Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up or how to perform security event monitoring with Splunk, more specifically, Splunk Enterprise Security. Right? So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is we are essentially going to take all the knowledge that we've learned during the Snort video, and we are going to essentially forward all of the Snort logs into Splunk or have that done automatically through the Splunk Universal Forwarder so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with the Splunk Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic, you know, within the network that I'm monitoring. At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk. Now before we move any further or we actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, you know, and how it's used generally speaking. Because Splunk is not really a tool that is specific to security, for example. That's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security--the Enterprise Security edition--and how it can be used for security event monitoring, especially in our case because we want to essentially monitor the intrusion detection logs generated by Snort. 
So we'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it. So that'll set it up for us. We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes. With that being said, given the fact that we're going to be using, you know, we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that as it'll help you set up Snort, and you can then run through this demo. With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for, you know, analysis and monitoring. So the prerequisites are the same as the previous videos. The only difference is, you know, that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements and, yeah, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you out or help you get started. Alright. So let's get an introduction to Splunk. So what is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. 
So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0 or, you know, the interconnected world we live in today. And we're going to be looking at it from the context of or from the perspective of security. So if we take a simple system--let's say we have a Windows operating system or a system running Windows--well, that Windows system produces a lot of data or logs that, you know, contain information that, you know, at first glance might not seem that important. But once you start getting into specific sectors like security, those logs start, you know, those logs have, you know, very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization. They have a thousand computers within their network or, you know, distributed worldwide. And all of these systems, you know, need to be secured. Their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. So Splunk allows you to essentially funnel all of this data produced by systems or machines into Splunk. And then Splunk allows you to monitor, search, and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this from the lens of a security engineer. Alright. So Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. Alright. 
So what I'm saying here is that Splunk allows you to take all of this security-related logs and data and make sense of them and essentially get the answers that you're looking for. So, for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised. There could be some malicious network traffic or activity going on. A system could be compromised, etc., etc. You get the idea. So we need that data to be displayed to us as a security engineer. And Splunk is really one of the best tools, you know, when it comes down to, you know, taking a lot of data and then identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart, or graph. Right. So that's really what we're going to be doing. And as I said, going back to the scenario, we're going to be focusing on how to, you know, essentially get in or how to forward the logs created--or the logs and alerts created--by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app or plug-in, if you will, that will essentially simplify this process. So, let's get an idea as to, you know, how we can use Splunk for security event monitoring. So Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks or threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. 
Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring because what it does--and this is really cool--is it automatically forwards the latest logs, even when Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic. So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check that out by clicking on the link within this slide. And you can learn more about the Splunk Enterprise Security edition from that particular link. Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. So we're going to spin up, you know, Splunk ES on Linode. Now, again, to follow through with this, you know, Linode has been absolutely fantastic with, you know, by providing all of you guys with a way to get $100 in free Linode credit. All you need to do is just click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then within my internal network, we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort. This is the same virtual machine that we had set up and used to set up Snort and set up Suricata and the one we had used with Wazuh. And, yeah, that's essentially it. 
We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will essentially perform or run a couple of commands or scripts to essentially emulate malicious network activity so that these logs are essentially--so this traffic is essentially logged--and that'll provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions. So as I said, you don't really need to have a Windows workstation. You simply need to have the Ubuntu VM, and you can pretty much run everything from it. And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues. So that's the lab environment. We can now get started with the practical demonstration. So I'm going to switch over to my Ubuntu virtual machine. Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet because we're going to be walking through the process together. I then have the Splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and, you know, register for an account. It's free. Once that is done, you'll need to activate your account or verify your account through the verification email they'll send you. Once that is done, we can then move forward. Because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, you know, in this case, I'll be going through everything as we move along in a structured manner. And then to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. So this is essentially a bash script that allows you to--as you can see here-- it allows you to essentially emulate or simulate malicious network traffic. 
So, previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, an EXE or DLL download over HTTP. So, you know, we can run tests that, you know, will just make our intrusion detection system blow up in terms of alerts. And that's what we want because we want to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode. So just click on “Create a Linode” and click on “Marketplace.” And they already have Splunk here. So there we are. You can click on that there. And if you click on this little info button here, it'll give you an idea as to how to deploy it on Linode. And, of course, you have more information regarding Splunk. So you have the documentation link there. So I'll just click on Splunk. Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using “admin” to begin with and then specify a password. If you're setting up, you know, Splunk on a domain, then you can specify the Linode API token to essentially create the DNS records--that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this “admin.” And then for the admin user, we'll just say provide that there. So the image--we're going to set it up on Ubuntu 20.04. The region--I’ll say London because that's closest to me. 
As for the actual Linode plan, Splunk ES doesn't require that many resources, especially because, you know, the amount of data that we're processing or the logs that are being forwarded to Splunk are relatively few--so less than 100--which, if you've used Splunk before for security event monitoring, you know that that is really, really small. In fact, Splunk will actually tell you, you know, that the amount of data to begin with that you have imported or forwarded is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So I'll just say “Splunk,” and I'll provide my root password for the server. And we can click on “Create.” Alright. Now, once this is set up and provisioned, the actual installer is going to begin. So it's going to run, because there is an auto-installer that will set up Splunk for you. So, let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH. And of course, one thing that I don't need to tell you is, if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux--the Linux Server Security series. They'll give you, you know, all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. And we can then get started, you know, officially with how to set up Splunk. We then need to set up the Universal Forwarder. So, this is booting now. Alright. So the server is booted, and you can see I've just opened up the Lish console here to essentially view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes to essentially begin. 
And once it's done, it'll actually tell you that, and it'll provide you with the login prompt. But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to actually conclude. Alright. So once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete," and you can then log in. Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, which is the uncomplicated firewall for Debian, or it typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. So I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status. And you can see these are all the allowed rules or the actual rules configured for the firewall, which is looking good so far. So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. So just give this a couple of seconds. There we are. And the credentials that we had used were "admin" and the password that I created--that, you know, of course, you'll be able to specify yourself. So just sign in. And once that is done, you'll be brought to Splunk Enterprise Security here. So there we are--explore Splunk Enterprise. And in this case, what we're going to be doing--what we're going to start off with-- is we need to go through a few configuration changes with Splunk itself. So the idea, firstly, is to configure the actual receiving of data. So if you head over into "Settings," you can click on "Data," then just click on "Forwarding and Receiving." 
And once that is done--once that is loaded up-- under "Receive Data," we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port. So we can say "New Receiving Port," and the port is, of course, going to be the default, which is 9997--which is why that firewall rule was added. So I'll click on Save. Alright. So once that is done, we can now install the Snort app for Splunk. So click on "Apps" and head over into "Find More Apps." And because the Ubuntu server is running-- or the Ubuntu VM that I'm currently working on is running--Snort 2, we'll need the appropriate app here. So I'll just search for "Snort" there. And we're not looking for the Snort 3 JSON alerts, although that, you know, could be quite useful, but we want the Snort alert for Splunk. Alright. So this app provides field extraction. So that's really great because performing your own field extractions using regex can be quite difficult if you're a beginner. So fast and full, as well as dashboards, saved searches, reports, event types, tags, and event search interfaces. So we'll install that. Now you'll need to log in with your Splunk account credentials that you, you know, actually created on splunk.com. So I'll just fill in my information really quickly. Alright. So I've put in my username and password. So I'll just say I'll accept the terms and conditions there. So log in and install. That's going to install it. There we are. So we'll just hit "Done." Now that that is done, if we head back over into our dashboard--so I'll just click on Splunk Enterprise there-- you can now see we have Snort Alert for Splunk. So that already comes preconfigured with a dashboard. So we'll just let this load up here. And you can see that we don't have any data yet. So this will display your events and sources, top source countries, the events. This is very important--these sources, top 10 classification. 
So that'll classify your alerts in terms of the type, which again will make sense in a couple of seconds. So now that that is done, we actually need to configure the actual Splunk Universal Forwarder. So I'll just open that up in a new tab. It's absolutely free to download the Debian client or the Splunk Universal Forwarder Debian package. So Universal Forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data. So again, you can actually see why Splunk is so powerful and why it's widely used and deployed--because of the fact that you can literally forward a ton of data from a ton of systems into Splunk. So because Snort is running on this Ubuntu VM, we need the Debian package. So I'll click on Linux, and we want the 64-bit version. Again, you can choose one based on your requirements. So if you're running on Red Hat, Fedora, or CentOS, you can use the RPM package. So I'll just download the Debian package here. Give that a couple of seconds. It's then going to begin downloading it, and then I'll walk you through the setup process. So there we are. It's begun the setup. And once that is done, I'll open up my terminal. So that's saved in the Downloads directory. So if we check--if we head over into the Downloads directory--you can see we have the Splunk Forwarder Debian package there. So what we want to do, firstly, is we want to move this package into the actual /opt directory on Linux, which will essentially allow us to, you know, to set it up as optional software. And it's really good to have all that optional software stored in the directory. So, once that is done and once that's downloaded, we can mv the splunkforwarder package into /opt, and we'll need sudo privileges. So I'll say sudo mv. There we are. And I'll just type in my password. Fantastic. 
So now navigate to the opt directory. And to install this, we can say sudo apt, and then we can specify install. So we can say sudo apt install, and then we specify the package itself--splunkforwarder--and we're just going to hit enter. That's going to install it for you. Give that a couple of seconds. Alright. So once that is installed, if you list out the contents of this directory, you're gonna have a Splunk forwarder directory here. So I'll say cd splunkforwarder. And under the binary directory, we can navigate to that here. We'll need to start Splunk. So we will say sudo, and the binary we want to run is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it. So we need to specify the username and password, or, you know, create a username and password. And once that is done, you'll actually see what that looks like. So I'll just say accept the license. And, you can see in this case, let's see if I typed that incorrectly. That should actually start. So splunk start. I did not specify start there. There we are. So please enter an administrator name. I'll just say admin. So again, Splunk software must create an administrator account during startup. Otherwise, you cannot log in. So create credentials for the administrator account. So in this case, you can create whatever you want. I'm just going to fill in my credentials here. Alright, so I've just entered my administrator username and then, of course, my password. So that is done. So it'll go through-- it'll essentially go through and check the prerequisites. New certs have been generated in the following directory, and all the preliminary checks have passed. So starting the Splunk server daemon--so that started. You can also enable it to run on system startup. So if I say, you know, for example, sudo systemctl status splunk, let me type that correctly here. So splunk-- sorry, systemctl, and we can say splunkd. Sorry. 
So we can say splunk. I'm not really sure why that's not loading here. But I do know that the daemon is running, and there should be an init daemon for that. But in any case, you can always start it that way. Once that is done, we will need to add our forward server. So we need to add the address of the server--the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second. But let's do that first. So again, we're going to use the Splunk binary, and we're going to say forward-server. And we'll just copy the IP address of your Splunk server here. So there we are. And I'll paste that in there. And then you need to type in the port--so 9997, that's the port to connect to. Hit enter. So splunk forward-- yeah, we need to add it. I keep forgetting the preliminary command. So add forward-server, Splunk username. So in this case, let me just put in my credentials here. Alright. And it's going to then add the forwarding to that particular address. Alright. Now that that is done, we actually need to configure a particular file, and that is going to be the outputs.conf directory. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So, if we head over into the following directory--so I'll just take a step back-- we're still in the Splunk forwarder directory. We'll head over into the etc directory. And under system, we have a file under local, I think. It is called outputs here. Right? So I'm going to say sudo vim outputs.conf. And really, the only thing that is required here is, of course, just leave the default configuration as is. The default group is fine. So tcpout:default-autolb-group, that's fine. So make sure that the server option here is configured--that's the most important. And the tcpout-server address is also configured in this format. So we don't need to make any changes there. So I'll just say quit and exit. 
Once that is done, we also need to check the actual inputs configuration file. But before we do that, let's take a look. So if you revisit the Snort video, you know that all the logs are stored under /var/log/snort. Right? So we have the alert log, and we also have--so again, based on the type of alerts you want generated--so, you know, if I say man snort here, you can see that we have the alert mode. So you can use the fast mode or the full mode. In this case, I'll be using the fast mode, and I'll give you a description of what's going on here. Right? So full writes the alert to the alert file with the full decoded header as well as the alert message, which might be important. So we can also do that as well. So this was from the previous--from the Snort video where we had run... essentially run Snort and, you know, where we were identifying various alerts. So, what we can do is, again, we'll go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we have alert.1. Ideally, we would only want to forward this file into Splunk. So, in order to do this, what I'm going to do now is I'm just gonna run Snort really quickly. So I'm going to say sudo snort -q, for quiet, and then the actual directory for the logs is /var/log/snort. And then we can say the interface is enp0s3. Again, make sure to replace that with your own interface. The alert, we can say full, and the configuration is /etc/snort/snort.conf. I believe we had another configuration file. Yeah. We had used the snort.conf file. So I'll hit enter. And now let me open up my file explorer here. We take a look at the var directory under log. And under snort, we have alert. There we are. So, that has been modified. The last was modified right over there. Okay. So that's 19. Yeah. So this is the last modified. So I know this file is not human-readable. We are not going to be forwarding this .log file. 
So I'll just close that there. So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. So I'll just, you know, perform a ping really quickly. Again, the alerts will not be logged on our terminal because they're being logged, you know, into the respective alert file or the alert log file. So I'll just perform, you know, a few pings, as I was saying, which I'm doing right now on the attacker system. Once that is done, let's see whether those changes are being highlighted in alert. Indeed, they are. Okay. So now, as you can see here, this is the full-- these are... So to begin with, we had used the fast alert output mode. And right over here, we then have the full alert mode, which I'm not really sure how we want to go about doing this. But you can see, we can actually make a few changes. What we can do is we can get rid of this traffic here. But you can see the message is actually being logged. So we can get rid of this here because we don't want to mix fast alerts with the full mode. So we can just get rid of that there and save that. Once that is done, I'll just say-- we actually need permissions to modify that file. But, you know, what we can do is--what I am going to do actually is close without saving. I'm just going to stop Snort there. And I'm just going to say sudo rm /var/log/snort. And we're going to remove alert. Alright. And we're also going to remove alert.1. Alright. So I'm just going to run this again, just to see that the file is generated. So there we are. We have alert there. So now it's much cleaner. I'll just run a few pings, just to make sure that the traffic is being logged--all those alerts are being logged. So there we are. We have a few pings there. And we can also, you know, just run a few checks there. Okay. So there we are. We can see that those are now being logged. And of course, we can change the format based on-- well, you can change it based on your requirements. Right? 
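The field extraction that the Snort app does for you (mentioned when installing it above) can be seen in miniature with a few lines of awk. The script below is an added example, my own and not code from the video or from the Splunk Snort app: it pulls the classification, source address, rule ID and message out of Snort 2 fast-mode alert lines and tallies them the way the app's top-classification and top-sources panels do. The alert lines in SAMPLE_ALERTS are constructed for the example, not captured from the author's lab, and the interface name is a placeholder. It handles fast mode only: full-mode alerts (the -A full output used above) spread each alert over several lines, with the classification on its own line, so a per-line regex like this one does not fit them, which is one reason to let the app's snort_alert_full sourcetype handle the line breaking rather than writing your own extractions.

```shell
#!/usr/bin/env sh
# Added example (not from the video): pull the fields the Splunk Snort app
# extracts out of Snort 2 fast-mode alerts with awk, then tally them like the
# app's "top classification" / "top sources" dashboard panels.
set -e

SNORT_IFACE="${SNORT_IFACE:-enp0s3}"   # placeholder; replace with your interface

# Same invocation as in the video, with the alert mode as a parameter.
# Not run here; call: run_snort fast   (or: run_snort full)
run_snort() {
  sudo snort -q -l /var/log/snort -i "$SNORT_IFACE" -A "${1:-full}" -c /etc/snort/snort.conf
}

# Constructed sample of fast-mode alert lines (one alert per line). Real lines
# are what /var/log/snort/alert contains when Snort runs with -A fast.
SAMPLE_ALERTS='03/15-10:22:33.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 93.184.216.34:80 -> 192.168.1.20:54321
03/15-10:22:40.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.20
03/15-10:22:41.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.20
03/15-10:23:01.500000  [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:40212 -> 93.184.216.34:80'

# snort_field <class|src|sid|msg>: reads fast-mode alert lines on stdin and
# prints one extracted value per alert. Lines without "[**]" are ignored.
snort_field() {
  awk -v f="$1" '
    /\[\*\*\]/ {
      if (f == "class" && match($0, /\[Classification: [^]]*]/)) {
        # 17 chars of "[Classification: " in front, one "]" behind
        print substr($0, RSTART + 17, RLENGTH - 18)
      } else if (f == "src" && match($0, /} [^ ]+ -> /)) {
        s = substr($0, RSTART + 2, RLENGTH - 6)   # drop "} " and " -> "
        sub(/:[0-9]+$/, "", s)                    # strip the port; IPv4 assumed
        print s
      } else if (f == "sid" && match($0, /\[[0-9]+:[0-9]+:[0-9]+]/)) {
        print substr($0, RSTART + 1, RLENGTH - 2)  # gid:sid:rev
      } else if (f == "msg" && split($0, p, / \[\*\*\] /) >= 3) {
        m = p[2]; sub(/^\[[0-9:]+] /, "", m)       # text between the rule ID and the closing [**]
        print m
      }
    }'
}

# Count each value on stdin, most frequent first, printed as "<count> <value>".
top_values() {
  sort | uniq -c | sort -rn | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c " " $0 }'
}

echo "# top classifications"
printf '%s\n' "$SAMPLE_ALERTS" | snort_field class | top_values
echo "# top source addresses"
printf '%s\n' "$SAMPLE_ALERTS" | snort_field src | top_values
echo "# rule IDs and messages"
printf '%s\n' "$SAMPLE_ALERTS" | snort_field sid
printf '%s\n' "$SAMPLE_ALERTS" | snort_field msg

# Against a real fast-mode file:  snort_field class < /var/log/snort/alert | top_values
```

Pipe a real fast-mode alert file through `snort_field class | top_values` and you get the same ranking the dashboard's classification panel shows; the point of the exercise is that each of those panels is one such extraction plus a count, and that the regex must match the exact alert mode Snort was started with.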
So now that that is done, what we can do is we can close that up, and we can actually leave Snort running as is. So what I'll do is I'm just going to open up another tab. So just, you know--I can say Ctrl+Shift+T. There we are. And we're currently within the following directory: /opt/splunkforwarder/etc/system/local. So, once that is done, we now need to add the files that we would like to monitor or that we would like to forward. Right? So, the log files. I'll go back into the bin directory. So there we are--cd bin--because that's where we have the Splunk binary. So I'll say sudo splunk. And we can say add monitor. And the file that we want to forward is under /var/log/snort, and it is just alert. Right? So that's all. That's really all that we want to do. Right? And we can also utilize the fast alerts, but let's just do this for now. We only want the alerts--we don't want the actual log files that contain the packets themselves. So I'll hit Enter. Alright. So it's now going to forward those alerts into Splunk, which pretty much means that on our end, we are done. However, we still need to check one more configuration file. So I'll just take a step back here, and we'll head over into the /etc directory under apps/search, and then into local. I think we'll need root permissions to access this. So I'll just switch to the root user and head over into local. And we're looking for the inputs.conf file. Right? We need to actually configure this because this is very important. The first thing we want to do is--let us add a new line here. And within the square brackets, I'll just say [splunk-tcp]. And we then want to specify the port--so 9997. Let me make sure I type that in correctly. We then need to actually put in the connection. So the connection_host is going to be equal to the IP address of the Splunk server. So I'll just copy that there and paste that in there. Once that is done, this is fine here--disabled is set to false. We want index to be equal to main. 
And then the sourcetype is going to be equal to snort_alert_full. And we can then say the source is equal to snort. Alright? So this is a very important configuration. Let me just go through those options or configurations again. We have the splunk-tcp option. We then have the actual connection_host. The monitor is set correctly to that file. It's enabled, index=main, sourcetype=snort_alert_full, source=snort. Fantastic. So we'll write and quit. Once this is done, we'll need to restart Splunk. So I'll switch back to my user, Lexus, here, and we'll navigate back to the bin directory. So I'll say cd bin, and we'll say sudo splunk restart. Alright, hit Enter. It's going to stop the Splunk daemon, shut it down, restart it--and it's done successfully. So all the checks were completed without any issue. Alright, so now that this is done, we can actually go back into Splunk here, and we'll navigate to the dashboard. This is your Splunk server. Right? And let's take a look at the messages here. That's just a few updates--we don't need to do anything there. So if we click on Search & Reporting, just to verify that data has indeed been forwarded, I'll just skip through this. If we click on Data Summary, under Sources, you should see that we have the host. And in my case, the name of the system is blackbox, so that should be reflected there. So there we are--blackbox. We have 42 logs or alerts, if you will. Sources: 42. We can click on that there to just see the data that has been logged. Indeed, we can see that has been done correctly. So sourcetype is alert. We can see that it's imported, you know, pretty much all the data--or, you know, these are the... this is the full log whereby we have the reference to that there. That's weird--I didn’t actually run anything weird, but there you go. So now that this is done, you can use Splunk to essentially visualize this data however you want. So, you know, I can go into Visualization, and we can click on--maybe we can create a... 
we can select a few fields. If I go back into Events, I can select a few fields to display, and I can extract the fields I want with a regex. But I don't think that's necessary at this point, because if we go back to the dashboard and click on Snort Alerts for Splunk, let's see whether this automates that process for us. There we are; it looks like it does. Classification: bad-traffic. So that is working. What we can do now is run a few checks with the TestMyNIDS script. All you need to do to run it is copy this one-liner command, which downloads it into your /tmp directory and then executes it. To execute it again from your temp directory, you can just run the actual binary there. It is a binary, not a script. Once that is done, you can select an option. Let me do that on my attacker system; I'm going to run it one more time. I'll run ls here, and with the documentation open, I'll first run a quick Linux UID check. Hit Enter. Okay, that is done. I'll then perform an HTTP basic authentication test and a malware user-agent test, which I'm doing right now. Okay. And we can run one more: let's try the EXE or DLL download over HTTP. That is surely going to trigger an alert. That is running. Snort is running, which is great, so we know the alerts are being forwarded. Absolutely fantastic. Let's go back in here. I've already run those checks, so let me refresh this. I know it usually takes a couple of seconds to a couple of minutes, but that data should start to be reflected. There we are. Fantastic.
First, I'll explain the dashboard, because it is set up for you automatically by the Snort app, which is really awesome; as I said, you don't need to go through that process yourself. The first panel tells you your events, and it also displays the total number of sources. You also have the time: your events and then the timeline, so you can view the trend of events there. You then have the top source countries right over here. If I run another check quickly through the TestMyNIDS site (let me just run the curl command), then because a connection is made to an external server, it should reflect that under the top source countries. Then we have the events, which you can click on, and the sources. These are the Snort event types, and these are the classifications, so we can see potentially bad traffic, attempted information leak, and so on; you can just refresh your dashboard to get the latest. We'll give that a couple of seconds. You can also specify the refresh interval. I'll wait for this and see whether it's being logged and whether we can see all of that. I'll go back into the dashboard, into Search & Reporting, and click on Data Summary and then Sources. We can see we have snort there, and then /var/log/snort/alert. We click on snort there. Okay, so this is bad traffic. That's really weird, because the source is snort; we had two sources there. Data Summary, let me click on that, and if we click on Sources, this is the one that we want, ideally. Yeah, so that looks like the correct one; that's the correct traffic.
I think that's why the... let me see if I can find it. Snort Alerts for Splunk; let me click on the app. Show Filters. It should be displaying much more than that, because I know there are not just four. If we head over into Snort Event Search, we can search for... yeah, so this is only monitoring the pings. That's weird. I'm not really sure why we have two data sources. I think it has to do with the fact that... let me just go back here. Apps > Search, and sudo root. Let me check that: cd local, vim inputs.conf. There we are. The source is snort; we already specified the source as snort there, but it's also adding the alert file as a source as well. The sourcetype is snort_alert_full, index main. That should be working without any issues. I'm not really sure why that is the case, but we can customize which dataset we want to use, so let me showcase how to do that right now. Apologies about that; I actually figured out what the issue was. It was because the system I was running these attacks from wasn't even connected to the local network, and even though I was running the attacks, they of course weren't working. So I've reconnected it, and I'm going to run this one more time. Give me a second here. Let me navigate to that directory, and we'll see whether this works. You can see there's much more that has been captured in terms of events, and I'll be explaining this dashboard in a couple of seconds. Let me launch that first type of check. Of course, I'm using TestMyNIDS here.
Unfortunately, that wasn't even being logged, which is why I was a bit confused as to why those logs were not being displayed. I'll give that a couple of seconds, and we'll see this happen in real time as well. Alright, that is done; I've launched a couple of those tests. As I said, this is the default dashboard you're provided with. You can refresh all of these panels to display the latest data. And, because I performed the check and it connected to an external server, you can see that the top source countries are highlighted. You can also refresh the number of events and the number of sources, and the rest of the panels. These are the top 10 classifications by event count, and then the Snort event types. For example, here we have the Attack-Response ID Check; if we click on it, it displays that, and you can then click on the signature itself, which is for statistics. If you click on the Snort Event Search tab, you can see that this allows you to search by source IP, source port, destination IP, destination port and event type. So I can check for attack responses based on the rule set we used previously, and I can also specify the time range. That's really fantastic. You can see right over here that we have that logged. If we click on the Snort World Map, as you'll see in a couple of seconds, it displays the countries by source IP. In this case it should display the United States, which makes sense. And there we are. Again, this is extremely helpful, especially if you work in a SOC.
As I said, there are multiple security tools you can integrate with Splunk. One thing I wanted to highlight: if you click on Edit (I'll go back to the Event Summary here, because this is very important), you can set this as your main dashboard. If you right-click here, you can set it as your home dashboard. I'll click on that, and now on your dashboard, if I close that top menu, it will be displayed there. Give it a couple of seconds. You can also click on the cogwheel and specify your default dashboard. There are a couple of other ones created by default, but you can have this one on your dashboard. If you click on Snort Alerts for Splunk and go back into the Snort Event Summary tab, you can edit the way these panels are tiled. You can convert a panel to a prebuilt panel, you can get rid of it, and you can move panels around based on your own requirements. You can also select the visualization; let's see if I can show you. In this case I think the default one is fine, and you can then view the report. If we click on this one, for example, we could use a bar chart to display the top source countries, but we can take it back to the pie chart. You can change this for the events as well: if we wanted to view a trend, we could click on the bar chart. In this case I don't think that's formatted correctly, so let's use the default one, which I believe was... no, that wasn't the one.
I believe it was... let's see if I can identify it. It was the number. There we are. As I said, you can customize this based on your own requirements. For example, this one might do well as a bar chart, so you can use that if you feel it's appropriate. We can also list the events themselves. Let's see which other ones look good. Once you're done with the customization, you can cancel or save. You can also filter on this tab by source IP, destination IP and so on. What else did I want to highlight? Let me refresh this once more to get the latest data. In terms of the panels, this one displays the last 100 attempts, and you can page through them. You also have the persistent sources: two or more days of activity in the last 30 days, so you need a lot of data for that panel to show anything useful. So that is what I wanted to highlight about the Snort Alerts for Splunk app and its dashboards, which, as I said, it builds for you. You can also create your own dashboard based on your own sources. If I go back into Apps > Search & Reporting and click on Data Summary, then Sources, you can click on this source here. I can click on Extract Fields, and you can extract the fields with a regex. Click Next, and you can then select the fields you want. For example, we would want the date and time, so I can highlight that, name it time, and add the extraction.
Then we have the source IP and the port. I could highlight them together, but I think it's recommended to highlight just the source IP. I'll name it src_ip and add the extraction, and then the destination IP, which in this case, because this is an SNMP broadcast request, we know is the destination IP, so I'll name it dst_ip and add the extraction. Let's see what else we can do. In this case it's saying that if you're extracting multiple fields, try removing one or more fields, starting with the extractions that are embedded within longer strings. So let's try another alert that was kind of interesting. It's not displaying all of them here, but you get the idea. Once you're done, I can remove a field, for example; I'm just giving you an example of that. Remove that field. I can then click Next, then Validate and Save based on those fields, then Finish. Then I can go back to Search & Reporting. If I wanted to create a very simple visualization, which I'll show you right now, even though I don't really need those extracted fields (although they might be useful), I can click on those extracted fields now. I believe they should have been added; I'm not sure why they aren't being highlighted here. There we are: source IP. We can also specify the source port. Oh, there they are; they took a while to be displayed. So source port, why not. I think that's pretty much it. Based on those, we can build an event type. However, if we go to Visualization and click on Pivot, with five selected fields, and hit OK, we can visualize this however we want.
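The field extraction done by hand above (time, src_ip, dst_ip, ports) is what the Snort app's snort_alert_full sourcetype gives you automatically. To make the format concrete, here is an added example, not code from the video or from the Snort app, that parses the Snort 2.x full alert format into those fields and then computes the kind of counts the dashboard panels show (top classifications, top source IPs). The sample records are constructed for this example, not captured from the lab; the parser tolerates records without ports (ICMP) and rules without a classtype, and skips junk between records instead of failing on the whole file.

```python
import re
from collections import Counter

# Constructed sample in Snort 2.x "alert" (full) format; not captured from the video's lab.
# Records are blank-line separated. Record 3 is ICMP (no ports); record 4 has no classification.
SAMPLE_ALERTS = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/14-12:34:56.123456 198.51.100.23:80 -> 10.0.0.5:41322
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:123 DF
***AP*** Seq: 0x12345678  Ack: 0x9ABCDEF0  Win: 0xFFFF  TcpLen: 20
[Xref => http://doc.emergingthreats.net/2100498]

[**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download HTTP [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
03/14-12:35:01.000100 198.51.100.23:80 -> 10.0.0.5:41330
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0xFFFF  TcpLen: 20

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
03/14-12:35:07.500000 10.0.0.7 -> 10.0.0.5
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:1000001:1] LOCAL test rule without classtype [**]
[Priority: 3]
03/14-12:36:00.000000 10.0.0.7:53000 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
"""

# One regex per line type of the full alert format.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (?P<classification>[^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority: (?P<priority>\d+)\]")
ADDR_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+) "   # MM/DD[/YY]-HH:MM:SS.usec
    r"(?P<src_ip>\S+?)(?::(?P<src_port>\d+))? -> "                   # port is absent for ICMP
    r"(?P<dst_ip>\S+?)(?::(?P<dst_port>\d+))?$"
)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\b")


def parse_alert_full(text):
    """Parse Snort full-format alert records into dicts; missing fields are None."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        if not lines:
            continue
        header = HEADER_RE.match(lines[0])
        if header is None:
            continue  # not an alert record (junk/partial write): skip it, keep the rest
        ev = {
            "gid": int(header["gid"]), "sid": int(header["sid"]), "rev": int(header["rev"]),
            "msg": header["msg"], "classification": None, "priority": None, "ts": None,
            "src_ip": None, "src_port": None, "dst_ip": None, "dst_port": None, "proto": None,
        }
        for i, ln in enumerate(lines[1:], start=1):
            m = CLASS_RE.search(ln)
            if m:
                ev["classification"] = m["classification"]
            m = PRIO_RE.search(ln)
            if m:
                ev["priority"] = int(m["priority"])
            m = ADDR_RE.match(ln)
            if m:
                ev["ts"] = m["ts"]
                ev["src_ip"], ev["dst_ip"] = m["src_ip"], m["dst_ip"]
                ev["src_port"] = int(m["src_port"]) if m["src_port"] else None
                ev["dst_port"] = int(m["dst_port"]) if m["dst_port"] else None
                # The protocol is the first token of the line after the address line.
                if i + 1 < len(lines):
                    p = PROTO_RE.match(lines[i + 1])
                    if p:
                        ev["proto"] = p["proto"]
        events.append(ev)
    return events


def top_counts(events, field, n=10):
    """Dashboard-style top-N counts for a field, ignoring records where it is missing."""
    return Counter(ev[field] for ev in events if ev[field] is not None).most_common(n)


if __name__ == "__main__":
    evs = parse_alert_full(SAMPLE_ALERTS)
    for ev in evs:
        print(f"{ev['ts']} {ev['proto']} {ev['src_ip']}:{ev['src_port']} -> "
              f"{ev['dst_ip']}:{ev['dst_port']} [{ev['classification']}] p{ev['priority']} {ev['msg']}")
    print("top classifications:", top_counts(evs, "classification"))
    print("top source IPs:", top_counts(evs, "src_ip"))
```

Running it against /var/log/snort/alert instead of the sample is a one-line change (read the file into `text`); the same regexes, written in Splunk's field-extraction syntax, are what you would save from the Extract Fields wizard if you were not using the Snort app.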
So, for example, if I wanted a column chart, number one will display the count, so I'll add the events, because that's the count, and at the bottom we should have the time, which I did specify within that range, but that's not being shown here. So, the number of events; you can go ahead and save it. You get the idea. You don't really need to do this, because we have the Snort app, which pretty much gives you the summaries that are useful to you. And there we are. Fantastic. That concludes the practical demonstration side of this video. Thank you very much for watching. If you have any questions or suggestions, leave them in the comment section. If you want to reach out to me, you can do so via Twitter or the Discord server; the links to both are in the description. We are now moving on to part two, so this concludes part one. Part two will be available on Linode's ON24 platform, where the videos are available on demand. All you need to do is click the link in the description and register for part two, after which an email will be sent to you and you'll be given immediate access to the videos in part two. Thank you very much for watching part one. In the next video, in part two, we'll take a look at host intrusion detection with OSSEC. I'll see you in the next video.