Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using?
Well, the scenario that I've set up for this video is that we are going to take all the knowledge that we've learned during the Snort video, and we are going to forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs while Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with Splunk's Snort app to visualize, identify and monitor network intrusions and any malicious network traffic within the network that I'm monitoring.

At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk.
Now, before we move any further, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it is used, generally speaking, because Splunk is not really a tool that is specific to security. That's why they have the Splunk Enterprise Security version or edition. So I'm just going to assume that you know how to use Splunk at a very basic level.
Once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to monitor the intrusion detection logs generated by Snort. We'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing and configuring it. So that'll set it up for us.
We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes.

With that being said, given the fact that we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that, as it'll help you set up Snort, and you can then run through this demo.
With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring.

So the prerequisites are the same as the previous videos. The only difference is that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements, and essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you get started. Alright.
So let's get an introduction to Splunk. What is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0, or the interconnected world we live in today. And we're going to be looking at it from the perspective of security.
So if we take a simple system, let's say we have a Windows operating system or a system running Windows, well, that Windows system produces a lot of data or logs that contain information that, at first glance, might not seem that important. But once you start getting into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization. They have a thousand computers within their network, or distributed worldwide. And all of these systems need to be secured. Their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play.
So Splunk allows you to funnel all of this data produced by systems or machines into Splunk. And then Splunk allows you to monitor, search, and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this from the lens of a security engineer. Alright. So Splunk collates all the data and logs from various sources and provides you with a central index that you can search through.
Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. Alright. So what I'm saying here is that Splunk allows you to take all of these security-related logs and data and make sense of them and essentially get the answers that you're looking for. So, for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised. There could be some malicious network traffic or activity going on. A system could be compromised, etc.
You get the idea. So we need that data to be displayed to us as a security engineer. And Splunk is really one of the best tools when it comes down to taking a lot of data and then identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart, or graph. So that's really what we're going to be doing. And as I said, going back to the scenario, we're going to be focusing on how to forward the logs and alerts created by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app, or plug-in, if you will, that will essentially simplify this process.
So, let's get an idea as to how we can use Splunk for security event monitoring. Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks, threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder.
Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and this is really cool, is it automatically forwards the latest logs, even while Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic.

So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check that out by clicking on the link within this slide. And you can learn more about the Splunk Enterprise Security edition from that particular link.
Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. So we're going to spin up Splunk ES on Linode. Now, again, to follow through with this, Linode has been absolutely fantastic by providing all of you with a way to get $100 in free Linode credit. All you need to do is click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then within my internal network, we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort.
This is the same virtual machine that we had set up and used to set up Snort and Suricata, and the one we had used with Wazuh. And that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will run a couple of commands or scripts to emulate malicious network activity so that this traffic is logged. That'll provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions.

So as I said, you don't really need to have a Windows workstation.
You simply need to have the Ubuntu VM, and you can pretty much run everything from it. And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues.

So that's the lab environment. We can now get started with the practical demonstration. So I'm going to switch over to my Ubuntu virtual machine.

Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet because we're going to be walking through the process together. I then have the Splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and register for an account. It's free.
Once that is done, you'll need to activate your account, or verify your account, through the verification email they'll send you. Once that is done, we can then move forward, because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, in this case, I'll be going through everything as we move along in a structured manner. And then to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. So this is essentially a bash script that allows you, as you can see here, to emulate or simulate malicious network traffic.
So, previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, and an EXE or DLL download over HTTP. So we can run tests that will just make our intrusion detection system blow up in terms of alerts. And that's what we want, because we want to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode. So just click on “Create a Linode” and click on “Marketplace.” And they already have Splunk here. So there we are. You can click on that there.
And if you click on this little info button here, it'll give you an idea as to how to deploy it on Linode. And, of course, you have more information regarding Splunk. So you have the documentation link there. So I'll just click on Splunk. Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using “admin” to begin with, and then specify a password. If you're setting up Splunk on a domain, then you can specify the Linode API token to create the DNS records, that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com.
Dialogue: 0,0:13:55.52,0:13:57.36,Default,,0000,0000,0000,,Don't spam me on this email because I Dialogue: 0,0:13:57.36,0:13:59.52,Default,,0000,0000,0000,,don't respond anyway. So we can create Dialogue: 0,0:13:59.52,0:14:01.04,Default,,0000,0000,0000,,another user. Dialogue: 0,0:14:01.04,0:14:02.48,Default,,0000,0000,0000,,This is the username for the Dialogue: 0,0:14:02.48,0:14:04.72,Default,,0000,0000,0000,,Linode admin's SSH user. Please ensure Dialogue: 0,0:14:04.72,0:14:06.48,Default,,0000,0000,0000,,that the username does not contain any... Dialogue: 0,0:14:06.48,0:14:08.88,Default,,0000,0000,0000,,so we can just call this “admin.” And then Dialogue: 0,0:14:08.88,0:14:11.36,Default,,0000,0000,0000,,for the admin user, we'll just say Dialogue: 0,0:14:11.36,0:14:13.20,Default,,0000,0000,0000,,provide that there. Dialogue: 0,0:14:13.20,0:14:14.80,Default,,0000,0000,0000,,So the image--we're going to set it up on Dialogue: 0,0:14:14.80,0:14:18.08,Default,,0000,0000,0000,,Ubuntu 20.04. The region--I’ll say London Dialogue: 0,0:14:18.08,0:14:19.92,Default,,0000,0000,0000,,because that's closest to me. 
Dialogue: 0,0:14:19.92,0:14:22.24,Default,,0000,0000,0000,,As for the actual Linode plan, Dialogue: 0,0:14:22.24,0:14:24.72,Default,,0000,0000,0000,,Linode ES doesn't require that many Dialogue: 0,0:14:24.72,0:14:26.48,Default,,0000,0000,0000,,resources, especially because, you know, Dialogue: 0,0:14:26.48,0:14:28.72,Default,,0000,0000,0000,,the amount of data that we're processing Dialogue: 0,0:14:28.72,0:14:30.96,Default,,0000,0000,0000,,or the logs that are being forwarded to Dialogue: 0,0:14:30.96,0:14:34.32,Default,,0000,0000,0000,,Splunk are relatively few--so less than Dialogue: 0,0:14:34.32,0:14:36.16,Default,,0000,0000,0000,,100--which, if you've used Splunk before Dialogue: 0,0:14:36.16,0:14:37.92,Default,,0000,0000,0000,,for security event monitoring, you know Dialogue: 0,0:14:37.92,0:14:39.04,Default,,0000,0000,0000,,that that is Dialogue: 0,0:14:39.04,0:14:41.20,Default,,0000,0000,0000,,really, really small. In Dialogue: 0,0:14:41.20,0:14:43.20,Default,,0000,0000,0000,,fact, Splunk will actually tell you, Dialogue: 0,0:14:43.20,0:14:44.96,Default,,0000,0000,0000,,you know, that the amount of data Dialogue: 0,0:14:44.96,0:14:47.52,Default,,0000,0000,0000,,to begin with that you have imported or Dialogue: 0,0:14:47.52,0:14:50.67,Default,,0000,0000,0000,,forwarded is too little to make any sense of. Dialogue: 0,0:14:50.88,0:14:52.48,Default,,0000,0000,0000,,But that's where the Snort app for Dialogue: 0,0:14:52.48,0:14:54.80,Default,,0000,0000,0000,,Splunk comes into play. So I'll just say Dialogue: 0,0:14:54.80,0:14:56.00,Default,,0000,0000,0000,,“Splunk,” Dialogue: 0,0:14:56.00,0:14:59.36,Default,,0000,0000,0000,,and I'll provide my root password for the server. Dialogue: 0,0:14:59.36,0:15:02.08,Default,,0000,0000,0000,,And we can click on “Create.” Dialogue: 0,0:15:02.08,0:15:03.36,Default,,0000,0000,0000,,Alright. 
Now, Dialogue: 0,0:15:03.36,0:15:06.08,Default,,0000,0000,0000,,once this is set up and provisioned, Dialogue: 0,0:15:06.08,0:15:08.08,Default,,0000,0000,0000,,the actual installer is going to begin. Dialogue: 0,0:15:08.08,0:15:10.08,Default,,0000,0000,0000,,So it's going to set up because there is Dialogue: 0,0:15:10.08,0:15:13.41,Default,,0000,0000,0000,,an auto-installer setup that will set up Splunk. Dialogue: 0,0:15:13.41,0:15:15.20,Default,,0000,0000,0000,,Yes. For you. So, let it Dialogue: 0,0:15:15.20,0:15:16.88,Default,,0000,0000,0000,,provision. After that's done, you can Dialogue: 0,0:15:16.88,0:15:19.20,Default,,0000,0000,0000,,launch the Lish console to avoid logging Dialogue: 0,0:15:19.20,0:15:22.16,Default,,0000,0000,0000,,in via SSH. And of course, one thing that Dialogue: 0,0:15:22.16,0:15:24.00,Default,,0000,0000,0000,,I don't need to tell you Dialogue: 0,0:15:24.00,0:15:25.68,Default,,0000,0000,0000,,is, if you're setting this up for Dialogue: 0,0:15:25.68,0:15:27.68,Default,,0000,0000,0000,,production, then you need to make sure Dialogue: 0,0:15:27.68,0:15:29.76,Default,,0000,0000,0000,,you're securing your server. So do only Dialogue: 0,0:15:29.76,0:15:33.42,Default,,0000,0000,0000,,use SSH keys for authentication with the server. Dialogue: 0,0:15:33.76,0:15:35.92,Default,,0000,0000,0000,,If you're new to hardening and securing Dialogue: 0,0:15:35.92,0:15:37.76,Default,,0000,0000,0000,,a Linux server, you can check out the Dialogue: 0,0:15:37.76,0:15:39.36,Default,,0000,0000,0000,,previous series Dialogue: 0,0:15:39.36,0:15:41.92,Default,,0000,0000,0000,,that we did with Linux--the Linux Server Dialogue: 0,0:15:41.92,0:15:44.80,Default,,0000,0000,0000,,Security series. They'll give you, Dialogue: 0,0:15:44.80,0:15:46.96,Default,,0000,0000,0000,,you know, all the information you need to Dialogue: 0,0:15:46.96,0:15:49.76,Default,,0000,0000,0000,,secure a Linux server for production. 
Dialogue: 0,0:15:49.76,0:15:50.96,Default,,0000,0000,0000,,With that being said, I'm just going to Dialogue: 0,0:15:50.96,0:15:52.80,Default,,0000,0000,0000,,let it provision, after which we can Dialogue: 0,0:15:52.80,0:15:54.56,Default,,0000,0000,0000,,launch the Lish console to see what's Dialogue: 0,0:15:54.56,0:15:56.64,Default,,0000,0000,0000,,going on in the background. And we can Dialogue: 0,0:15:56.64,0:15:59.35,Default,,0000,0000,0000,,then get started, you know, officially Dialogue: 0,0:15:59.35,0:16:01.84,Default,,0000,0000,0000,,with how to set up Splunk. We then need Dialogue: 0,0:16:01.84,0:16:04.72,Default,,0000,0000,0000,,to set up the Universal Forwarder. Dialogue: 0,0:16:04.72,0:16:07.53,Default,,0000,0000,0000,,So, this is booting now. Dialogue: 0,0:16:08.64,0:16:11.12,Default,,0000,0000,0000,,Alright. So the server is booted, and Dialogue: 0,0:16:11.12,0:16:12.80,Default,,0000,0000,0000,,you can see I've just opened up the Lish Dialogue: 0,0:16:12.80,0:16:14.32,Default,,0000,0000,0000,,console here Dialogue: 0,0:16:14.32,0:16:15.92,Default,,0000,0000,0000,,to essentially view what's going on. As Dialogue: 0,0:16:15.92,0:16:18.00,Default,,0000,0000,0000,,you can see, it's begun setting up Dialogue: 0,0:16:18.00,0:16:20.40,Default,,0000,0000,0000,,Splunk ES. So just give this a couple of Dialogue: 0,0:16:20.40,0:16:22.81,Default,,0000,0000,0000,,minutes to essentially begin. Dialogue: 0,0:16:23.28,0:16:25.60,Default,,0000,0000,0000,,And once it's done, it'll actually Dialogue: 0,0:16:25.60,0:16:27.36,Default,,0000,0000,0000,,tell you that, and it'll provide you with the Dialogue: 0,0:16:27.36,0:16:28.80,Default,,0000,0000,0000,,login prompt. Dialogue: 0,0:16:28.80,0:16:30.40,Default,,0000,0000,0000,,But it's probably logged in as the root Dialogue: 0,0:16:30.40,0:16:32.00,Default,,0000,0000,0000,,user already. So Dialogue: 0,0:16:32.00,0:16:33.76,Default,,0000,0000,0000,,just let this complete. 
I'm just going to Dialogue: 0,0:16:33.76,0:16:36.88,Default,,0000,0000,0000,,wait for this to actually conclude. Dialogue: 0,0:16:36.88,0:16:40.00,Default,,0000,0000,0000,,Alright. So once Splunk ES is done, Dialogue: 0,0:16:40.00,0:16:42.88,Default,,0000,0000,0000,,or the actual Linode is done here Dialogue: 0,0:16:42.88,0:16:44.32,Default,,0000,0000,0000,,with the setup, you can see it's going to Dialogue: 0,0:16:44.32,0:16:46.24,Default,,0000,0000,0000,,tell you "installation complete," Dialogue: 0,0:16:46.24,0:16:48.16,Default,,0000,0000,0000,,and you can then log in. Keep this Dialogue: 0,0:16:48.16,0:16:49.52,Default,,0000,0000,0000,,window open because this is going to be Dialogue: 0,0:16:49.52,0:16:50.88,Default,,0000,0000,0000,,very important, as we'll need to Dialogue: 0,0:16:50.88,0:16:53.44,Default,,0000,0000,0000,,configure a few firewall rules. Dialogue: 0,0:16:53.44,0:16:56.32,Default,,0000,0000,0000,,By default, this Linode comes with UFW, Dialogue: 0,0:16:56.32,0:16:58.72,Default,,0000,0000,0000,,which is the uncomplicated firewall for Dialogue: 0,0:16:58.72,0:17:00.08,Default,,0000,0000,0000,,Debian, or Dialogue: 0,0:17:00.08,0:17:02.00,Default,,0000,0000,0000,,it typically comes prepackaged with Dialogue: 0,0:17:02.00,0:17:04.96,Default,,0000,0000,0000,,Debian-based distributions like Ubuntu. Dialogue: 0,0:17:04.96,0:17:06.56,Default,,0000,0000,0000,,In this case, it's already added the Dialogue: 0,0:17:06.56,0:17:08.40,Default,,0000,0000,0000,,firewall rule for the port that we Dialogue: 0,0:17:08.40,0:17:10.00,Default,,0000,0000,0000,,wanted, but just keep it open because Dialogue: 0,0:17:10.00,0:17:12.56,Default,,0000,0000,0000,,we'll need to run a few checks. So you Dialogue: 0,0:17:12.56,0:17:14.00,Default,,0000,0000,0000,,can log in there. So I'm just going to Dialogue: 0,0:17:14.00,0:17:15.68,Default,,0000,0000,0000,,log in with the credentials that I Dialogue: 0,0:17:15.68,0:17:18.72,Default,,0000,0000,0000,,specified as the root user. 
And I can Dialogue: 0,0:17:18.72,0:17:22.16,Default,,0000,0000,0000,,just say sudo ufw status. Dialogue: 0,0:17:23.84,0:17:25.44,Default,,0000,0000,0000,,And you can see these are all the Dialogue: 0,0:17:25.44,0:17:28.16,Default,,0000,0000,0000,,allowed rules or the actual rules Dialogue: 0,0:17:28.16,0:17:30.40,Default,,0000,0000,0000,,configured for the firewall, which is Dialogue: 0,0:17:30.40,0:17:32.40,Default,,0000,0000,0000,,looking good so far. Dialogue: 0,0:17:32.40,0:17:35.68,Default,,0000,0000,0000,,So we can access the Splunk ES instance Dialogue: 0,0:17:35.68,0:17:37.84,Default,,0000,0000,0000,,that we set up by pasting in the IP of Dialogue: 0,0:17:37.84,0:17:42.08,Default,,0000,0000,0000,,the server and opening up port 8000. Dialogue: 0,0:17:42.08,0:17:44.08,Default,,0000,0000,0000,,That's going to open up Splunk ES for Dialogue: 0,0:17:44.08,0:17:45.76,Default,,0000,0000,0000,,you. So just give this a couple of Dialogue: 0,0:17:45.76,0:17:48.24,Default,,0000,0000,0000,,seconds. There we are. And the credentials Dialogue: 0,0:17:48.24,0:17:50.88,Default,,0000,0000,0000,,that we had used were "admin" and the Dialogue: 0,0:17:50.88,0:17:53.28,Default,,0000,0000,0000,,password that I created--that, you know, Dialogue: 0,0:17:53.28,0:17:54.56,Default,,0000,0000,0000,,of course, you'll be able to Dialogue: 0,0:17:54.56,0:17:57.20,Default,,0000,0000,0000,,specify yourself. So just sign in. Dialogue: 0,0:17:57.20,0:17:59.92,Default,,0000,0000,0000,,And once that is done, you'll be Dialogue: 0,0:17:59.92,0:18:04.56,Default,,0000,0000,0000,,brought to Splunk Enterprise Security here. Dialogue: 0,0:18:04.56,0:18:05.36,Default,,0000,0000,0000,,So there we are--explore Dialogue: 0,0:18:05.36,0:18:07.20,Default,,0000,0000,0000,,Splunk Enterprise. 
Dialogue: 0,0:18:10.00,0:18:11.36,Default,,0000,0000,0000,,And in this case, what we're going to be Dialogue: 0,0:18:11.36,0:18:14.08,Default,,0000,0000,0000,,doing--what we're going to start off with-- Dialogue: 0,0:18:14.08,0:18:16.24,Default,,0000,0000,0000,,is we need to go through a few Dialogue: 0,0:18:16.24,0:18:19.35,Default,,0000,0000,0000,,configuration changes with Splunk itself. Dialogue: 0,0:18:19.76,0:18:22.88,Default,,0000,0000,0000,,So the idea, firstly, is to configure Dialogue: 0,0:18:22.88,0:18:26.12,Default,,0000,0000,0000,,the actual receiving of data. Dialogue: 0,0:18:26.12,0:18:27.36,Default,,0000,0000,0000,,So if you head over into "Settings," Dialogue: 0,0:18:27.36,0:18:29.44,Default,,0000,0000,0000,,you can click on "Data," then just click Dialogue: 0,0:18:29.44,0:18:31.84,Default,,0000,0000,0000,,on "Forwarding and Receiving." Dialogue: 0,0:18:31.84,0:18:34.40,Default,,0000,0000,0000,,And once that is done--once that is Dialogue: 0,0:18:34.40,0:18:35.76,Default,,0000,0000,0000,,loaded up-- Dialogue: 0,0:18:35.76,0:18:38.08,Default,,0000,0000,0000,,under "Receive Data," we need to Dialogue: 0,0:18:38.08,0:18:40.00,Default,,0000,0000,0000,,configure this instance to receive data Dialogue: 0,0:18:40.00,0:18:41.60,Default,,0000,0000,0000,,forwarded from other instances. So we Dialogue: 0,0:18:41.60,0:18:43.52,Default,,0000,0000,0000,,want to configure receiving, Dialogue: 0,0:18:43.52,0:18:46.80,Default,,0000,0000,0000,,and we just want to set the default receiving port. Dialogue: 0,0:18:46.80,0:18:50.40,Default,,0000,0000,0000,,So we can say "New Receiving Port," Dialogue: 0,0:18:50.40,0:18:52.16,Default,,0000,0000,0000,,and the port is, of course, going to be Dialogue: 0,0:18:52.16,0:18:54.80,Default,,0000,0000,0000,,the default, which is 9997--which is why Dialogue: 0,0:18:54.80,0:18:56.64,Default,,0000,0000,0000,,that firewall rule was added. So I'll Dialogue: 0,0:18:56.64,0:18:58.18,Default,,0000,0000,0000,,click on Save. 
Dialogue: 0,0:18:58.88,0:19:01.20,Default,,0000,0000,0000,,Alright. So once that is done, we can Dialogue: 0,0:19:01.20,0:19:04.11,Default,,0000,0000,0000,,now install the Snort app Dialogue: 0,0:19:04.11,0:19:06.24,Default,,0000,0000,0000,,for Splunk. So click on "Apps" and head Dialogue: 0,0:19:06.24,0:19:08.48,Default,,0000,0000,0000,,over into "Find More Apps." Dialogue: 0,0:19:08.48,0:19:11.36,Default,,0000,0000,0000,,And because the Ubuntu server is running-- Dialogue: 0,0:19:11.36,0:19:13.12,Default,,0000,0000,0000,,or the Ubuntu VM that I'm currently Dialogue: 0,0:19:13.12,0:19:15.92,Default,,0000,0000,0000,,working on is running--Snort 2, we'll need Dialogue: 0,0:19:15.92,0:19:18.16,Default,,0000,0000,0000,,the appropriate app here. So I'll just Dialogue: 0,0:19:18.16,0:19:20.16,Default,,0000,0000,0000,,search for "Snort" there. And we're not Dialogue: 0,0:19:20.16,0:19:22.32,Default,,0000,0000,0000,,looking for the Snort 3 JSON alerts, Dialogue: 0,0:19:22.32,0:19:24.32,Default,,0000,0000,0000,,although that, you know, could be quite Dialogue: 0,0:19:24.32,0:19:26.48,Default,,0000,0000,0000,,useful, but we want the Snort alert for Dialogue: 0,0:19:26.48,0:19:28.72,Default,,0000,0000,0000,,Splunk. Alright. So this app provides Dialogue: 0,0:19:28.72,0:19:30.88,Default,,0000,0000,0000,,field extraction. So that's really great Dialogue: 0,0:19:30.88,0:19:32.40,Default,,0000,0000,0000,,because performing your own field Dialogue: 0,0:19:32.40,0:19:34.96,Default,,0000,0000,0000,,extractions using regex Dialogue: 0,0:19:34.96,0:19:36.40,Default,,0000,0000,0000,,can be quite difficult if you're a Dialogue: 0,0:19:36.40,0:19:39.36,Default,,0000,0000,0000,,beginner. So fast and full, Dialogue: 0,0:19:39.36,0:19:42.40,Default,,0000,0000,0000,,as well as dashboards, saved searches, Dialogue: 0,0:19:42.40,0:19:45.60,Default,,0000,0000,0000,,reports, event types, tags, and event Dialogue: 0,0:19:45.60,0:19:48.08,Default,,0000,0000,0000,,search interfaces. 
So we'll install that. Dialogue: 0,0:19:48.08,0:19:50.24,Default,,0000,0000,0000,,Now you'll need to log in with Dialogue: 0,0:19:50.24,0:19:52.40,Default,,0000,0000,0000,,your Splunk account credentials that you, Dialogue: 0,0:19:52.40,0:19:55.12,Default,,0000,0000,0000,,you know, actually created on Dialogue: 0,0:19:55.12,0:19:57.76,Default,,0000,0000,0000,,splunk.com. So I'll just fill in my Dialogue: 0,0:19:57.76,0:20:00.40,Default,,0000,0000,0000,,information really quickly. Dialogue: 0,0:20:00.40,0:20:02.24,Default,,0000,0000,0000,,Alright. So I've put in my username and Dialogue: 0,0:20:02.24,0:20:04.24,Default,,0000,0000,0000,,password. So I'll just say I'll accept Dialogue: 0,0:20:04.24,0:20:06.32,Default,,0000,0000,0000,,the terms and conditions there. So log in Dialogue: 0,0:20:06.32,0:20:07.60,Default,,0000,0000,0000,,and install. Dialogue: 0,0:20:07.60,0:20:09.28,Default,,0000,0000,0000,,That's going to install it. There we are. Dialogue: 0,0:20:09.28,0:20:10.88,Default,,0000,0000,0000,,So we'll just hit "Done." Dialogue: 0,0:20:10.88,0:20:13.36,Default,,0000,0000,0000,,Now that that is done, if we head back over Dialogue: 0,0:20:13.36,0:20:16.40,Default,,0000,0000,0000,,into our dashboard--so I'll just click on Dialogue: 0,0:20:16.40,0:20:18.40,Default,,0000,0000,0000,,Splunk Enterprise there-- Dialogue: 0,0:20:18.40,0:20:20.72,Default,,0000,0000,0000,,you can now see we have Snort Dialogue: 0,0:20:20.72,0:20:23.04,Default,,0000,0000,0000,,Alert for Splunk. So that already Dialogue: 0,0:20:23.04,0:20:25.60,Default,,0000,0000,0000,,comes preconfigured with a dashboard. Dialogue: 0,0:20:25.60,0:20:28.60,Default,,0000,0000,0000,,So we'll just let this load up here. Dialogue: 0,0:20:28.60,0:20:30.00,Default,,0000,0000,0000,,And you can see that we don't have Dialogue: 0,0:20:30.00,0:20:32.48,Default,,0000,0000,0000,,any data yet. 
So this will display Dialogue: 0,0:20:32.48,0:20:34.56,Default,,0000,0000,0000,,your events and sources, top source Dialogue: 0,0:20:34.56,0:20:36.48,Default,,0000,0000,0000,,countries, the events. This is very Dialogue: 0,0:20:36.48,0:20:38.48,Default,,0000,0000,0000,,important--these sources, top 10 Dialogue: 0,0:20:38.48,0:20:41.04,Default,,0000,0000,0000,,classification. So that'll classify Dialogue: 0,0:20:41.04,0:20:44.40,Default,,0000,0000,0000,,your alerts in terms of the Dialogue: 0,0:20:44.40,0:20:46.64,Default,,0000,0000,0000,,type, which again will make sense in a Dialogue: 0,0:20:46.64,0:20:49.28,Default,,0000,0000,0000,,couple of seconds. So now that that is Dialogue: 0,0:20:49.28,0:20:51.60,Default,,0000,0000,0000,,done, we actually need to configure Dialogue: 0,0:20:51.60,0:20:54.48,Default,,0000,0000,0000,,the actual Splunk Universal Forwarder. So Dialogue: 0,0:20:54.48,0:20:56.48,Default,,0000,0000,0000,,I'll just open that up in a new tab. It's Dialogue: 0,0:20:56.48,0:20:59.12,Default,,0000,0000,0000,,absolutely free to download the Debian Dialogue: 0,0:20:59.12,0:21:01.84,Default,,0000,0000,0000,,client or the Splunk Universal Dialogue: 0,0:21:01.84,0:21:04.16,Default,,0000,0000,0000,,Forwarder Debian package. So Universal Dialogue: 0,0:21:04.16,0:21:06.96,Default,,0000,0000,0000,,Forwarders provide reliable, secure Dialogue: 0,0:21:06.96,0:21:09.44,Default,,0000,0000,0000,,data collection from remote Dialogue: 0,0:21:09.44,0:21:11.52,Default,,0000,0000,0000,,sources and forward that data into Dialogue: 0,0:21:11.52,0:21:14.16,Default,,0000,0000,0000,,Splunk software for indexing and Dialogue: 0,0:21:14.16,0:21:16.88,Default,,0000,0000,0000,,consolidation. They can scale to tens of Dialogue: 0,0:21:16.88,0:21:18.80,Default,,0000,0000,0000,,thousands of remote systems, collecting Dialogue: 0,0:21:18.80,0:21:20.72,Default,,0000,0000,0000,,terabytes of data. 
So Dialogue: 0,0:21:20.72,0:21:23.04,Default,,0000,0000,0000,,again, you can actually see why Splunk is Dialogue: 0,0:21:23.04,0:21:25.36,Default,,0000,0000,0000,,so powerful and why it's widely used Dialogue: 0,0:21:25.36,0:21:27.44,Default,,0000,0000,0000,,and deployed--because of the fact that Dialogue: 0,0:21:27.44,0:21:30.48,Default,,0000,0000,0000,,you can literally be... Dialogue: 0,0:21:30.48,0:21:32.64,Default,,0000,0000,0000,,literally forward a ton of data from a Dialogue: 0,0:21:32.64,0:21:35.84,Default,,0000,0000,0000,,ton of systems into Splunk. So because Dialogue: 0,0:21:35.84,0:21:38.48,Default,,0000,0000,0000,,Snort is running on this Dialogue: 0,0:21:38.48,0:21:40.48,Default,,0000,0000,0000,,Ubuntu VM, we need the Debian package. So Dialogue: 0,0:21:40.48,0:21:41.92,Default,,0000,0000,0000,,I'll click on Linux, and we want the Dialogue: 0,0:21:41.92,0:21:45.04,Default,,0000,0000,0000,,64-bit version. Again, you can choose one Dialogue: 0,0:21:45.04,0:21:46.56,Default,,0000,0000,0000,,based on your requirements. So if you're Dialogue: 0,0:21:46.56,0:21:49.84,Default,,0000,0000,0000,,running on Red Hat, Fedora, or CentOS, you Dialogue: 0,0:21:49.84,0:21:51.52,Default,,0000,0000,0000,,can use the RPM package. So I'll just Dialogue: 0,0:21:51.52,0:21:54.56,Default,,0000,0000,0000,,download the Debian package here. Dialogue: 0,0:21:54.56,0:21:56.08,Default,,0000,0000,0000,,Give that a couple of seconds. It's then Dialogue: 0,0:21:56.08,0:21:58.24,Default,,0000,0000,0000,,going to begin downloading it, and then Dialogue: 0,0:21:58.24,0:22:00.00,Default,,0000,0000,0000,,I'll walk you through the setup process. Dialogue: 0,0:22:00.00,0:22:01.84,Default,,0000,0000,0000,,So there we are. Dialogue: 0,0:22:01.84,0:22:04.26,Default,,0000,0000,0000,,It's begun the setup. Dialogue: 0,0:22:07.36,0:22:09.44,Default,,0000,0000,0000,,And once that is done, I'll open up my Dialogue: 0,0:22:09.44,0:22:10.80,Default,,0000,0000,0000,,terminal. 
So that's saved in the Dialogue: 0,0:22:10.80,0:22:12.96,Default,,0000,0000,0000,,Downloads directory. So Dialogue: 0,0:22:12.96,0:22:14.32,Default,,0000,0000,0000,,if we check--if we head over into the Dialogue: 0,0:22:14.32,0:22:15.84,Default,,0000,0000,0000,,Downloads directory--you can see we have Dialogue: 0,0:22:15.84,0:22:18.49,Default,,0000,0000,0000,,the Splunk Forwarder Debian package there. Dialogue: 0,0:22:19.20,0:22:21.68,Default,,0000,0000,0000,,So what we want to do, firstly, is we want Dialogue: 0,0:22:21.68,0:22:25.68,Default,,0000,0000,0000,,to move this package into the actual /opt Dialogue: 0,0:22:25.68,0:22:28.08,Default,,0000,0000,0000,,directory on Linux, which will Dialogue: 0,0:22:28.08,0:22:30.88,Default,,0000,0000,0000,,essentially allow us to, you know, Dialogue: 0,0:22:30.88,0:22:33.36,Default,,0000,0000,0000,,to set it up as optional software. And Dialogue: 0,0:22:33.36,0:22:35.28,Default,,0000,0000,0000,,it's really good to have all that Dialogue: 0,0:22:35.28,0:22:38.24,Default,,0000,0000,0000,,optional software stored in the Dialogue: 0,0:22:38.24,0:22:42.24,Default,,0000,0000,0000,,directory. So, once that is done and Dialogue: 0,0:22:42.24,0:22:44.32,Default,,0000,0000,0000,,once that's downloaded, we can say, Dialogue: 0,0:22:44.32,0:22:45.60,Default,,0000,0000,0000,,move Dialogue: 0,0:22:45.60,0:22:48.48,Default,,0000,0000,0000,,Splunk forward into opt, Dialogue: 0,0:22:48.48,0:22:50.40,Default,,0000,0000,0000,,and we'll need sudo privileges. So I'll Dialogue: 0,0:22:50.40,0:22:52.56,Default,,0000,0000,0000,,say sudo move. There we are. And I'll just Dialogue: 0,0:22:52.56,0:22:55.12,Default,,0000,0000,0000,,type in my password. Fantastic. So Dialogue: 0,0:22:55.12,0:22:57.36,Default,,0000,0000,0000,,now navigate to the opt directory. And to Dialogue: 0,0:22:57.36,0:23:00.32,Default,,0000,0000,0000,,install this, we can say sudo apt, Dialogue: 0,0:23:00.32,0:23:02.96,Default,,0000,0000,0000,,and then we can specify install. 
So we Dialogue: 0,0:23:02.96,0:23:05.12,Default,,0000,0000,0000,,can say sudo apt install, Dialogue: 0,0:23:05.12,0:23:06.96,Default,,0000,0000,0000,,and then we specify the package itself. Dialogue: 0,0:23:06.96,0:23:09.44,Default,,0000,0000,0000,,So Splunk forwarder, Dialogue: 0,0:23:09.44,0:23:11.44,Default,,0000,0000,0000,,and we're just going to hit enter. That's Dialogue: 0,0:23:11.44,0:23:13.52,Default,,0000,0000,0000,,going to install it for you. Dialogue: 0,0:23:13.52,0:23:16.88,Default,,0000,0000,0000,,Give that a couple of seconds. Dialogue: 0,0:23:19.44,0:23:21.52,Default,,0000,0000,0000,,Alright. So once that is installed, if Dialogue: 0,0:23:21.52,0:23:23.04,Default,,0000,0000,0000,,you list out the contents of this Dialogue: 0,0:23:23.04,0:23:24.56,Default,,0000,0000,0000,,directory, you're gonna have a Splunk Dialogue: 0,0:23:24.56,0:23:26.56,Default,,0000,0000,0000,,forwarder directory here. So I'll say cd Dialogue: 0,0:23:26.56,0:23:29.20,Default,,0000,0000,0000,,splunkforwarder. And under the binary Dialogue: 0,0:23:29.20,0:23:31.20,Default,,0000,0000,0000,,directory, we can navigate to that here. Dialogue: 0,0:23:31.20,0:23:32.72,Default,,0000,0000,0000,,We'll need to start-- Dialogue: 0,0:23:32.72,0:23:35.60,Default,,0000,0000,0000,,we'll need to start Splunk. So we will Dialogue: 0,0:23:35.60,0:23:37.28,Default,,0000,0000,0000,,say sudo, Dialogue: 0,0:23:37.28,0:23:39.04,Default,,0000,0000,0000,,and the binary we want to run is called Dialogue: 0,0:23:39.04,0:23:41.28,Default,,0000,0000,0000,,splunk, and we'll accept the license. Dialogue: 0,0:23:41.28,0:23:42.80,Default,,0000,0000,0000,,The reason we're doing this is because Dialogue: 0,0:23:42.80,0:23:44.80,Default,,0000,0000,0000,,we need to configure it. So we need to Dialogue: 0,0:23:44.80,0:23:46.80,Default,,0000,0000,0000,,specify the username and password, or, you Dialogue: 0,0:23:46.80,0:23:49.28,Default,,0000,0000,0000,,know, create a username and password. 
Dialogue: 0,0:23:49.28,0:23:52.00,Default,,0000,0000,0000,,And once that is done, you'll actually Dialogue: 0,0:23:52.00,0:23:53.36,Default,,0000,0000,0000,,see what that looks like. So I'll just Dialogue: 0,0:23:53.36,0:23:55.68,Default,,0000,0000,0000,,say accept the license. Dialogue: 0,0:23:55.68,0:23:59.20,Default,,0000,0000,0000,,And you can see in this case... let's see if I Dialogue: 0,0:23:59.20,0:24:01.20,Default,,0000,0000,0000,,typed that incorrectly. That should Dialogue: 0,0:24:01.20,0:24:03.60,Default,,0000,0000,0000,,actually start. So splunk start. I did not Dialogue: 0,0:24:03.60,0:24:05.44,Default,,0000,0000,0000,,specify start there. Dialogue: 0,0:24:05.44,0:24:06.80,Default,,0000,0000,0000,,There we are. So please enter an Dialogue: 0,0:24:06.80,0:24:09.68,Default,,0000,0000,0000,,administrator name. I'll just say admin. Dialogue: 0,0:24:09.68,0:24:12.00,Default,,0000,0000,0000,,So again, Splunk software must create an Dialogue: 0,0:24:12.00,0:24:14.32,Default,,0000,0000,0000,,administrator account during startup. Dialogue: 0,0:24:14.32,0:24:16.56,Default,,0000,0000,0000,,Otherwise, you cannot log in. So create Dialogue: 0,0:24:16.56,0:24:18.90,Default,,0000,0000,0000,,credentials for the administrator account. Dialogue: 0,0:24:20.64,0:24:22.32,Default,,0000,0000,0000,,So in this case, you can Dialogue: 0,0:24:22.32,0:24:23.60,Default,,0000,0000,0000,,create whatever you want. I'm just going Dialogue: 0,0:24:23.60,0:24:26.00,Default,,0000,0000,0000,,to fill in my credentials here. Dialogue: 0,0:24:26.00,0:24:28.64,Default,,0000,0000,0000,,Alright, so I've just entered my Dialogue: 0,0:24:28.64,0:24:30.32,Default,,0000,0000,0000,,administrator username and then, of Dialogue: 0,0:24:30.32,0:24:32.40,Default,,0000,0000,0000,,course, my password. So Dialogue: 0,0:24:32.40,0:24:33.84,Default,,0000,0000,0000,,that is done. 
Dialogue: 0,0:24:33.84,0:24:36.24,Default,,0000,0000,0000,,So it'll go through-- Dialogue: 0,0:24:36.24,0:24:37.76,Default,,0000,0000,0000,,it'll essentially go through and check Dialogue: 0,0:24:37.76,0:24:40.40,Default,,0000,0000,0000,,the prerequisites. New certs have been Dialogue: 0,0:24:40.40,0:24:42.96,Default,,0000,0000,0000,,generated in the following directory, Dialogue: 0,0:24:42.96,0:24:45.20,Default,,0000,0000,0000,,and all the preliminary checks have Dialogue: 0,0:24:45.20,0:24:47.52,Default,,0000,0000,0000,,passed. So starting the Splunk server Dialogue: 0,0:24:47.52,0:24:49.44,Default,,0000,0000,0000,,daemon--so that started. You can also Dialogue: 0,0:24:49.44,0:24:52.16,Default,,0000,0000,0000,,enable it to run on system startup. So if Dialogue: 0,0:24:52.16,0:24:56.33,Default,,0000,0000,0000,,I say, you know, for example, sudo systemctl Dialogue: 0,0:24:56.72,0:24:58.91,Default,,0000,0000,0000,,status splunk, Dialogue: 0,0:24:59.52,0:25:01.84,Default,,0000,0000,0000,,let me type that correctly here. So Dialogue: 0,0:25:01.84,0:25:03.36,Default,,0000,0000,0000,,splunk-- Dialogue: 0,0:25:03.36,0:25:07.52,Default,,0000,0000,0000,,sorry, systemctl, Dialogue: 0,0:25:07.52,0:25:10.24,Default,,0000,0000,0000,,and we can say splunkd. Dialogue: 0,0:25:10.24,0:25:12.88,Default,,0000,0000,0000,,Sorry. So we can say splunk. I'm not Dialogue: 0,0:25:12.88,0:25:15.04,Default,,0000,0000,0000,,really sure why that's not loading here. Dialogue: 0,0:25:15.04,0:25:17.52,Default,,0000,0000,0000,,But I do know that the daemon is running, Dialogue: 0,0:25:17.52,0:25:23.62,Default,,0000,0000,0000,,and there should be an init daemon for that. Dialogue: 0,0:25:23.62,0:25:24.80,Default,,0000,0000,0000,,But in any case, Dialogue: 0,0:25:24.80,0:25:27.36,Default,,0000,0000,0000,,you can always start it that way. 
Dialogue: 0,0:25:27.36,0:25:29.84,Default,,0000,0000,0000,,Once that is done, we will need to add Dialogue: 0,0:25:29.84,0:25:32.32,Default,,0000,0000,0000,,our forward server. So we need to add Dialogue: 0,0:25:32.32,0:25:34.96,Default,,0000,0000,0000,,the address of the server--the Dialogue: 0,0:25:34.96,0:25:37.04,Default,,0000,0000,0000,,Splunk server that we're forwarding our Dialogue: 0,0:25:37.04,0:25:39.60,Default,,0000,0000,0000,,logs to. We'll move on to what Dialogue: 0,0:25:39.60,0:25:42.48,Default,,0000,0000,0000,,logs we want to forward in a second. But Dialogue: 0,0:25:42.48,0:25:44.16,Default,,0000,0000,0000,,let's do that first. So again, we're going Dialogue: 0,0:25:44.16,0:25:45.80,Default,,0000,0000,0000,,to use the Dialogue: 0,0:25:47.52,0:25:51.22,Default,,0000,0000,0000,,Splunk binary, and we're going to say forward-server. Dialogue: 0,0:25:51.22,0:25:52.56,Default,,0000,0000,0000,,And we'll just copy the IP Dialogue: 0,0:25:52.56,0:25:56.42,Default,,0000,0000,0000,,address of your Splunk server here. Dialogue: 0,0:25:56.42,0:25:59.85,Default,,0000,0000,0000,,So there we are. And I'll paste that in there. Dialogue: 0,0:26:00.64,0:26:03.32,Default,,0000,0000,0000,,And then you need to type in the port--so Dialogue: 0,0:26:03.32,0:26:07.78,Default,,0000,0000,0000,,9997, that's the port to connect to. Hit enter. Dialogue: 0,0:26:08.40,0:26:10.80,Default,,0000,0000,0000,,So splunk forward-- Dialogue: 0,0:26:11.28,0:26:13.28,Default,,0000,0000,0000,,yeah, we need to add it. I keep forgetting Dialogue: 0,0:26:13.28,0:26:16.91,Default,,0000,0000,0000,,the preliminary command. So add forward-server, Dialogue: 0,0:26:16.91,0:26:18.26,Default,,0000,0000,0000,,Splunk username. Dialogue: 0,0:26:18.32,0:26:21.92,Default,,0000,0000,0000,,So in this case, let me just put Dialogue: 0,0:26:21.92,0:26:25.84,Default,,0000,0000,0000,,in my credentials here. Dialogue: 0,0:26:26.64,0:26:29.44,Default,,0000,0000,0000,,Alright. 
And it's going to then add the Dialogue: 0,0:26:29.44,0:26:31.76,Default,,0000,0000,0000,,forwarding to that particular address. Dialogue: 0,0:26:31.76,0:26:33.76,Default,,0000,0000,0000,,Alright. Now that that is done, Dialogue: 0,0:26:33.76,0:26:35.44,Default,,0000,0000,0000,,we actually need to Dialogue: 0,0:26:35.44,0:26:37.92,Default,,0000,0000,0000,,configure a particular file, Dialogue: 0,0:26:37.92,0:26:40.72,Default,,0000,0000,0000,,and that is going to be the outputs.conf Dialogue: 0,0:26:40.72,0:26:43.04,Default,,0000,0000,0000,,directory. If it's already set up for us, Dialogue: 0,0:26:43.04,0:26:45.04,Default,,0000,0000,0000,,which it should be, Dialogue: 0,0:26:45.04,0:26:46.88,Default,,0000,0000,0000,,then we do not need to go through the Dialogue: 0,0:26:46.88,0:26:49.36,Default,,0000,0000,0000,,initial setup. So, Dialogue: 0,0:26:49.36,0:26:51.12,Default,,0000,0000,0000,,if we head over into the following Dialogue: 0,0:26:51.12,0:26:52.64,Default,,0000,0000,0000,,directory--so I'll just take a step back-- Dialogue: 0,0:26:52.64,0:26:55.12,Default,,0000,0000,0000,,we're still in the Splunk forwarder directory. Dialogue: 0,0:26:55.28,0:26:59.74,Default,,0000,0000,0000,,We'll head over into the etc directory. Dialogue: 0,0:26:59.74,0:27:01.68,Default,,0000,0000,0000,,And under system, Dialogue: 0,0:27:01.68,0:27:05.04,Default,,0000,0000,0000,,we have a file under local, I think. It is Dialogue: 0,0:27:05.04,0:27:06.64,Default,,0000,0000,0000,,called outputs here. Right? So I'm going to say Dialogue: 0,0:27:06.64,0:27:09.68,Default,,0000,0000,0000,,sudo vim outputs.conf. Dialogue: 0,0:27:09.84,0:27:11.84,Default,,0000,0000,0000,,And really, the only thing that is Dialogue: 0,0:27:11.84,0:27:14.29,Default,,0000,0000,0000,,required here is, Dialogue: 0,0:27:14.29,0:27:16.16,Default,,0000,0000,0000,,of course, just leave the default Dialogue: 0,0:27:16.16,0:27:18.32,Default,,0000,0000,0000,,configuration as is. 
The default group is Dialogue: 0,0:27:18.32,0:27:21.76,Default,,0000,0000,0000,,fine. So tcpout:default-autolb-group, Dialogue: 0,0:27:21.76,0:27:23.28,Default,,0000,0000,0000,,that's fine. So make sure that the Dialogue: 0,0:27:23.28,0:27:25.84,Default,,0000,0000,0000,,server option here is configured--that's Dialogue: 0,0:27:25.84,0:27:29.10,Default,,0000,0000,0000,,the most important. And the tcpout-server Dialogue: 0,0:27:29.10,0:27:30.32,Default,,0000,0000,0000,,address is also configured in Dialogue: 0,0:27:30.32,0:27:32.00,Default,,0000,0000,0000,,this format. So we don't need to make any Dialogue: 0,0:27:32.00,0:27:34.67,Default,,0000,0000,0000,,changes there. So I'll just say quit and exit. Dialogue: 0,0:27:35.12,0:27:38.64,Default,,0000,0000,0000,,Once that is done, we also need to check Dialogue: 0,0:27:38.64,0:27:41.28,Default,,0000,0000,0000,,the actual inputs configuration file. Dialogue: 0,0:27:41.28,0:27:43.20,Default,,0000,0000,0000,,But before we do that, Dialogue: 0,0:27:43.20,0:27:45.28,Default,,0000,0000,0000,,let's take a look. So if you revisit the Dialogue: 0,0:27:45.28,0:27:46.88,Default,,0000,0000,0000,,Snort video, Dialogue: 0,0:27:46.88,0:27:48.88,Default,,0000,0000,0000,,you know that all the logs are stored Dialogue: 0,0:27:48.88,0:27:53.11,Default,,0000,0000,0000,,under /var/log/snort. Dialogue: 0,0:27:53.11,0:27:55.76,Default,,0000,0000,0000,,Right? So we have the alert log, Dialogue: 0,0:27:55.76,0:27:59.28,Default,,0000,0000,0000,,and we also have--so again, based on Dialogue: 0,0:27:59.28,0:28:02.00,Default,,0000,0000,0000,,the type of alerts Dialogue: 0,0:28:02.00,0:28:03.20,Default,,0000,0000,0000,,you want generated--so, you know, Dialogue: 0,0:28:03.20,0:28:05.44,Default,,0000,0000,0000,,if I say man snort here, Dialogue: 0,0:28:05.44,0:28:08.09,Default,,0000,0000,0000,,you can see that we have the alert mode. 
Dialogue: 0,0:28:08.09,0:28:09.44,Default,,0000,0000,0000,,So you can use the fast mode or the Dialogue: 0,0:28:09.44,0:28:11.36,Default,,0000,0000,0000,,full mode. In this case, I'll be using the Dialogue: 0,0:28:11.36,0:28:12.56,Default,,0000,0000,0000,,fast mode, Dialogue: 0,0:28:13.76,0:28:15.28,Default,,0000,0000,0000,,and I'll give you a description of what's Dialogue: 0,0:28:15.28,0:28:17.28,Default,,0000,0000,0000,,going on here. Right? So Dialogue: 0,0:28:17.28,0:28:19.92,Default,,0000,0000,0000,,full writes the alert to the alert Dialogue: 0,0:28:19.92,0:28:21.92,Default,,0000,0000,0000,,file with the full decoded header as Dialogue: 0,0:28:21.92,0:28:24.72,Default,,0000,0000,0000,,well as the alert message, which might be Dialogue: 0,0:28:24.72,0:28:27.28,Default,,0000,0000,0000,,important. So we can also do that as well. Dialogue: 0,0:28:27.28,0:28:29.60,Default,,0000,0000,0000,,So this was from the previous--from Dialogue: 0,0:28:29.60,0:28:31.76,Default,,0000,0000,0000,,the Snort video where we Dialogue: 0,0:28:31.76,0:28:33.36,Default,,0000,0000,0000,,had run... Dialogue: 0,0:28:33.36,0:28:35.84,Default,,0000,0000,0000,,essentially run Snort and, you know, Dialogue: 0,0:28:35.84,0:28:38.48,Default,,0000,0000,0000,,where we were identifying various alerts. Dialogue: 0,0:28:38.48,0:28:41.92,Default,,0000,0000,0000,,So, what we can do is, again, we'll Dialogue: 0,0:28:41.92,0:28:43.76,Default,,0000,0000,0000,,go through what needs to be created, but Dialogue: 0,0:28:43.76,0:28:45.60,Default,,0000,0000,0000,,we can run a quick test command just to Dialogue: 0,0:28:45.60,0:28:46.88,Default,,0000,0000,0000,,see whether Dialogue: 0,0:28:46.88,0:28:48.80,Default,,0000,0000,0000,,the actual alerts are being logged Dialogue: 0,0:28:48.80,0:28:50.32,Default,,0000,0000,0000,,within the alert file, because we have Dialogue: 0,0:28:50.32,0:28:53.04,Default,,0000,0000,0000,,alert.1. 
Ideally, we would only want Dialogue: 0,0:28:53.04,0:28:55.76,Default,,0000,0000,0000,,to forward this file into Splunk. Dialogue: 0,0:28:55.76,0:28:58.08,Default,,0000,0000,0000,,So, in order to do this, what I'm going Dialogue: 0,0:28:58.08,0:29:00.08,Default,,0000,0000,0000,,to do now is I'm just gonna run Snort Dialogue: 0,0:29:00.08,0:29:03.59,Default,,0000,0000,0000,,really quickly. So I'm going to say sudo snort -q, Dialogue: 0,0:29:03.92,0:29:06.00,Default,,0000,0000,0000,,for quiet, and then Dialogue: 0,0:29:06.00,0:29:10.50,Default,,0000,0000,0000,,the actual directory for the logs is /var/log/snort. Dialogue: 0,0:29:11.36,0:29:14.64,Default,,0000,0000,0000,,And then we can say the interface is enp0s3. Dialogue: 0,0:29:14.64,0:29:16.24,Default,,0000,0000,0000,,Again, make sure to replace that with Dialogue: 0,0:29:16.24,0:29:19.04,Default,,0000,0000,0000,,your own interface. The alert, we can Dialogue: 0,0:29:19.04,0:29:20.32,Default,,0000,0000,0000,,say full, Dialogue: 0,0:29:20.32,0:29:26.19,Default,,0000,0000,0000,,and the configuration is /etc/snort/snort.conf. Dialogue: 0,0:29:26.40,0:29:28.32,Default,,0000,0000,0000,,I believe we had another configuration Dialogue: 0,0:29:28.32,0:29:30.72,Default,,0000,0000,0000,,file. Yeah. We had used the snort.conf file. Dialogue: 0,0:29:30.72,0:29:32.40,Default,,0000,0000,0000,,So I'll hit enter. Dialogue: 0,0:29:32.40,0:29:35.56,Default,,0000,0000,0000,,And now let me open up my file explorer here. Dialogue: 0,0:29:35.84,0:29:38.72,Default,,0000,0000,0000,,We take a look at the var directory Dialogue: 0,0:29:38.72,0:29:42.24,Default,,0000,0000,0000,,under log. And under snort, Dialogue: 0,0:29:42.24,0:29:44.96,Default,,0000,0000,0000,,we have alert. There we are. So, Dialogue: 0,0:29:44.96,0:29:47.96,Default,,0000,0000,0000,,that has been modified. The last was Dialogue: 0,0:29:47.96,0:29:50.05,Default,,0000,0000,0000,,modified Dialogue: 0,0:29:51.20,0:29:53.92,Default,,0000,0000,0000,,right over there. Okay. 
So that's 19. Yeah. Dialogue: 0,0:29:53.92,0:29:55.68,Default,,0000,0000,0000,,So this is the last modified. So I know Dialogue: 0,0:29:55.68,0:29:58.00,Default,,0000,0000,0000,,this file is not human-readable. We Dialogue: 0,0:29:58.00,0:30:00.98,Default,,0000,0000,0000,,are not going to be forwarding this .log file. Dialogue: 0,0:30:00.98,0:30:02.96,Default,,0000,0000,0000,,So I'll just close that there. Dialogue: 0,0:30:02.96,0:30:07.44,Default,,0000,0000,0000,,So I'm just going to try and perform a few Dialogue: 0,0:30:07.44,0:30:09.68,Default,,0000,0000,0000,,checks on the network, like a few pings, Dialogue: 0,0:30:09.68,0:30:11.76,Default,,0000,0000,0000,,just to see if that's detected. Dialogue: 0,0:30:11.76,0:30:15.68,Default,,0000,0000,0000,,So I'll just, you know, perform a ping really quickly. Dialogue: 0,0:30:15.68,0:30:17.52,Default,,0000,0000,0000,,Again, the alerts will not be logged on Dialogue: 0,0:30:17.52,0:30:18.96,Default,,0000,0000,0000,,our terminal because they're being Dialogue: 0,0:30:18.96,0:30:21.20,Default,,0000,0000,0000,,logged, you know, into the respective Dialogue: 0,0:30:21.20,0:30:24.16,Default,,0000,0000,0000,,alert file or the alert log file. So I'll Dialogue: 0,0:30:24.16,0:30:26.08,Default,,0000,0000,0000,,just perform, you know, a few pings, as Dialogue: 0,0:30:26.08,0:30:27.68,Default,,0000,0000,0000,,I was saying, which I'm doing right now Dialogue: 0,0:30:27.68,0:30:29.52,Default,,0000,0000,0000,,on the attacker system. Dialogue: 0,0:30:29.52,0:30:31.76,Default,,0000,0000,0000,,Once that is done, let's see whether Dialogue: 0,0:30:31.76,0:30:33.76,Default,,0000,0000,0000,,those changes are being highlighted in Dialogue: 0,0:30:33.76,0:30:37.60,Default,,0000,0000,0000,,alert. Indeed, they are. Okay. 
So now, Dialogue: 0,0:30:40.16,0:30:42.40,Default,,0000,0000,0000,,as you can see here, Dialogue: 0,0:30:42.40,0:30:45.28,Default,,0000,0000,0000,,this is the full-- Dialogue: 0,0:30:45.36,0:30:48.00,Default,,0000,0000,0000,,these are... So to begin with, we had used Dialogue: 0,0:30:48.00,0:30:52.73,Default,,0000,0000,0000,,the fast alert output mode. Dialogue: 0,0:30:54.00,0:30:56.08,Default,,0000,0000,0000,,And right over here, we then have the Dialogue: 0,0:30:56.08,0:31:00.16,Default,,0000,0000,0000,,full alert mode, which I'm not really sure how Dialogue: 0,0:31:00.16,0:31:01.92,Default,,0000,0000,0000,,we want to Dialogue: 0,0:31:01.92,0:31:05.36,Default,,0000,0000,0000,,go about doing this. But you can see, Dialogue: 0,0:31:05.36,0:31:07.36,Default,,0000,0000,0000,,we can actually make a few changes. Dialogue: 0,0:31:07.36,0:31:11.11,Default,,0000,0000,0000,,What we can do is we can get rid of this traffic here. Dialogue: 0,0:31:11.44,0:31:13.52,Default,,0000,0000,0000,,But you can see the message is actually Dialogue: 0,0:31:13.52,0:31:15.28,Default,,0000,0000,0000,,being logged. So Dialogue: 0,0:31:15.28,0:31:17.76,Default,,0000,0000,0000,,we can get rid of this here Dialogue: 0,0:31:17.76,0:31:25.75,Default,,0000,0000,0000,,because we don't want to mix fast alerts Dialogue: 0,0:31:26.08,0:31:31.52,Default,,0000,0000,0000,,with the full mode. So we can just get rid of that Dialogue: 0,0:31:31.52,0:31:33.61,Default,,0000,0000,0000,,there and save that. Dialogue: 0,0:31:34.16,0:31:37.84,Default,,0000,0000,0000,,Once that is done, I'll just say-- Dialogue: 0,0:31:37.84,0:31:41.29,Default,,0000,0000,0000,,we actually need permissions to modify that file. Dialogue: 0,0:31:42.00,0:31:45.60,Default,,0000,0000,0000,,But, you know, what we can do is--what I am Dialogue: 0,0:31:45.60,0:31:47.28,Default,,0000,0000,0000,,going to do actually is close without Dialogue: 0,0:31:47.28,0:31:50.16,Default,,0000,0000,0000,,saving. I'm just going to stop Snort there. 
Dialogue: 0,0:31:50.40,0:31:52.08,Default,,0000,0000,0000,,And I'm just going to say Dialogue: 0,0:31:52.08,0:31:58.15,Default,,0000,0000,0000,,sudo rm /var/log/snort. Dialogue: 0,0:31:58.15,0:32:00.52,Default,,0000,0000,0000,,And we're going to remove alert. Dialogue: 0,0:32:01.36,0:32:04.24,Default,,0000,0000,0000,,Alright. And we're also going to remove alert.1. Dialogue: 0,0:32:04.24,0:32:05.44,Default,,0000,0000,0000,,Alright. So I'm just going to run this Dialogue: 0,0:32:05.44,0:32:08.24,Default,,0000,0000,0000,,again, just to see that the file is generated. Dialogue: 0,0:32:08.24,0:32:11.12,Default,,0000,0000,0000,,So there we are. We have alert there. Dialogue: 0,0:32:11.12,0:32:12.56,Default,,0000,0000,0000,,So now it's much cleaner. I'll just Dialogue: 0,0:32:12.56,0:32:14.24,Default,,0000,0000,0000,,run a few pings, just to make sure that Dialogue: 0,0:32:14.24,0:32:16.48,Default,,0000,0000,0000,,the traffic is being logged--all those Dialogue: 0,0:32:16.48,0:32:18.48,Default,,0000,0000,0000,,alerts are being logged. Dialogue: 0,0:32:18.48,0:32:21.52,Default,,0000,0000,0000,,So there we are. We have a few pings there. Dialogue: 0,0:32:21.52,0:32:24.64,Default,,0000,0000,0000,,And we can also, you know, just run a few Dialogue: 0,0:32:24.64,0:32:26.96,Default,,0000,0000,0000,,checks there. Okay. So there we are. We can Dialogue: 0,0:32:26.96,0:32:29.36,Default,,0000,0000,0000,,see that those are now being logged. And Dialogue: 0,0:32:29.36,0:32:32.03,Default,,0000,0000,0000,,of course, we can change the format based on-- Dialogue: 0,0:32:32.32,0:32:33.52,Default,,0000,0000,0000,,well, you can change it based on your Dialogue: 0,0:32:33.52,0:32:35.04,Default,,0000,0000,0000,,requirements. Right? 
Dialogue: 0,0:32:35.04,0:32:35.94,Default,,0000,0000,0000,,So Dialogue: 0,0:32:38.00,0:32:39.92,Default,,0000,0000,0000,,now that that is done, Dialogue: 0,0:32:39.92,0:32:42.00,Default,,0000,0000,0000,,what we can do is we can close that up, Dialogue: 0,0:32:42.00,0:32:45.88,Default,,0000,0000,0000,,and we can actually leave Snort running as is. Dialogue: 0,0:32:46.32,0:32:48.96,Default,,0000,0000,0000,,So what I'll do is I'm just going to Dialogue: 0,0:32:48.96,0:32:51.12,Default,,0000,0000,0000,,open up another tab. Dialogue: 0,0:32:51.12,0:32:54.20,Default,,0000,0000,0000,,So just, you know--I can say Ctrl+Shift+T. Dialogue: 0,0:32:54.20,0:32:56.80,Default,,0000,0000,0000,,There we are. And we're currently within the following Dialogue: 0,0:32:56.80,0:33:01.52,Default,,0000,0000,0000,,directory: /opt/splunkforwarder/etc/system/local. Dialogue: 0,0:33:01.52,0:33:03.12,Default,,0000,0000,0000,,So, Dialogue: 0,0:33:03.12,0:33:06.00,Default,,0000,0000,0000,,once that is done, we now need to add Dialogue: 0,0:33:06.00,0:33:09.39,Default,,0000,0000,0000,,the files that we would like to monitor Dialogue: 0,0:33:09.39,0:33:12.24,Default,,0000,0000,0000,,or that we would like to forward. Right? Dialogue: 0,0:33:12.24,0:33:15.36,Default,,0000,0000,0000,,So, the log files. I'll go back into the bin directory. Dialogue: 0,0:33:15.36,0:33:17.68,Default,,0000,0000,0000,,So there we are--cd bin--because that's Dialogue: 0,0:33:17.68,0:33:19.36,Default,,0000,0000,0000,,where we have the Splunk binary. So I'll Dialogue: 0,0:33:19.36,0:33:23.04,Default,,0000,0000,0000,,say sudo splunk. Dialogue: 0,0:33:24.40,0:33:26.98,Default,,0000,0000,0000,,And we can say add monitor. Dialogue: 0,0:33:28.32,0:33:30.72,Default,,0000,0000,0000,,And the file that we want to forward is Dialogue: 0,0:33:30.72,0:33:34.40,Default,,0000,0000,0000,,under /var/log/snort, and it is just alert. Dialogue: 0,0:33:34.40,0:33:36.56,Default,,0000,0000,0000,,Right? So that's all. 
That's really all Dialogue: 0,0:33:36.56,0:33:38.72,Default,,0000,0000,0000,,that we want to do. Right? Dialogue: 0,0:33:38.72,0:33:41.60,Default,,0000,0000,0000,,And we can also utilize the fast alerts, Dialogue: 0,0:33:41.60,0:33:44.40,Default,,0000,0000,0000,,but let's just do this for now. Dialogue: 0,0:33:44.40,0:33:46.40,Default,,0000,0000,0000,,We only want the alerts--we don't Dialogue: 0,0:33:46.40,0:33:48.32,Default,,0000,0000,0000,,want the actual log files that contain Dialogue: 0,0:33:48.32,0:33:53.84,Default,,0000,0000,0000,,the packets themselves. So I'll hit Enter. Dialogue: 0,0:33:54.48,0:33:56.40,Default,,0000,0000,0000,,Alright. So it's now going to forward Dialogue: 0,0:33:56.40,0:33:58.96,Default,,0000,0000,0000,,those alerts into Splunk, which pretty Dialogue: 0,0:33:58.96,0:34:02.16,Default,,0000,0000,0000,,much means that on our end, we are done. Dialogue: 0,0:34:02.16,0:34:04.00,Default,,0000,0000,0000,,However, we still need to check one more Dialogue: 0,0:34:04.00,0:34:05.84,Default,,0000,0000,0000,,configuration file. So I'll just take a Dialogue: 0,0:34:05.84,0:34:08.00,Default,,0000,0000,0000,,step back here, and we'll head over into Dialogue: 0,0:34:08.00,0:34:12.17,Default,,0000,0000,0000,,the /etc directory under apps/search, Dialogue: 0,0:34:13.12,0:34:15.52,Default,,0000,0000,0000,,and then into local. Dialogue: 0,0:34:15.52,0:34:16.72,Default,,0000,0000,0000,,I think we'll need root Dialogue: 0,0:34:16.72,0:34:18.32,Default,,0000,0000,0000,,permissions to access this. So I'll just Dialogue: 0,0:34:18.32,0:34:20.08,Default,,0000,0000,0000,,switch to the root user and head over Dialogue: 0,0:34:20.08,0:34:21.52,Default,,0000,0000,0000,,into local. Dialogue: 0,0:34:21.52,0:34:27.34,Default,,0000,0000,0000,,And we're looking for the inputs.conf file. Right? 
Dialogue: 0,0:34:27.34,0:34:28.08,Default,,0000,0000,0000,,We need to actually Dialogue: 0,0:34:28.08,0:34:29.76,Default,,0000,0000,0000,,configure this because this is very Dialogue: 0,0:34:29.76,0:34:31.04,Default,,0000,0000,0000,,important. Dialogue: 0,0:34:31.04,0:34:35.92,Default,,0000,0000,0000,,The first thing we want to do is--let us Dialogue: 0,0:34:35.92,0:34:38.64,Default,,0000,0000,0000,,add a new line here. And within the Dialogue: 0,0:34:38.64,0:34:43.53,Default,,0000,0000,0000,,square brackets, I'll just say [splunk-tcp]. Dialogue: 0,0:34:44.24,0:34:46.40,Default,,0000,0000,0000,,And we then want to specify the port--so Dialogue: 0,0:34:46.40,0:34:47.65,Default,,0000,0000,0000,,9997. Dialogue: 0,0:34:48.40,0:34:51.52,Default,,0000,0000,0000,,Let me make sure I type that in correctly. Dialogue: 0,0:34:51.52,0:34:55.25,Default,,0000,0000,0000,,We then need to actually put in the connection. Dialogue: 0,0:34:56.96,0:35:01.77,Default,,0000,0000,0000,,So the connection_host Dialogue: 0,0:35:01.77,0:35:03.44,Default,,0000,0000,0000,,is going to be equal to the IP Dialogue: 0,0:35:03.44,0:35:06.10,Default,,0000,0000,0000,,address of the Splunk server. Dialogue: 0,0:35:06.56,0:35:10.08,Default,,0000,0000,0000,,So I'll just copy that there and paste that in there. Dialogue: 0,0:35:11.28,0:35:14.00,Default,,0000,0000,0000,,Once that is done, Dialogue: 0,0:35:14.00,0:35:16.95,Default,,0000,0000,0000,,this is fine here--disabled is set to false. Dialogue: 0,0:35:16.95,0:35:20.32,Default,,0000,0000,0000,,We want index to be equal to main. Dialogue: 0,0:35:20.32,0:35:23.68,Default,,0000,0000,0000,,And then the sourcetype Dialogue: 0,0:35:23.68,0:35:28.33,Default,,0000,0000,0000,,is going to be equal to snort_alert_full. Dialogue: 0,0:35:28.96,0:35:31.28,Default,,0000,0000,0000,,And we can then say the source is equal Dialogue: 0,0:35:31.28,0:35:33.04,Default,,0000,0000,0000,,to snort. Alright? 
So this is a very Dialogue: 0,0:35:33.04,0:35:35.28,Default,,0000,0000,0000,,important configuration. Let me just Dialogue: 0,0:35:35.28,0:35:36.64,Default,,0000,0000,0000,,go through those options or Dialogue: 0,0:35:36.64,0:35:40.08,Default,,0000,0000,0000,,configurations again. We have the splunk-tcp option. Dialogue: 0,0:35:40.32,0:35:43.53,Default,,0000,0000,0000,,We then have the actual connection_host. Dialogue: 0,0:35:43.53,0:35:46.64,Default,,0000,0000,0000,,The monitor is set correctly to that file. Dialogue: 0,0:35:46.64,0:35:52.50,Default,,0000,0000,0000,,It's enabled, index=main, sourcetype=snort_alert_full, source=snort. Dialogue: 0,0:35:52.50,0:35:53.48,Default,,0000,0000,0000,,Fantastic. Dialogue: 0,0:35:53.48,0:35:54.72,Default,,0000,0000,0000,,So we'll write and quit. Dialogue: 0,0:35:54.72,0:35:57.04,Default,,0000,0000,0000,,Once this is done, Dialogue: 0,0:35:57.04,0:35:58.72,Default,,0000,0000,0000,,we'll need to restart Splunk. So I'll Dialogue: 0,0:35:58.72,0:36:00.80,Default,,0000,0000,0000,,switch back to my user, Lexus, here, and Dialogue: 0,0:36:00.80,0:36:04.56,Default,,0000,0000,0000,,we'll navigate back to the bin directory. Dialogue: 0,0:36:04.56,0:36:06.40,Default,,0000,0000,0000,,So I'll say cd bin, Dialogue: 0,0:36:06.40,0:36:15.68,Default,,0000,0000,0000,,and we'll say sudo splunk restart. Alright, hit Enter. Dialogue: 0,0:36:15.68,0:36:18.32,Default,,0000,0000,0000,,It's going to stop the Splunk daemon, Dialogue: 0,0:36:18.32,0:36:19.68,Default,,0000,0000,0000,,shut it down, Dialogue: 0,0:36:19.68,0:36:22.16,Default,,0000,0000,0000,,restart it--and it's done successfully. So Dialogue: 0,0:36:22.16,0:36:24.56,Default,,0000,0000,0000,,all the checks were completed without Dialogue: 0,0:36:24.56,0:36:27.12,Default,,0000,0000,0000,,any issue. 
Alright, so Dialogue: 0,0:36:27.12,0:36:29.04,Default,,0000,0000,0000,,now that this is done, we can actually go Dialogue: 0,0:36:29.04,0:36:31.44,Default,,0000,0000,0000,,back into Splunk here, and we'll navigate Dialogue: 0,0:36:31.44,0:36:33.28,Default,,0000,0000,0000,,to the dashboard. Dialogue: 0,0:36:33.28,0:36:35.84,Default,,0000,0000,0000,,This is your Splunk server. Right? Dialogue: 0,0:36:35.84,0:36:37.44,Default,,0000,0000,0000,,And let's take a look at the messages Dialogue: 0,0:36:37.44,0:36:39.92,Default,,0000,0000,0000,,here. That's just a few updates--we Dialogue: 0,0:36:39.92,0:36:41.92,Default,,0000,0000,0000,,don't need to do anything there. So if we Dialogue: 0,0:36:41.92,0:36:43.12,Default,,0000,0000,0000,,click on Dialogue: 0,0:36:43.12,0:36:45.60,Default,,0000,0000,0000,,Search & Reporting, just to verify that Dialogue: 0,0:36:45.60,0:36:47.84,Default,,0000,0000,0000,,data has indeed been forwarded, I'll Dialogue: 0,0:36:47.84,0:36:49.28,Default,,0000,0000,0000,,just skip through this. If we click on Dialogue: 0,0:36:49.28,0:36:51.04,Default,,0000,0000,0000,,Data Summary, Dialogue: 0,0:36:51.04,0:36:52.88,Default,,0000,0000,0000,,under Sources, you should see that we Dialogue: 0,0:36:52.88,0:36:55.68,Default,,0000,0000,0000,,have the host. And in my case, the name of Dialogue: 0,0:36:55.68,0:36:58.64,Default,,0000,0000,0000,,the system is blackbox, so that should Dialogue: 0,0:36:58.64,0:37:01.62,Default,,0000,0000,0000,,be reflected there. So there we are--blackbox. Dialogue: 0,0:37:01.62,0:37:03.28,Default,,0000,0000,0000,,We have 42 Dialogue: 0,0:37:03.28,0:37:06.80,Default,,0000,0000,0000,,logs or alerts, if you will. Sources: 42. We Dialogue: 0,0:37:06.80,0:37:08.64,Default,,0000,0000,0000,,can click on that there to just see the Dialogue: 0,0:37:08.64,0:37:11.28,Default,,0000,0000,0000,,data that has been logged. Indeed, we can Dialogue: 0,0:37:11.28,0:37:13.04,Default,,0000,0000,0000,,see that has been done correctly. 
So Dialogue: 0,0:37:13.04,0:37:14.88,Default,,0000,0000,0000,,sourcetype is alert. Dialogue: 0,0:37:14.88,0:37:17.28,Default,,0000,0000,0000,,We can see that it's imported, you Dialogue: 0,0:37:17.28,0:37:19.44,Default,,0000,0000,0000,,know, pretty much all the data--or, you Dialogue: 0,0:37:19.44,0:37:21.12,Default,,0000,0000,0000,,know, these are the... this is the full log Dialogue: 0,0:37:21.12,0:37:24.35,Default,,0000,0000,0000,,whereby we have the reference to that there. Dialogue: 0,0:37:24.88,0:37:26.80,Default,,0000,0000,0000,,That's weird--I didn't actually run Dialogue: 0,0:37:26.80,0:37:30.24,Default,,0000,0000,0000,,anything weird, but there you go. Dialogue: 0,0:37:30.24,0:37:32.72,Default,,0000,0000,0000,,So now that this is done, you can Dialogue: 0,0:37:32.72,0:37:34.88,Default,,0000,0000,0000,,use Splunk to essentially visualize this Dialogue: 0,0:37:34.88,0:37:36.80,Default,,0000,0000,0000,,data however you want. So, you Dialogue: 0,0:37:36.80,0:37:39.36,Default,,0000,0000,0000,,know, I can go into Visualization, Dialogue: 0,0:37:39.36,0:37:42.24,Default,,0000,0000,0000,,and we can click on--maybe we can Dialogue: 0,0:37:42.24,0:37:44.72,Default,,0000,0000,0000,,create a... Dialogue: 0,0:37:44.72,0:37:46.88,Default,,0000,0000,0000,,we can select a few fields. So if I go Dialogue: 0,0:37:46.88,0:37:50.24,Default,,0000,0000,0000,,back into the Events here, I can select a Dialogue: 0,0:37:50.24,0:37:52.24,Default,,0000,0000,0000,,few fields that I want displayed here, Dialogue: 0,0:37:52.24,0:37:54.32,Default,,0000,0000,0000,,and I can, you know, essentially extract Dialogue: 0,0:37:54.32,0:37:57.04,Default,,0000,0000,0000,,the fields that I want with regex. 
Dialogue: 0,0:37:57.04,0:37:59.68,Default,,0000,0000,0000,,But I don't think this is necessary at this Dialogue: 0,0:37:59.68,0:38:01.52,Default,,0000,0000,0000,,point, because if we actually go back to Dialogue: 0,0:38:01.52,0:38:03.60,Default,,0000,0000,0000,,the dashboard Dialogue: 0,0:38:03.60,0:38:06.16,Default,,0000,0000,0000,,and we click on-- Dialogue: 0,0:38:06.16,0:38:10.08,Default,,0000,0000,0000,,let's see--Snort Alerts for Splunk, Dialogue: 0,0:38:10.08,0:38:11.44,Default,,0000,0000,0000,,let's see if this is actually whether Dialogue: 0,0:38:11.44,0:38:15.20,Default,,0000,0000,0000,,this automates that process for us. Dialogue: 0,0:38:15.20,0:38:17.28,Default,,0000,0000,0000,,There we are. Actually, it looks like Dialogue: 0,0:38:17.28,0:38:21.60,Default,,0000,0000,0000,,it does. So, classification: bad-traffic. Dialogue: 0,0:38:21.60,0:38:24.16,Default,,0000,0000,0000,,So it looks like that is working. Dialogue: 0,0:38:24.16,0:38:26.40,Default,,0000,0000,0000,,What we can do now Dialogue: 0,0:38:26.40,0:38:28.72,Default,,0000,0000,0000,,is run a few-- Dialogue: 0,0:38:28.72,0:38:32.08,Default,,0000,0000,0000,,we can actually utilize this script here, Dialogue: 0,0:38:33.52,0:38:37.12,Default,,0000,0000,0000,,the TestMyNIDS script here. So all Dialogue: 0,0:38:37.12,0:38:39.44,Default,,0000,0000,0000,,you need to do to run it is just copy Dialogue: 0,0:38:39.44,0:38:41.52,Default,,0000,0000,0000,,this one-liner script here--or this Dialogue: 0,0:38:41.52,0:38:43.20,Default,,0000,0000,0000,,command--that will download it into your Dialogue: 0,0:38:43.20,0:38:46.00,Default,,0000,0000,0000,,/tmp directory and will then execute it. 
Dialogue: 0,0:38:46.00,0:38:49.20,Default,,0000,0000,0000,,So, you know, to execute it within your Dialogue: 0,0:38:49.20,0:38:51.60,Default,,0000,0000,0000,,temp directory, you can just execute Dialogue: 0,0:38:51.60,0:38:53.04,Default,,0000,0000,0000,,the actual, Dialogue: 0,0:38:54.40,0:38:56.24,Default,,0000,0000,0000,,you know, the actual binary there. It is a Dialogue: 0,0:38:56.24,0:38:58.80,Default,,0000,0000,0000,,binary, not a script. Dialogue: 0,0:38:58.80,0:39:01.28,Default,,0000,0000,0000,,And once that is done, you can then Dialogue: 0,0:39:01.28,0:39:03.52,Default,,0000,0000,0000,,select the option here. So let me just do Dialogue: 0,0:39:03.52,0:39:05.92,Default,,0000,0000,0000,,that on my attacker system. Dialogue: 0,0:39:05.92,0:39:08.88,Default,,0000,0000,0000,,I'm just going to run it one more time. So Dialogue: 0,0:39:08.88,0:39:14.36,Default,,0000,0000,0000,,I'm just going to say ls here. And Dialogue: 0,0:39:16.16,0:39:18.96,Default,,0000,0000,0000,,if I open up the documentation--so Dialogue: 0,0:39:18.96,0:39:22.81,Default,,0000,0000,0000,,firstly, I will run Dialogue: 0,0:39:23.44,0:39:26.64,Default,,0000,0000,0000,,a quick Linux UID check. So Dialogue: 0,0:39:26.64,0:39:28.46,Default,,0000,0000,0000,,I'll just hit Enter. Dialogue: 0,0:39:28.96,0:39:31.28,Default,,0000,0000,0000,,Okay. That is done. I'll then perform an Dialogue: 0,0:39:31.28,0:39:35.12,Default,,0000,0000,0000,,HTTP basic authentication Dialogue: 0,0:39:35.12,0:39:37.84,Default,,0000,0000,0000,,and a malware user-agent. So I'm doing Dialogue: 0,0:39:37.84,0:39:40.64,Default,,0000,0000,0000,,that right now. Dialogue: 0,0:39:40.84,0:39:46.00,Default,,0000,0000,0000,,Okay. And we can run one more here. So, Dialogue: 0,0:39:46.00,0:39:48.72,Default,,0000,0000,0000,,let's see. Let's see. Let's see. We Dialogue: 0,0:39:48.72,0:39:51.52,Default,,0000,0000,0000,,can try EXE or DLL download over HTTP. 
Dialogue: 0,0:39:51.52,0:39:55.94,Default,,0000,0000,0000,,That is surely going to be logged, Dialogue: 0,0:39:57.04,0:39:59.84,Default,,0000,0000,0000,,or that's going to trigger an alert. Dialogue: 0,0:39:59.84,0:40:00.64,Default,,0000,0000,0000,,So, Dialogue: 0,0:40:00.64,0:40:03.04,Default,,0000,0000,0000,,do we have--that is running. Dialogue: 0,0:40:03.04,0:40:05.28,Default,,0000,0000,0000,,Alright. So Snort is running. That's great. Dialogue: 0,0:40:05.28,0:40:08.08,Default,,0000,0000,0000,,So we know that the log is being-- Dialogue: 0,0:40:08.08,0:40:10.24,Default,,0000,0000,0000,,the actual alerts are being forwarded. Dialogue: 0,0:40:10.24,0:40:12.96,Default,,0000,0000,0000,,Absolutely fantastic. So let's go back in Dialogue: 0,0:40:12.96,0:40:15.04,Default,,0000,0000,0000,,here. I've already run those Dialogue: 0,0:40:15.04,0:40:17.00,Default,,0000,0000,0000,,particular checks. Dialogue: 0,0:40:18.40,0:40:20.16,Default,,0000,0000,0000,,So let me just refresh this. I know it Dialogue: 0,0:40:20.16,0:40:22.16,Default,,0000,0000,0000,,usually takes a couple of seconds to a Dialogue: 0,0:40:22.16,0:40:24.40,Default,,0000,0000,0000,,couple of minutes, but that data should Dialogue: 0,0:40:24.40,0:40:26.24,Default,,0000,0000,0000,,start--should actually be reflected. There Dialogue: 0,0:40:26.24,0:40:28.16,Default,,0000,0000,0000,,we are. Fantastic. So Dialogue: 0,0:40:28.16,0:40:31.12,Default,,0000,0000,0000,,we can see that--firstly, Dialogue: 0,0:40:31.12,0:40:32.88,Default,,0000,0000,0000,,I'll just explain the dashboard here Dialogue: 0,0:40:32.88,0:40:33.76,Default,,0000,0000,0000,,because Dialogue: 0,0:40:33.76,0:40:36.16,Default,,0000,0000,0000,,this dashboard is automatically, you Dialogue: 0,0:40:36.16,0:40:38.00,Default,,0000,0000,0000,,know, set up for you by the Snort app, Dialogue: 0,0:40:38.00,0:40:39.92,Default,,0000,0000,0000,,which is really awesome. 
As I said, you Dialogue: 0,0:40:39.92,0:40:42.34,Default,,0000,0000,0000,,don't need to go through that process yourself. Dialogue: 0,0:40:42.56,0:40:44.56,Default,,0000,0000,0000,,So the first graph here essentially Dialogue: 0,0:40:44.56,0:40:46.40,Default,,0000,0000,0000,,tells you your events, Dialogue: 0,0:40:46.40,0:40:48.56,Default,,0000,0000,0000,,and it also displays the, you know, Dialogue: 0,0:40:48.56,0:40:50.40,Default,,0000,0000,0000,,the total number of sources. So you can Dialogue: 0,0:40:50.40,0:40:52.56,Default,,0000,0000,0000,,see that there. You also have the time. Dialogue: 0,0:40:52.56,0:40:54.48,Default,,0000,0000,0000,,So you have your events and Dialogue: 0,0:40:54.48,0:40:56.08,Default,,0000,0000,0000,,then the timeline here. And you can Dialogue: 0,0:40:56.08,0:40:58.88,Default,,0000,0000,0000,,essentially, you know, view a trend--or the Dialogue: 0,0:40:58.88,0:41:01.68,Default,,0000,0000,0000,,trend--of events there. You then Dialogue: 0,0:41:01.68,0:41:04.88,Default,,0000,0000,0000,,have the top source countries Dialogue: 0,0:41:04.88,0:41:07.04,Default,,0000,0000,0000,,right over here. And if I just run Dialogue: 0,0:41:07.04,0:41:08.72,Default,,0000,0000,0000,,another check really quickly here Dialogue: 0,0:41:08.72,0:41:11.12,Default,,0000,0000,0000,,through the NIDS website-- Dialogue: 0,0:41:11.12,0:41:14.72,Default,,0000,0000,0000,,so let me just run the curl command-- Dialogue: 0,0:41:14.72,0:41:16.64,Default,,0000,0000,0000,,you should actually see that because Dialogue: 0,0:41:16.64,0:41:19.28,Default,,0000,0000,0000,,we are reaching out to, you know, there's a Dialogue: 0,0:41:19.28,0:41:21.28,Default,,0000,0000,0000,,connection made to an external server, Dialogue: 0,0:41:21.28,0:41:23.68,Default,,0000,0000,0000,,that it should reflect that info under Dialogue: 0,0:41:23.68,0:41:26.74,Default,,0000,0000,0000,,the top countries--the top source countries. 
Dialogue: 0,0:41:26.80,0:41:28.80,Default,,0000,0000,0000,,So we then have the events here, which, Dialogue: 0,0:41:28.80,0:41:31.28,Default,,0000,0000,0000,,you know, you can click on. And then, Dialogue: 0,0:41:31.28,0:41:33.12,Default,,0000,0000,0000,,of course, you have the sources. Dialogue: 0,0:41:33.12,0:41:36.08,Default,,0000,0000,0000,,So these are the Snort event types, Dialogue: 0,0:41:36.08,0:41:37.76,Default,,0000,0000,0000,,and these are actually the Dialogue: 0,0:41:37.76,0:41:39.68,Default,,0000,0000,0000,,classifications. So we can see potentially Dialogue: 0,0:41:39.68,0:41:42.64,Default,,0000,0000,0000,,bad traffic, attempted information leak, Dialogue: 0,0:41:42.64,0:41:44.72,Default,,0000,0000,0000,,and, you know, you can just refresh your Dialogue: 0,0:41:44.72,0:41:47.44,Default,,0000,0000,0000,,dashboard to get the latest. Dialogue: 0,0:41:47.44,0:41:49.36,Default,,0000,0000,0000,,So we'll give that a couple of seconds. Dialogue: 0,0:41:49.36,0:41:53.11,Default,,0000,0000,0000,,And you can also specify the actual interval period. Dialogue: 0,0:41:53.60,0:41:56.40,Default,,0000,0000,0000,,So I'll just wait for this. Let's Dialogue: 0,0:41:56.40,0:41:58.88,Default,,0000,0000,0000,,see if it's actually being logged or Dialogue: 0,0:41:58.88,0:42:00.32,Default,,0000,0000,0000,,whether we can see all of that. So I'll Dialogue: 0,0:42:00.32,0:42:04.00,Default,,0000,0000,0000,,just go back into the dashboard here, Dialogue: 0,0:42:04.00,0:42:07.36,Default,,0000,0000,0000,,and we'll go into Search and Reporting. Dialogue: 0,0:42:07.36,0:42:09.92,Default,,0000,0000,0000,,And we click on the actual Dialogue: 0,0:42:09.92,0:42:13.04,Default,,0000,0000,0000,,Data Summary and the Sources. We can Dialogue: 0,0:42:13.04,0:42:16.40,Default,,0000,0000,0000,,see we have Snort there, and then /var/snort/alert. Dialogue: 0,0:42:16.40,0:42:20.06,Default,,0000,0000,0000,,So we click on Snort there. Okay. 
Dialogue: 0,0:42:20.06,0:42:22.00,Default,,0000,0000,0000,,So this is bad traffic. That's
Dialogue: 0,0:42:22.00,0:42:25.44,Default,,0000,0000,0000,,really weird because
Dialogue: 0,0:42:26.08,0:42:27.92,Default,,0000,0000,0000,,the source is Snort. We had added two
Dialogue: 0,0:42:27.92,0:42:29.52,Default,,0000,0000,0000,,sources there.
Dialogue: 0,0:42:29.52,0:42:32.72,Default,,0000,0000,0000,,So Data Summary--
Dialogue: 0,0:42:32.72,0:42:34.80,Default,,0000,0000,0000,,let me just click on that there. And if
Dialogue: 0,0:42:34.80,0:42:36.96,Default,,0000,0000,0000,,we click on the sources there, this is
Dialogue: 0,0:42:36.96,0:42:40.80,Default,,0000,0000,0000,,the one that we want, ideally.
Dialogue: 0,0:42:43.20,0:42:47.05,Default,,0000,0000,0000,,Yeah. So that looks like the correct one there.
Dialogue: 0,0:42:49.60,0:42:51.68,Default,,0000,0000,0000,,Yeah. That's the correct traffic. I
Dialogue: 0,0:42:51.68,0:42:55.12,Default,,0000,0000,0000,,think that's why the actual--let me
Dialogue: 0,0:42:55.12,0:42:56.96,Default,,0000,0000,0000,,see if I can find it. So Snort Alerts for
Dialogue: 0,0:42:56.96,0:43:00.64,Default,,0000,0000,0000,,Splunk--let me click on the app there.
Dialogue: 0,0:43:02.48,0:43:04.16,Default,,0000,0000,0000,,Show Filters. It should be displaying
Dialogue: 0,0:43:04.16,0:43:06.40,Default,,0000,0000,0000,,much more than that because I know--yeah,
Dialogue: 0,0:43:06.40,0:43:08.32,Default,,0000,0000,0000,,there are not just four.
Dialogue: 0,0:43:08.32,0:43:09.92,Default,,0000,0000,0000,,So
Dialogue: 0,0:43:09.92,0:43:12.64,Default,,0000,0000,0000,,if we actually head over into the
Dialogue: 0,0:43:12.64,0:43:16.56,Default,,0000,0000,0000,,Snort Event Search here,
Dialogue: 0,0:43:18.48,0:43:20.80,Default,,0000,0000,0000,,we can actually search for--you know,
Dialogue: 0,0:43:20.80,0:43:25.36,Default,,0000,0000,0000,,we can utilize--yeah. So these are only--
Dialogue: 0,0:43:25.36,0:43:28.40,Default,,0000,0000,0000,,this is only monitoring the pings. So
Dialogue: 0,0:43:28.40,0:43:30.24,Default,,0000,0000,0000,,that's weird. I'm not really sure why we
Dialogue: 0,0:43:30.24,0:43:32.32,Default,,0000,0000,0000,,have two data sources. I think it's to do
Dialogue: 0,0:43:32.32,0:43:33.84,Default,,0000,0000,0000,,with the fact
Dialogue: 0,0:43:33.84,0:43:37.04,Default,,0000,0000,0000,,that, you know, we had--so let me
Dialogue: 0,0:43:37.04,0:43:39.52,Default,,0000,0000,0000,,just go back here.
Dialogue: 0,0:43:39.52,0:43:42.64,Default,,0000,0000,0000,,Apps > Search, and sudo root.
Dialogue: 0,0:43:42.64,0:43:46.72,Default,,0000,0000,0000,,Let me just check that here. So cd local,
Dialogue: 0,0:43:46.72,0:43:47.84,Default,,0000,0000,0000,,vim
Dialogue: 0,0:43:47.84,0:43:50.64,Default,,0000,0000,0000,,inputs.conf. So there we are. So the
Dialogue: 0,0:43:50.64,0:43:52.28,Default,,0000,0000,0000,,source is Snort.
Dialogue: 0,0:43:53.28,0:43:56.08,Default,,0000,0000,0000,,We already specified the source as Snort
Dialogue: 0,0:43:56.08,0:43:57.60,Default,,0000,0000,0000,,there,
Dialogue: 0,0:43:57.60,0:43:59.52,Default,,0000,0000,0000,,but it's also adding
Dialogue: 0,0:43:59.52,0:44:02.32,Default,,0000,0000,0000,,this particular, you know, the alert,
Dialogue: 0,0:44:02.32,0:44:04.16,Default,,0000,0000,0000,,as a source as well.
Dialogue: 0,0:44:04.16,0:44:08.15,Default,,0000,0000,0000,,And then the source type is snort_alert_full, index main.
Dialogue: 0,0:44:08.15,0:44:09.04,Default,,0000,0000,0000,,Yeah. That
Dialogue: 0,0:44:09.04,0:44:10.56,Default,,0000,0000,0000,,should be working. That should be working
Dialogue: 0,0:44:10.56,0:44:12.32,Default,,0000,0000,0000,,without any issues. I'm not really sure
Dialogue: 0,0:44:12.32,0:44:14.08,Default,,0000,0000,0000,,why that is the case, but
Dialogue: 0,0:44:14.08,0:44:16.48,Default,,0000,0000,0000,,we can actually customize what dataset
Dialogue: 0,0:44:16.48,0:44:18.00,Default,,0000,0000,0000,,we want to use.
Dialogue: 0,0:44:18.00,0:44:19.36,Default,,0000,0000,0000,,So
Dialogue: 0,0:44:19.36,0:44:21.52,Default,,0000,0000,0000,,I think--let me actually showcase how to
Dialogue: 0,0:44:21.52,0:44:23.36,Default,,0000,0000,0000,,do that right now.
Dialogue: 0,0:44:23.36,0:44:25.84,Default,,0000,0000,0000,,So apologies about that. I actually
Dialogue: 0,0:44:25.84,0:44:27.60,Default,,0000,0000,0000,,figured out what the issue was. It was
Dialogue: 0,0:44:27.60,0:44:30.32,Default,,0000,0000,0000,,because the system I was running
Dialogue: 0,0:44:30.32,0:44:32.08,Default,,0000,0000,0000,,these particular
Dialogue: 0,0:44:32.08,0:44:34.56,Default,,0000,0000,0000,,attacks from wasn't even connected to
Dialogue: 0,0:44:34.56,0:44:36.80,Default,,0000,0000,0000,,the local network.
Dialogue: 0,0:44:36.80,0:44:38.88,Default,,0000,0000,0000,,And even though I was running
Dialogue: 0,0:44:38.88,0:44:41.04,Default,,0000,0000,0000,,these attacks, I did realize that, of
Dialogue: 0,0:44:41.04,0:44:44.53,Default,,0000,0000,0000,,course, they weren't working. So I've just reconnected it.
Dialogue: 0,0:44:44.53,0:44:47.36,Default,,0000,0000,0000,,And what I'm going to do is I'm just going to
Dialogue: 0,0:44:47.36,0:44:49.60,Default,,0000,0000,0000,,run this one more time.
Dialogue: 0,0:44:49.60,0:44:53.36,Default,,0000,0000,0000,,So just give me a second here, and I'll
Dialogue: 0,0:44:53.36,0:44:56.32,Default,,0000,0000,0000,,be able to do that one more time. So
Dialogue: 0,0:44:56.32,0:44:58.56,Default,,0000,0000,0000,,let me just navigate to that particular
Dialogue: 0,0:44:58.56,0:45:00.08,Default,,0000,0000,0000,,directory,
Dialogue: 0,0:45:00.08,0:45:03.12,Default,,0000,0000,0000,,and we'll actually see whether this will work.
Dialogue: 0,0:45:03.12,0:45:04.40,Default,,0000,0000,0000,,So
Dialogue: 0,0:45:04.40,0:45:06.00,Default,,0000,0000,0000,,you can actually see there's much more
Dialogue: 0,0:45:06.00,0:45:07.92,Default,,0000,0000,0000,,that has been captured in regards to
Dialogue: 0,0:45:07.92,0:45:10.16,Default,,0000,0000,0000,,events, and I'll be explaining this
Dialogue: 0,0:45:10.16,0:45:12.48,Default,,0000,0000,0000,,dashboard in a couple of seconds.
Dialogue: 0,0:45:12.48,0:45:14.96,Default,,0000,0000,0000,,So let me just
Dialogue: 0,0:45:14.96,0:45:17.36,Default,,0000,0000,0000,,launch that first attack there--so that
Dialogue: 0,0:45:17.36,0:45:19.44,Default,,0000,0000,0000,,you know--let me just launch that first
Dialogue: 0,0:45:19.44,0:45:22.24,Default,,0000,0000,0000,,type of check. And of course, I'm using
Dialogue: 0,0:45:22.24,0:45:26.40,Default,,0000,0000,0000,,TestMyNIDS here. So, unfortunately,
Dialogue: 0,0:45:26.40,0:45:28.00,Default,,0000,0000,0000,,that wasn't even being logged, which is
Dialogue: 0,0:45:28.00,0:45:30.00,Default,,0000,0000,0000,,why I was a bit confused as to why those
Dialogue: 0,0:45:30.00,0:45:32.80,Default,,0000,0000,0000,,logs are not being displayed here.
Dialogue: 0,0:45:32.80,0:45:35.52,Default,,0000,0000,0000,,So I'll give that a couple of seconds,
Dialogue: 0,0:45:35.52,0:45:38.88,Default,,0000,0000,0000,,and we'll be able to see this happen
Dialogue: 0,0:45:38.88,0:45:41.26,Default,,0000,0000,0000,,in real time as well.
Dialogue: 0,0:45:41.92,0:45:44.56,Default,,0000,0000,0000,,Alright. So that is done. So I've
Dialogue: 0,0:45:44.56,0:45:46.32,Default,,0000,0000,0000,,essentially launched a couple of those
Dialogue: 0,0:45:46.32,0:45:48.32,Default,,0000,0000,0000,,tests. And, as I said,
Dialogue: 0,0:45:48.32,0:45:50.64,Default,,0000,0000,0000,,this is your default
Dialogue: 0,0:45:50.64,0:45:52.56,Default,,0000,0000,0000,,dashboard that you're provided with here.
Dialogue: 0,0:45:52.56,0:45:53.52,Default,,0000,0000,0000,,So,
Dialogue: 0,0:45:53.52,0:45:55.76,Default,,0000,0000,0000,,you know, you can actually refresh
Dialogue: 0,0:45:55.76,0:45:59.55,Default,,0000,0000,0000,,all of these panels here, if you will.
Dialogue: 0,0:45:59.55,0:46:00.80,Default,,0000,0000,0000,,So that'll display the
Dialogue: 0,0:46:00.80,0:46:03.92,Default,,0000,0000,0000,,latest. And, as I said here, because I'd
Dialogue: 0,0:46:03.92,0:46:07.68,Default,,0000,0000,0000,,performed the actual check
Dialogue: 0,0:46:07.68,0:46:09.52,Default,,0000,0000,0000,,and it connected to an external server,
Dialogue: 0,0:46:09.52,0:46:11.68,Default,,0000,0000,0000,,you can see that the top source
Dialogue: 0,0:46:11.68,0:46:13.68,Default,,0000,0000,0000,,countries are highlighted there.
Dialogue: 0,0:46:13.68,0:46:15.84,Default,,0000,0000,0000,,You can also refresh the number of
Dialogue: 0,0:46:15.84,0:46:18.16,Default,,0000,0000,0000,,events, as you can see here,
Dialogue: 0,0:46:18.16,0:46:20.32,Default,,0000,0000,0000,,and the number of sources. So
Dialogue: 0,0:46:20.32,0:46:22.32,Default,,0000,0000,0000,,you can also do that for the rest of
Dialogue: 0,0:46:22.32,0:46:24.48,Default,,0000,0000,0000,,the panels. These are the top 10
Dialogue: 0,0:46:24.48,0:46:26.80,Default,,0000,0000,0000,,classifications
Dialogue: 0,0:46:26.80,0:46:28.96,Default,,0000,0000,0000,,in terms of events, if you will, and then
Dialogue: 0,0:46:28.96,0:46:32.32,Default,,0000,0000,0000,,these Snort event types, as you can see here.
Dialogue: 0,0:46:32.32,0:46:33.84,Default,,0000,0000,0000,,So, for example, in this case, we have the
Dialogue: 0,0:46:33.84,0:46:36.16,Default,,0000,0000,0000,,Attack-Response ID Check, which, if we
Dialogue: 0,0:46:36.16,0:46:37.52,Default,,0000,0000,0000,,click on
Dialogue: 0,0:46:37.52,0:46:40.32,Default,,0000,0000,0000,,right over here,
Dialogue: 0,0:46:41.12,0:46:42.64,Default,,0000,0000,0000,,you can see that it actually displays
Dialogue: 0,0:46:42.64,0:46:44.40,Default,,0000,0000,0000,,that, and you can then
Dialogue: 0,0:46:44.40,0:46:46.40,Default,,0000,0000,0000,,click on the signature itself. And this
Dialogue: 0,0:46:46.40,0:46:48.88,Default,,0000,0000,0000,,is for statistics. Now, if you click on
Dialogue: 0,0:46:48.88,0:46:53.04,Default,,0000,0000,0000,,the Snort Event Search tab right over here,
Dialogue: 0,0:46:53.04,0:46:54.88,Default,,0000,0000,0000,,you can see that this allows you to
Dialogue: 0,0:46:54.88,0:46:57.12,Default,,0000,0000,0000,,search based on the source IP, the source
Dialogue: 0,0:46:57.12,0:46:59.68,Default,,0000,0000,0000,,port, the destination IP, destination port,
Dialogue: 0,0:46:59.68,0:47:02.24,Default,,0000,0000,0000,,and the event type. So I can check for
Dialogue: 0,0:47:02.24,0:47:04.40,Default,,0000,0000,0000,,attack responses based on the rule set
Dialogue: 0,0:47:04.40,0:47:06.48,Default,,0000,0000,0000,,that we had used previously.
Dialogue: 0,0:47:06.48,0:47:09.36,Default,,0000,0000,0000,,And I can also specify the timing. Right?
Dialogue: 0,0:47:09.36,0:47:12.08,Default,,0000,0000,0000,,So that's really fantastic there.
Dialogue: 0,0:47:12.08,0:47:14.64,Default,,0000,0000,0000,,So you can see that right over here, we
Dialogue: 0,0:47:14.64,0:47:16.24,Default,,0000,0000,0000,,have that logged,
Dialogue: 0,0:47:16.24,0:47:19.04,Default,,0000,0000,0000,,which is fantastic. And
Dialogue: 0,0:47:19.04,0:47:21.92,Default,,0000,0000,0000,,if we click on the Snort World Map,
Dialogue: 0,0:47:21.92,0:47:24.00,Default,,0000,0000,0000,,that'll essentially--as you'll see in a
Dialogue: 0,0:47:24.00,0:47:26.16,Default,,0000,0000,0000,,couple of seconds--this will essentially
Dialogue: 0,0:47:26.16,0:47:28.56,Default,,0000,0000,0000,,display the countries by the source IPs.
Dialogue: 0,0:47:28.56,0:47:29.84,Default,,0000,0000,0000,,In this case, it should display the
Dialogue: 0,0:47:29.84,0:47:32.08,Default,,0000,0000,0000,,United States, which makes sense.
Dialogue: 0,0:47:32.08,0:47:34.80,Default,,0000,0000,0000,,And there we are. So, again, this is
Dialogue: 0,0:47:34.80,0:47:37.12,Default,,0000,0000,0000,,extremely helpful, especially if you work
Dialogue: 0,0:47:37.12,0:47:39.84,Default,,0000,0000,0000,,in a SOC. And as I said, there are multiple,
Dialogue: 0,0:47:39.84,0:47:41.92,Default,,0000,0000,0000,,you know, security tools you can
Dialogue: 0,0:47:41.92,0:47:45.04,Default,,0000,0000,0000,,integrate with Splunk.
Dialogue: 0,0:47:45.04,0:47:46.88,Default,,0000,0000,0000,,Now, one thing that I wanted to highlight
Dialogue: 0,0:47:46.88,0:47:49.44,Default,,0000,0000,0000,,is--you can, if you click on Edit--and I'll
Dialogue: 0,0:47:49.44,0:47:51.20,Default,,0000,0000,0000,,just go back to the
Dialogue: 0,0:47:51.20,0:47:53.20,Default,,0000,0000,0000,,Event Summary here because this is very
Dialogue: 0,0:47:53.20,0:47:55.12,Default,,0000,0000,0000,,important--
Dialogue: 0,0:47:55.12,0:47:57.28,Default,,0000,0000,0000,,you can set this as your main dashboard.
Dialogue: 0,0:47:57.28,0:47:58.96,Default,,0000,0000,0000,,So if you right-click here, you can set
Dialogue: 0,0:47:58.96,0:48:01.52,Default,,0000,0000,0000,,this as your home dashboard.
Dialogue: 0,0:48:01.52,0:48:03.60,Default,,0000,0000,0000,,So I'll just click on that there.
Dialogue: 0,0:48:03.60,0:48:05.44,Default,,0000,0000,0000,,And now you'll see on your dashboard
Dialogue: 0,0:48:05.44,0:48:08.24,Default,,0000,0000,0000,,here, if I just close that top menu,
Dialogue: 0,0:48:08.24,0:48:10.24,Default,,0000,0000,0000,,that'll actually be displayed there. So
Dialogue: 0,0:48:10.24,0:48:12.32,Default,,0000,0000,0000,,give it a couple of seconds.
Dialogue: 0,0:48:12.32,0:48:15.28,Default,,0000,0000,0000,,And, of course, you can click on the cogwheel here
Dialogue: 0,0:48:16.24,0:48:19.28,Default,,0000,0000,0000,,and essentially display--whatever--
Dialogue: 0,0:48:19.28,0:48:21.52,Default,,0000,0000,0000,,you know, you can specify your default
Dialogue: 0,0:48:21.52,0:48:23.20,Default,,0000,0000,0000,,dashboard. Now, there are a couple of
Dialogue: 0,0:48:23.20,0:48:25.60,Default,,0000,0000,0000,,other ones that are created by default.
Dialogue: 0,0:48:25.60,0:48:28.06,Default,,0000,0000,0000,,But yeah, you can have that on your dashboard.
Dialogue: 0,0:48:28.40,0:48:31.04,Default,,0000,0000,0000,,And, you know, if you actually click
Dialogue: 0,0:48:31.04,0:48:33.84,Default,,0000,0000,0000,,on the Snort--the Snort Alerts for Splunk here--
Dialogue: 0,0:48:33.84,0:48:36.24,Default,,0000,0000,0000,,and we'll just go back into that Snort
Dialogue: 0,0:48:36.24,0:48:38.24,Default,,0000,0000,0000,,Event Summary tab,
Dialogue: 0,0:48:38.24,0:48:40.88,Default,,0000,0000,0000,,you can actually edit the way these
Dialogue: 0,0:48:40.88,0:48:44.24,Default,,0000,0000,0000,,particular panels are tiled. So,
Dialogue: 0,0:48:44.24,0:48:46.08,Default,,0000,0000,0000,,you know, you can convert it to a
Dialogue: 0,0:48:46.08,0:48:48.88,Default,,0000,0000,0000,,prebuilt panel or, you know,
Dialogue: 0,0:48:48.88,0:48:50.40,Default,,0000,0000,0000,,you can--you can actually convert it to a
Dialogue: 0,0:48:50.40,0:48:52.96,Default,,0000,0000,0000,,prebuilt panel. You can get rid of it.
Dialogue: 0,0:48:52.96,0:48:54.72,Default,,0000,0000,0000,,You can also move them around based
Dialogue: 0,0:48:54.72,0:48:57.44,Default,,0000,0000,0000,,on your own requirements. And, in this
Dialogue: 0,0:48:57.44,0:48:59.68,Default,,0000,0000,0000,,case, you can actually--let's see if I can
Dialogue: 0,0:48:59.68,0:49:02.27,Default,,0000,0000,0000,,show you. You can actually select the visualization.
Dialogue: 0,0:49:02.48,0:49:04.24,Default,,0000,0000,0000,,So, in this case, I think the default
Dialogue: 0,0:49:04.24,0:49:06.08,Default,,0000,0000,0000,,one is fine, and you can then view the
Dialogue: 0,0:49:06.08,0:49:07.92,Default,,0000,0000,0000,,report here. So
Dialogue: 0,0:49:08.96,0:49:11.36,Default,,0000,0000,0000,,if we click on this one here, for example,
Dialogue: 0,0:49:11.36,0:49:13.28,Default,,0000,0000,0000,,we could actually use the bar graph to
Dialogue: 0,0:49:13.28,0:49:17.20,Default,,0000,0000,0000,,display the--you know--the number of--the actual--
Dialogue: 0,0:49:17.20,0:49:19.44,Default,,0000,0000,0000,,the top source countries, and have
Dialogue: 0,0:49:19.44,0:49:21.60,Default,,0000,0000,0000,,them displayed in a bar graph style. But
Dialogue: 0,0:49:21.60,0:49:23.28,Default,,0000,0000,0000,,we can just take it back into the pie
Dialogue: 0,0:49:23.28,0:49:25.60,Default,,0000,0000,0000,,chart there. And you can also change this
Dialogue: 0,0:49:25.60,0:49:27.44,Default,,0000,0000,0000,,for the events as well.
Dialogue: 0,0:49:27.44,0:49:29.36,Default,,0000,0000,0000,,So, you know, if we wanted to view a
Dialogue: 0,0:49:29.36,0:49:32.24,Default,,0000,0000,0000,,trend, we can click on the bar graph there.
Dialogue: 0,0:49:32.24,0:49:34.00,Default,,0000,0000,0000,,In this case, I don't think that's
Dialogue: 0,0:49:34.00,0:49:37.04,Default,,0000,0000,0000,,formatted correctly. So if we just use
Dialogue: 0,0:49:37.04,0:49:39.44,Default,,0000,0000,0000,,the default one,
Dialogue: 0,0:49:39.44,0:49:42.88,Default,,0000,0000,0000,,which I believe was--I think it was--no,
Dialogue: 0,0:49:42.88,0:49:46.16,Default,,0000,0000,0000,,that wasn't the one. I believe it was--
Dialogue: 0,0:49:46.16,0:49:47.92,Default,,0000,0000,0000,,let's see if I can identify it here. It
Dialogue: 0,0:49:47.92,0:49:50.80,Default,,0000,0000,0000,,was the number. There we are. So,
Dialogue: 0,0:49:50.80,0:49:53.92,Default,,0000,0000,0000,,as I said, you can customize this based on your own--
Dialogue: 0,0:49:53.92,0:49:57.44,Default,,0000,0000,0000,,you know--your own requirements. So, for example,
Dialogue: 0,0:49:57.44,0:49:59.84,Default,,0000,0000,0000,,this one might do well if it was in the
Dialogue: 0,0:49:59.84,0:50:02.24,Default,,0000,0000,0000,,form of a bar graph. So, you know,
Dialogue: 0,0:50:02.24,0:50:04.24,Default,,0000,0000,0000,,you can utilize that if you feel that
Dialogue: 0,0:50:04.24,0:50:06.32,Default,,0000,0000,0000,,that is appropriate.
Dialogue: 0,0:50:06.32,0:50:08.32,Default,,0000,0000,0000,,In this case, you know, we can also
Dialogue: 0,0:50:08.32,0:50:11.92,Default,,0000,0000,0000,,specify the actual--you know--we can
Dialogue: 0,0:50:11.92,0:50:14.56,Default,,0000,0000,0000,,actually list the events themselves.
Dialogue: 0,0:50:14.56,0:50:16.08,Default,,0000,0000,0000,,Let's see which other ones look
Dialogue: 0,0:50:16.08,0:50:17.92,Default,,0000,0000,0000,,really good here.
Dialogue: 0,0:50:17.92,0:50:19.76,Default,,0000,0000,0000,,And yeah, once you're done with the
Dialogue: 0,0:50:19.76,0:50:22.08,Default,,0000,0000,0000,,customization, you can then cancel or
Dialogue: 0,0:50:22.08,0:50:24.56,Default,,0000,0000,0000,,save based on your requirements. And you
Dialogue: 0,0:50:24.56,0:50:27.20,Default,,0000,0000,0000,,can also filter on this particular tab
Dialogue: 0,0:50:27.20,0:50:30.76,Default,,0000,0000,0000,,here, you know, through the source IP, destination IP, etc.
Dialogue: 0,0:50:31.28,0:50:35.34,Default,,0000,0000,0000,,Let's see, what else did I want to highlight?
Dialogue: 0,0:50:35.34,0:50:38.00,Default,,0000,0000,0000,,Let me just refresh this once more
Dialogue: 0,0:50:38.00,0:50:41.31,Default,,0000,0000,0000,,and, you know, to essentially get the latest data.
Dialogue: 0,0:50:42.48,0:50:46.28,Default,,0000,0000,0000,,And you can see, in terms of the panels,
Dialogue: 0,0:50:46.28,0:50:49.52,Default,,0000,0000,0000,,this will display the last 100 attempts.
Dialogue: 0,0:50:49.52,0:50:52.96,Default,,0000,0000,0000,,And you can go through them like so.
Dialogue: 0,0:50:53.60,0:50:55.84,Default,,0000,0000,0000,,You can also view--I think we've gone
Dialogue: 0,0:50:55.84,0:50:57.12,Default,,0000,0000,0000,,through all of them--but you have the
Dialogue: 0,0:50:57.12,0:50:59.44,Default,,0000,0000,0000,,persistent sources. So, two or more days
Dialogue: 0,0:50:59.44,0:51:01.36,Default,,0000,0000,0000,,of activity in the last 30 days. So you
Dialogue: 0,0:51:01.36,0:51:03.04,Default,,0000,0000,0000,,actually need a lot of data for that to
Dialogue: 0,0:51:03.04,0:51:06.24,Default,,0000,0000,0000,,be displayed or to give you anything useful.
Dialogue: 0,0:51:07.52,0:51:09.76,Default,,0000,0000,0000,,Yep. So that is
Dialogue: 0,0:51:09.76,0:51:11.68,Default,,0000,0000,0000,,what I wanted to highlight in regards to
Dialogue: 0,0:51:11.68,0:51:14.08,Default,,0000,0000,0000,,the Snort Alerts for Splunk app and the
Dialogue: 0,0:51:14.08,0:51:15.84,Default,,0000,0000,0000,,actual dashboards, which, as I said, it
Dialogue: 0,0:51:15.84,0:51:17.36,Default,,0000,0000,0000,,already does for you.
Dialogue: 0,0:51:17.36,0:51:19.12,Default,,0000,0000,0000,,Now, you can create your own dashboard, as
Dialogue: 0,0:51:19.12,0:51:22.72,Default,,0000,0000,0000,,I said, if I go back into Apps > Search and Reporting,
Dialogue: 0,0:51:22.72,0:51:25.20,Default,,0000,0000,0000,,based on your own sources. So I'll just
Dialogue: 0,0:51:25.20,0:51:27.28,Default,,0000,0000,0000,,click on Data Summary there. And if I
Dialogue: 0,0:51:27.28,0:51:29.28,Default,,0000,0000,0000,,click on Sources,
Dialogue: 0,0:51:29.28,0:51:30.96,Default,,0000,0000,0000,,you can click on
Dialogue: 0,0:51:30.96,0:51:33.84,Default,,0000,0000,0000,,this source here, for example. And,
Dialogue: 0,0:51:33.84,0:51:36.64,Default,,0000,0000,0000,,you know, in this case, we can actually
Dialogue: 0,0:51:36.64,0:51:39.68,Default,,0000,0000,0000,,just click on that there. And I can click
Dialogue: 0,0:51:39.68,0:51:41.92,Default,,0000,0000,0000,,on Extract Fields,
Dialogue: 0,0:51:41.92,0:51:43.36,Default,,0000,0000,0000,,and you can extract the fields with
Dialogue: 0,0:51:43.36,0:51:46.32,Default,,0000,0000,0000,,regex. So I'll click on Next there.
Dialogue: 0,0:51:46.32,0:51:47.76,Default,,0000,0000,0000,,And you can then select the fields that
Dialogue: 0,0:51:47.76,0:51:50.40,Default,,0000,0000,0000,,you want. So, for example, in this case, we
Dialogue: 0,0:51:50.40,0:51:52.72,Default,,0000,0000,0000,,would want the date and time.
Dialogue: 0,0:51:52.72,0:51:55.28,Default,,0000,0000,0000,,So I can just highlight that there. So I
Dialogue: 0,0:51:55.28,0:51:56.32,Default,,0000,0000,0000,,can say
Dialogue: 0,0:51:56.32,0:51:59.52,Default,,0000,0000,0000,,time, for example, add the extraction.
Dialogue: 0,0:51:59.52,0:52:02.00,Default,,0000,0000,0000,,And then, of course, we have the source IP
Dialogue: 0,0:52:02.00,0:52:03.84,Default,,0000,0000,0000,,and the port. But I'll just highlight
Dialogue: 0,0:52:03.84,0:52:05.68,Default,,0000,0000,0000,,them together. But I think it's actually
Dialogue: 0,0:52:05.68,0:52:08.63,Default,,0000,0000,0000,,recommended just to highlight the source IP there.
Dialogue: 0,0:52:08.88,0:52:15.28,Default,,0000,0000,0000,,So source--we can say src underscore port, IP.
Dialogue: 0,0:52:15.52,0:52:18.48,Default,,0000,0000,0000,,Add that extraction, and we then have the
Dialogue: 0,0:52:18.48,0:52:20.80,Default,,0000,0000,0000,,destination IP, which, in this case,
Dialogue: 0,0:52:20.80,0:52:22.56,Default,,0000,0000,0000,,because this is
Dialogue: 0,0:52:22.56,0:52:25.52,Default,,0000,0000,0000,,an SNMP broadcast
Dialogue: 0,0:52:25.52,0:52:27.52,Default,,0000,0000,0000,,request, we can--we know that that's the
Dialogue: 0,0:52:27.52,0:52:34.45,Default,,0000,0000,0000,,destination IP. So I'll say dst underscore IP, add the extraction.
Dialogue: 0,0:52:34.45,0:52:38.04,Default,,0000,0000,0000,,Let's see what else we can do.
Dialogue: 0,0:52:40.08,0:52:41.44,Default,,0000,0000,0000,,In this case, it's saying the extraction
Dialogue: 0,0:52:41.44,0:52:42.96,Default,,0000,0000,0000,,field you're extracting--if you're
Dialogue: 0,0:52:42.96,0:52:45.04,Default,,0000,0000,0000,,extracting multiple fields, try removing
Dialogue: 0,0:52:45.04,0:52:47.04,Default,,0000,0000,0000,,one or more fields. Start with the
Dialogue: 0,0:52:47.04,0:52:48.72,Default,,0000,0000,0000,,extractions that are embedded within
Dialogue: 0,0:52:48.72,0:52:51.68,Default,,0000,0000,0000,,longer strings. Okay. So let's try and use
Dialogue: 0,0:52:51.68,0:52:54.40,Default,,0000,0000,0000,,another alert here
Dialogue: 0,0:52:54.40,0:52:58.12,Default,,0000,0000,0000,,that was kind of interesting. Let's see.
Dialogue: 0,0:52:58.32,0:53:00.48,Default,,0000,0000,0000,,It's not displaying all of them here, but
Dialogue: 0,0:53:00.48,0:53:02.80,Default,,0000,0000,0000,,you get the idea. Once you're done--
Dialogue: 0,0:53:02.80,0:53:04.48,Default,,0000,0000,0000,,you know, for example, I can remove
Dialogue: 0,0:53:04.48,0:53:06.08,Default,,0000,0000,0000,,that field here. I'm just giving you an
Dialogue: 0,0:53:06.08,0:53:08.72,Default,,0000,0000,0000,,example of that. So remove that field.
Dialogue: 0,0:53:08.72,0:53:12.00,Default,,0000,0000,0000,,There we are. I can then say Next, and
Dialogue: 0,0:53:12.00,0:53:15.44,Default,,0000,0000,0000,,I can click on Validate and Save based
Dialogue: 0,0:53:15.44,0:53:18.24,Default,,0000,0000,0000,,on those fields there. Hit Finish.
Dialogue: 0,0:53:18.24,0:53:20.80,Default,,0000,0000,0000,,And then, you know, I can go back,
Dialogue: 0,0:53:20.80,0:53:23.36,Default,,0000,0000,0000,,you know, to Search and Reporting.
Dialogue: 0,0:53:23.36,0:53:25.28,Default,,0000,0000,0000,,And if I wanted to create a very simple
Dialogue: 0,0:53:25.28,0:53:27.84,Default,,0000,0000,0000,,visualization, which I'll show you right now--
Dialogue: 0,0:53:27.84,0:53:30.00,Default,,0000,0000,0000,,even though I don't really need those
Dialogue: 0,0:53:30.00,0:53:31.92,Default,,0000,0000,0000,,extracted fields, although they might be
Dialogue: 0,0:53:31.92,0:53:33.28,Default,,0000,0000,0000,,useful--so
Dialogue: 0,0:53:33.28,0:53:36.08,Default,,0000,0000,0000,,I can click on those extracted fields
Dialogue: 0,0:53:36.08,0:53:39.76,Default,,0000,0000,0000,,now. I believe they should have been added.
Dialogue: 0,0:53:39.76,0:53:41.20,Default,,0000,0000,0000,,I'm not really sure why they aren't
Dialogue: 0,0:53:41.20,0:53:43.44,Default,,0000,0000,0000,,being highlighted here. There we are.
Dialogue: 0,0:53:43.44,0:53:45.20,Default,,0000,0000,0000,,So source IP.
Dialogue: 0,0:53:45.20,0:53:47.76,Default,,0000,0000,0000,,We can also, say, specify the source port.
Dialogue: 0,0:53:47.76,0:53:50.24,Default,,0000,0000,0000,,We--oh, there they are. So
Dialogue: 0,0:53:50.24,0:53:51.76,Default,,0000,0000,0000,,actually, they took a while to be
Dialogue: 0,0:53:51.76,0:53:53.60,Default,,0000,0000,0000,,displayed there. So,
Dialogue: 0,0:53:53.60,0:53:56.56,Default,,0000,0000,0000,,source port--that--why not? We can--
Dialogue: 0,0:53:56.56,0:53:59.92,Default,,0000,0000,0000,,yeah, I think that's pretty much it. So
Dialogue: 0,0:53:59.92,0:54:02.08,Default,,0000,0000,0000,,based on those, we can actually build
Dialogue: 0,0:54:02.08,0:54:04.48,Default,,0000,0000,0000,,an event type. However, if we go to
Dialogue: 0,0:54:04.48,0:54:07.52,Default,,0000,0000,0000,,Visualization and click on Pivot here--
Dialogue: 0,0:54:07.52,0:54:10.64,Default,,0000,0000,0000,,selected fields is five--hit OK.
Dialogue: 0,0:54:10.64,0:54:12.56,Default,,0000,0000,0000,,We can actually, you know, visualize this
Dialogue: 0,0:54:12.56,0:54:14.32,Default,,0000,0000,0000,,however we want. So, for example, if I
Dialogue: 0,0:54:14.32,0:54:17.12,Default,,0000,0000,0000,,wanted a column chart here--
Dialogue: 0,0:54:17.12,0:54:19.68,Default,,0000,0000,0000,,so number one will display the count--
Dialogue: 0,0:54:19.68,0:54:22.91,Default,,0000,0000,0000,,I can just add the events
Dialogue: 0,0:54:24.08,0:54:26.32,Default,,0000,0000,0000,,because that's the count. And we should
Dialogue: 0,0:54:26.32,0:54:28.72,Default,,0000,0000,0000,,have, at the bottom, the time, which I did
Dialogue: 0,0:54:28.72,0:54:33.09,Default,,0000,0000,0000,,specify--I believe within that range there--
Dialogue: 0,0:54:34.00,0:54:36.72,Default,,0000,0000,0000,,but that's not being highlighted here. So
Dialogue: 0,0:54:36.72,0:54:39.28,Default,,0000,0000,0000,,the number of events--and, you know, you
Dialogue: 0,0:54:39.28,0:54:41.84,Default,,0000,0000,0000,,can go ahead and click as--you can
Dialogue: 0,0:54:41.84,0:54:43.44,Default,,0000,0000,0000,,essentially save it.
Dialogue: 0,0:54:43.44,0:54:45.28,Default,,0000,0000,0000,,So you get the idea. You don't really
Dialogue: 0,0:54:45.28,0:54:46.88,Default,,0000,0000,0000,,need to do this because we have the
Dialogue: 0,0:54:46.88,0:54:48.48,Default,,0000,0000,0000,,Snort app here,
Dialogue: 0,0:54:48.48,0:54:50.08,Default,,0000,0000,0000,,which pretty much gives you the
Dialogue: 0,0:54:50.08,0:54:52.88,Default,,0000,0000,0000,,summaries that are useful to you or for you.
Dialogue: 0,0:54:53.84,0:54:56.56,Default,,0000,0000,0000,,And there we are. So fantastic. So that's
Dialogue: 0,0:54:56.56,0:54:57.92,Default,,0000,0000,0000,,going to conclude the practical
Dialogue: 0,0:54:57.92,0:55:01.12,Default,,0000,0000,0000,,demonstration side of this video.
Dialogue: 0,0:55:01.12,0:55:02.80,Default,,0000,0000,0000,,So, thank you very much for watching
Dialogue: 0,0:55:02.80,0:55:04.56,Default,,0000,0000,0000,,this video. If you have any questions or
Dialogue: 0,0:55:04.56,0:55:06.88,Default,,0000,0000,0000,,suggestions, leave them in the comment section.
Dialogue: 0,0:55:07.20,0:55:08.56,Default,,0000,0000,0000,,If you want to reach out to me, you can
Dialogue: 0,0:55:08.56,0:55:10.16,Default,,0000,0000,0000,,do so via
Dialogue: 0,0:55:10.16,0:55:12.32,Default,,0000,0000,0000,,Twitter or the Discord server. The links
Dialogue: 0,0:55:12.32,0:55:14.24,Default,,0000,0000,0000,,to both of those are in the description
Dialogue: 0,0:55:14.24,0:55:16.72,Default,,0000,0000,0000,,section. Furthermore, we are now moving on
Dialogue: 0,0:55:16.72,0:55:18.72,Default,,0000,0000,0000,,to part two. So this will conclude part
Dialogue: 0,0:55:18.72,0:55:21.04,Default,,0000,0000,0000,,one. Part two will be available on the
Dialogue: 0,0:55:21.04,0:55:24.56,Default,,0000,0000,0000,,Linode ON24 platform. So, the videos
Dialogue: 0,0:55:24.56,0:55:26.56,Default,,0000,0000,0000,,are available on-demand. So all you
Dialogue: 0,0:55:26.56,0:55:28.56,Default,,0000,0000,0000,,need to do is just click the link
Dialogue: 0,0:55:28.56,0:55:31.60,Default,,0000,0000,0000,,in the description, register for part two,
Dialogue: 0,0:55:31.60,0:55:33.52,Default,,0000,0000,0000,,after which an email will be sent to you,
Dialogue: 0,0:55:33.52,0:55:34.72,Default,,0000,0000,0000,,and you'll be given--you know--
Dialogue: 0,0:55:34.72,0:55:37.20,Default,,0000,0000,0000,,immediate access to the videos
Dialogue: 0,0:55:37.20,0:55:40.00,Default,,0000,0000,0000,,within part two. So, thank you very
Dialogue: 0,0:55:40.00,0:55:42.80,Default,,0000,0000,0000,,much for watching part one. In the
Dialogue: 0,0:55:42.80,0:55:45.04,Default,,0000,0000,0000,,next video, in part two, we'll get started--
Dialogue: 0,0:55:45.04,0:55:46.64,Default,,0000,0000,0000,,or we'll take a look--at host intrusion
Dialogue: 0,0:55:46.64,0:55:49.52,Default,,0000,0000,0000,,detection with OSSEC. So I'll be seeing
Dialogue: 0,0:55:49.52,0:55:51.38,Default,,0000,0000,0000,,you in the next video.
Dialogue: 0,0:55:51.38,0:56:12.43,Default,,0000,0000,0000,,[Music].