WEBVTT

00:00:01.120 --> 00:01:18.782
Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up or how to perform security event monitoring with Splunk, more specifically, Splunk Enterprise Security. Right? So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is we are essentially going to take all the knowledge that we've learned during the Snort video, and we are going to essentially forward all of the Snort logs into Splunk or have that done automatically through the Splunk Universal Forwarder so that we get the latest logs when Snort is running on our Ubuntu virtual machine. And the objective here is to use Splunk in conjunction with Splunk's Snort app to essentially visualize and identify or monitor network intrusions and any malicious network traffic, you know, within the network that I'm monitoring. [Music]
00:01:19.360 --> 00:02:15.360
At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk. Now before we move any further or we actually carry on, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it can be used, you know, and how it's used generally speaking. Because Splunk is not really a tool that is specific to security, for example. That's why they have the Splunk Enterprise Security version or edition. And I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security--the Enterprise Security edition--and how it can be used for security event monitoring, especially in our case because we want to essentially monitor the intrusion detection logs generated by Snort.
00:02:15.360 --> 00:03:16.400
So we'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing it and configuring it. So that'll set it up for us. We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes. With that being said, given the fact that we're going to be using, you know, we're going to be using Snort to generate alerts and monitor those alerts, if you have not gone through the actual Snort video, please do that as it'll help you set up Snort, and you can then run through this demo.
00:03:16.400 --> 00:04:20.880
With that being said, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for, you know, analysis and monitoring. So the prerequisites are the same as the previous videos. The only difference is, you know, that you need to have a basic familiarity with Splunk and how to navigate around the various menu elements and, yeah, essentially just how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you out or help you get started. Alright. So let's get an introduction to Splunk. So what is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here?
00:04:20.880 --> 00:05:30.720
Well, let's look at this from the perspective of Web 2.0 or, you know, the interconnected world we live in today. And we're going to be looking at it from the context of or from the perspective of security. So if we take a simple system--let's say we have a Windows operating system or a system running Windows--well, that Windows system produces a lot of data or logs that, you know, contain information that, you know, at first glance might not seem that important. But once you start getting into specific sectors like security, those logs start, you know, those logs have, you know, very important value to organizations. Now multiply that by a thousand systems. So let's say we have an organization. They have a thousand computers within their network or, you know, distributed worldwide. And all of these systems, you know, need to be secured. Their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. So Splunk allows you to essentially funnel all of this data produced by systems or machines into Splunk.
00:05:30.720 --> 00:06:35.520
And then Splunk allows you to monitor, search, and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this from the lens of a security engineer. Alright. So Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. Alright. So what I'm saying here is that Splunk allows you to take all of these security-related logs and data and make sense of them and essentially get the answers that you're looking for.
00:06:35.520 --> 00:07:43.680
So, for example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised. There could be some malicious network traffic or activity going on. A system could be compromised, etc., etc. You get the idea. So we need that data to be displayed to us as a security engineer. And Splunk is really one of the best tools, you know, when it comes down to, you know, taking a lot of data and then identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart, or graph. Right. So that's really what we're going to be doing. And as I said, going back to the scenario, we're going to be focusing on how to, you know, essentially get in or how to forward the logs created--or the logs and alerts created--by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app or plug-in, if you will, that will essentially simplify this process.
00:07:44.100 --> 00:08:57.120
So, let's get an idea as to, you know, how we can use Splunk for security event monitoring. So Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks or threats or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring because what it does--and this is really cool--is it automatically forwards the latest logs, even when Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic. So as I said, if you're new to Splunk, then these resources are really helpful for you.
00:08:57.120 --> 00:10:00.309
Splunk offers really great tutorials and courses designed for absolute beginners. You can check that out by clicking on the link within this slide. And you can learn more about the Splunk Enterprise Security edition from that particular link. Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. So we're going to spin up, you know, Splunk ES on Linode. Now, again, to follow through with this, you know, Linode has been absolutely fantastic with, you know, by providing all of you guys with a way to get $100 in free Linode credit. All you need to do is just click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then within my internal network, we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort. This is the same virtual machine that we had set up and used to set up Snort and set up Suricata and the one we had used with Wazuh.
00:10:01.360 --> 00:11:11.279
And, yeah, that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will essentially perform or run a couple of commands or scripts to essentially emulate malicious network activity so that these logs are essentially--so this traffic is essentially logged--and that'll provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions. So as I said, you don't really need to have a Windows workstation. You simply need to have the Ubuntu VM, and you can pretty much run everything from it. And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues. So that's the lab environment. We can now get started with the practical demonstration. So I'm going to switch over to my Ubuntu virtual machine. Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here.
00:11:11.279 --> 00:12:16.800
I haven't set anything up yet because we're going to be walking through the process together. I then have the Splunk.com website here. So if you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and, you know, register for an account. It's free. Once that is done, you'll need to activate your account or verify your account through the verification email they'll send you. Once that is done, we can then move forward. Because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, you know, in this case, I'll be going through everything as we move along in a structured manner. And then to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. So this is essentially a bash script that allows you to--as you can see here--it allows you to essentially emulate or simulate malicious network traffic.
00:12:16.800 --> 00:13:26.720
So, previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, an EXE or DLL download over HTTP. So, you know, we can run tests that, you know, will just make our intrusion detection system blow up in terms of alerts. And that's what we want because we want to see how that data is presented to us as a security engineer on Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode. So just click on "Create a Linode" and click on "Marketplace." And they already have Splunk here. So there we are. You can click on that there. And if you click on this little info button here, it'll give you an idea as to how to deploy it on Linode. And, of course, you have more information regarding Splunk. So you have the documentation link there. So I'll just click on Splunk. Once that is clicked, we can then head over here.
00:13:26.720 --> 00:14:19.920
You'll need to specify the Splunk admin user. I recommend using "admin" to begin with and then specify a password. If you're setting up, you know, Splunk on a domain, then you can specify the Linode API token to essentially create the DNS records--that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this "admin." And then for the admin user, we'll just say provide that there. So the image--we're going to set it up on Ubuntu 20.04. The region--I'll say London because that's closest to me.
00:14:19.920 --> 00:15:22.160
As for the actual Linode plan, Linode ES doesn't require that many resources, especially because, you know, the amount of data that we're processing or the logs that are being forwarded to Splunk are relatively few--so less than 100--which, if you've used Splunk before for security event monitoring, you know that that is really, really small. In fact, Splunk will actually tell you, you know, that the amount of data to begin with that you have imported or forwarded is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So I'll just say "Splunk," and I'll provide my root password for the server. And we can click on "Create." Alright. Now, once this is set up and provisioned, the actual installer is going to begin. So it's going to set up because there is an auto-installer setup that will set up Splunk. Yes. For you. So, let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH.
00:15:22.160 --> 00:16:28.800
And of course, one thing that I don't need to tell you is, if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux--the Linux Server Security series. They'll give you, you know, all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. And we can then get started, you know, officially with how to set up Splunk. We then need to set up the Universal Forwarder. So, this is booting now. Alright. So the server is booted, and you can see I've just opened up the Lish console here to essentially view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes to essentially begin. And once it's done, it'll actually tell you that, and it'll provide you with the login prompt.
00:16:28.800 --> 00:17:32.400
But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to actually conclude. Alright. So once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete," and you can then log in. Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, which is the uncomplicated firewall for Debian, or it typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. So I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status. And you can see these are all the allowed rules or the actual rules configured for the firewall, which is looking good so far.
00:17:32.400 --> 00:18:46.799
So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. So just give this a couple of seconds. There we are. And the credentials that we had used were "admin" and the password that I created--that, you know, of course, you'll be able to specify yourself. So just sign in. And once that is done, you'll be brought to Splunk Enterprise Security here. So there we are--explore Splunk Enterprise. And in this case, what we're going to be doing--what we're going to start off with--is we need to go through a few configuration changes with Splunk itself. So the idea, firstly, is to configure the actual receiving of data. So if you head over into "Settings," you can click on "Data," then just click on "Forwarding and Receiving." And once that is done--once that is loaded up--under "Receive Data," we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port.
00:18:46.799 --> 00:19:57.760
So we can say "New Receiving Port," and the port is, of course, going to be the default, which is 9997--which is why that firewall rule was added. So I'll click on Save. Alright. So once that is done, we can now install the Snort app for Splunk. So click on "Apps" and head over into "Find More Apps." And because the Ubuntu server is running--or the Ubuntu VM that I'm currently working on is running--Snort 2, we'll need the appropriate app here. So I'll just search for "Snort" there. And we're not looking for the Snort 3 JSON alerts, although that, you know, could be quite useful, but we want the Snort alert for Splunk. Alright. So this app provides field extraction. So that's really great because performing your own field extractions using regex can be quite difficult if you're a beginner. So fast and full, as well as dashboards, saved searches, reports, event types, tags, and event search interfaces. So we'll install that. Now you'll need to log in with your Splunk account credentials that you, you know, actually created on splunk.com.
So I'll just fill in my 00:19:57.760 --> 00:20:00.400 information really quickly. 00:20:00.400 --> 00:20:02.240 Alright. So I've put in my username and 00:20:02.240 --> 00:20:04.240 password. So I'll just say I'll accept 00:20:04.240 --> 00:20:06.320 the terms and conditions there. So log in 00:20:06.320 --> 00:20:07.600 and install. 00:20:07.600 --> 00:20:09.280 That's going to install it. There we are. 00:20:09.280 --> 00:20:10.880 So we'll just hit "Done." 00:20:10.880 --> 00:20:13.360 Now that that is done, if we head back over 00:20:13.360 --> 00:20:16.400 into our dashboard--so I'll just click on 00:20:16.400 --> 00:20:18.400 Splunk Enterprise there-- 00:20:18.400 --> 00:20:20.720 you can now see we have Snort 00:20:20.720 --> 00:20:23.039 Alert for Splunk. So that already 00:20:23.039 --> 00:20:25.600 comes preconfigured with a dashboard. 00:20:25.600 --> 00:20:28.600 So we'll just let this load up here. 00:20:28.600 --> 00:20:30.000 And you can see that we don't have 00:20:30.000 --> 00:20:32.480 any data yet. So this will display 00:20:32.480 --> 00:20:34.559 your events and sources, top source 00:20:34.559 --> 00:20:36.480 countries, the events. This is very 00:20:36.480 --> 00:20:38.480 important--these sources, top 10 00:20:38.480 --> 00:20:41.039 classification. So that'll classify 00:20:41.039 --> 00:20:44.400 your alerts in terms of the 00:20:44.400 --> 00:20:46.640 type, which again will make sense in a 00:20:46.640 --> 00:20:49.280 couple of seconds. So now that that is 00:20:49.280 --> 00:20:51.600 done, we actually need to configure 00:20:51.600 --> 00:20:54.480 the actual Splunk Universal Forwarder. So 00:20:54.480 --> 00:20:56.480 I'll just open that up in a new tab. It's 00:20:56.480 --> 00:20:59.120 absolutely free to download the Debian 00:20:59.120 --> 00:21:01.840 client or the Splunk Universal 00:21:01.840 --> 00:21:04.159 Forwarder Debian package. 
So Universal 00:21:04.159 --> 00:21:06.960 Forwarders provide reliable, secure 00:21:06.960 --> 00:21:09.440 data collection from remote 00:21:09.440 --> 00:21:11.520 sources and forward that data into 00:21:11.520 --> 00:21:14.159 Splunk software for indexing and 00:21:14.159 --> 00:21:16.880 consolidation. They can scale to tens of 00:21:16.880 --> 00:21:18.799 thousands of remote systems, collecting 00:21:18.799 --> 00:21:20.720 terabytes of data. So 00:21:20.720 --> 00:21:23.039 again, you can actually see why Splunk is 00:21:23.039 --> 00:21:25.360 so powerful and why it's widely used 00:21:25.360 --> 00:21:27.440 and deployed--because of the fact that 00:21:27.440 --> 00:21:30.480 you can literally be... 00:21:30.480 --> 00:21:32.640 literally forward a ton of data from a 00:21:32.640 --> 00:21:35.840 ton of systems into Splunk. So because 00:21:35.840 --> 00:21:38.480 Snort is running on this 00:21:38.480 --> 00:21:40.480 Ubuntu VM, we need the Debian package. So 00:21:40.480 --> 00:21:41.919 I'll click on Linux, and we want the 00:21:41.919 --> 00:21:45.039 64-bit version. Again, you can choose one 00:21:45.039 --> 00:21:46.559 based on your requirements. So if you're 00:21:46.559 --> 00:21:49.840 running on Red Hat, Fedora, or CentOS, you 00:21:49.840 --> 00:21:51.520 can use the RPM package. So I'll just 00:21:51.520 --> 00:21:54.559 download the Debian package here. 00:21:54.559 --> 00:21:56.080 Give that a couple of seconds. It's then 00:21:56.080 --> 00:21:58.240 going to begin downloading it, and then 00:21:58.240 --> 00:22:00.000 I'll walk you through the setup process. 00:22:00.000 --> 00:22:01.840 So there we are. 00:22:01.840 --> 00:22:04.260 It's begun the setup. 00:22:07.360 --> 00:22:09.440 And once that is done, I'll open up my 00:22:09.440 --> 00:22:10.799 terminal. So that's saved in the 00:22:10.799 --> 00:22:12.960 Downloads directory. 
So 00:22:12.960 --> 00:22:14.320 if we check--if we head over into the 00:22:14.320 --> 00:22:15.840 Downloads directory--you can see we have 00:22:15.840 --> 00:22:18.489 the Splunk Forwarder Debian package there. 00:22:19.200 --> 00:22:21.679 So what we want to do, firstly, is we want 00:22:21.679 --> 00:22:25.680 to move this package into the actual /opt 00:22:25.680 --> 00:22:28.080 directory on Linux, which will 00:22:28.080 --> 00:22:30.880 essentially allow us to, you know, 00:22:30.880 --> 00:22:33.360 to set it up as optional software. And 00:22:33.360 --> 00:22:35.280 it's really good to have all that 00:22:35.280 --> 00:22:38.240 optional software stored in the 00:22:38.240 --> 00:22:42.240 directory. So, once that is done and 00:22:42.240 --> 00:22:44.320 once that's downloaded, we can say, 00:22:44.320 --> 00:22:45.600 move 00:22:45.600 --> 00:22:48.480 Splunk forward into opt, 00:22:48.480 --> 00:22:50.400 and we'll need sudo privileges. So I'll 00:22:50.400 --> 00:22:52.559 say sudo move. There we are. And I'll just 00:22:52.559 --> 00:22:55.120 type in my password. Fantastic. So 00:22:55.120 --> 00:22:57.360 now navigate to the opt directory. And to 00:22:57.360 --> 00:23:00.320 install this, we can say sudo apt, 00:23:00.320 --> 00:23:02.960 and then we can specify install. So we 00:23:02.960 --> 00:23:05.120 can say sudo apt install, 00:23:05.120 --> 00:23:06.960 and then we specify the package itself. 00:23:06.960 --> 00:23:09.440 So Splunk forwarder, 00:23:09.440 --> 00:23:11.440 and we're just going to hit enter. That's 00:23:11.440 --> 00:23:13.520 going to install it for you. 00:23:13.520 --> 00:23:16.880 Give that a couple of seconds. 00:23:19.440 --> 00:23:21.520 Alright. So once that is installed, if 00:23:21.520 --> 00:23:23.039 you list out the contents of this 00:23:23.039 --> 00:23:24.559 directory, you're gonna have a Splunk 00:23:24.559 --> 00:23:26.559 forwarder directory here. 
So I'll say cd 00:23:26.559 --> 00:23:29.200 splunkforwarder. And under the binary 00:23:29.200 --> 00:23:31.200 directory, we can navigate to that here. 00:23:31.200 --> 00:23:32.720 We'll need to start-- 00:23:32.720 --> 00:23:35.600 we'll need to start Splunk. So we will 00:23:35.600 --> 00:23:37.280 say sudo, 00:23:37.280 --> 00:23:39.039 and the binary we want to run is called 00:23:39.039 --> 00:23:41.279 splunk, and we'll accept the license. 00:23:41.279 --> 00:23:42.799 The reason we're doing this is because 00:23:42.799 --> 00:23:44.799 we need to configure it. So we need to 00:23:44.799 --> 00:23:46.799 specify the username and password, or, you 00:23:46.799 --> 00:23:49.279 know, create a username and password. 00:23:49.279 --> 00:23:52.000 And once that is done, you'll actually 00:23:52.000 --> 00:23:53.360 see what that looks like. So I'll just 00:23:53.360 --> 00:23:55.679 say accept the license. 00:23:55.679 --> 00:23:59.200 And, you can see in this case, let's see if I 00:23:59.200 --> 00:24:01.200 typed that incorrectly. That should 00:24:01.200 --> 00:24:03.600 actually start. So splunk start. I did not 00:24:03.600 --> 00:24:05.440 specify start there. 00:24:05.440 --> 00:24:06.799 There we are. So please enter an 00:24:06.799 --> 00:24:09.679 administrator name. I'll just say admin. 00:24:09.679 --> 00:24:12.000 So again, Splunk software must create an 00:24:12.000 --> 00:24:14.320 administrator account during startup. 00:24:14.320 --> 00:24:16.559 Otherwise, you cannot log in. So create 00:24:16.559 --> 00:24:18.899 credentials for the administrator account. 00:24:20.640 --> 00:24:22.320 So in this case, you can 00:24:22.320 --> 00:24:23.600 create whatever you want. I'm just going 00:24:23.600 --> 00:24:26.000 to fill in my credentials here. 00:24:26.000 --> 00:24:28.640 Alright, so I've just entered my 00:24:28.640 --> 00:24:30.320 administrator username and then, of 00:24:30.320 --> 00:24:32.400 course, my password. 
So 00:24:32.400 --> 00:24:33.840 that is done. 00:24:33.840 --> 00:24:36.240 So it'll go through-- 00:24:36.240 --> 00:24:37.760 it'll essentially go through and check 00:24:37.760 --> 00:24:40.400 the prerequisites. New certs have been 00:24:40.400 --> 00:24:42.960 generated in the following directory, 00:24:42.960 --> 00:24:45.200 and all the preliminary checks have 00:24:45.200 --> 00:24:47.520 passed. So starting the Splunk server 00:24:47.520 --> 00:24:49.440 daemon--so that started. You can also 00:24:49.440 --> 00:24:52.159 enable it to run on system startup. So if 00:24:52.159 --> 00:24:56.330 I say, you know, for example, sudo systemctl 00:24:56.720 --> 00:24:58.910 status splunk, 00:24:59.520 --> 00:25:01.840 let me type that correctly here. So 00:25:01.840 --> 00:25:03.360 splunk-- 00:25:03.360 --> 00:25:07.520 sorry, systemctl, 00:25:07.520 --> 00:25:10.240 and we can say splunkd. 00:25:10.240 --> 00:25:12.880 Sorry. So we can say splunk. I'm not 00:25:12.880 --> 00:25:15.039 really sure why that's not loading here. 00:25:15.039 --> 00:25:17.520 But I do know that the daemon is running, 00:25:17.520 --> 00:25:23.620 and there should be an init daemon for that. 00:25:23.620 --> 00:25:24.799 But in any case, 00:25:24.799 --> 00:25:27.360 you can always start it that way. 00:25:27.360 --> 00:25:29.840 Once that is done, we will need to add 00:25:29.840 --> 00:25:32.320 our forward server. So we need to add 00:25:32.320 --> 00:25:34.960 the address of the server--the 00:25:34.960 --> 00:25:37.039 Splunk server that we're forwarding our 00:25:37.039 --> 00:25:39.600 logs to. We'll move on to what 00:25:39.600 --> 00:25:42.480 logs we want to forward in a second. But 00:25:42.480 --> 00:25:44.159 let's do that first. So again, we're going 00:25:44.159 --> 00:25:45.799 to use the 00:25:47.520 --> 00:25:51.220 Splunk binary, and we're going to say forward-server. 
00:25:51.220 --> 00:25:52.559 And we'll just copy the IP 00:25:52.559 --> 00:25:56.419 address of your Splunk server here. 00:25:56.419 --> 00:25:59.850 So there we are. And I'll paste that in there. 00:26:00.640 --> 00:26:03.320 And then you need to type in the port--so 00:26:03.320 --> 00:26:07.780 9997, that's the port to connect to. Hit enter. 00:26:08.400 --> 00:26:10.799 So splunk forward-- 00:26:11.279 --> 00:26:13.279 yeah, we need to add it. I keep forgetting 00:26:13.279 --> 00:26:16.910 the preliminary command. So add forward-server, 00:26:16.910 --> 00:26:18.260 Splunk username. 00:26:18.320 --> 00:26:21.919 So in this case, let me just put 00:26:21.919 --> 00:26:25.840 in my credentials here. 00:26:26.640 --> 00:26:29.440 Alright. And it's going to then add the 00:26:29.440 --> 00:26:31.760 forwarding to that particular address. 00:26:31.760 --> 00:26:33.760 Alright. Now that that is done, 00:26:33.760 --> 00:26:35.440 we actually need to 00:26:35.440 --> 00:26:37.919 configure a particular file, 00:26:37.919 --> 00:26:40.720 and that is going to be the outputs.conf 00:26:40.720 --> 00:26:43.039 directory. If it's already set up for us, 00:26:43.039 --> 00:26:45.039 which it should be, 00:26:45.039 --> 00:26:46.880 then we do not need to go through the 00:26:46.880 --> 00:26:49.360 initial setup. So, 00:26:49.360 --> 00:26:51.120 if we head over into the following 00:26:51.120 --> 00:26:52.640 directory--so I'll just take a step back-- 00:26:52.640 --> 00:26:55.120 we're still in the Splunk forwarder directory. 00:26:55.279 --> 00:26:59.739 We'll head over into the etc directory. 00:26:59.739 --> 00:27:01.679 And under system, 00:27:01.679 --> 00:27:05.039 we have a file under local, I think. It is 00:27:05.039 --> 00:27:06.640 called outputs here. Right? So I'm going to say 00:27:06.640 --> 00:27:09.680 sudo vim outputs.conf. 
00:27:09.840 --> 00:27:11.840 And really, the only thing that is 00:27:11.840 --> 00:27:14.290 required here is, 00:27:14.290 --> 00:27:16.159 of course, just leave the default 00:27:16.159 --> 00:27:18.320 configuration as is. The default group is 00:27:18.320 --> 00:27:21.760 fine. So tcpout:default-autolb-group, 00:27:21.760 --> 00:27:23.279 that's fine. So make sure that the 00:27:23.279 --> 00:27:25.840 server option here is configured--that's 00:27:25.840 --> 00:27:29.100 the most important. And the tcpout-server 00:27:29.100 --> 00:27:30.320 address is also configured in 00:27:30.320 --> 00:27:32.000 this format. So we don't need to make any 00:27:32.000 --> 00:27:34.670 changes there. So I'll just say quit and exit. 00:27:35.120 --> 00:27:38.640 Once that is done, we also need to check 00:27:38.640 --> 00:27:41.279 the actual inputs configuration file. 00:27:41.279 --> 00:27:43.200 But before we do that, 00:27:43.200 --> 00:27:45.279 let's take a look. So if you revisit the 00:27:45.279 --> 00:27:46.880 Snort video, 00:27:46.880 --> 00:27:48.880 you know that all the logs are stored 00:27:48.880 --> 00:27:53.110 under /var/log/snort. 00:27:53.110 --> 00:27:55.760 Right? So we have the alert log, 00:27:55.760 --> 00:27:59.279 and we also have--so again, based on 00:27:59.279 --> 00:28:02.000 the type of alerts 00:28:02.000 --> 00:28:03.200 you want generated--so, you know, 00:28:03.200 --> 00:28:05.440 if I say man snort here, 00:28:05.440 --> 00:28:08.090 you can see that we have the alert mode. 00:28:08.090 --> 00:28:09.440 So you can use the fast mode or the 00:28:09.440 --> 00:28:11.360 full mode. In this case, I'll be using the 00:28:11.360 --> 00:28:12.559 fast mode, 00:28:13.760 --> 00:28:15.279 and I'll give you a description of what's 00:28:15.279 --> 00:28:17.279 going on here. Right? 
So 00:28:17.279 --> 00:28:19.919 full writes the alert to the alert 00:28:19.919 --> 00:28:21.919 file with the full decoded header as 00:28:21.919 --> 00:28:24.720 well as the alert message, which might be 00:28:24.720 --> 00:28:27.279 important. So we can also do that as well. 00:28:27.279 --> 00:28:29.600 So this was from the previous--from 00:28:29.600 --> 00:28:31.760 the Snort video where we 00:28:31.760 --> 00:28:33.360 had run... 00:28:33.360 --> 00:28:35.840 essentially run Snort and, you know, 00:28:35.840 --> 00:28:38.480 where we were identifying various alerts. 00:28:38.480 --> 00:28:41.919 So, what we can do is, again, we'll 00:28:41.919 --> 00:28:43.760 go through what needs to be created, but 00:28:43.760 --> 00:28:45.600 we can run a quick test command just to 00:28:45.600 --> 00:28:46.880 see whether 00:28:46.880 --> 00:28:48.799 the actual alerts are being logged 00:28:48.799 --> 00:28:50.320 within the alert file, because we have 00:28:50.320 --> 00:28:53.039 alert.1. Ideally, we would only want 00:28:53.039 --> 00:28:55.760 to forward this file into Splunk. 00:28:55.760 --> 00:28:58.080 So, in order to do this, what I'm going 00:28:58.080 --> 00:29:00.080 to do now is I'm just gonna run Snort 00:29:00.080 --> 00:29:03.590 really quickly. So I'm going to say sudo snort -q, 00:29:03.919 --> 00:29:06.000 for quiet, and then 00:29:06.000 --> 00:29:10.500 the actual directory for the logs is /var/log/snort. 00:29:11.360 --> 00:29:14.640 And then we can say the interface is enp0s3. 00:29:14.640 --> 00:29:16.240 Again, make sure to replace that with 00:29:16.240 --> 00:29:19.039 your own interface. The alert, we can 00:29:19.039 --> 00:29:20.320 say full, 00:29:20.320 --> 00:29:26.190 and the configuration is /etc/snort/snort.conf. 00:29:26.399 --> 00:29:28.320 I believe we had another configuration 00:29:28.320 --> 00:29:30.720 file. Yeah. We had used the snort.conf file. 00:29:30.720 --> 00:29:32.399 So I'll hit enter. 
00:29:32.399 --> 00:29:35.560 And now let me open up my file explorer here. 00:29:35.840 --> 00:29:38.720 We take a look at the var directory 00:29:38.720 --> 00:29:42.240 under log. And under snort, 00:29:42.240 --> 00:29:44.960 we have alert. There we are. So, 00:29:44.960 --> 00:29:47.960 that has been modified. The last was 00:29:47.960 --> 00:29:50.050 modified 00:29:51.200 --> 00:29:53.919 right over there. Okay. So that's 19. Yeah. 00:29:53.919 --> 00:29:55.679 So this is the last modified. So I know 00:29:55.679 --> 00:29:58.000 this file is not human-readable. We 00:29:58.000 --> 00:30:00.979 are not going to be forwarding this .log file. 00:30:00.979 --> 00:30:02.960 So I'll just close that there. 00:30:02.960 --> 00:30:07.440 So I'm just going to try and perform a few 00:30:07.440 --> 00:30:09.679 checks on the network, like a few pings, 00:30:09.679 --> 00:30:11.760 just to see if that's detected. 00:30:11.760 --> 00:30:15.679 So I'll just, you know, perform a ping really quickly. 00:30:15.679 --> 00:30:17.520 Again, the alerts will not be logged on 00:30:17.520 --> 00:30:18.960 our terminal because they're being 00:30:18.960 --> 00:30:21.200 logged, you know, into the respective 00:30:21.200 --> 00:30:24.159 alert file or the alert log file. So I'll 00:30:24.159 --> 00:30:26.080 just perform, you know, a few pings, as 00:30:26.080 --> 00:30:27.679 I was saying, which I'm doing right now 00:30:27.679 --> 00:30:29.520 on the attacker system. 00:30:29.520 --> 00:30:31.760 Once that is done, let's see whether 00:30:31.760 --> 00:30:33.760 those changes are being highlighted in 00:30:33.760 --> 00:30:37.600 alert. Indeed, they are. Okay. So now, 00:30:40.159 --> 00:30:42.399 as you can see here, 00:30:42.399 --> 00:30:45.279 this is the full-- 00:30:45.360 --> 00:30:48.000 these are... So to begin with, we had used 00:30:48.000 --> 00:30:52.729 the fast alert output mode. 
00:30:54.000 --> 00:30:56.080 And right over here, we then have the 00:30:56.080 --> 00:31:00.159 full alert mode, which I'm not really sure how 00:31:00.159 --> 00:31:01.919 we want to 00:31:01.919 --> 00:31:05.360 go about doing this. But you can see, 00:31:05.360 --> 00:31:07.360 we can actually make a few changes. 00:31:07.360 --> 00:31:11.110 What we can do is we can get rid of this traffic here. 00:31:11.440 --> 00:31:13.519 But you can see the message is actually 00:31:13.519 --> 00:31:15.279 being logged. So 00:31:15.279 --> 00:31:17.760 we can get rid of this here 00:31:17.760 --> 00:31:25.749 because we don't want to mix fast alerts 00:31:26.080 --> 00:31:31.519 with the full mode. So we can just get rid of that 00:31:31.519 --> 00:31:33.611 there and save that. 00:31:34.159 --> 00:31:37.840 Once that is done, I'll just say-- 00:31:37.840 --> 00:31:41.290 we actually need permissions to modify that file. 00:31:42.000 --> 00:31:45.600 But, you know, what we can do is--what I am 00:31:45.600 --> 00:31:47.279 going to do actually is close without 00:31:47.279 --> 00:31:50.159 saving. I'm just going to stop Snort there. 00:31:50.399 --> 00:31:52.080 And I'm just going to say 00:31:52.080 --> 00:31:58.150 sudo rm /var/log/snort. 00:31:58.150 --> 00:32:00.520 And we're going to remove alert. 00:32:01.360 --> 00:32:04.240 Alright. And we're also going to remove alert.1. 00:32:04.240 --> 00:32:05.440 Alright. So I'm just going to run this 00:32:05.440 --> 00:32:08.240 again, just to see that the file is generated. 00:32:08.240 --> 00:32:11.120 So there we are. We have alert there. 00:32:11.120 --> 00:32:12.559 So now it's much cleaner. I'll just 00:32:12.559 --> 00:32:14.240 run a few pings, just to make sure that 00:32:14.240 --> 00:32:16.480 the traffic is being logged--all those 00:32:16.480 --> 00:32:18.480 alerts are being logged. 00:32:18.480 --> 00:32:21.519 So there we are. We have a few pings there. 
00:32:21.519 --> 00:32:24.640 And we can also, you know, just run a few 00:32:24.640 --> 00:32:26.960 checks there. Okay. So there we are. We can 00:32:26.960 --> 00:32:29.360 see that those are now being logged. And 00:32:29.360 --> 00:32:32.029 of course, we can change the format based on-- 00:32:32.320 --> 00:32:33.519 well, you can change it based on your 00:32:33.519 --> 00:32:35.039 requirements. Right? 00:32:35.039 --> 00:32:35.941 So 00:32:38.000 --> 00:32:39.919 now that that is done, 00:32:39.919 --> 00:32:42.000 what we can do is we can close that up, 00:32:42.000 --> 00:32:45.880 and we can actually leave Snort running as is. 00:32:46.320 --> 00:32:48.960 So what I'll do is I'm just going to 00:32:48.960 --> 00:32:51.120 open up another tab. 00:32:51.120 --> 00:32:54.200 So just, you know--I can say Ctrl+Shift+T. 00:32:54.200 --> 00:32:56.799 There we are. And we're currently within the following 00:32:56.799 --> 00:33:01.519 directory: /opt/splunkforwarder/etc/system/local. 00:33:01.519 --> 00:33:03.120 So, 00:33:03.120 --> 00:33:06.000 once that is done, we now need to add 00:33:06.000 --> 00:33:09.388 the files that we would like to monitor 00:33:09.388 --> 00:33:12.240 or that we would like to forward. Right? 00:33:12.240 --> 00:33:15.360 So, the log files. I'll go back into the bin directory. 00:33:15.360 --> 00:33:17.679 So there we are--cd bin--because that's 00:33:17.679 --> 00:33:19.360 where we have the Splunk binary. So I'll 00:33:19.360 --> 00:33:23.040 say sudo splunk. 00:33:24.399 --> 00:33:26.981 And we can say add monitor. 00:33:28.320 --> 00:33:30.720 And the file that we want to forward is 00:33:30.720 --> 00:33:34.399 under /var/log/snort, and it is just alert. 00:33:34.399 --> 00:33:36.559 Right? So that's all. That's really all 00:33:36.559 --> 00:33:38.720 that we want to do. Right? 00:33:38.720 --> 00:33:41.600 And we can also utilize the fast alerts, 00:33:41.600 --> 00:33:44.399 but let's just do this for now. 
00:33:44.399 --> 00:33:46.399 We only want the alerts--we don't 00:33:46.399 --> 00:33:48.320 want the actual log files that contain 00:33:48.320 --> 00:33:53.840 the packets themselves. So I'll hit Enter. 00:33:54.480 --> 00:33:56.399 Alright. So it's now going to forward 00:33:56.399 --> 00:33:58.960 those alerts into Splunk, which pretty 00:33:58.960 --> 00:34:02.159 much means that on our end, we are done. 00:34:02.159 --> 00:34:04.000 However, we still need to check one more 00:34:04.000 --> 00:34:05.840 configuration file. So I'll just take a 00:34:05.840 --> 00:34:08.000 step back here, and we'll head over into 00:34:08.000 --> 00:34:12.169 the /etc directory under apps/search, 00:34:13.119 --> 00:34:15.520 and then into local. 00:34:15.520 --> 00:34:16.720 I think we'll need root 00:34:16.720 --> 00:34:18.320 permissions to access this. So I'll just 00:34:18.320 --> 00:34:20.079 switch to the root user and head over 00:34:20.079 --> 00:34:21.520 into local. 00:34:21.520 --> 00:34:27.341 And we're looking for the inputs.conf file. Right? 00:34:27.341 --> 00:34:28.079 We need to actually 00:34:28.079 --> 00:34:29.760 configure this because this is very 00:34:29.760 --> 00:34:31.040 important. 00:34:31.040 --> 00:34:35.919 The first thing we want to do is--let us 00:34:35.919 --> 00:34:38.639 add a new line here. And within the 00:34:38.639 --> 00:34:43.530 square brackets, I'll just say [splunk-tcp]. 00:34:44.240 --> 00:34:46.399 And we then want to specify the port--so 00:34:46.399 --> 00:34:47.653 9997. 00:34:48.399 --> 00:34:51.520 Let me make sure I type that in correctly. 00:34:51.520 --> 00:34:55.250 We then need to actually put in the connection. 00:34:56.960 --> 00:35:01.770 So the connection_host 00:35:01.770 --> 00:35:03.440 is going to be equal to the IP 00:35:03.440 --> 00:35:06.100 address of the Splunk server. 00:35:06.560 --> 00:35:10.080 So I'll just copy that there and paste that in there. 
00:35:11.280 --> 00:35:14.000 Once that is done, 00:35:14.000 --> 00:35:16.950 this is fine here--disabled is set to false. 00:35:16.950 --> 00:35:20.320 We want index to be equal to main. 00:35:20.320 --> 00:35:23.680 And then the sourcetype 00:35:23.680 --> 00:35:28.330 is going to be equal to snort_alert_full. 00:35:28.960 --> 00:35:31.280 And we can then say the source is equal 00:35:31.280 --> 00:35:33.040 to snort. Alright? So this is a very 00:35:33.040 --> 00:35:35.280 important configuration. Let me just 00:35:35.280 --> 00:35:36.640 go through those options or 00:35:36.640 --> 00:35:40.080 configurations again. We have the splunk-tcp option. 00:35:40.320 --> 00:35:43.530 We then have the actual connection_host. 00:35:43.530 --> 00:35:46.640 The monitor is set correctly to that file. 00:35:46.640 --> 00:35:52.500 It's enabled, index=main, sourcetype=snort_alert_full, source=snort. 00:35:52.500 --> 00:35:53.485 Fantastic. 00:35:53.485 --> 00:35:54.720 So we'll write and quit. 00:35:54.720 --> 00:35:57.040 Once this is done, 00:35:57.040 --> 00:35:58.720 we'll need to restart Splunk. So I'll 00:35:58.720 --> 00:36:00.800 switch back to my user, Lexus, here, and 00:36:00.800 --> 00:36:04.560 we'll navigate back to the bin directory. 00:36:04.560 --> 00:36:06.400 So I'll say cd bin, 00:36:06.400 --> 00:36:15.680 and we'll say sudo splunk restart. Alright, hit Enter. 00:36:15.680 --> 00:36:18.320 It's going to stop the Splunk daemon, 00:36:18.320 --> 00:36:19.680 shut it down, 00:36:19.680 --> 00:36:22.160 restart it--and it's done successfully. So 00:36:22.160 --> 00:36:24.560 all the checks were completed without 00:36:24.560 --> 00:36:27.119 any issue. Alright, so 00:36:27.119 --> 00:36:29.040 now that this is done, we can actually go 00:36:29.040 --> 00:36:31.440 back into Splunk here, and we'll navigate 00:36:31.440 --> 00:36:33.280 to the dashboard. 00:36:33.280 --> 00:36:35.839 This is your Splunk server. Right? 
00:36:35.839 --> 00:36:37.440 And let's take a look at the messages 00:36:37.440 --> 00:36:39.920 here. That's just a few updates--we 00:36:39.920 --> 00:36:41.920 don't need to do anything there. So if we 00:36:41.920 --> 00:36:43.119 click on 00:36:43.119 --> 00:36:45.599 Search & Reporting, just to verify that 00:36:45.599 --> 00:36:47.839 data has indeed been forwarded, I'll 00:36:47.839 --> 00:36:49.280 just skip through this. If we click on 00:36:49.280 --> 00:36:51.040 Data Summary, 00:36:51.040 --> 00:36:52.880 under Sources, you should see that we 00:36:52.880 --> 00:36:55.680 have the host. And in my case, the name of 00:36:55.680 --> 00:36:58.640 the system is blackbox, so that should 00:36:58.640 --> 00:37:01.625 be reflected there. So there we are--blackbox. 00:37:01.625 --> 00:37:03.280 We have 42 00:37:03.280 --> 00:37:06.800 logs or alerts, if you will. Sources: 42. We 00:37:06.800 --> 00:37:08.640 can click on that there to just see the 00:37:08.640 --> 00:37:11.280 data that has been logged. Indeed, we can 00:37:11.280 --> 00:37:13.040 see that has been done correctly. So 00:37:13.040 --> 00:37:14.880 sourcetype is alert. 00:37:14.880 --> 00:37:17.280 We can see that it's imported, you 00:37:17.280 --> 00:37:19.440 know, pretty much all the data--or, you 00:37:19.440 --> 00:37:21.119 know, these are the... this is the full log 00:37:21.119 --> 00:37:24.349 whereby we have the reference to that there. 00:37:24.880 --> 00:37:26.800 That's weird--I didn't actually run 00:37:26.800 --> 00:37:30.240 anything weird, but there you go. 00:37:30.240 --> 00:37:32.720 So now that this is done, you can 00:37:32.720 --> 00:37:34.880 use Splunk to essentially visualize this 00:37:34.880 --> 00:37:36.800 data however you want. So, you 00:37:36.800 --> 00:37:39.359 know, I can go into Visualization, 00:37:39.359 --> 00:37:42.240 and we can click on--maybe we can 00:37:42.240 --> 00:37:44.720 create a... 00:37:44.720 --> 00:37:46.880 we can select a few fields. 
So if I go 00:37:46.880 --> 00:37:50.240 back into the Events here, I can select a 00:37:50.240 --> 00:37:52.240 few fields that I want displayed here, 00:37:52.240 --> 00:37:54.320 and I can, you know, essentially extract 00:37:54.320 --> 00:37:57.040 the fields that I want with regex. 00:37:57.040 --> 00:37:59.680 But I don't think this is necessary at this 00:37:59.680 --> 00:38:01.520 point, because if we actually go back to 00:38:01.520 --> 00:38:03.599 the dashboard 00:38:03.599 --> 00:38:06.160 and we click on-- 00:38:06.160 --> 00:38:10.079 let's see--Snort Alerts for Splunk, 00:38:10.079 --> 00:38:11.440 let's see if this is actually whether 00:38:11.440 --> 00:38:15.200 this automates that process for us. 00:38:15.200 --> 00:38:17.280 There we are. Actually, it looks like 00:38:17.280 --> 00:38:21.599 it does. So, classification: bad-traffic. 00:38:21.599 --> 00:38:24.160 So it looks like that is working. 00:38:24.160 --> 00:38:26.400 What we can do now 00:38:26.400 --> 00:38:28.720 is run a few-- 00:38:28.720 --> 00:38:32.080 we can actually utilize this script here, 00:38:33.520 --> 00:38:37.119 the TestMyNIDS script here. So all 00:38:37.119 --> 00:38:39.440 you need to do to run it is just copy 00:38:39.440 --> 00:38:41.520 this one-liner script here--or this 00:38:41.520 --> 00:38:43.200 command--that will download it into your 00:38:43.200 --> 00:38:46.000 /tmp directory and will then execute it. 00:38:46.000 --> 00:38:49.200 So, you know, to execute it within your 00:38:49.200 --> 00:38:51.599 temp directory, you can just execute 00:38:51.599 --> 00:38:53.040 the actual, 00:38:54.400 --> 00:38:56.240 you know, the actual binary there. It is a 00:38:56.240 --> 00:38:58.800 binary, not a script. 00:38:58.800 --> 00:39:01.280 And once that is done, you can then 00:39:01.280 --> 00:39:03.520 select the option here. So let me just do 00:39:03.520 --> 00:39:05.920 that on my attacker system. 
00:39:05.920 --> 00:39:08.880 I'm just going to run it one more time. So 00:39:08.880 --> 00:39:14.359 I'm just going to say ls here. And 00:39:16.160 --> 00:39:18.960 if I open up the documentation--so 00:39:18.960 --> 00:39:22.809 firstly, I will run 00:39:23.440 --> 00:39:26.640 a quick Linux UID check. So 00:39:26.640 --> 00:39:28.461 I'll just hit Enter. 00:39:28.960 --> 00:39:31.280 Okay. That is done. I'll then perform an 00:39:31.280 --> 00:39:35.119 HTTP basic authentication 00:39:35.119 --> 00:39:37.839 and a malware user-agent. So I'm doing 00:39:37.839 --> 00:39:40.640 that right now. 00:39:40.839 --> 00:39:46.000 Okay. And we can run one more here. So, 00:39:46.000 --> 00:39:48.720 let's see. Let's see. Let's see. We 00:39:48.720 --> 00:39:51.520 can try EXE or DLL download over HTTP. 00:39:51.520 --> 00:39:55.940 That is surely going to be logged, 00:39:57.040 --> 00:39:59.839 or that's going to trigger an alert. 00:39:59.839 --> 00:40:00.640 So, 00:40:00.640 --> 00:40:03.040 do we have--that is running. 00:40:03.040 --> 00:40:05.280 Alright. So Snort is running. That's great. 00:40:05.280 --> 00:40:08.079 So we know that the log is being-- 00:40:08.079 --> 00:40:10.240 the actual alerts are being forwarded. 00:40:10.240 --> 00:40:12.960 Absolutely fantastic. So let's go back in 00:40:12.960 --> 00:40:15.040 here. I've already run those 00:40:15.040 --> 00:40:16.995 particular checks. 00:40:18.400 --> 00:40:20.160 So let me just refresh this. I know it 00:40:20.160 --> 00:40:22.160 usually takes a couple of seconds to a 00:40:22.160 --> 00:40:24.400 couple of minutes, but that data should 00:40:24.400 --> 00:40:26.240 start--should actually be reflected. There 00:40:26.240 --> 00:40:28.160 we are. Fantastic. 
So 00:40:28.160 --> 00:40:31.119 we can see that--firstly, 00:40:31.119 --> 00:40:32.880 I'll just explain the dashboard here 00:40:32.880 --> 00:40:33.760 because 00:40:33.760 --> 00:40:36.160 this dashboard is automatically, you 00:40:36.160 --> 00:40:38.000 know, set up for you by the Snort app, 00:40:38.000 --> 00:40:39.920 which is really awesome. As I said, you 00:40:39.920 --> 00:40:42.340 don't need to go through that process yourself. 00:40:42.560 --> 00:40:44.560 So the first graph here essentially 00:40:44.560 --> 00:40:46.400 tells you your events, 00:40:46.400 --> 00:40:48.560 and it also displays the, you know, 00:40:48.560 --> 00:40:50.400 the total number of sources. So you can 00:40:50.400 --> 00:40:52.560 see that there. You also have the time. 00:40:52.560 --> 00:40:54.480 So you have your events and 00:40:54.480 --> 00:40:56.079 then the timeline here. And you can 00:40:56.079 --> 00:40:58.880 essentially, you know, view a trend--or the 00:40:58.880 --> 00:41:01.680 trend--of events there. You then 00:41:01.680 --> 00:41:04.880 have the top source countries 00:41:04.880 --> 00:41:07.040 right over here. And if I just run 00:41:07.040 --> 00:41:08.720 another check really quickly here 00:41:08.720 --> 00:41:11.119 through the NIDS website-- 00:41:11.119 --> 00:41:14.720 so let me just run the curl command-- 00:41:14.720 --> 00:41:16.640 you should actually see that because 00:41:16.640 --> 00:41:19.280 we are reaching out to, you know, there's a 00:41:19.280 --> 00:41:21.280 connection made to an external server, 00:41:21.280 --> 00:41:23.680 that it should reflect that info under 00:41:23.680 --> 00:41:26.740 the top countries--the top source countries. 00:41:26.800 --> 00:41:28.800 So we then have the events here, which, 00:41:28.800 --> 00:41:31.280 you know, you can click on. And then, 00:41:31.280 --> 00:41:33.119 of course, you have the sources. 
00:41:33.119 --> 00:41:36.079 So these are the Snort event types, 00:41:36.079 --> 00:41:37.760 and these are actually the 00:41:37.760 --> 00:41:39.680 classifications. So we can see potentially 00:41:39.680 --> 00:41:42.640 bad traffic, attempted information leak, 00:41:42.640 --> 00:41:44.720 and, you know, you can just refresh your 00:41:44.720 --> 00:41:47.440 dashboard to get the latest. 00:41:47.440 --> 00:41:49.359 So we'll give that a couple of seconds. 00:41:49.359 --> 00:41:53.110 And you can also specify the actual interval period. 00:41:53.599 --> 00:41:56.400 So I'll just wait for this. Let's 00:41:56.400 --> 00:41:58.880 see if it's actually being logged or 00:41:58.880 --> 00:42:00.319 whether we can see all of that. So I'll 00:42:00.319 --> 00:42:04.000 just go back into the dashboard here, 00:42:04.000 --> 00:42:07.359 and we'll go into Search and Reporting. 00:42:07.359 --> 00:42:09.920 And we click on the actual 00:42:09.920 --> 00:42:13.040 Data Summary and the Sources. We can 00:42:13.040 --> 00:42:16.399 see we have Snort there, and then /var/snort/alert. 00:42:16.399 --> 00:42:20.060 So we click on Snort there. Okay. 00:42:20.060 --> 00:42:22.000 So this is bad traffic. That's 00:42:22.000 --> 00:42:25.440 really weird because 00:42:26.079 --> 00:42:27.920 the source is Snort. We had added two 00:42:27.920 --> 00:42:29.520 sources there. 00:42:29.520 --> 00:42:32.720 So Data Summary-- 00:42:32.720 --> 00:42:34.800 let me just click on that there. And if 00:42:34.800 --> 00:42:36.960 we click on the sources there, this is 00:42:36.960 --> 00:42:40.800 the one that we want, ideally. 00:42:43.200 --> 00:42:47.049 Yeah. So that looks like the correct one there. 00:42:49.599 --> 00:42:51.680 Yeah. That's the correct traffic. I 00:42:51.680 --> 00:42:55.119 think that's why the actual--let me 00:42:55.119 --> 00:42:56.960 see if I can find it. So Snort Alerts for 00:42:56.960 --> 00:43:00.640 Splunk--let me click on the app there. 
00:43:02.480 --> 00:43:04.160 Show Filters. It should be displaying 00:43:04.160 --> 00:43:06.400 much more than that because I know--yeah, 00:43:06.400 --> 00:43:08.319 there are not just four. 00:43:08.319 --> 00:43:09.920 So 00:43:09.920 --> 00:43:12.640 if we actually head over into the 00:43:12.640 --> 00:43:16.560 Snort Event Search here, 00:43:18.480 --> 00:43:20.800 we can actually search for--you know, 00:43:20.800 --> 00:43:25.359 we can utilize--yeah. So these are only-- 00:43:25.359 --> 00:43:28.400 this is only monitoring the pings. So 00:43:28.400 --> 00:43:30.240 that's weird. I'm not really sure why we 00:43:30.240 --> 00:43:32.319 have two data sources. I think it's to do 00:43:32.319 --> 00:43:33.839 with the fact 00:43:33.839 --> 00:43:37.040 that, you know, we had--so let me 00:43:37.040 --> 00:43:39.520 just go back here. 00:43:39.520 --> 00:43:42.640 Apps > Search, and sudo root. 00:43:42.640 --> 00:43:46.720 Let me just check that here. So cd local, 00:43:46.720 --> 00:43:47.839 vim 00:43:47.839 --> 00:43:50.640 inputs.conf. So there we are. So the 00:43:50.640 --> 00:43:52.285 source is Snort. 00:43:53.280 --> 00:43:56.079 We already specified the source as Snort 00:43:56.079 --> 00:43:57.599 there, 00:43:57.599 --> 00:43:59.520 but it's also adding 00:43:59.520 --> 00:44:02.319 this particular, you know, the alert, 00:44:02.319 --> 00:44:04.160 as a source as well. 00:44:04.160 --> 00:44:08.150 And then the source type is snort_alert_full, index main. 00:44:08.150 --> 00:44:09.040 Yeah. That 00:44:09.040 --> 00:44:10.560 should be working. That should be working 00:44:10.560 --> 00:44:12.319 without any issues. I'm not really sure 00:44:12.319 --> 00:44:14.079 why that is the case, but 00:44:14.079 --> 00:44:16.480 we can actually customize what dataset 00:44:16.480 --> 00:44:18.000 we want to use. 
00:44:18.000 --> 00:44:19.359 So 00:44:19.359 --> 00:44:21.520 I think--let me actually showcase how to 00:44:21.520 --> 00:44:23.359 do that right now. 00:44:23.359 --> 00:44:25.839 So apologies about that. I actually 00:44:25.839 --> 00:44:27.599 figured out what the issue was. It was 00:44:27.599 --> 00:44:30.319 because the system I was running 00:44:30.319 --> 00:44:32.079 these particular 00:44:32.079 --> 00:44:34.560 attacks from wasn't even connected to 00:44:34.560 --> 00:44:36.800 the local network. 00:44:36.800 --> 00:44:38.880 And even though I was running 00:44:38.880 --> 00:44:41.040 these attacks, I did realize that, of 00:44:41.040 --> 00:44:44.530 course, they weren't working. So I've just reconnected it. 00:44:44.530 --> 00:44:47.359 And what I'm going to do is I'm just going to 00:44:47.359 --> 00:44:49.599 run this one more time. 00:44:49.599 --> 00:44:53.359 So just give me a second here, and I'll 00:44:53.359 --> 00:44:56.319 be able to do that one more time. So 00:44:56.319 --> 00:44:58.560 let me just navigate to that particular 00:44:58.560 --> 00:45:00.079 directory, 00:45:00.079 --> 00:45:03.120 and we'll actually see whether this will work. 00:45:03.120 --> 00:45:04.400 So 00:45:04.400 --> 00:45:06.000 you can actually see there's much more 00:45:06.000 --> 00:45:07.920 that has been captured in regards to 00:45:07.920 --> 00:45:10.160 events, and I'll be explaining this 00:45:10.160 --> 00:45:12.480 dashboard in a couple of seconds. 00:45:12.480 --> 00:45:14.960 So let me just 00:45:14.960 --> 00:45:17.359 launch that first attack there--so that 00:45:17.359 --> 00:45:19.440 you know--let me just launch that first 00:45:19.440 --> 00:45:22.240 type of check. And of course, I'm using 00:45:22.240 --> 00:45:26.400 TestMyNIDS here. 
So, unfortunately, 00:45:26.400 --> 00:45:28.000 that wasn't even being logged, which is 00:45:28.000 --> 00:45:30.000 why I was a bit confused as to why those 00:45:30.000 --> 00:45:32.800 logs are not being displayed here. 00:45:32.800 --> 00:45:35.520 So I'll give that a couple of seconds, 00:45:35.520 --> 00:45:38.880 and we'll be able to see this happen 00:45:38.880 --> 00:45:41.260 in real time as well. 00:45:41.920 --> 00:45:44.560 Alright. So that is done. So I've 00:45:44.560 --> 00:45:46.319 essentially launched a couple of those 00:45:46.319 --> 00:45:48.319 tests. And, as I said, 00:45:48.319 --> 00:45:50.640 this is your default 00:45:50.640 --> 00:45:52.560 dashboard that you're provided with here. 00:45:52.560 --> 00:45:53.520 So, 00:45:53.520 --> 00:45:55.760 you know, you can actually refresh 00:45:55.760 --> 00:45:59.550 all of these panels here, if you will. 00:45:59.550 --> 00:46:00.800 So that'll display the 00:46:00.800 --> 00:46:03.920 latest. And, as I said here, because I'd 00:46:03.920 --> 00:46:07.680 performed the actual check 00:46:07.680 --> 00:46:09.520 and it connected to an external server, 00:46:09.520 --> 00:46:11.680 you can see that the top source 00:46:11.680 --> 00:46:13.680 countries are highlighted there. 00:46:13.680 --> 00:46:15.839 You can also refresh the number of 00:46:15.839 --> 00:46:18.160 events, as you can see here, 00:46:18.160 --> 00:46:20.319 and the number of sources. So 00:46:20.319 --> 00:46:22.319 you can also do that for the rest of 00:46:22.319 --> 00:46:24.480 the panels. These are the top 10 00:46:24.480 --> 00:46:26.800 classifications 00:46:26.800 --> 00:46:28.960 in terms of events, if you will, and then 00:46:28.960 --> 00:46:32.319 these Snort event types, as you can see here. 
00:46:32.319 --> 00:46:33.839 So, for example, in this case, we have the 00:46:33.839 --> 00:46:36.160 Attack-Response ID Check, which, if we 00:46:36.160 --> 00:46:37.520 click on 00:46:37.520 --> 00:46:40.319 right over here, 00:46:41.119 --> 00:46:42.640 you can see that it actually displays 00:46:42.640 --> 00:46:44.400 that, and you can then 00:46:44.400 --> 00:46:46.400 click on the signature itself. And this 00:46:46.400 --> 00:46:48.880 is for statistics. Now, if you click on 00:46:48.880 --> 00:46:53.040 the Snort Event Search tab right over here, 00:46:53.040 --> 00:46:54.880 you can see that this allows you to 00:46:54.880 --> 00:46:57.119 search based on the source IP, the source 00:46:57.119 --> 00:46:59.680 port, the destination IP, destination port, 00:46:59.680 --> 00:47:02.240 and the event type. So I can check for 00:47:02.240 --> 00:47:04.400 attack responses based on the rule set 00:47:04.400 --> 00:47:06.480 that we had used previously. 00:47:06.480 --> 00:47:09.359 And I can also specify the timing. Right? 00:47:09.359 --> 00:47:12.079 So that's really fantastic there. 00:47:12.079 --> 00:47:14.640 So you can see that right over here, we 00:47:14.640 --> 00:47:16.240 have that logged, 00:47:16.240 --> 00:47:19.040 which is fantastic. And 00:47:19.040 --> 00:47:21.920 if we click on the Snort World Map, 00:47:21.920 --> 00:47:24.000 that'll essentially--as you'll see in a 00:47:24.000 --> 00:47:26.160 couple of seconds--this will essentially 00:47:26.160 --> 00:47:28.559 display the countries by the source IPs. 00:47:28.559 --> 00:47:29.839 In this case, it should display the 00:47:29.839 --> 00:47:32.079 United States, which makes sense. 00:47:32.079 --> 00:47:34.800 And there we are. So, again, this is 00:47:34.800 --> 00:47:37.119 extremely helpful, especially if you work 00:47:37.119 --> 00:47:39.839 in a SOC. 
And as I said, there are multiple, 00:47:39.839 --> 00:47:41.920 you know, security tools you can 00:47:41.920 --> 00:47:45.040 integrate with Splunk. 00:47:45.040 --> 00:47:46.880 Now, one thing that I wanted to highlight 00:47:46.880 --> 00:47:49.440 is--you can, if you click on Edit--and I'll 00:47:49.440 --> 00:47:51.200 just go back to the 00:47:51.200 --> 00:47:53.200 Event Summary here because this is very 00:47:53.200 --> 00:47:55.119 important-- 00:47:55.119 --> 00:47:57.280 you can set this as your main dashboard. 00:47:57.280 --> 00:47:58.960 So if you right-click here, you can set 00:47:58.960 --> 00:48:01.520 this as your home dashboard. 00:48:01.520 --> 00:48:03.599 So I'll just click on that there. 00:48:03.599 --> 00:48:05.440 And now you'll see on your dashboard 00:48:05.440 --> 00:48:08.240 here, if I just close that top menu, 00:48:08.240 --> 00:48:10.240 that'll actually be displayed there. So 00:48:10.240 --> 00:48:12.319 give it a couple of seconds. 00:48:12.319 --> 00:48:15.279 And, of course, you can click on the cogwheel here 00:48:16.240 --> 00:48:19.280 and essentially display--whatever-- 00:48:19.280 --> 00:48:21.520 you know, you can specify your default 00:48:21.520 --> 00:48:23.200 dashboard. Now, there are a couple of 00:48:23.200 --> 00:48:25.599 other ones that are created by default. 00:48:25.599 --> 00:48:28.059 But yeah, you can have that on your dashboard. 00:48:28.400 --> 00:48:31.040 And, you know, if you actually click 00:48:31.040 --> 00:48:33.839 on the Snort--the Snort Alert for Splunk here-- 00:48:33.839 --> 00:48:36.240 and we'll just go back into that Snort 00:48:36.240 --> 00:48:38.240 Event Summary tab, 00:48:38.240 --> 00:48:40.880 you can actually edit the way these 00:48:40.880 --> 00:48:44.240 particular panels are tiled. 
So, 00:48:44.240 --> 00:48:46.079 you know, you can convert it to a 00:48:46.079 --> 00:48:48.880 prebuilt panel or, you know, 00:48:48.880 --> 00:48:50.400 you can--you can actually convert it to a 00:48:50.400 --> 00:48:52.960 prebuilt panel. You can get rid of it. 00:48:52.960 --> 00:48:54.720 You can also move them around based 00:48:54.720 --> 00:48:57.440 on your own requirements. And, in this 00:48:57.440 --> 00:48:59.680 case, you can actually--let's see if I can 00:48:59.680 --> 00:49:02.270 show you. You can actually select the visualization. 00:49:02.480 --> 00:49:04.240 So, in this case, I think the default 00:49:04.240 --> 00:49:06.079 one is fine, and you can then view the 00:49:06.079 --> 00:49:07.920 report here. So 00:49:08.960 --> 00:49:11.359 if we click on this one here, for example, 00:49:11.359 --> 00:49:13.280 we could actually use the bar graph to 00:49:13.280 --> 00:49:17.200 display the--you know--the number of--the actual-- 00:49:17.200 --> 00:49:19.440 the top source countries, and have 00:49:19.440 --> 00:49:21.599 them displayed in a bar graph style. But 00:49:21.599 --> 00:49:23.280 we can just take it back into the pie 00:49:23.280 --> 00:49:25.599 chart there. And you can also change this 00:49:25.599 --> 00:49:27.440 for the events as well. 00:49:27.440 --> 00:49:29.359 So, you know, if we wanted to view a 00:49:29.359 --> 00:49:32.240 trend, we can click on the bar graph there. 00:49:32.240 --> 00:49:34.000 In this case, I don't think that's 00:49:34.000 --> 00:49:37.040 formatted correctly. So if we just use 00:49:37.040 --> 00:49:39.440 the default one, 00:49:39.440 --> 00:49:42.880 which I believe was--I think it was--no, 00:49:42.880 --> 00:49:46.160 that wasn't the one. I believe it was-- 00:49:46.160 --> 00:49:47.920 let's see if I can identify it here. It 00:49:47.920 --> 00:49:50.800 was the number. There we are. 
So, 00:49:50.800 --> 00:49:53.920 as I said, you can customize this based on your own-- 00:49:53.920 --> 00:49:57.440 you know--your own requirements. So, for example, 00:49:57.440 --> 00:49:59.839 this one might do well if it was in the 00:49:59.839 --> 00:50:02.240 form of a bar graph. So, you know, 00:50:02.240 --> 00:50:04.240 you can utilize that if you feel that 00:50:04.240 --> 00:50:06.319 that is appropriate. 00:50:06.319 --> 00:50:08.319 In this case, you know, we can also 00:50:08.319 --> 00:50:11.920 specify the actual--you know--we can 00:50:11.920 --> 00:50:14.559 actually list the events themselves. 00:50:14.559 --> 00:50:16.079 Let's see which other ones look 00:50:16.079 --> 00:50:17.920 really good here. 00:50:17.920 --> 00:50:19.760 And yeah, once you're done with the 00:50:19.760 --> 00:50:22.079 customization, you can then cancel or 00:50:22.079 --> 00:50:24.559 save based on your requirements. And you 00:50:24.559 --> 00:50:27.200 can also filter on this particular tab 00:50:27.200 --> 00:50:30.760 here, you know, through the source IP, destination IP, etc. 00:50:31.280 --> 00:50:35.339 Let's see, what else did I want to highlight? 00:50:35.339 --> 00:50:38.000 Let me just refresh this once more 00:50:38.000 --> 00:50:41.310 and, you know, to essentially get the latest data. 00:50:42.480 --> 00:50:46.280 And you can see, in terms of the panels, 00:50:46.280 --> 00:50:49.520 this will display the last 100 attempts. 00:50:49.520 --> 00:50:52.960 And you can go through them like so. 00:50:53.599 --> 00:50:55.839 You can also view--I think we've gone 00:50:55.839 --> 00:50:57.119 through all of them--but you have the 00:50:57.119 --> 00:50:59.440 persistent sources. So, two or more days 00:50:59.440 --> 00:51:01.359 of activity in the last 30 days. So you 00:51:01.359 --> 00:51:03.040 actually need a lot of data for that to 00:51:03.040 --> 00:51:06.240 be displayed or to give you anything useful. 00:51:07.520 --> 00:51:09.760 Yep. 
So that is 00:51:09.760 --> 00:51:11.680 what I wanted to highlight in regards to 00:51:11.680 --> 00:51:14.079 the Snort Alert for Splunk app and the 00:51:14.079 --> 00:51:15.839 actual dashboards, which, as I said, it 00:51:15.839 --> 00:51:17.359 already does for you. 00:51:17.359 --> 00:51:19.119 Now, you can create your own dashboard, as 00:51:19.119 --> 00:51:22.720 I said, if I go back into Apps > Search and Reporting, 00:51:22.720 --> 00:51:25.200 based on your own sources. So I'll just 00:51:25.200 --> 00:51:27.280 click on Data Summary there. And if I 00:51:27.280 --> 00:51:29.280 click on Sources, 00:51:29.280 --> 00:51:30.960 you can click on 00:51:30.960 --> 00:51:33.839 this source here, for example. And, 00:51:33.839 --> 00:51:36.640 you know, in this case, we can actually 00:51:36.640 --> 00:51:39.680 just click on that there. And I can click 00:51:39.680 --> 00:51:41.920 on Extract Fields, 00:51:41.920 --> 00:51:43.359 and you can extract the fields with 00:51:43.359 --> 00:51:46.319 regex. So I'll click on Next there. 00:51:46.319 --> 00:51:47.760 And you can then select the fields that 00:51:47.760 --> 00:51:50.400 you want. So, for example, in this case, we 00:51:50.400 --> 00:51:52.720 would want the date and time. 00:51:52.720 --> 00:51:55.280 So I can just highlight that there. So I 00:51:55.280 --> 00:51:56.319 can say 00:51:56.319 --> 00:51:59.520 time, for example, add the extraction. 00:51:59.520 --> 00:52:02.000 And then, of course, we have the source IP 00:52:02.000 --> 00:52:03.839 and the port. But I'll just highlight 00:52:03.839 --> 00:52:05.680 them together. But I think it's actually 00:52:05.680 --> 00:52:08.630 recommended just to highlight the source IP there. 00:52:08.880 --> 00:52:15.280 So source--we can say src underscore port, IP. 
00:52:15.520 --> 00:52:18.480 Add that extraction, and we then have the 00:52:18.480 --> 00:52:20.800 destination IP, which, in this case, 00:52:20.800 --> 00:52:22.559 because this is 00:52:22.559 --> 00:52:25.520 an SNMP broadcast 00:52:25.520 --> 00:52:27.520 request, we can--we know that that's the 00:52:27.520 --> 00:52:34.450 destination IP. So I'll say dst underscore IP, add the extraction. 00:52:34.450 --> 00:52:38.040 Let's see what else we can do. 00:52:40.079 --> 00:52:41.440 In this case, it's saying the extraction 00:52:41.440 --> 00:52:42.960 field you're extracting--if you're 00:52:42.960 --> 00:52:45.040 extracting multiple fields, try removing 00:52:45.040 --> 00:52:47.040 one or more fields. Start with the 00:52:47.040 --> 00:52:48.720 extractions that are embedded within 00:52:48.720 --> 00:52:51.680 longer strings. Okay. So let's try and use 00:52:51.680 --> 00:52:54.400 another alert here 00:52:54.400 --> 00:52:58.119 that was kind of interesting. Let's see. 00:52:58.319 --> 00:53:00.480 It's not displaying all of them here, but 00:53:00.480 --> 00:53:02.800 you get the idea. Once you're done-- 00:53:02.800 --> 00:53:04.480 you know, for example, I can remove 00:53:04.480 --> 00:53:06.079 that field here. I'm just giving you an 00:53:06.079 --> 00:53:08.720 example of that. So remove that field. 00:53:08.720 --> 00:53:12.000 There we are. I can then say Next, and 00:53:12.000 --> 00:53:15.440 I can click on Validate and Save based 00:53:15.440 --> 00:53:18.240 on those fields there. Hit Finish. 00:53:18.240 --> 00:53:20.800 And then, you know, I can go back, 00:53:20.800 --> 00:53:23.359 you know, to Search and Reporting. 
00:53:23.359 --> 00:53:25.280 And if I wanted to create a very simple 00:53:25.280 --> 00:53:27.839 visualization, which I'll show you right now-- 00:53:27.839 --> 00:53:30.000 even though I don't really need those 00:53:30.000 --> 00:53:31.920 extracted fields, although they might be 00:53:31.920 --> 00:53:33.280 useful--so 00:53:33.280 --> 00:53:36.079 I can click on those extracted fields 00:53:36.079 --> 00:53:39.760 now. I believe they should have been added. 00:53:39.760 --> 00:53:41.200 I'm not really sure why they aren't 00:53:41.200 --> 00:53:43.440 being highlighted here. There we are. 00:53:43.440 --> 00:53:45.200 So source IP. 00:53:45.200 --> 00:53:47.760 We can also, say, specify the source port. 00:53:47.760 --> 00:53:50.240 We--oh, there they are. So 00:53:50.240 --> 00:53:51.760 actually, they took a while to be 00:53:51.760 --> 00:53:53.599 displayed there. So, 00:53:53.599 --> 00:53:56.559 source port--that--why not? We can-- 00:53:56.559 --> 00:53:59.920 yeah, I think that's pretty much it. So 00:53:59.920 --> 00:54:02.079 based on those, we can actually build 00:54:02.079 --> 00:54:04.480 an event type. However, if we go to 00:54:04.480 --> 00:54:07.520 Visualization and click on Pivot here-- 00:54:07.520 --> 00:54:10.640 selected fields is five--hit OK. 00:54:10.640 --> 00:54:12.559 We can actually, you know, visualize this 00:54:12.559 --> 00:54:14.319 however we want. So, for example, if I 00:54:14.319 --> 00:54:17.119 wanted a column chart here-- 00:54:17.119 --> 00:54:19.680 so number one will display the count-- 00:54:19.680 --> 00:54:22.909 I can just add the events 00:54:24.079 --> 00:54:26.319 because that's the count. And we should 00:54:26.319 --> 00:54:28.720 have, at the bottom, the time, which I did 00:54:28.720 --> 00:54:33.089 specify--I believe within that range there-- 00:54:34.000 --> 00:54:36.720 but that's not being highlighted here. 
So 00:54:36.720 --> 00:54:39.280 the number of events--and, you know, you 00:54:39.280 --> 00:54:41.839 can go ahead and click as--you can 00:54:41.839 --> 00:54:43.440 essentially save it. 00:54:43.440 --> 00:54:45.280 So you get the idea. You don't really 00:54:45.280 --> 00:54:46.880 need to do this because we have the 00:54:46.880 --> 00:54:48.480 Snort app here, 00:54:48.480 --> 00:54:50.079 which pretty much gives you the 00:54:50.079 --> 00:54:52.880 summaries that are useful to you or for you. 00:54:53.839 --> 00:54:56.559 And there we are. So fantastic. So that's 00:54:56.559 --> 00:54:57.920 going to conclude the practical 00:54:57.920 --> 00:55:01.119 demonstration side of this video. 00:55:01.119 --> 00:55:02.799 So, thank you very much for watching 00:55:02.799 --> 00:55:04.559 this video. If you have any questions or 00:55:04.559 --> 00:55:06.880 suggestions, leave them in the comment section. 00:55:07.200 --> 00:55:08.559 If you want to reach out to me, you can 00:55:08.559 --> 00:55:10.160 do so via 00:55:10.160 --> 00:55:12.319 Twitter or the Discord server. The links 00:55:12.319 --> 00:55:14.240 to both of those are in the description 00:55:14.240 --> 00:55:16.720 section. Furthermore, we are now moving on 00:55:16.720 --> 00:55:18.720 to part two. So this will conclude part 00:55:18.720 --> 00:55:21.040 one. Part two will be available on 00:55:21.040 --> 00:55:24.559 Linode's ON24 platform. So, the videos 00:55:24.559 --> 00:55:26.559 are available on-demand. So all you 00:55:26.559 --> 00:55:28.559 need to do is just click the link 00:55:28.559 --> 00:55:31.599 in the description, register for part two, 00:55:31.599 --> 00:55:33.520 after which an email will be sent to you, 00:55:33.520 --> 00:55:34.720 and you'll be given--you know-- 00:55:34.720 --> 00:55:37.200 immediate access to the videos 00:55:37.200 --> 00:55:40.000 within part two. So, thank you very 00:55:40.000 --> 00:55:42.799 much for watching part one. 
In the 00:55:42.799 --> 00:55:45.040 next video, in part two, we'll get started-- 00:55:45.040 --> 00:55:46.640 or we'll take a look--at host intrusion 00:55:46.640 --> 00:55:49.520 detection with OSSEC. So I'll be seeing 00:55:49.520 --> 00:55:51.381 you in the next video. 00:55:51.381 --> 00:56:12.426 [Music].