okay. So now, 770 00:30:40,159 --> 00:30:42,399 as you can see here, 771 00:30:42,399 --> 00:30:45,279 this is the full-- 772 00:30:45,360 --> 00:30:48,000 these are... So to begin with, we had used 773 00:30:48,000 --> 00:30:52,729 the fast alert output mode. 774 00:30:54,000 --> 00:30:56,080 And right over here, we then have the 775 00:30:56,080 --> 00:31:00,159 full alert mode, which I'm not really sure how 776 00:31:00,159 --> 00:31:01,919 we want to 777 00:31:01,919 --> 00:31:05,360 go about doing this. But you can see, 778 00:31:05,360 --> 00:31:07,360 we can actually make a few changes. 779 00:31:07,360 --> 00:31:11,110 What we can do is we can get rid of this traffic here. 
780 00:31:11,440 --> 00:31:13,519 But you can see the message is actually 781 00:31:13,519 --> 00:31:15,279 being logged. So 782 00:31:15,279 --> 00:31:17,760 we can get rid of this here 783 00:31:17,760 --> 00:31:25,749 because we don't want to mix fast alerts 784 00:31:26,080 --> 00:31:31,519 with the full mode. So we can just get rid of that 785 00:31:31,519 --> 00:31:33,611 there and save that. 786 00:31:34,159 --> 00:31:37,840 Once that is done, I'll just say-- 787 00:31:37,840 --> 00:31:41,290 we actually need permissions to modify that file. 788 00:31:42,000 --> 00:31:45,600 But, you know, what we can do is--what I am 789 00:31:45,600 --> 00:31:47,279 going to do actually is close without 790 00:31:47,279 --> 00:31:50,159 saving. I'm just going to stop Snort there. 791 00:31:50,399 --> 00:31:52,080 And I'm just going to say 792 00:31:52,080 --> 00:31:58,150 sudo rm /var/log/snort. 793 00:31:58,150 --> 00:32:00,520 And we're going to remove alert. 794 00:32:01,360 --> 00:32:04,240 Alright. And we're also going to remove alert.1. 795 00:32:04,240 --> 00:32:05,440 Alright. So I'm just going to run this 796 00:32:05,440 --> 00:32:08,240 again, just to see that the file is generated. 797 00:32:08,240 --> 00:32:11,120 So there we are. We have alert there. 798 00:32:11,120 --> 00:32:12,559 So now it's much cleaner. I'll just 799 00:32:12,559 --> 00:32:14,240 run a few pings, just to make sure that 800 00:32:14,240 --> 00:32:16,480 the traffic is being logged--all those 801 00:32:16,480 --> 00:32:18,480 alerts are being logged. 802 00:32:18,480 --> 00:32:21,519 So there we are. We have a few pings there. 803 00:32:21,519 --> 00:32:24,640 And we can also, you know, just run a few 804 00:32:24,640 --> 00:32:26,960 checks there. Okay. So there we are. We can 805 00:32:26,960 --> 00:32:29,360 see that those are now being logged. 
And 806 00:32:29,360 --> 00:32:32,029 of course, we can change the format based on-- 807 00:32:32,320 --> 00:32:33,519 well, you can change it based on your 808 00:32:33,519 --> 00:32:35,039 requirements. Right? 809 00:32:35,039 --> 00:32:35,941 So 810 00:32:38,000 --> 00:32:39,919 now that that is done, 811 00:32:39,919 --> 00:32:42,000 what we can do is we can close that up, 812 00:32:42,000 --> 00:32:45,880 and we can actually leave Snort running as is. 813 00:32:46,320 --> 00:32:48,960 So what I'll do is I'm just going to 814 00:32:48,960 --> 00:32:51,120 open up another tab. 815 00:32:51,120 --> 00:32:54,200 So just, you know--I can say Ctrl+Shift+T. 816 00:32:54,200 --> 00:32:56,799 There we are. And we're currently within the following 817 00:32:56,799 --> 00:33:01,519 directory: /opt/splunkforwarder/etc/system/local. 818 00:33:01,519 --> 00:33:03,120 So, 819 00:33:03,120 --> 00:33:06,000 once that is done, we now need to add 820 00:33:06,000 --> 00:33:09,388 the files that we would like to monitor 821 00:33:09,388 --> 00:33:12,240 or that we would like to forward. Right? 822 00:33:12,240 --> 00:33:15,360 So, the log files. I'll go back into the bin directory. 823 00:33:15,360 --> 00:33:17,679 So there we are--cd bin--because that's 824 00:33:17,679 --> 00:33:19,360 where we have the Splunk binary. So I'll 825 00:33:19,360 --> 00:33:23,040 say sudo splunk. 826 00:33:24,399 --> 00:33:26,981 And we can say add monitor. 827 00:33:28,320 --> 00:33:30,720 And the file that we want to forward is 828 00:33:30,720 --> 00:33:34,399 under /var/log/snort, and it is just alert. 829 00:33:34,399 --> 00:33:36,559 Right? So that's all. That's really all 830 00:33:36,559 --> 00:33:38,720 that we want to do. Right? 831 00:33:38,720 --> 00:33:41,600 And we can also utilize the fast alerts, 832 00:33:41,600 --> 00:33:44,399 but let's just do this for now. 
833 00:33:44,399 --> 00:33:46,399 We only want the alerts--we don't 834 00:33:46,399 --> 00:33:48,320 want the actual log files that contain 835 00:33:48,320 --> 00:33:53,840 the packets themselves. So I'll hit Enter. 836 00:33:54,480 --> 00:33:56,399 Alright. So it's now going to forward 837 00:33:56,399 --> 00:33:58,960 those alerts into Splunk, which pretty 838 00:33:58,960 --> 00:34:02,159 much means that on our end, we are done. 839 00:34:02,159 --> 00:34:04,000 However, we still need to check one more 840 00:34:04,000 --> 00:34:05,840 configuration file. So I'll just take a 841 00:34:05,840 --> 00:34:08,000 step back here, and we'll head over into 842 00:34:08,000 --> 00:34:12,169 the /etc directory under apps/search, 843 00:34:13,119 --> 00:34:15,520 and then into local. 844 00:34:15,520 --> 00:34:16,720 I think we'll need root 845 00:34:16,720 --> 00:34:18,320 permissions to access this. So I'll just 846 00:34:18,320 --> 00:34:20,079 switch to the root user and head over 847 00:34:20,079 --> 00:34:21,520 into local. 848 00:34:21,520 --> 00:34:27,341 And we're looking for the inputs.conf file. Right? 849 00:34:27,341 --> 00:34:28,079 We need to actually 850 00:34:28,079 --> 00:34:29,760 configure this because this is very 851 00:34:29,760 --> 00:34:31,040 important. 852 00:34:31,040 --> 00:34:35,919 The first thing we want to do is--let us 853 00:34:35,919 --> 00:34:38,639 add a new line here. And within the 854 00:34:38,639 --> 00:34:43,530 square brackets, I'll just say [splunk-tcp]. 855 00:34:44,240 --> 00:34:46,399 And we then want to specify the port--so 856 00:34:46,399 --> 00:34:47,653 9997. 857 00:34:48,399 --> 00:34:51,520 Let me make sure I type that in correctly. 858 00:34:51,520 --> 00:34:55,250 We then need to actually put in the connection. 859 00:34:56,960 --> 00:35:01,770 So the connection_host 860 00:35:01,770 --> 00:35:03,440 is going to be equal to the IP 861 00:35:03,440 --> 00:35:06,100 address of the Splunk server. 
862 00:35:06,560 --> 00:35:10,080 So I'll just copy that there and paste that in there. 863 00:35:11,280 --> 00:35:14,000 Once that is done, 864 00:35:14,000 --> 00:35:16,950 this is fine here--disabled is set to false. 865 00:35:16,950 --> 00:35:20,320 We want index to be equal to main. 866 00:35:20,320 --> 00:35:23,680 And then the sourcetype 867 00:35:23,680 --> 00:35:28,330 is going to be equal to snort_alert_full. 868 00:35:28,960 --> 00:35:31,280 And we can then say the source is equal 869 00:35:31,280 --> 00:35:33,040 to snort. Alright? So this is a very 870 00:35:33,040 --> 00:35:35,280 important configuration. Let me just 871 00:35:35,280 --> 00:35:36,640 go through those options or 872 00:35:36,640 --> 00:35:40,080 configurations again. We have the splunk-tcp option. 873 00:35:40,320 --> 00:35:43,530 We then have the actual connection_host. 874 00:35:43,530 --> 00:35:46,640 The monitor is set correctly to that file. 875 00:35:46,640 --> 00:35:52,500 It's enabled, index=main, sourcetype=snort_alert_full, source=snort. 876 00:35:52,500 --> 00:35:53,485 Fantastic. 877 00:35:53,485 --> 00:35:54,720 So we'll write and quit. 878 00:35:54,720 --> 00:35:57,040 Once this is done, 879 00:35:57,040 --> 00:35:58,720 we'll need to restart Splunk. So I'll 880 00:35:58,720 --> 00:36:00,800 switch back to my user, Lexus, here, and 881 00:36:00,800 --> 00:36:04,560 we'll navigate back to the bin directory. 882 00:36:04,560 --> 00:36:06,400 So I'll say cd bin, 883 00:36:06,400 --> 00:36:15,680 and we'll say sudo splunk restart. Alright, hit Enter. 884 00:36:15,680 --> 00:36:18,320 It's going to stop the Splunk daemon, 885 00:36:18,320 --> 00:36:19,680 shut it down, 886 00:36:19,680 --> 00:36:22,160 restart it--and it's done successfully. So 887 00:36:22,160 --> 00:36:24,560 all the checks were completed without 888 00:36:24,560 --> 00:36:27,119 any issue. 
Alright, so 889 00:36:27,119 --> 00:36:29,040 now that this is done, we can actually go 890 00:36:29,040 --> 00:36:31,440 back into Splunk here, and we'll navigate 891 00:36:31,440 --> 00:36:33,280 to the dashboard. 892 00:36:33,280 --> 00:36:35,839 This is your Splunk server. Right? 893 00:36:35,839 --> 00:36:37,440 And let's take a look at the messages 894 00:36:37,440 --> 00:36:39,920 here. That's just a few updates--we 895 00:36:39,920 --> 00:36:41,920 don't need to do anything there. So if we 896 00:36:41,920 --> 00:36:43,119 click on 897 00:36:43,119 --> 00:36:45,599 Search & Reporting, just to verify that 898 00:36:45,599 --> 00:36:47,839 data has indeed been forwarded, I'll 899 00:36:47,839 --> 00:36:49,280 just skip through this. If we click on 900 00:36:49,280 --> 00:36:51,040 Data Summary, 901 00:36:51,040 --> 00:36:52,880 under Sources, you should see that we 902 00:36:52,880 --> 00:36:55,680 have the host. And in my case, the name of 903 00:36:55,680 --> 00:36:58,640 the system is blackbox, so that should 904 00:36:58,640 --> 00:37:01,625 be reflected there. So there we are--blackbox. 905 00:37:01,625 --> 00:37:03,280 We have 42 906 00:37:03,280 --> 00:37:06,800 logs or alerts, if you will. Sources: 42. We 907 00:37:06,800 --> 00:37:08,640 can click on that there to just see the 908 00:37:08,640 --> 00:37:11,280 data that has been logged. Indeed, we can 909 00:37:11,280 --> 00:37:13,040 see that has been done correctly. So 910 00:37:13,040 --> 00:37:14,880 sourcetype is alert. 911 00:37:14,880 --> 00:37:17,280 We can see that it's imported, you 912 00:37:17,280 --> 00:37:19,440 know, pretty much all the data--or, you 913 00:37:19,440 --> 00:37:21,119 know, these are the... this is the full log 914 00:37:21,119 --> 00:37:24,349 whereby we have the reference to that there. 915 00:37:24,880 --> 00:37:26,800 That's weird--I didn't actually run 916 00:37:26,800 --> 00:37:30,240 anything weird, but there you go. 
917 00:37:30,240 --> 00:37:32,720 So now that this is done, you can 918 00:37:32,720 --> 00:37:34,880 use Splunk to essentially visualize this 919 00:37:34,880 --> 00:37:36,800 data however you want. So, you 920 00:37:36,800 --> 00:37:39,359 know, I can go into Visualization, 921 00:37:39,359 --> 00:37:42,240 and we can click on--maybe we can 922 00:37:42,240 --> 00:37:44,720 create a... 923 00:37:44,720 --> 00:37:46,880 we can select a few fields. So if I go 924 00:37:46,880 --> 00:37:50,240 back into the Events here, I can select a 925 00:37:50,240 --> 00:37:52,240 few fields that I want displayed here, 926 00:37:52,240 --> 00:37:54,320 and I can, you know, essentially extract 927 00:37:54,320 --> 00:37:57,040 the fields that I want with regex. 928 00:37:57,040 --> 00:37:59,680 But I don't think this is necessary at this 929 00:37:59,680 --> 00:38:01,520 point, because if we actually go back to 930 00:38:01,520 --> 00:38:03,599 the dashboard 931 00:38:03,599 --> 00:38:06,160 and we click on-- 932 00:38:06,160 --> 00:38:10,079 let's see--Snort Alerts for Splunk, 933 00:38:10,079 --> 00:38:11,440 let's see if this is actually whether 934 00:38:11,440 --> 00:38:15,200 this automates that process for us. 935 00:38:15,200 --> 00:38:17,280 There we are. Actually, it looks like 936 00:38:17,280 --> 00:38:21,599 it does. So, classification: bad-traffic. 937 00:38:21,599 --> 00:38:24,160 So it looks like that is working. 938 00:38:24,160 --> 00:38:26,400 What we can do now 939 00:38:26,400 --> 00:38:28,720 is run a few-- 940 00:38:28,720 --> 00:38:32,080 we can actually utilize this script here, 941 00:38:33,520 --> 00:38:37,119 the TestMyNIDS script here. So all 942 00:38:37,119 --> 00:38:39,440 you need to do to run it is just copy 943 00:38:39,440 --> 00:38:41,520 this one-liner script here--or this 944 00:38:41,520 --> 00:38:43,200 command--that will download it into your 945 00:38:43,200 --> 00:38:46,000 /tmp directory and will then execute it. 
946 00:38:46,000 --> 00:38:49,200 So, you know, to execute it within your 947 00:38:49,200 --> 00:38:51,599 temp directory, you can just execute 948 00:38:51,599 --> 00:38:53,040 the actual, 949 00:38:54,400 --> 00:38:56,240 you know, the actual binary there. It is a 950 00:38:56,240 --> 00:38:58,800 binary, not a script. 951 00:38:58,800 --> 00:39:01,280 And once that is done, you can then 952 00:39:01,280 --> 00:39:03,520 select the option here. So let me just do 953 00:39:03,520 --> 00:39:05,920 that on my attacker system. 954 00:39:05,920 --> 00:39:08,880 I'm just going to run it one more time. So 955 00:39:08,880 --> 00:39:14,359 I'm just going to say ls here. And 956 00:39:16,160 --> 00:39:18,960 if I open up the documentation--so 957 00:39:18,960 --> 00:39:22,809 firstly, I will run 958 00:39:23,440 --> 00:39:26,640 a quick Linux UID check. So 959 00:39:26,640 --> 00:39:28,461 I'll just hit Enter. 960 00:39:28,960 --> 00:39:31,280 Okay. That is done. I'll then perform an 961 00:39:31,280 --> 00:39:35,119 HTTP basic authentication 962 00:39:35,119 --> 00:39:37,839 and a malware user-agent. So I'm doing 963 00:39:37,839 --> 00:39:40,640 that right now. 964 00:39:40,839 --> 00:39:46,000 Okay. And we can run one more here. So, 965 00:39:46,000 --> 00:39:48,720 let's see. Let's see. Let's see. We 966 00:39:48,720 --> 00:39:51,520 can try EXE or DLL download over HTTP. 967 00:39:51,520 --> 00:39:55,940 That is surely going to be logged, 968 00:39:57,040 --> 00:39:59,839 or that's going to trigger an alert. 969 00:39:59,839 --> 00:40:00,640 So, 970 00:40:00,640 --> 00:40:03,040 do we have--that is running. 971 00:40:03,040 --> 00:40:05,280 Alright. So Snort is running. That's great. 972 00:40:05,280 --> 00:40:08,079 So we know that the log is being-- 973 00:40:08,079 --> 00:40:10,240 the actual alerts are being forwarded. 974 00:40:10,240 --> 00:40:12,960 Absolutely fantastic. So let's go back in 975 00:40:12,960 --> 00:40:15,040 here. 
I've already run those 976 00:40:15,040 --> 00:40:16,995 particular checks. 977 00:40:18,400 --> 00:40:20,160 So let me just refresh this. I know it 978 00:40:20,160 --> 00:40:22,160 usually takes a couple of seconds to a 979 00:40:22,160 --> 00:40:24,400 couple of minutes, but that data should 980 00:40:24,400 --> 00:40:26,240 start--should actually be reflected. There 981 00:40:26,240 --> 00:40:28,160 we are. Fantastic. So 982 00:40:28,160 --> 00:40:31,119 we can see that--firstly, 983 00:40:31,119 --> 00:40:32,880 I'll just explain the dashboard here 984 00:40:32,880 --> 00:40:33,760 because 985 00:40:33,760 --> 00:40:36,160 this dashboard is automatically, you 986 00:40:36,160 --> 00:40:38,000 know, set up for you by the Snort app, 987 00:40:38,000 --> 00:40:39,920 which is really awesome. As I said, you 988 00:40:39,920 --> 00:40:42,340 don't need to go through that process yourself. 989 00:40:42,560 --> 00:40:44,560 So the first graph here essentially 990 00:40:44,560 --> 00:40:46,400 tells you your events, 991 00:40:46,400 --> 00:40:48,560 and it also displays the, you know, 992 00:40:48,560 --> 00:40:50,400 the total number of sources. So you can 993 00:40:50,400 --> 00:40:52,560 see that there. You also have the time. 994 00:40:52,560 --> 00:40:54,480 So you have your events and 995 00:40:54,480 --> 00:40:56,079 then the timeline here. And you can 996 00:40:56,079 --> 00:40:58,880 essentially, you know, view a trend--or the 997 00:40:58,880 --> 00:41:01,680 trend--of events there. You then 998 00:41:01,680 --> 00:41:04,880 have the top source countries 999 00:41:04,880 --> 00:41:07,040 right over here. 
And if I just run 1000 00:41:07,040 --> 00:41:08,720 another check really quickly here 1001 00:41:08,720 --> 00:41:11,119 through the NIDS website-- 1002 00:41:11,119 --> 00:41:14,720 so let me just run the curl command-- 1003 00:41:14,720 --> 00:41:16,640 you should actually see that because 1004 00:41:16,640 --> 00:41:19,280 we are reaching out to, you know, there's a 1005 00:41:19,280 --> 00:41:21,280 connection made to an external server, 1006 00:41:21,280 --> 00:41:23,680 that it should reflect that info under 1007 00:41:23,680 --> 00:41:26,740 the top countries--the top source countries. 1008 00:41:26,800 --> 00:41:28,800 So we then have the events here, which, 1009 00:41:28,800 --> 00:41:31,280 you know, you can click on. And then, 1010 00:41:31,280 --> 00:41:33,119 of course, you have the sources. 1011 00:41:33,119 --> 00:41:36,079 So these are the Snort event types, 1012 00:41:36,079 --> 00:41:37,760 and these are actually the 1013 00:41:37,760 --> 00:41:39,680 classifications. So we can see potentially 1014 00:41:39,680 --> 00:41:42,640 bad traffic, attempted information leak, 1015 00:41:42,640 --> 00:41:44,720 and, you know, you can just refresh your 1016 00:41:44,720 --> 00:41:47,440 dashboard to get the latest. 1017 00:41:47,440 --> 00:41:49,359 So we'll give that a couple of seconds. 1018 00:41:49,359 --> 00:41:53,110 And you can also specify the actual interval period. 1019 00:41:53,599 --> 00:41:56,400 So I'll just wait for this. Let's 1020 00:41:56,400 --> 00:41:58,880 see if it's actually being logged or 1021 00:41:58,880 --> 00:42:00,319 whether we can see all of that. So I'll 1022 00:42:00,319 --> 00:42:04,000 just go back into the dashboard here, 1023 00:42:04,000 --> 00:42:07,359 and we'll go into Search and Reporting. 1024 00:42:07,359 --> 00:42:09,920 And we click on the actual 1025 00:42:09,920 --> 00:42:13,040 Data Summary and the Sources. We can 1026 00:42:13,040 --> 00:42:16,399 see we have Snort there, and then /var/snort/alert. 
1027 00:42:16,399 --> 00:42:20,060 So we click on Snort there. Okay. 1028 00:42:20,060 --> 00:42:22,000 So this is bad traffic. That's 1029 00:42:22,000 --> 00:42:25,440 really weird because 1030 00:42:26,079 --> 00:42:27,920 the source is Snort. We had added two 1031 00:42:27,920 --> 00:42:29,520 sources there. 1032 00:42:29,520 --> 00:42:32,720 So Data Summary-- 1033 00:42:32,720 --> 00:42:34,800 let me just click on that there. And if 1034 00:42:34,800 --> 00:42:36,960 we click on the sources there, this is 1035 00:42:36,960 --> 00:42:40,800 the one that we want, ideally. 1036 00:42:43,200 --> 00:42:47,049 Yeah. So that looks like the correct one there. 1037 00:42:49,599 --> 00:42:51,680 Yeah. That's the correct traffic. I 1038 00:42:51,680 --> 00:42:55,119 think that's why the actual--let me 1039 00:42:55,119 --> 00:42:56,960 see if I can find it. So Snort Alerts for 1040 00:42:56,960 --> 00:43:00,640 Splunk--let me click on the app there. 1041 00:43:02,480 --> 00:43:04,160 Show Filters. It should be displaying 1042 00:43:04,160 --> 00:43:06,400 much more than that because I know--yeah, 1043 00:43:06,400 --> 00:43:08,319 there are not just four. 1044 00:43:08,319 --> 00:43:09,920 So 1045 00:43:09,920 --> 00:43:12,640 if we actually head over into the 1046 00:43:12,640 --> 00:43:16,560 Snort Event Search here, 1047 00:43:18,480 --> 00:43:20,800 we can actually search for--you know, 1048 00:43:20,800 --> 00:43:25,359 we can utilize--yeah. So these are only-- 1049 00:43:25,359 --> 00:43:28,400 this is only monitoring the pings. So 1050 00:43:28,400 --> 00:43:30,240 that's weird. I'm not really sure why we 1051 00:43:30,240 --> 00:43:32,319 have two data sources. I think it's to do 1052 00:43:32,319 --> 00:43:33,839 with the fact 1053 00:43:33,839 --> 00:43:37,040 that, you know, we had--so let me 1054 00:43:37,040 --> 00:43:39,520 just go back here. 1055 00:43:39,520 --> 00:43:42,640 Apps > Search, and sudo root. 
1056 00:43:42,640 --> 00:43:46,720 Let me just check that here. So cd local, 1057 00:43:46,720 --> 00:43:47,839 vim 1058 00:43:47,839 --> 00:43:50,640 inputs.conf. So there we are. So the 1059 00:43:50,640 --> 00:43:52,285 source is Snort. 1060 00:43:53,280 --> 00:43:56,079 We already specified the source as Snort 1061 00:43:56,079 --> 00:43:57,599 there, 1062 00:43:57,599 --> 00:43:59,520 but it's also adding 1063 00:43:59,520 --> 00:44:02,319 this particular, you know, the alert, 1064 00:44:02,319 --> 00:44:04,160 as a source as well. 1065 00:44:04,160 --> 00:44:08,150 And then the source type is snort_alert_full, index main. 1066 00:44:08,150 --> 00:44:09,040 Yeah. That 1067 00:44:09,040 --> 00:44:10,560 should be working. That should be working 1068 00:44:10,560 --> 00:44:12,319 without any issues. I'm not really sure 1069 00:44:12,319 --> 00:44:14,079 why that is the case, but 1070 00:44:14,079 --> 00:44:16,480 we can actually customize what dataset 1071 00:44:16,480 --> 00:44:18,000 we want to use. 1072 00:44:18,000 --> 00:44:19,359 So 1073 00:44:19,359 --> 00:44:21,520 I think--let me actually showcase how to 1074 00:44:21,520 --> 00:44:23,359 do that right now. 1075 00:44:23,359 --> 00:44:25,839 So apologies about that. I actually 1076 00:44:25,839 --> 00:44:27,599 figured out what the issue was. It was 1077 00:44:27,599 --> 00:44:30,319 because the system I was running 1078 00:44:30,319 --> 00:44:32,079 these particular 1079 00:44:32,079 --> 00:44:34,560 attacks from wasn't even connected to 1080 00:44:34,560 --> 00:44:36,800 the local network. 1081 00:44:36,800 --> 00:44:38,880 And even though I was running 1082 00:44:38,880 --> 00:44:41,040 these attacks, I did realize that, of 1083 00:44:41,040 --> 00:44:44,530 course, they weren't working. So I've just reconnected it. 1084 00:44:44,530 --> 00:44:47,359 And what I'm going to do is I'm just going to 1085 00:44:47,359 --> 00:44:49,599 run this one more time. 
1086 00:44:49,599 --> 00:44:53,359 So just give me a second here, and I'll 1087 00:44:53,359 --> 00:44:56,319 be able to do that one more time. So 1088 00:44:56,319 --> 00:44:58,560 let me just navigate to that particular 1089 00:44:58,560 --> 00:45:00,079 directory, 1090 00:45:00,079 --> 00:45:03,120 and we'll actually see whether this will work. 1091 00:45:03,120 --> 00:45:04,400 So 1092 00:45:04,400 --> 00:45:06,000 you can actually see there's much more 1093 00:45:06,000 --> 00:45:07,920 that has been captured in regards to 1094 00:45:07,920 --> 00:45:10,160 events, and I'll be explaining this 1095 00:45:10,160 --> 00:45:12,480 dashboard in a couple of seconds. 1096 00:45:12,480 --> 00:45:14,960 So let me just 1097 00:45:14,960 --> 00:45:17,359 launch that first attack there--so that 1098 00:45:17,359 --> 00:45:19,440 you know--let me just launch that first 1099 00:45:19,440 --> 00:45:22,240 type of check. And of course, I'm using 1100 00:45:22,240 --> 00:45:26,400 TestMyNIDS here. So, unfortunately, 1101 00:45:26,400 --> 00:45:28,000 that wasn't even being logged, which is 1102 00:45:28,000 --> 00:45:30,000 why I was a bit confused as to why those 1103 00:45:30,000 --> 00:45:32,800 logs are not being displayed here. 1104 00:45:32,800 --> 00:45:35,520 So I'll give that a couple of seconds, 1105 00:45:35,520 --> 00:45:38,880 and we'll be able to see this happen 1106 00:45:38,880 --> 00:45:41,260 in real time as well. 1107 00:45:41,920 --> 00:45:44,560 Alright. So that is done. So I've 1108 00:45:44,560 --> 00:45:46,319 essentially launched a couple of those 1109 00:45:46,319 --> 00:45:48,319 tests. And, as I said, 1110 00:45:48,319 --> 00:45:50,640 this is your default 1111 00:45:50,640 --> 00:45:52,560 dashboard that you're provided with here. 1112 00:45:52,560 --> 00:45:53,520 So, 1113 00:45:53,520 --> 00:45:55,760 you know, you can actually refresh 1114 00:45:55,760 --> 00:45:59,550 all of these panels here, if you will. 
1115 00:45:59,550 --> 00:46:00,800 So that'll display the 1116 00:46:00,800 --> 00:46:03,920 latest. And, as I said here, because I'd 1117 00:46:03,920 --> 00:46:07,680 performed the actual check 1118 00:46:07,680 --> 00:46:09,520 and it connected to an external server, 1119 00:46:09,520 --> 00:46:11,680 you can see that the top source 1120 00:46:11,680 --> 00:46:13,680 countries are highlighted there. 1121 00:46:13,680 --> 00:46:15,839 You can also refresh the number of 1122 00:46:15,839 --> 00:46:18,160 events, as you can see here, 1123 00:46:18,160 --> 00:46:20,319 and the number of sources. So 1124 00:46:20,319 --> 00:46:22,319 you can also do that for the rest of 1125 00:46:22,319 --> 00:46:24,480 the panels. These are the top 10 1126 00:46:24,480 --> 00:46:26,800 classifications 1127 00:46:26,800 --> 00:46:28,960 in terms of events, if you will, and then 1128 00:46:28,960 --> 00:46:32,319 these Snort event types, as you can see here. 1129 00:46:32,319 --> 00:46:33,839 So, for example, in this case, we have the 1130 00:46:33,839 --> 00:46:36,160 Attack-Response ID Check, which, if we 1131 00:46:36,160 --> 00:46:37,520 click on 1132 00:46:37,520 --> 00:46:40,319 right over here, 1133 00:46:41,119 --> 00:46:42,640 you can see that it actually displays 1134 00:46:42,640 --> 00:46:44,400 that, and you can then 1135 00:46:44,400 --> 00:46:46,400 click on the signature itself. And this 1136 00:46:46,400 --> 00:46:48,880 is for statistics. Now, if you click on 1137 00:46:48,880 --> 00:46:53,040 the Snort Event Search tab right over here, 1138 00:46:53,040 --> 00:46:54,880 you can see that this allows you to 1139 00:46:54,880 --> 00:46:57,119 search based on the source IP, the source 1140 00:46:57,119 --> 00:46:59,680 port, the destination IP, destination port, 1141 00:46:59,680 --> 00:47:02,240 and the event type. 
So I can check for 1142 00:47:02,240 --> 00:47:04,400 attack responses based on the rule set 1143 00:47:04,400 --> 00:47:06,480 that we had used previously. 1144 00:47:06,480 --> 00:47:09,359 And I can also specify the timing. Right? 1145 00:47:09,359 --> 00:47:12,079 So that's really fantastic there. 1146 00:47:12,079 --> 00:47:14,640 So you can see that right over here, we 1147 00:47:14,640 --> 00:47:16,240 have that logged, 1148 00:47:16,240 --> 00:47:19,040 which is fantastic. And 1149 00:47:19,040 --> 00:47:21,920 if we click on the Snort World Map, 1150 00:47:21,920 --> 00:47:24,000 that'll essentially--as you'll see in a 1151 00:47:24,000 --> 00:47:26,160 couple of seconds--this will essentially 1152 00:47:26,160 --> 00:47:28,559 display the countries by the source IPs. 1153 00:47:28,559 --> 00:47:29,839 In this case, it should display the 1154 00:47:29,839 --> 00:47:32,079 United States, which makes sense. 1155 00:47:32,079 --> 00:47:34,800 And there we are. So, again, this is 1156 00:47:34,800 --> 00:47:37,119 extremely helpful, especially if you work 1157 00:47:37,119 --> 00:47:39,839 in a SOC. And as I said, there's multiple, 1158 00:47:39,839 --> 00:47:41,920 you know, security tools you can 1159 00:47:41,920 --> 00:47:45,040 integrate with Splunk. 1160 00:47:45,040 --> 00:47:46,880 Now, one thing that I wanted to highlight 1161 00:47:46,880 --> 00:47:49,440 is--you can, if you click on Edit--and I'll 1162 00:47:49,440 --> 00:47:51,200 just go back to the 1163 00:47:51,200 --> 00:47:53,200 Event Summary here because this is very 1164 00:47:53,200 --> 00:47:55,119 important-- 1165 00:47:55,119 --> 00:47:57,280 you can set this as your main dashboard. 1166 00:47:57,280 --> 00:47:58,960 So if you right-click here, you can set 1167 00:47:58,960 --> 00:48:01,520 this as your home dashboard. 1168 00:48:01,520 --> 00:48:03,599 So I'll just click on that there. 
1169 00:48:03,599 --> 00:48:05,440 And now you'll see on your dashboard 1170 00:48:05,440 --> 00:48:08,240 here, if I just close that top menu, 1171 00:48:08,240 --> 00:48:10,240 that'll actually be displayed there. So 1172 00:48:10,240 --> 00:48:12,319 give it a couple of seconds. 1173 00:48:12,319 --> 00:48:15,279 And, of course, you can click on the cogwheel here 1174 00:48:16,240 --> 00:48:19,280 and essentially display--whatever-- 1175 00:48:19,280 --> 00:48:21,520 you know, you can specify your default 1176 00:48:21,520 --> 00:48:23,200 dashboard. Now, there are a couple of 1177 00:48:23,200 --> 00:48:25,599 other ones that are created by default. 1178 00:48:25,599 --> 00:48:28,059 But yeah, you can have that on your dashboard. 1179 00:48:28,400 --> 00:48:31,040 And, you know, if you actually click 1180 00:48:31,040 --> 00:48:33,839 on the Snort--the Snort Alerts for Splunk here-- 1181 00:48:33,839 --> 00:48:36,240 and we'll just go back into that Snort 1182 00:48:36,240 --> 00:48:38,240 Event Summary tab, 1183 00:48:38,240 --> 00:48:40,880 you can actually edit the way these 1184 00:48:40,880 --> 00:48:44,240 particular panels are tiled. So, 1185 00:48:44,240 --> 00:48:46,079 you know, you can convert it to a 1186 00:48:46,079 --> 00:48:48,880 prebuilt panel or, you know, 1187 00:48:48,880 --> 00:48:50,400 you can--you can actually convert it to a 1188 00:48:50,400 --> 00:48:52,960 prebuilt panel. You can get rid of it. 1189 00:48:52,960 --> 00:48:54,720 You can also move them around based 1190 00:48:54,720 --> 00:48:57,440 on your own requirements. And, in this 1191 00:48:57,440 --> 00:48:59,680 case, you can actually--let's see if I can 1192 00:48:59,680 --> 00:49:02,270 show you. You can actually select the visualization. 1193 00:49:02,480 --> 00:49:04,240 So, in this case, I think the default 1194 00:49:04,240 --> 00:49:06,079 one is fine, and you can then view the 1195 00:49:06,079 --> 00:49:07,920 report here. 
So 1196 00:49:08,960 --> 00:49:11,359 if we click on this one here, for example, 1197 00:49:11,359 --> 00:49:13,280 we could actually use the bar graph to 1198 00:49:13,280 --> 00:49:17,200 display the--you know--the number of--the actual-- 1199 00:49:17,200 --> 00:49:19,440 the top source countries, and have 1200 00:49:19,440 --> 00:49:21,599 them displayed in a bar graph style. But 1201 00:49:21,599 --> 00:49:23,280 we can just take it back into the pie 1202 00:49:23,280 --> 00:49:25,599 chart there. And you can also change this 1203 00:49:25,599 --> 00:49:27,440 for the events as well. 1204 00:49:27,440 --> 00:49:29,359 So, you know, if we wanted to view a 1205 00:49:29,359 --> 00:49:32,240 trend, we can click on the bar graph there. 1206 00:49:32,240 --> 00:49:34,000 In this case, I don't think that's 1207 00:49:34,000 --> 00:49:37,040 formatted correctly. So if we just use 1208 00:49:37,040 --> 00:49:39,440 the default one, 1209 00:49:39,440 --> 00:49:42,880 which I believe was--I think it was--no, 1210 00:49:42,880 --> 00:49:46,160 that wasn't the one. I believe it was-- 1211 00:49:46,160 --> 00:49:47,920 let's see if I can identify it here. It 1212 00:49:47,920 --> 00:49:50,800 was the number. There we are. So, 1213 00:49:50,800 --> 00:49:53,920 as I said, you can customize this based on your own-- 1214 00:49:53,920 --> 00:49:57,440 you know--your own requirements. So, for example, 1215 00:49:57,440 --> 00:49:59,839 this one might do well if it was in the 1216 00:49:59,839 --> 00:50:02,240 form of a bar graph. So, you know, 1217 00:50:02,240 --> 00:50:04,240 you can utilize that if you feel that 1218 00:50:04,240 --> 00:50:06,319 that is appropriate. 1219 00:50:06,319 --> 00:50:08,319 In this case, you know, we can also 1220 00:50:08,319 --> 00:50:11,920 specify the actual--you know--we can 1221 00:50:11,920 --> 00:50:14,559 actually list the events themselves. 
1222 00:50:14,559 --> 00:50:16,079 Let's see which other ones look 1223 00:50:16,079 --> 00:50:17,920 really good here. 1224 00:50:17,920 --> 00:50:19,760 And yeah, once you're done with the 1225 00:50:19,760 --> 00:50:22,079 customization, you can then cancel or 1226 00:50:22,079 --> 00:50:24,559 save based on your requirements. And you 1227 00:50:24,559 --> 00:50:27,200 can also filter on this particular tab 1228 00:50:27,200 --> 00:50:30,760 here, you know, through the source IP, destination IP, etc. 1229 00:50:31,280 --> 00:50:35,339 Let's see, what else did I want to highlight? 1230 00:50:35,339 --> 00:50:38,000 Let me just refresh this once more 1231 00:50:38,000 --> 00:50:41,310 and, you know, to essentially get the latest data. 1232 00:50:42,480 --> 00:50:46,280 And you can see, in terms of the panels, 1233 00:50:46,280 --> 00:50:49,520 this will display the last 100 attempts. 1234 00:50:49,520 --> 00:50:52,960 And you can go through them like so. 1235 00:50:53,599 --> 00:50:55,839 You can also view--I think we've gone 1236 00:50:55,839 --> 00:50:57,119 through all of them--but you have the 1237 00:50:57,119 --> 00:50:59,440 persistent sources. So, two or more days 1238 00:50:59,440 --> 00:51:01,359 of activity in the last 30 days. So you 1239 00:51:01,359 --> 00:51:03,040 actually need a lot of data for that to 1240 00:51:03,040 --> 00:51:06,240 be displayed or to give you anything useful. 1241 00:51:07,520 --> 00:51:09,760 Yep. So that is 1242 00:51:09,760 --> 00:51:11,680 what I wanted to highlight in regards to 1243 00:51:11,680 --> 00:51:14,079 the Snort Alerts for Splunk app and the 1244 00:51:14,079 --> 00:51:15,839 actual dashboards, which, as I said, it 1245 00:51:15,839 --> 00:51:17,359 already does for you. 1246 00:51:17,359 --> 00:51:19,119 Now, you can create your own dashboard, as 1247 00:51:19,119 --> 00:51:22,720 I said, if I go back into Apps > Search and Reporting, 1248 00:51:22,720 --> 00:51:25,200 based on your own sources. 
So I'll just 1249 00:51:25,200 --> 00:51:27,280 click on Data Summary there. And if I 1250 00:51:27,280 --> 00:51:29,280 click on Sources, 1251 00:51:29,280 --> 00:51:30,960 you can click on 1252 00:51:30,960 --> 00:51:33,839 this source here, for example. And, 1253 00:51:33,839 --> 00:51:36,640 you know, in this case, we can actually 1254 00:51:36,640 --> 00:51:39,680 just click on that there. And I can click 1255 00:51:39,680 --> 00:51:41,920 on Extract Fields, 1256 00:51:41,920 --> 00:51:43,359 and you can extract the fields with 1257 00:51:43,359 --> 00:51:46,319 regex. So I'll click on Next there. 1258 00:51:46,319 --> 00:51:47,760 And you can then select the fields that 1259 00:51:47,760 --> 00:51:50,400 you want. So, for example, in this case, we 1260 00:51:50,400 --> 00:51:52,720 would want the date and time. 1261 00:51:52,720 --> 00:51:55,280 So I can just highlight that there. So I 1262 00:51:55,280 --> 00:51:56,319 can say 1263 00:51:56,319 --> 00:51:59,520 time, for example, add the extraction. 1264 00:51:59,520 --> 00:52:02,000 And then, of course, we have the source IP 1265 00:52:02,000 --> 00:52:03,839 and the port. But I'll just highlight 1266 00:52:03,839 --> 00:52:05,680 them together. But I think it's actually 1267 00:52:05,680 --> 00:52:08,630 recommended just to highlight the source IP there. 1268 00:52:08,880 --> 00:52:15,280 So source—we can say src underscore port, IP. 1269 00:52:15,520 --> 00:52:18,480 Add that extraction, and we then have the 1270 00:52:18,480 --> 00:52:20,800 destination IP, which, in this case, 1271 00:52:20,800 --> 00:52:22,559 because this is 1272 00:52:22,559 --> 00:52:25,520 an SNMP broadcast 1273 00:52:25,520 --> 00:52:27,520 request, we can--we know that that's the 1274 00:52:27,520 --> 00:52:34,450 destination IP. So I'll say dst underscore IP, add the extraction. 1275 00:52:34,450 --> 00:52:38,040 Let's see what else we can do. 
1276 00:52:40,079 --> 00:52:41,440 In this case, it's saying the extraction 1277 00:52:41,440 --> 00:52:42,960 field you're extracting--if you're 1278 00:52:42,960 --> 00:52:45,040 extracting multiple fields, try removing 1279 00:52:45,040 --> 00:52:47,040 one or more fields. Start with the 1280 00:52:47,040 --> 00:52:48,720 extractions that are embedded within 1281 00:52:48,720 --> 00:52:51,680 longer strings. Okay. So let's try and use 1282 00:52:51,680 --> 00:52:54,400 another alert here 1283 00:52:54,400 --> 00:52:58,119 that was kind of interesting. Let's see. 1284 00:52:58,319 --> 00:53:00,480 It's not displaying all of them here, but 1285 00:53:00,480 --> 00:53:02,800 you get the idea. Once you're done-- 1286 00:53:02,800 --> 00:53:04,480 you know, for example, I can remove 1287 00:53:04,480 --> 00:53:06,079 that field here. I'm just giving you an 1288 00:53:06,079 --> 00:53:08,720 example of that. So remove that field. 1289 00:53:08,720 --> 00:53:12,000 There we are. I can then say Next, and 1290 00:53:12,000 --> 00:53:15,440 I can click on Validate and Save based 1291 00:53:15,440 --> 00:53:18,240 on those fields there. Hit Finish. 1292 00:53:18,240 --> 00:53:20,800 And then, you know, I can go back, 1293 00:53:20,800 --> 00:53:23,359 you know, to Search and Reporting. 1294 00:53:23,359 --> 00:53:25,280 And if I wanted to create a very simple 1295 00:53:25,280 --> 00:53:27,839 visualization, which I'll show you right now-- 1296 00:53:27,839 --> 00:53:30,000 even though I don't really need those 1297 00:53:30,000 --> 00:53:31,920 extracted fields, although they might be 1298 00:53:31,920 --> 00:53:33,280 useful--so 1299 00:53:33,280 --> 00:53:36,079 I can click on those extracted fields 1300 00:53:36,079 --> 00:53:39,760 now. I believe they should have been added. 1301 00:53:39,760 --> 00:53:41,200 I'm not really sure why they aren't 1302 00:53:41,200 --> 00:53:43,440 being highlighted here. There we are. 1303 00:53:43,440 --> 00:53:45,200 So source IP. 
1304 00:53:45,200 --> 00:53:47,760 We can also, say, specify the source port. 1305 00:53:47,760 --> 00:53:50,240 We--oh, there they are. So 1306 00:53:50,240 --> 00:53:51,760 actually, they took a while to be 1307 00:53:51,760 --> 00:53:53,599 displayed there. So, 1308 00:53:53,599 --> 00:53:56,559 source port--that--why not? We can-- 1309 00:53:56,559 --> 00:53:59,920 yeah, I think that's pretty much it. So 1310 00:53:59,920 --> 00:54:02,079 based on those, we can actually build 1311 00:54:02,079 --> 00:54:04,480 an event type. However, if we go to 1312 00:54:04,480 --> 00:54:07,520 Visualization and click on Pivot here-- 1313 00:54:07,520 --> 00:54:10,640 selected fields is five--hit OK. 1314 00:54:10,640 --> 00:54:12,559 We can actually, you know, visualize this 1315 00:54:12,559 --> 00:54:14,319 however we want. So, for example, if I 1316 00:54:14,319 --> 00:54:17,119 wanted a column chart here-- 1317 00:54:17,119 --> 00:54:19,680 so number one will display the count-- 1318 00:54:19,680 --> 00:54:22,909 I can just add the events 1319 00:54:24,079 --> 00:54:26,319 because that's the count. And we should 1320 00:54:26,319 --> 00:54:28,720 have, at the bottom, the time, which I did 1321 00:54:28,720 --> 00:54:33,089 specify--I believe within that range there-- 1322 00:54:34,000 --> 00:54:36,720 but that's not being highlighted here. So 1323 00:54:36,720 --> 00:54:39,280 the number of events--and, you know, you 1324 00:54:39,280 --> 00:54:41,839 can go ahead and click as--you can 1325 00:54:41,839 --> 00:54:43,440 essentially save it. 1326 00:54:43,440 --> 00:54:45,280 So you get the idea. You don't really 1327 00:54:45,280 --> 00:54:46,880 need to do this because we have the 1328 00:54:46,880 --> 00:54:48,480 Snort app here, 1329 00:54:48,480 --> 00:54:50,079 which pretty much gives you the 1330 00:54:50,079 --> 00:54:52,880 summaries that are useful to you or for you. 1331 00:54:53,839 --> 00:54:56,559 And there we are. So fantastic. 
So that's 1332 00:54:56,559 --> 00:54:57,920 going to conclude the practical 1333 00:54:57,920 --> 00:55:01,119 demonstration side of this video. 1334 00:55:01,119 --> 00:55:02,799 So, thank you very much for watching 1335 00:55:02,799 --> 00:55:04,559 this video. If you have any questions or 1336 00:55:04,559 --> 00:55:06,880 suggestions, leave them in the comment section. 1337 00:55:07,200 --> 00:55:08,559 If you want to reach out to me, you can 1338 00:55:08,559 --> 00:55:10,160 do so via 1339 00:55:10,160 --> 00:55:12,319 Twitter or the Discord server. The links 1340 00:55:12,319 --> 00:55:14,240 to both of those are in the description 1341 00:55:14,240 --> 00:55:16,720 section. Furthermore, we are now moving on 1342 00:55:16,720 --> 00:55:18,720 to part two. So this will conclude part 1343 00:55:18,720 --> 00:55:21,040 one. Part two will be available on 1344 00:55:21,040 --> 00:55:24,559 Linode's ON24 platform. So, the videos 1345 00:55:24,559 --> 00:55:26,559 are available on-demand. So all you 1346 00:55:26,559 --> 00:55:28,559 need to do is just click the link 1347 00:55:28,559 --> 00:55:31,599 in the description, register for part two, 1348 00:55:31,599 --> 00:55:33,520 after which an email will be sent to you, 1349 00:55:33,520 --> 00:55:34,720 and you'll be given--you know-- 1350 00:55:34,720 --> 00:55:37,200 immediate access to the videos 1351 00:55:37,200 --> 00:55:40,000 within part two. So, thank you very 1352 00:55:40,000 --> 00:55:42,799 much for watching part one. In the 1353 00:55:42,799 --> 00:55:45,040 next video, in part two, we'll get started-- 1354 00:55:45,040 --> 00:55:46,640 or we'll take a look--at host intrusion 1355 00:55:46,640 --> 00:55:49,520 detection with OSSEC. So I'll be seeing 1356 00:55:49,520 --> 00:55:51,381 you in the next video. 1357 00:55:51,381 --> 00:56:12,426 [Music].