Splunk Security Event Monitoring | Blue Team Series with Hackersploit

Rollback to version 1

0:01 - 0:04

hello everyone welcome back to the blue
0:04 - 0:05

team training series brought to you by
0:05 - 0:08

linode and hackersploit in this video
0:08 - 0:10

we're going to be taking a look at how
0:10 - 0:12

to set up or how to perform security
0:12 - 0:14

vent monitoring with splunk more
0:14 - 0:17

specifically uh splunk enterprise
0:17 - 0:19

security right so the objective here
0:19 - 0:21

will be to monitor uh intrusions and
0:21 - 0:24

threats with splunk and you might be
0:24 - 0:25

asking yourself well how are we going to
0:25 - 0:28

do this what setup are we using well the
0:28 - 0:30

scenario that i've set up for this video
0:30 - 0:33

is we're essentially going to
0:33 - 0:34

take all the knowledge that we've
0:34 - 0:38

learned during the snort video and we
0:38 - 0:39

are going to essentially forward all of
0:39 - 0:43

the snort logs uh into splunk or have
0:43 - 0:44

that done automatically through the
0:44 - 0:48

splunk universal folder so that we get
0:48 - 0:50

the latest logs when snort is running on
0:50 - 0:52

our ubuntu virtual machine
0:52 - 0:55

and the objective here is to use splunk
0:55 - 0:58

in conjunction with the splunk snort app
0:58 - 1:01

to essentially visualize and identify or
1:01 - 1:03

monitor network intrusions and any
1:03 - 1:04

malicious
1:04 - 1:07

network traffic you know within the
1:07 - 1:09

network that i'm monitoring
1:09 - 1:19

[Music]
1:19 - 1:22

at a very high level what will we be
1:22 - 1:23

covering well firstly we'll get an
1:23 - 1:25

introduction to splunk now before we
1:25 - 1:28

move any forward or we actually carry on
1:28 - 1:31

i do want to note that this video is not
1:31 - 1:32

going to be focused on splunk
1:32 - 1:35

fundamentals i'm going to be i'm going
1:35 - 1:36

to assume that you already know what
1:36 - 1:38

splunk is
1:38 - 1:40

and how it can be used you know
1:40 - 1:42

and how it's used generally speaking
1:42 - 1:45

because splunk is not really a tool uh
1:45 - 1:48

that is specific to security for example
1:48 - 1:50

that's why they have the splunk
1:50 - 1:53

enterprise security version or edition
1:53 - 1:54

and i'm just going to assume that you
1:54 - 1:56

know how to use splunk at a very basic
1:56 - 1:58

level so once we get an introduction to
1:58 - 2:01

splunk we'll go over splunk enterprise
2:01 - 2:03

uh security at the enterprise the
2:03 - 2:05

enterprise security edition and how it
2:05 - 2:07

can be used for security event
2:07 - 2:08

monitoring especially in our case
2:08 - 2:11

because we want to essentially monitor
2:11 - 2:13

uh the intrusion detection logs
2:13 - 2:15

generated by snort
2:15 - 2:17

so we'll then move on to deploying
2:17 - 2:19

splunk enterprise security on linux
2:19 - 2:21

which is absolutely fantastic because
2:21 - 2:23

they have a cloud image
2:23 - 2:25

available for it that allows you to spin
2:25 - 2:26

it up without going through the process
2:26 - 2:29

of installing it and configuring it so
2:29 - 2:31

that will set up that'll set it up for
2:31 - 2:33

us we'll then take a look at how to
2:33 - 2:35

configure splunk and how to set up the
2:35 - 2:38

splunk universal folder on the ubuntu
2:38 - 2:40

virtual machine that is running snot so
2:40 - 2:42

that we can forward those logs into
2:42 - 2:45

splunk uh and then of course we'll take
2:45 - 2:47

a look at the splunk snot event uh
2:47 - 2:50

dashboard that will be provided to us by
2:50 - 2:50

the
2:50 - 2:53

splunk snot app so if this sounds like a
2:53 - 2:55

gibberish to you don't worry it'll make
2:55 - 2:58

sense in a couple of uh in a couple of
2:58 - 2:59

minutes
2:59 - 3:01

with that being said uh given the fact
3:01 - 3:03

that we're going to be using uh you know
3:03 - 3:04

we're going to be using snort to
3:04 - 3:07

generate alerts and monitor those alerts
3:07 - 3:09

uh if you have not gone through these uh
3:09 - 3:12

the actual snort video please do that as
3:12 - 3:14

it will help you set up snot and you can
3:14 - 3:16

then run through this demo with that
3:16 - 3:19

being said this is not a holistic video
3:19 - 3:21

that will cover everything you can do
3:21 - 3:23

with splunk enterprise security we are
3:23 - 3:25

just focused on
3:25 - 3:28

the intrusion detection uh logs produced
3:28 - 3:30

by snort and how they can be
3:30 - 3:33

imported or forwarded to splunk for uh
3:33 - 3:36

you know analysis and monitoring
3:36 - 3:38

uh so the prerequisites are the same as
3:38 - 3:40

the previous videos the only difference
3:40 - 3:42

is uh you know that you need to have a
3:42 - 3:44

basic familiarity with splunk and how to
3:44 - 3:46

navigate around the various menu
3:46 - 3:48

elements and
3:48 - 3:50

essentially just how to use it at a very
3:50 - 3:51

basic level if you're not familiar with
3:51 - 3:54

splunk i'll give you a few resources at
3:54 - 3:56

the end of the at the end of these
3:56 - 3:58

slides uh that will help you out or help
3:58 - 4:00

you get started
4:00 - 4:02

all right so let's get an introduction
4:02 - 4:04

to splunk so what is splunk that's the
4:04 - 4:06

main question if you've never heard of
4:06 - 4:08

splunk splunk is an extremely powerful
4:08 - 4:10

platform that is used to analyze data
4:10 - 4:13

and logs produced by systems or machines
4:13 - 4:16

as splunk likes to call them so
4:16 - 4:19

what problem is splunk trying to solve
4:19 - 4:21

here well let's look at this from the
4:21 - 4:25

perspective of web 2.0 or you know the
4:25 - 4:27

the interconnected world we live in
4:27 - 4:29

today and we're going to be looking at
4:29 - 4:31

it from the context of from the
4:31 - 4:33

perspective of security
4:33 - 4:36

so if we take a simple system let's say
4:36 - 4:39

we have a windows operating system or a
4:39 - 4:41

system running windows well that windows
4:41 - 4:45

system produces a lot of data or logs
4:45 - 4:47

uh that you know that contain
4:47 - 4:49

information that you know at a first
4:49 - 4:52

glance might not seem that important but
4:52 - 4:54

once you start getting into specific
4:54 - 4:57

sectors like security those logs start
4:57 - 5:00

uh you know those logs have uh you know
5:00 - 5:02

very important value to organizations
5:02 - 5:05

now multiply that by a thousand systems
5:05 - 5:07

so let's say we have an organization
5:07 - 5:09

they have a thousand computers within
5:09 - 5:10

their network or you know distributed
5:10 - 5:14

worldwide and all of these systems are
5:14 - 5:15

you know need to be secured their
5:15 - 5:18

security needs to be monitored so how do
5:18 - 5:21

we monitor all of this well this is
5:21 - 5:23

where splunk comes into play so splunk
5:23 - 5:25

allows you to essentially funnel all of
5:25 - 5:27

this data produced by systems or
5:27 - 5:29

machines
5:29 - 5:31

into splunk and then splunk allows you
5:31 - 5:33

to monitor search and analyze this
5:33 - 5:35

machine generated data and the logs
5:35 - 5:38

through a web interface so in order to
5:38 - 5:40

use splunk you'll need to import your
5:40 - 5:42

own data or logs alternatively you can
5:42 - 5:45

utilize the splunk universal folder to
5:45 - 5:48

forward logs and data to splunk for
5:48 - 5:51

analysis and of course visualization etc
5:51 - 5:53

now splunk does so much more that i
5:53 - 5:55

really can't go over all of the features
5:55 - 5:57

here but as i said we're looking at this
5:57 - 6:00

from the uh lens of a security engineer
6:00 - 6:02

all right so splunk collates all the
6:02 - 6:05

data and logs from various sources and
6:05 - 6:07

provides you with a central index that
6:07 - 6:09

you can search through splunk also
6:09 - 6:11

provides you with robust visualization
6:11 - 6:13

and reporting tools that allow you to
6:13 - 6:15

identify the data that interests you
6:15 - 6:17

transform the data into results and
6:17 - 6:20

visualize the answers in the form of a
6:20 - 6:23

report chart graph etc all right so what
6:23 - 6:25

i'm saying here is that splunk allows
6:25 - 6:28

you to take all of this security related
6:28 - 6:32

logs and data and make sense of them and
6:32 - 6:34

essentially get the answers that you're
6:34 - 6:36

looking for so for example from the
6:36 - 6:38

perspective of a security engineer what
6:38 - 6:40

do you want from all of this data well
6:40 - 6:42

at a very high level you want to know
6:42 - 6:44

whether something is going wrong and
6:44 - 6:46

what could go wrong in the context of
6:46 - 6:49

security a network could be compromised
6:49 - 6:51

there could be some malicious network
6:51 - 6:53

traffic or activity going on a system
6:53 - 6:56

could be compromised etc etc you get the
6:56 - 6:58

idea so we need that data to be
6:58 - 7:01

displayed to us as a security engineer
7:01 - 7:03

and splunk is really one of the best
7:03 - 7:05

tools uh you know when it comes down to
7:05 - 7:08

you know taking a lot of data
7:08 - 7:10

and then identifying the data that
7:10 - 7:12

interests you transforming that data
7:12 - 7:15

into results and then visualizing that
7:15 - 7:17

data in the form of the report chart or
7:17 - 7:20

graph right so that's really what we're
7:20 - 7:22

going to be doing and as i said going
7:22 - 7:24

back to the scenario we're going to be
7:24 - 7:26

focusing on how to you know essentially
7:26 - 7:29

get in or how to forward
7:29 - 7:32

the logs created or the logs and alerts
7:32 - 7:33

created by
7:33 - 7:36

snort into splunk for analysis and
7:36 - 7:39

luckily for us splunk has a snort app or
7:39 - 7:41

plug-in if you will that that will
7:41 - 7:44

essentially simplify this process
7:44 - 7:45

so
7:45 - 7:47

let's get an idea as to you know how we
7:47 - 7:49

can use splunk for security when
7:49 - 7:52

monitoring so splunk enterprise security
7:52 - 7:55

also known as splunk es is a security
7:55 - 7:57

information and event management
7:57 - 7:59

solution also known as a seam
7:59 - 8:01

it is used to but is used by security
8:01 - 8:04

teams to quickly detect and respond to
8:04 - 8:06

internal and external attacks or threats
8:06 - 8:10

or intrusions so splunk es can be used
8:10 - 8:12

for security when monitoring incident
8:12 - 8:14

response and running a sock or security
8:14 - 8:16

operations center
8:16 - 8:18

in this video we'll be using splunk es
8:18 - 8:20

to monitor and visualize the snort
8:20 - 8:22

intrusion alerts this will be
8:22 - 8:24

facilitated through the help of the snot
8:24 - 8:27

app for splunk and the splunk universal
8:27 - 8:29

folder now the splunk universal folder
8:29 - 8:31

is pretty much the most important
8:31 - 8:33

element of what we'll be exploring
8:33 - 8:35

because what it does and this is really
8:35 - 8:37

cool is it allow it automatically
8:37 - 8:39

forwards the latest logs
8:39 - 8:40

even when
8:40 - 8:42

when snot is running it forwards those
8:42 - 8:45

alerts and logs into splunk and you can
8:45 - 8:47

see them in real time which is
8:47 - 8:49

absolutely fantastic
8:49 - 8:52

so as i said if you're new to splunk
8:52 - 8:55

then these resources are really helpful
8:55 - 8:57

for you so splunk offer really great
8:57 - 8:59

tutorials and courses designed for
8:59 - 9:01

absolute beginners you can check that
9:01 - 9:03

out by clicking on the link within this
9:03 - 9:06

slide and you can learn more about the
9:06 - 9:08

splunk enterprise security edition from
9:08 - 9:10

that particular link
9:10 - 9:11

now as i said we're going to be
9:11 - 9:12

deploying
9:12 - 9:15

uh splunk on linux more specifically
9:15 - 9:17

splunk es and this is the lab
9:17 - 9:19

environment so we're going to spin up uh
9:19 - 9:22

you know splunk yes on linux now again
9:22 - 9:23

to follow through with this as uh you
9:23 - 9:26

know linux has been absolutely fantastic
9:26 - 9:28

with uh you know by providing uh all of
9:28 - 9:31

you guys uh with a way to get a hundred
9:31 - 9:33

dollars in free linux credit all you
9:33 - 9:35

need to do is just click the link in the
9:35 - 9:37

description section and sign up and a
9:37 - 9:39

hundred dollars will be added to your
9:39 - 9:41

account so that you can follow along
9:41 - 9:43

with this series um so we're going to
9:43 - 9:45

set up splunk yes on linux and then
9:45 - 9:47

within my internal network uh we're just
9:47 - 9:49

gonna have a very basic infrastructure
9:49 - 9:50

we're going to have the ubuntu virtual
9:50 - 9:53

machine that is running snot this is the
9:53 - 9:55

same virtual machine that we had set up
9:55 - 9:58

and used uh to set up snort and set up
9:58 - 10:00

suricata and the one we had used with
10:00 - 10:01

wazoo
10:01 - 10:04

and yeah that's essentially it we're
10:04 - 10:05

going to have a very basic
10:05 - 10:06

infrastructure where we have an attacker
10:06 - 10:09

system that i'm going to be using to
10:09 - 10:10

perform
10:10 - 10:12

uh a bit of uh you know network
10:12 - 10:15

intrusion detection uh emulation whereby
10:15 - 10:18

i will essentially perform or run a
10:18 - 10:21

couple of commands or uh or scripts to
10:21 - 10:23

essentially emulate malicious network
10:23 - 10:26

activity so that these logs are uh are
10:26 - 10:28

essentially or so so this traffic is
10:28 - 10:30

essentially logged and that will provide
10:30 - 10:33

us with a good idea as to how helpful
10:33 - 10:35

splunk is for security event monitoring
10:35 - 10:38

especially in the context of our network
10:38 - 10:40

intrusions
10:40 - 10:42

so as i said you don't really need to
10:42 - 10:44

have a windows workstation you simply
10:44 - 10:46

need to have the ubuntu vm and you can
10:46 - 10:49

pretty much run everything from it and
10:49 - 10:51

of course you can set up the splunk
10:51 - 10:52

enterprise
10:52 - 10:54

enterprise security server on linux
10:54 - 10:56

without any issues
10:56 - 10:58

so that's the lab environment we can now
10:58 - 11:00

get started with the practical
11:00 - 11:01

demonstration so i'm going to switch
11:01 - 11:05

over to my ubuntu virtual machine
11:05 - 11:08

all right so i'm back on my ubuntu
11:08 - 11:09

virtual machine and you can see i have
11:09 - 11:11

linux opened up here
11:11 - 11:13

i haven't set anything up yet because
11:13 - 11:15

we're going to be walking through the
11:15 - 11:16

process together
11:16 - 11:19

i then have the splunk.com website here
11:19 - 11:21

so if you're new to splunk then you need
11:21 - 11:23

to create a new account in order to
11:23 - 11:25

follow along so uh just head over to
11:25 - 11:27

head over to splunk.com and you know
11:27 - 11:30

register for an account it's free
11:30 - 11:31

once that is done
11:31 - 11:33

you'll need to activate your account or
11:33 - 11:35

verify your account through the email or
11:35 - 11:37

the verification email
11:37 - 11:40

they'll send you once that is done
11:40 - 11:41

we can then move forward because in
11:41 - 11:44

order to access the actual um
11:44 - 11:47

splunk universal folder you'll need to
11:47 - 11:49

have an account and of course um you
11:49 - 11:51

know in this case i'll be going through
11:51 - 11:53

everything as we move along in a
11:53 - 11:56

structured uh in a structured manner and
11:56 - 11:59

then to perform the actual nids
11:59 - 12:00

tests
12:00 - 12:02

we are going to be using the test
12:02 - 12:04

mynids.org
12:04 - 12:06

project which is on github so this is
12:06 - 12:09

essentially a bash script
12:09 - 12:11

that allows you to as you can see here
12:11 - 12:13

it allows you to essentially emulate or
12:13 - 12:17

simulate malicious network traffic so uh
12:17 - 12:19

previously we had used the website uh
12:19 - 12:21

the website technique to essentially get
12:21 - 12:24

a linux uid and that traffic would be
12:24 - 12:26

logged as malicious or
12:26 - 12:28

it could be logged as a potential
12:28 - 12:30

intrusion and we can run a few other
12:30 - 12:33

checks like an http basic authentication
12:33 - 12:36

bad certificate authorities
12:36 - 12:39

uh an exe or dll download over http so
12:39 - 12:41

you know just we can run tests that are
12:41 - 12:43

you know will just make our
12:43 - 12:45

intrusion detection system uh blow up in
12:45 - 12:48

terms of alerts and that's what we want
12:48 - 12:50

because we want to see how that data is
12:50 - 12:52

presented to us as a security engineer
12:52 - 12:55

on splunk with that being said the first
12:55 - 12:58

step of course is to set up splunk es on
12:58 - 12:59

linux so
12:59 - 13:02

just click on uh click on create and a
13:02 - 13:04

linux and click on marketplace
13:04 - 13:06

and they already have splunk here so
13:06 - 13:08

there we are you can click on that there
13:08 - 13:10

and if you click on this little info
13:10 - 13:12

button here it'll give you an idea as to
13:12 - 13:14

how to deploy it on
13:14 - 13:16

uh on linux and of course you have more
13:16 - 13:18

information regarding splunk so you have
13:18 - 13:20

the documentation link there so i'll
13:20 - 13:23

just click on splunk
13:23 - 13:25

once that is clicked we can then head
13:25 - 13:27

over here you'll need to specify the
13:27 - 13:29

splunk admin user i recommend using
13:29 - 13:32

admin to begin with and then specify a
13:32 - 13:33

password
13:33 - 13:36

if you're setting up you know splunk on
13:36 - 13:38

a domain then you can specify the
13:38 - 13:40

lynnode api token to essentially create
13:40 - 13:42

the dns records that's if you're using
13:42 - 13:44

linux dns
13:44 - 13:46

dns service
13:46 - 13:48

uh and then of course you need to add
13:48 - 13:50

the admin email for the server so in
13:50 - 13:52

this case i can just say for example
13:52 - 13:54

hackersploit
13:54 - 13:56

gmail.com
13:56 - 13:57

don't spam me on this email because i
13:57 - 14:00

don't respond anyway so we can create
14:00 - 14:01

another user
14:01 - 14:02

uh so this is the username for the
14:02 - 14:05

lynnode admins ssh user please ensure
14:05 - 14:06

that the username does not contain any
14:06 - 14:09

so we can just call this admin and then
14:09 - 14:11

for the admin user we'll just say
14:11 - 14:13

provide that there
14:13 - 14:15

so the image we're going to set it up on
14:15 - 14:18

ubuntu 20.04 the region i'll say london
14:18 - 14:20

because that's closest to me
14:20 - 14:22

as for the actual linux plan
14:22 - 14:25

linux es doesn't require that many
14:25 - 14:26

resources especially because you know
14:26 - 14:29

the amount of data that we're processing
14:29 - 14:31

on the logs that are being forwarded to
14:31 - 14:34

splunk are relatively few so less than
14:34 - 14:36

100 which if you've used splunk before
14:36 - 14:38

for security vent monitoring you know
14:38 - 14:39

that that is
14:39 - 14:41

like really really small in fl in in
14:41 - 14:43

fact splunk will actually tell you that
14:43 - 14:45

you know the amount of data
14:45 - 14:48

to begin with that you have imported or
14:48 - 14:50

you afforded is too little to make any
14:50 - 14:51

sense off
14:51 - 14:52

but that's where the snort app for
14:52 - 14:55

splunk comes into play so i'll just say
14:55 - 14:56

splunk
14:56 - 14:58

and i'll provide my root password for
14:58 - 14:59

the server
14:59 - 15:02

and we can click on create
15:02 - 15:03

all right now
15:03 - 15:06

uh once this is set up and provisioned
15:06 - 15:08

the actual installer is going to begin
15:08 - 15:10

so it's going to set up because there is
15:10 - 15:13

an auto installer setup that will set up
15:13 - 15:15

splunk yes for you so uh let it
15:15 - 15:17

provision after that's done you can
15:17 - 15:19

launch the lish console to avoid logging
15:19 - 15:22

in via ssh and of course one thing that
15:22 - 15:24

i need to that i don't need to tell you
15:24 - 15:26

is if you're setting this up for
15:26 - 15:28

production then you need to make sure
15:28 - 15:30

you're securing your server so do only
15:30 - 15:33

use ssh keys for authentication with the
15:33 - 15:34

server
15:34 - 15:36

if you're new to hardening and securing
15:36 - 15:38

a linux server you can check out the
15:38 - 15:39

previous series
15:39 - 15:42

that we did with linux the linux server
15:42 - 15:45

security series uh that'll give you uh
15:45 - 15:47

you know all the information you need to
15:47 - 15:50

secure a linux server for production
15:50 - 15:51

with that being said i'm just going to
15:51 - 15:53

let it provision after which we can
15:53 - 15:55

launch the english console to see what's
15:55 - 15:57

going on in the background and we can
15:57 - 15:59

then get started uh you know officially
15:59 - 16:00

with um
16:00 - 16:02

with how to set up splunk we then need
16:02 - 16:05

to set up the universal folder
16:05 - 16:09

so uh this is booting now
16:09 - 16:11

all right so the server is booted and
16:11 - 16:13

you can see i've just opened up the lish
16:13 - 16:14

console here
16:14 - 16:16

to essentially view what's going on as
16:16 - 16:18

you can see it's begun setting up a
16:18 - 16:20

splunk yes so just give this a couple of
16:20 - 16:22

minutes
16:22 - 16:23

to essentially begin
16:23 - 16:26

um and once it's done it'll actually
16:26 - 16:27

tell you that it'll provide you with the
16:27 - 16:29

login prompt
16:29 - 16:30

but it's probably logged in as the root
16:30 - 16:32

user already so
16:32 - 16:34

uh just let this complete i'm just gonna
16:34 - 16:37

wait for this to actually conclude
16:37 - 16:40

all right so once uh splunk es is done
16:40 - 16:43

uh or the actual uh linode is done here
16:43 - 16:44

with the setup you can see it's gonna
16:44 - 16:46

tell you installation complete
16:46 - 16:48

and you can then log in uh keep this
16:48 - 16:50

window open because this is going to be
16:50 - 16:51

very important as we'll need to
16:51 - 16:53

configure a few firewall rules because
16:53 - 16:56

uh by default this linux comes with ufw
16:56 - 16:59

which is the uncomplicated firewall for
16:59 - 17:00

debian or
17:00 - 17:02

it typically comes pre-packaged with
17:02 - 17:05

debian-based distributions like ubuntu
17:05 - 17:07

in this case it's already added the
17:07 - 17:08

firewall rule for the port that we
17:08 - 17:10

wanted but just keep it open because
17:10 - 17:13

we'll need to run a few checks um so you
17:13 - 17:14

can log in there so i'm just going to
17:14 - 17:16

log in with the credentials that i
17:16 - 17:19

specified as the root user and i can
17:19 - 17:22

just say sudo ufw status
17:22 - 17:24

um
17:24 - 17:25

and you can see these are all the
17:25 - 17:28

allowed rules or the actual rules
17:28 - 17:30

configured for the firewall which is
17:30 - 17:32

looking good uh so far
17:32 - 17:36

so we can access the splunk es instance
17:36 - 17:38

that we set up by pasting in the ip of
17:38 - 17:42

the server and and opening up port 8000
17:42 - 17:44

that's going to open up splunk yes for
17:44 - 17:46

you so just give this a couple of
17:46 - 17:48

seconds there we are and the credentials
17:48 - 17:51

that we had used were admin and the
17:51 - 17:53

password that i created uh that you know
17:53 - 17:55

of course you'll you'll be able to
17:55 - 17:57

specify yourself so just sign in
17:57 - 18:00

um and once that is done you'll be
18:00 - 18:03

brought to splunk enterprise
18:03 - 18:05

security here so there we are explore
18:05 - 18:07

splunk enterprise
18:07 - 18:10

uh and um
18:10 - 18:11

in this case what we're going to be
18:11 - 18:14

doing what we're going to start off with
18:14 - 18:16

is we need to go through a few
18:16 - 18:19

configuration uh changes with splunk
18:19 - 18:20

itself
18:20 - 18:23

so the idea firstly is to configure
18:23 - 18:26

uh the actual uh rece the receiving of
18:26 - 18:27

data so if you head over into settings
18:27 - 18:29

you can click on under data just click
18:29 - 18:32

on forwarding and receiving
18:32 - 18:34

uh and once that is done once that is
18:34 - 18:36

loaded up
18:36 - 18:38

um under received data we need to
18:38 - 18:40

configure this instance to receive data
18:40 - 18:42

forwarded from other instances so we
18:42 - 18:44

want to configure receiving
18:44 - 18:45

and we just want to set the default
18:45 - 18:47

receiving port
18:47 - 18:50

so we can say new receiving port
18:50 - 18:52

and the port is of course going to be
18:52 - 18:55

the default which is 9997 which is why
18:55 - 18:57

that firewall rule was added so i'll
18:57 - 18:59

click on save
18:59 - 19:01

all right so once that is done we can
19:01 - 19:04

now install the snot
19:04 - 19:06

app for splunk so click on apps and head
19:06 - 19:08

over into find more apps
19:08 - 19:11

and because the ubuntu server is running
19:11 - 19:13

or the ubuntu vm that i'm currently
19:13 - 19:16

working on is running snot 2 we'll need
19:16 - 19:18

the appropriate uh app here so i'll just
19:18 - 19:20

search for snot there and we're not
19:20 - 19:22

looking for these note 3 json alerts
19:22 - 19:24

although that you know could be quite
19:24 - 19:26

useful but we want the snort alert for
19:26 - 19:29

splunk all right so this app provides
19:29 - 19:31

field extraction so that's really great
19:31 - 19:32

because performing your own field
19:32 - 19:35

extractions uh you know using rejects
19:35 - 19:36

can be quite difficult if you're a
19:36 - 19:39

beginner so fast and full
19:39 - 19:42

as well as dashboards uh saved searches
19:42 - 19:46

reports event types tags and event
19:46 - 19:48

search interfaces so we'll install that
19:48 - 19:50

now you'll need to log in with the spa
19:50 - 19:52

your splunk account credentials that you
19:52 - 19:55

uh you know that you actually created on
19:55 - 19:58

splunk.com so i'll just fill in my
19:58 - 20:00

information really quickly
20:00 - 20:02

all right so i've put in my username and
20:02 - 20:04

password so i'll just say i'll accept
20:04 - 20:06

the terms and conditions there so log in
20:06 - 20:08

and install
20:08 - 20:09

that's going to install it there we are
20:09 - 20:11

so we'll just hit done
20:11 - 20:13

now that is done if we head back over
20:13 - 20:16

into our dashboard so i'll just click on
20:16 - 20:18

splunk enterprise there
20:18 - 20:21

and you can now see we have snot alert
20:21 - 20:23

force for splunk so that's it already
20:23 - 20:26

comes pre-configured with a dashboard
20:26 - 20:28

um so we'll just let this uh load up
20:28 - 20:30

here and you can see that we don't have
20:30 - 20:32

any data yet so uh this will display
20:32 - 20:35

your events and sources top source
20:35 - 20:36

countries the events this is very
20:36 - 20:38

important the sources top 10
20:38 - 20:41

classifications so that will classify uh
20:41 - 20:44

your alerts uh in in terms of uh the
20:44 - 20:47

type which again will make sense uh in a
20:47 - 20:49

couple of seconds uh so now that that is
20:49 - 20:52

done we actually need to configure
20:52 - 20:54

the actual splunk universal folder so
20:54 - 20:56

i'll just open that up in a new tab it's
20:56 - 20:59

absolutely free to download the debian
20:59 - 21:02

client or the uh the splunk universal
21:02 - 21:04

ford debian package so universal
21:04 - 21:07

forwarders uh provide reliable secure
21:07 - 21:09

data collection from remote from remote
21:09 - 21:12

sources and forward that data into
21:12 - 21:14

splunk software for indexing and
21:14 - 21:17

consolidation they can scale to tens of
21:17 - 21:19

thousands of remote systems collecting
21:19 - 21:21

terabytes of data so
21:21 - 21:23

again you can actually see why splunk is
21:23 - 21:25

so powerful and why it's widely uh used
21:25 - 21:27

and deployed because of the fact that
21:27 - 21:30

you can literally uh you know be you can
21:30 - 21:33

literally forward a ton of data from a
21:33 - 21:36

ton of systems into splunk so because
21:36 - 21:38

the uh because snot is running on this
21:38 - 21:40

ubuntu vm we need the debian package so
21:40 - 21:42

i'll click on linux and we want the
21:42 - 21:45

64-bit version again you can choose one
21:45 - 21:47

based on your requirements so if you're
21:47 - 21:50

running on red at fedora or centos you
21:50 - 21:52

can use the rpm package so i'll just
21:52 - 21:55

download the debian package here
21:55 - 21:56

give that a couple of seconds it's then
21:56 - 21:58

going to begin downloading it and then
21:58 - 22:00

i'll walk you through the setup process
22:00 - 22:02

so there we are
22:02 - 22:05

it's begun the setup
22:07 - 22:09

and once that is done i'll open up my
22:09 - 22:11

terminal so that's saved in the
22:11 - 22:13

downloads directory so
22:13 - 22:14

if we check if we head over into the
22:14 - 22:16

downloads directory you can see we have
22:16 - 22:18

the splunk forwarder debian package
22:18 - 22:19

there
22:19 - 22:22

so what we want to do firstly is we want
22:22 - 22:25

to move this package uh into the actual
22:25 - 22:28

opt directory on linux uh which will
22:28 - 22:31

essentially allow us to uh you know to
22:31 - 22:33

to set it up as as optional software and
22:33 - 22:35

it's really good to have all that
22:35 - 22:38

optional software stored in the opt
22:38 - 22:42

directory so uh once that is done uh
22:42 - 22:44

once that's downloaded we can say uh
22:44 - 22:46

move
22:46 - 22:48

splunk forwarder into opt
22:48 - 22:50

and we'll need sudo privileges so i'll
22:50 - 22:53

say sudo move there we are and i'll just
22:53 - 22:55

type in my password fantastic so we'll
22:55 - 22:57

now navigate to the opt directory and to
22:57 - 23:00

install this we can say sudo apt
23:00 - 23:03

and then we can specify install so we
23:03 - 23:05

can say sudo apt install
23:05 - 23:07

and then we specify the package itself
23:07 - 23:09

so splunk folder
23:09 - 23:11

and we're just going to hit enter that's
23:11 - 23:14

going to install it for you
23:14 - 23:17

give that a couple of seconds
23:19 - 23:22

all right so once that is installed if
23:22 - 23:23

you list out the contents of this
23:23 - 23:25

directory you're going to have a splunk
23:25 - 23:27

for the directory here so i'll say cd
23:27 - 23:29

splunk folder and under the binary
23:29 - 23:31

directory we can navigate to that here
23:31 - 23:33

we'll need to start
23:33 - 23:36

us we'll need to start splunk so we will
23:36 - 23:37

say uh sudo
23:37 - 23:39

and a binary we want to run is called
23:39 - 23:41

splunk and we'll accept the license uh
23:41 - 23:43

the reason we're doing this is because
23:43 - 23:45

we need to configure it so we need to
23:45 - 23:47

specify the username and password or you
23:47 - 23:49

know create a username and password
23:49 - 23:52

and once that is done uh you'll actually
23:52 - 23:53

see what that looks like so i'll just
23:53 - 23:56

say accept the license
23:56 - 23:57

and
23:57 - 23:59

you can see in this case let's see if i
23:59 - 24:01

typed that in correctly that should
24:01 - 24:04

actually start so splunk start i did not
24:04 - 24:05

specify start there
24:05 - 24:07

there we are so please enter an
24:07 - 24:10

administrator name i'll just say admin
24:10 - 24:12

so again splunk software must create an
24:12 - 24:14

administrator account during startup
24:14 - 24:17

otherwise you cannot log in so create
24:17 - 24:18

credentials for the administrator
24:18 - 24:19

account
24:19 - 24:21

um
24:21 - 24:22

so in this case uh you know you can
24:22 - 24:24

create whatever you want i'm just going
24:24 - 24:26

to fill in my credentials here
24:26 - 24:29

all right so i've just entered my
24:29 - 24:30

administrator username and then of
24:30 - 24:32

course my password so
24:32 - 24:34

that is done
24:34 - 24:36

uh so it'll go through um
24:36 - 24:38

it'll essentially go through and check
24:38 - 24:40

the prerequisites uh new certs have been
24:40 - 24:43

generated in the following directory
24:43 - 24:45

and all the preliminary checks have
24:45 - 24:48

passed so starting the splunk server
24:48 - 24:49

daemon so that's started you can also
24:49 - 24:52

enable it to run on system startup so if
24:52 - 24:55

i say you know for example sudo system
24:55 - 24:57

ctl
24:57 - 25:00

status splunk
25:00 - 25:02

let me type that in correctly here so
25:02 - 25:03

splunk
25:03 - 25:08

sorry systems pseudosystem ctl
25:08 - 25:10

and we can say splunk d
25:10 - 25:13

uh sorry so we can say splunk i'm not
25:13 - 25:15

really sure why that's not loading here
25:15 - 25:18

but i do know that the daemon is running
25:18 - 25:21

and there should be a an init
25:21 - 25:25

an init demon for that but in any case
25:25 - 25:27

you can always start it that way
25:27 - 25:30

once that is done we will need to add
25:30 - 25:32

our ford server so the we need to add
25:32 - 25:35

the the address of the server uh the
25:35 - 25:37

splunk server that we're forwarding our
25:37 - 25:40

logs to we'll go we'll move on to what
25:40 - 25:42

logs we want to forward in a second but
25:42 - 25:44

let's do that first so again we're going
25:44 - 25:47

to use the
25:48 - 25:49

the splunk binary and we're going to say
25:49 - 25:50

forward
25:50 - 25:53

server and we'll just copy the ip
25:53 - 25:55

address of your
25:55 - 25:58

your splunk server here so there we are
25:58 - 26:01

and i'll paste that in there
26:01 - 26:03

and then you need to type in the port so
26:03 - 26:07

9997 that's the port to connect to hit
26:07 - 26:08

enter
26:08 - 26:11

um so splunk ford uh
26:11 - 26:13

yeah we need to add it i keep forgetting
26:13 - 26:16

the the preliminary command so add ford
26:16 - 26:18

server splunk username
26:18 - 26:22

um so in this case uh let me just uh put
26:22 - 26:26

in my credentials here
26:27 - 26:29

all right and it's going to then add the
26:29 - 26:32

forwarding to that particular address
26:32 - 26:34

all right now that that is done
26:34 - 26:35

we can actually we actually need to
26:35 - 26:38

configure a particular file
26:38 - 26:41

and that is going to be the outputs.conf
26:41 - 26:43

directory if it's already set up for us
26:43 - 26:45

which it should be
26:45 - 26:47

then we do not need to go through the
26:47 - 26:49

initial setup so
26:49 - 26:51

if we head over into the following
26:51 - 26:53

directory so i'll just take a step back
26:53 - 26:54

we're still in the splunk for the
26:54 - 26:55

directory
26:55 - 26:58

uh we'll head over into
26:58 - 27:02

the etsy directory and under system
27:02 - 27:05

we have a file under local i think it is
27:05 - 27:07

called outputs right so i'm going to say
27:07 - 27:09

sudo vim outputs
27:09 - 27:10

dot conf
27:10 - 27:12

and really the only thing that is
27:12 - 27:14

required here
27:14 - 27:16

is of course just leave the default
27:16 - 27:18

configuration as is the default group is
27:18 - 27:22

fine so tcp out default auto lb group
27:22 - 27:23

that's fine so you make sure that the
27:23 - 27:26

server option here is configured that's
27:26 - 27:28

the most important and the tcp out
27:28 - 27:30

server address is also configured in
27:30 - 27:32

this format so we don't need to make any
27:32 - 27:34

changes there so i'll just say quit and
27:34 - 27:35

exit
27:35 - 27:39

once that is done we also need to check
27:39 - 27:41

uh the actual inputs configuration file
27:41 - 27:43

but before we do that
27:43 - 27:45

let's take a look so if you revisit the
27:45 - 27:47

snort video
27:47 - 27:49

you know that all the logs are stored
27:49 - 27:52

under var uh log
27:52 - 27:56

and snot right so we have the alert log
27:56 - 27:59

um and we also have uh so again based on
27:59 - 28:01

the type of um
28:01 - 28:03

of alerts you want generated so you know
28:03 - 28:05

if i say man snort here
28:05 - 28:07

uh you can see that we have the alert
28:07 - 28:09

mode so you can use the fast mode or the
28:09 - 28:11

full mode in this case i'll be using the
28:11 - 28:13

fast mode
28:13 - 28:14

um
28:14 - 28:15

and i'll give you a description of what
28:15 - 28:17

what's going on here right so
28:17 - 28:20

uh full writes the alert to the alert
28:20 - 28:22

file with the full decoded header as
28:22 - 28:25

well as the alert message which might be
28:25 - 28:27

important so we can also do that as well
28:27 - 28:30

so this was from the previous uh from
28:30 - 28:32

the from from the snort video where we
28:32 - 28:33

had ran uh you know where we had
28:33 - 28:36

essentially run snot and uh you know
28:36 - 28:38

where we were identifying various alerts
28:38 - 28:42

so uh what we can do is uh again we will
28:42 - 28:44

go through what needs to be created but
28:44 - 28:46

we can run a quick test command just to
28:46 - 28:47

see whether
28:47 - 28:49

the the actual alerts are being logged
28:49 - 28:50

within the alert file because we have
28:50 - 28:53

alert dot one ideally we would only want
28:53 - 28:56

to forward this file into splunk
28:56 - 28:58

so uh in order to do this what i'm going
28:58 - 29:00

to do now is i'm just going to run snot
29:00 - 29:02

really quickly so i'm going to say sudo
29:02 - 29:03

snort
29:03 - 29:04

queue
29:04 - 29:06

for quiet and then
29:06 - 29:09

the actual directory for the logs is var
29:09 - 29:11

log snot
29:11 - 29:13

and then we can say the interface is
29:13 - 29:15

enp0s3
29:15 - 29:16

again make sure to replace that with
29:16 - 29:19

your own interface uh the alert we can
29:19 - 29:20

say full
29:20 - 29:23

and the configuration is sc
29:23 - 29:25

snort
29:25 - 29:26

dot conf
29:26 - 29:28

i believe we had another configuration
29:28 - 29:31

file yeah we had used the snot.com file
29:31 - 29:32

so i'll hit enter
29:32 - 29:35

and now let me open up my file explorer
29:35 - 29:36

here
29:36 - 29:39

we take a look at the var directory
29:39 - 29:42

under log and under snort
29:42 - 29:45

we have alert there we are so
29:45 - 29:48

that has been modified the last was
29:48 - 29:51

modified uh
29:51 - 29:54

right over there okay so that's 19 yeah
29:54 - 29:56

so this is the last modified so i know
29:56 - 29:58

this file is not human readable uh we
29:58 - 30:00

are not going to be folding this dot log
30:00 - 30:03

file so i'll just close that there
30:03 - 30:06

so i'm just going to try and uh
30:06 - 30:07

i'm just going to try and perform a few
30:07 - 30:10

checks on the networks like a few pings
30:10 - 30:12

just to see if that's detected
30:12 - 30:14

uh so i'll just you know perform a ping
30:14 - 30:16

really quickly
30:16 - 30:18

again the alerts will not be logged on
30:18 - 30:19

our terminal because they're being
30:19 - 30:21

logged uh you know into the respective
30:21 - 30:24

alert file or the alert log file so i'll
30:24 - 30:26

just perform uh you know a few pings as
30:26 - 30:28

i was saying which i'm doing right now
30:28 - 30:30

on the attacker system
30:30 - 30:32

uh once that is done let's see whether
30:32 - 30:34

those changes are being highlighted in
30:34 - 30:38

alet indeed they are okay so now this is
30:38 - 30:40

um
30:40 - 30:42

as you can see here
30:42 - 30:45

this is the full
30:45 - 30:48

these are so to begin with we had used
30:48 - 30:50

the fast alert
30:50 - 30:54

we had used the fast alert output mode
30:54 - 30:56

and right over here we then have the
30:56 - 30:57

full
30:57 - 31:00

alert mode which i'm not really sure how
31:00 - 31:02

we want to
31:02 - 31:05

go about doing this but you can see
31:05 - 31:07

we can actually make a few changes but
31:07 - 31:10

what we can do is we can get rid of this
31:10 - 31:11

traffic here
31:11 - 31:14

but you can see the messages actually
31:14 - 31:15

being logged so
31:15 - 31:18

we can get rid of this here
31:18 - 31:20

because we don't want to mix fast um we
31:20 - 31:23

don't mix fast alerts
31:23 - 31:24

with um
31:24 - 31:26

we don't want to mix the alerts that
31:26 - 31:29

were output in the fast mode uh with the
31:29 - 31:32

full mode so we can just get rid of that
31:32 - 31:34

there and save that
31:34 - 31:38

so once that is done i'll just say
31:38 - 31:40

we actually need permissions to modify
31:40 - 31:42

that file
31:42 - 31:46

but you know what we can do is what i am
31:46 - 31:47

going to do actually is close without
31:47 - 31:50

saving is i'm just going to stop snort
31:50 - 31:50

there
31:50 - 31:52

and i'm just going to say
31:52 - 31:54

sudo remove var
31:54 - 31:57

log
31:57 - 31:59

and snort and we're going to remove
31:59 - 32:01

alert
32:01 - 32:03

all right and we're also going to remove
32:03 - 32:04

alert dot one
32:04 - 32:05

all right so i'm just going to run this
32:05 - 32:07

again just to see if that file is
32:07 - 32:08

generated
32:08 - 32:11

so there we are we have alert there
32:11 - 32:13

so now it's much cleaner so i'll just
32:13 - 32:14

run a few pings just to make sure that
32:14 - 32:16

the traffic is being locked all those
32:16 - 32:18

alerts are being logged
32:18 - 32:20

uh so there we are we have a few pings
32:20 - 32:22

there
32:22 - 32:25

and we can also you know just run a few
32:25 - 32:27

checks there okay so there we are we can
32:27 - 32:29

see that those are now being logged and
32:29 - 32:32

of course we can change the format based
32:32 - 32:32

on
32:32 - 32:34

you can change it based on your
32:34 - 32:35

requirements right
32:35 - 32:38

so um
32:38 - 32:40

now that that is done
32:40 - 32:42

what we can do is we can close that up
32:42 - 32:45

and we can actually leave snort running
32:45 - 32:46

as is
32:46 - 32:49

so what i'll do is i'm just going to
32:49 - 32:51

open up another tab
32:51 - 32:53

so i'll just you know i can say control
32:53 - 32:55

shift d there we are
32:55 - 32:57

and we're currently within the following
32:57 - 33:00

directory so opt opt splunk forward etsy
33:00 - 33:02

system local
33:02 - 33:03

so
33:03 - 33:06

once that is done we now need to add
33:06 - 33:08

uh we now need to add the files that we
33:08 - 33:10

would like to monitor or that we would
33:10 - 33:12

like to forward right so the log files
33:12 - 33:15

so i'll go back into the bin directory
33:15 - 33:18

so there we are cd bin because that's
33:18 - 33:19

where we have the splunk binary so i'll
33:19 - 33:21

say sudo
33:21 - 33:22

um
33:22 - 33:24

splunk
33:24 - 33:28

and we can say add monitor
33:28 - 33:31

and the file that we want to forward is
33:31 - 33:34

under var log snot and it is just alert
33:34 - 33:37

right so that's all that's really all
33:37 - 33:39

that we want to do right
33:39 - 33:42

and we can also utilize the fast alerts
33:42 - 33:44

but let's just do this for now
33:44 - 33:46

and we only want the alerts we don't
33:46 - 33:48

want the actual log files that contain
33:48 - 33:54

the packets themselves so i'll hit enter
33:54 - 33:56

all right so it's now going to forward
33:56 - 33:59

those alerts into splunk which pretty
33:59 - 34:02

much means that on our end we are done
34:02 - 34:04

however we still need to check one more
34:04 - 34:06

configuration file so i'll just take a
34:06 - 34:08

step back here and we'll head over into
34:08 - 34:11

the etsy directory under apps
34:11 - 34:13

and search
34:13 - 34:16

and then into local
34:16 - 34:17

when you think we'll need to root
34:17 - 34:18

permissions to access this so i'll just
34:18 - 34:20

switch to the root user and head over
34:20 - 34:22

into local
34:22 - 34:24

and we're looking for the inputs dot
34:24 - 34:27

conf file
34:27 - 34:28

uh right so we need to actually
34:28 - 34:30

configure this because this is very
34:30 - 34:31

important so
34:31 - 34:35

uh the first thing we want to do is let
34:35 - 34:36

us
34:36 - 34:39

add a new line here and within the
34:39 - 34:41

square brackets i'll just say splunk
34:41 - 34:44

uh tcp
34:44 - 34:46

and we then want to specify the port so
34:46 - 34:48

9997
34:48 - 34:50

let me make sure i type that in
34:50 - 34:52

correctly
34:52 - 34:54

we then need to actually put in the
34:54 - 34:57

connection
34:57 - 35:01

um so the connection host so connection
35:01 - 35:03

host is going to be equal to the ip
35:03 - 35:05

address of the splunk
35:05 - 35:07

server
35:07 - 35:09

so i'll just copy that there paste that
35:09 - 35:11

in there
35:11 - 35:14

once that is done
35:14 - 35:16

this is fine here disabled is set to
35:16 - 35:19

false we want index is going to be equal
35:19 - 35:20

to main
35:20 - 35:24

and then the source type
35:24 - 35:27

is going to be equal to snot
35:27 - 35:28

alert
35:28 - 35:29

full
35:29 - 35:31

and we can then say the source is equal
35:31 - 35:33

to snort all right so this is a very
35:33 - 35:35

important configuration so let me just
35:35 - 35:37

go through those options or
35:37 - 35:39

configurations again we have the splunk
35:39 - 35:40

tcp option
35:40 - 35:43

uh we then have the actual connection
35:43 - 35:46

host the monitor is set correctly to
35:46 - 35:47

that file
35:47 - 35:50

uh it's enabled index equals main source
35:50 - 35:52

type equals snorter that full source is
35:52 - 35:54

equal to snot fantastic so we'll write
35:54 - 35:55

in quit
35:55 - 35:57

uh once this is done
35:57 - 35:59

we'll need to restart splunk so i'll
35:59 - 36:01

switch back to my user lexis here and
36:01 - 36:05

we'll navigate back to the bin directory
36:05 - 36:06

so i'll say cd bin
36:06 - 36:09

and we'll say sudo
36:09 - 36:12

let me say splunk and we can then say
36:12 - 36:13

restart
36:13 - 36:16

all right hit enter
36:16 - 36:18

it's going to stop the splunk daemon
36:18 - 36:20

shutting it down
36:20 - 36:22

restart it and it's done successfully so
36:22 - 36:25

all the checks were completed without
36:25 - 36:27

any issue all right so
36:27 - 36:29

now that this is done we can actually go
36:29 - 36:31

back into splunk here and we'll navigate
36:31 - 36:33

to the dashboard
36:33 - 36:36

uh this is your splunk server right
36:36 - 36:37

and let's take a look at the messages
36:37 - 36:40

here that's just uh a few updates we
36:40 - 36:42

don't need to do anything there so if we
36:42 - 36:43

click on
36:43 - 36:46

search and reporting just to verify that
36:46 - 36:48

that data has indeed been for that i'll
36:48 - 36:49

just skip through this if we click on
36:49 - 36:51

data summary
36:51 - 36:53

under sources you should see that we
36:53 - 36:56

have the host and in my case the name of
36:56 - 36:59

the system is black box so that should
36:59 - 37:01

be reflected there so there we are black
37:01 - 37:03

box we have 42
37:03 - 37:07

logs or alerts if you will sources 42 we
37:07 - 37:09

can click on that there to just see the
37:09 - 37:11

data that has been logged indeed we can
37:11 - 37:13

see that has been done correctly so
37:13 - 37:15

source type is alert
37:15 - 37:17

uh we can see that it's imported you
37:17 - 37:19

know pretty much all the data or the you
37:19 - 37:21

know these are the this is the full log
37:21 - 37:24

whereby we have the reference to that
37:24 - 37:25

there
37:25 - 37:27

uh that's weird i didn't actually run
37:27 - 37:30

anything weird uh but uh there you go
37:30 - 37:33

um so now that this is done uh you can
37:33 - 37:35

use splunk to essentially visualize this
37:35 - 37:37

data you know however you want so you
37:37 - 37:39

know i can go into visualization
37:39 - 37:42

uh and we can click on maybe we can
37:42 - 37:45

create a um
37:45 - 37:47

we can select a few fields so if i go
37:47 - 37:50

back into the events here i can select a
37:50 - 37:52

few fields that i want displayed here
37:52 - 37:54

and i can you know essentially extract
37:54 - 37:57

the fields that i want with rejects
37:57 - 37:58

but
37:58 - 38:00

i don't think this is necessary in this
38:00 - 38:02

point because if we actually go back to
38:02 - 38:04

the dashboard
38:04 - 38:06

and we click on
38:06 - 38:10

let's see splunk snot alert for splunk
38:10 - 38:11

let's see if this is actually whether
38:11 - 38:15

this automates that process for us
38:15 - 38:17

uh there we are actually it looks like
38:17 - 38:22

it does so um classification bad traffic
38:22 - 38:24

so it looks like that is working
38:24 - 38:26

so what we can do now
38:26 - 38:29

is run a few
38:29 - 38:31

uh we can actually utilize this script
38:31 - 38:34

here the
38:34 - 38:37

uh the test my nids script here so all
38:37 - 38:39

you need to do to run it is just copy
38:39 - 38:42

this one liner script here or this
38:42 - 38:43

command that will download it into your
38:43 - 38:46

tmp directory and will then execute it
38:46 - 38:49

so you know to execute it within your
38:49 - 38:52

temp directory you can just uh execute
38:52 - 38:53

the actual
38:53 - 38:54

um
38:54 - 38:56

you know the actual binary there it is a
38:56 - 38:59

binary not a script
38:59 - 39:01

and uh once that is done you can then
39:01 - 39:04

select the option here so let me just do
39:04 - 39:06

that on my attacker system
39:06 - 39:09

i'm just gonna run it one more time so
39:09 - 39:14

um just going to say ls here and
39:16 - 39:19

if i uh open up the documentation so
39:19 - 39:22

firstly i will
39:22 - 39:23

i will run
39:23 - 39:27

a quick linux uid check so
39:27 - 39:29

i'll just hit enter
39:29 - 39:31

okay that is done i'll then perform a
39:31 - 39:35

http basic authentication
39:35 - 39:38

and a malware user agent so i'm doing
39:38 - 39:41

that right now
39:41 - 39:46

okay and we can run one more here so
39:46 - 39:49

uh let's see let's see let's see uh we
39:49 - 39:52

can try exe or dll download over http
39:52 - 39:55

that is surely going to be um
39:55 - 39:57

logged
39:57 - 40:00

or that's going to trigger an alert
40:00 - 40:01

so
40:01 - 40:03

uh do we have uh that is running all
40:03 - 40:05

right so snot is running that's great
40:05 - 40:08

uh so we know that the log is being uh
40:08 - 40:10

the actual alerts are being forwarded
40:10 - 40:13

absolutely fantastic so let's go back in
40:13 - 40:15

here i've already run those
40:15 - 40:18

uh those particular checks
40:18 - 40:20

so let me just refresh this i know it
40:20 - 40:22

usually takes a couple of seconds to a
40:22 - 40:24

couple of minutes but that data should
40:24 - 40:26

start should actually be reflected there
40:26 - 40:28

we are fantastic so
40:28 - 40:31

uh we can see that uh you know firstly
40:31 - 40:33

i'll just explain the dashboard here
40:33 - 40:34

because
40:34 - 40:36

uh this dashboard is automatically you
40:36 - 40:38

know set up for you by the snort app
40:38 - 40:40

which is really awesome as i said you
40:40 - 40:41

don't need to go through that process
40:41 - 40:43

yourself
40:43 - 40:45

so the first graph here essentially
40:45 - 40:46

tells you your events
40:46 - 40:49

uh and and it also displays uh you know
40:49 - 40:50

the total number of sources so you can
40:50 - 40:53

see that there you also have the time
40:53 - 40:54

uh and you saw you have your events and
40:54 - 40:56

then the timeline here and you can
40:56 - 40:59

essentially you know view a trend or the
40:59 - 41:02

trend of uh of events there you then
41:02 - 41:05

have the top uh the top source countries
41:05 - 41:07

right over here and if i just run
41:07 - 41:09

another check really quickly here
41:09 - 41:11

through the nids website
41:11 - 41:15

so uh let me just run the curl command
41:15 - 41:17

uh you should actually see that because
41:17 - 41:19

we are reaching out to uh you know a
41:19 - 41:21

connection made to an external server
41:21 - 41:24

that it should reflect that info under
41:24 - 41:26

the top countries the top source
41:26 - 41:27

countries
41:27 - 41:29

so uh we then have the events here which
41:29 - 41:31

uh you know you can click on um and then
41:31 - 41:33

of course you have the sources
41:33 - 41:36

so these are the uh snort event types
41:36 - 41:38

and these are actually the
41:38 - 41:40

classification so we can see potentially
41:40 - 41:43

bad traffic attempted information leak
41:43 - 41:45

and you know you can just refresh your
41:45 - 41:47

dashboard to get the latest
41:47 - 41:49

so we'll give that a couple of seconds
41:49 - 41:52

and you can also specify the actual uh
41:52 - 41:54

interval period
41:54 - 41:56

so uh i'll just wait for this uh let's
41:56 - 41:59

see if it's actually being logged or
41:59 - 42:00

whether we can see all of that so i'll
42:00 - 42:04

just go back into the dashboard here
42:04 - 42:05

and
42:05 - 42:07

we'll go into search and reporting and
42:07 - 42:10

if we click on the actual
42:10 - 42:13

data summary and the sources uh we can
42:13 - 42:15

see we have snort there and then vast
42:15 - 42:20

not alert so we click on snot there
42:20 - 42:22

okay so this is bad traffic that's
42:22 - 42:25

really weird because
42:26 - 42:28

the source is not we had added two
42:28 - 42:30

sources there
42:30 - 42:33

so data summary
42:33 - 42:35

let me just click on that there and if
42:35 - 42:37

we click on these sources there this is
42:37 - 42:41

the one that we want ideally
42:43 - 42:46

yeah so that looks like uh the correct
42:46 - 42:49

one there
42:50 - 42:52

yeah that's the correct traffic um uh i
42:52 - 42:55

think that's why uh the actual uh let me
42:55 - 42:57

see if i can find so snot alert for
42:57 - 43:01

splunk let me click on the app there
43:02 - 43:04

show filters it should be displaying
43:04 - 43:06

much more than that because i know yeah
43:06 - 43:08

they're not just four
43:08 - 43:10

so
43:10 - 43:13

uh if we actually head over into the
43:13 - 43:17

uh snot event search here
43:18 - 43:21

we can actually search for uh you know
43:21 - 43:25

we can utilize uh yeah so these are only
43:25 - 43:28

this is only monitoring the pings so
43:28 - 43:30

that's weird i'm not really sure why we
43:30 - 43:32

have two data sources i think it's to do
43:32 - 43:34

with the fact
43:34 - 43:37

uh that uh you know we had so let me
43:37 - 43:40

just go back here
43:40 - 43:43

apps search and sudo root
43:43 - 43:47

let me just check that here so cd local
43:47 - 43:48

vim
43:48 - 43:51

inputs dot look so there we are so the
43:51 - 43:53

source is snort
43:53 - 43:56

we already specified the source as not
43:56 - 43:58

there
43:58 - 44:00

but it's all it's adding
44:00 - 44:02

this particular you know the alert as uh
44:02 - 44:04

as a source as well
44:04 - 44:06

and then this the source type is not
44:06 - 44:09

alert full index main yeah that that
44:09 - 44:11

should be working that should be working
44:11 - 44:12

without any issues i'm not really sure
44:12 - 44:14

why that is the case but
44:14 - 44:16

we can actually customize what data set
44:16 - 44:18

we want to use
44:18 - 44:19

so uh
44:19 - 44:22

i think let me actually showcase how to
44:22 - 44:23

do that right now
44:23 - 44:26

um so apologies about that i actually
44:26 - 44:28

figured out what the issue was it was
44:28 - 44:30

because the system i was running
44:30 - 44:32

uh this particular
44:32 - 44:35

attacks from wasn't even connected to
44:35 - 44:37

the local network
44:37 - 44:39

and even though i was running these
44:39 - 44:41

these attacks i did realize that of
44:41 - 44:43

course they weren't working so i'm just
44:43 - 44:45

gonna i've just reconnected it
44:45 - 44:47

and what i'm gonna do is i'm just gonna
44:47 - 44:50

run this one more time
44:50 - 44:53

so just give me a second here and i'll
44:53 - 44:56

be able to do that one more time so
44:56 - 44:59

let me just navigate to that particular
44:59 - 45:00

directory
45:00 - 45:01

and
45:01 - 45:02

we'll actually see whether this will
45:02 - 45:04

work so
45:04 - 45:06

you can actually see there's much more
45:06 - 45:08

uh that's been captured in regards to
45:08 - 45:10

events and i'll be explaining this
45:10 - 45:12

dashboard in a couple of seconds
45:12 - 45:13

so
45:13 - 45:15

let me just uh
45:15 - 45:17

launch that first attack there so that
45:17 - 45:19

you know let me just launch that first
45:19 - 45:22

uh type of check and of course i'm using
45:22 - 45:26

test my nids here so uh unfortunately
45:26 - 45:28

that wasn't even being logged which is
45:28 - 45:30

why i was a bit confused as to why those
45:30 - 45:33

logs are not being displayed here
45:33 - 45:36

so i'll give that a couple of seconds
45:36 - 45:37

and
45:37 - 45:39

we'll be able to see this happen
45:39 - 45:42

in real time as well
45:42 - 45:45

all right so that is done so i've
45:45 - 45:46

essentially launched a couple of those
45:46 - 45:48

tests and uh
45:48 - 45:51

this as i said this is your default uh
45:51 - 45:53

dashboard that you're provided with here
45:53 - 45:54

so
45:54 - 45:56

um you know you can actually refresh uh
45:56 - 45:59

all of these um all of these panels here
45:59 - 46:01

if you will so that'll display the
46:01 - 46:04

latest and as i said here because i'd
46:04 - 46:06

had performed the actual
46:06 - 46:08

uh you know i'd perform the actual check
46:08 - 46:10

and then connected to an external server
46:10 - 46:12

you can see that you know the top source
46:12 - 46:14

countries are highlighted there
46:14 - 46:16

you can also refresh the number of
46:16 - 46:18

events as you can see here
46:18 - 46:20

and the number of sources so
46:20 - 46:22

uh you can also do that for the rest of
46:22 - 46:24

the panel so these are the top 10
46:24 - 46:27

classifications
46:27 - 46:29

in terms of events if you will and then
46:29 - 46:31

the snort event types as you can see
46:31 - 46:32

here
46:32 - 46:34

so for example in this case we have the
46:34 - 46:36

attack response id check which if we
46:36 - 46:38

click on
46:38 - 46:40

right over here
46:41 - 46:43

you can see that it actually displays
46:43 - 46:44

that and you can then uh you can then
46:44 - 46:46

click on the signature itself and this
46:46 - 46:49

is for statistics now if you click on
46:49 - 46:52

the snort event search tab right over
46:52 - 46:53

here
46:53 - 46:55

you can see that this allows you to
46:55 - 46:57

search based on the source ip the source
46:57 - 47:00

port the destination ip destination port
47:00 - 47:02

and the event type so i can check for
47:02 - 47:04

attack responses based on the rule set
47:04 - 47:06

that we had used previously
47:06 - 47:09

and i can also specify the timing right
47:09 - 47:12

so that's really fantastic there
47:12 - 47:15

so you can see that right over here we
47:15 - 47:16

have that logged
47:16 - 47:19

which is fantastic and
47:19 - 47:22

if we click on the snort world map
47:22 - 47:24

that'll essentially as you'll see in a
47:24 - 47:26

couple of seconds this will essentially
47:26 - 47:29

display the countries by the source ips
47:29 - 47:30

in this case it should display the
47:30 - 47:32

united states which makes sense
47:32 - 47:35

uh and there we are so again this is
47:35 - 47:37

extremely helpful especially if you work
47:37 - 47:40

in a sock and as i said there's multiple
47:40 - 47:42

uh you know security tools you can
47:42 - 47:45

integrate with uh with splunk
47:45 - 47:47

now one thing that i wanted to highlight
47:47 - 47:49

is you can if you click on edit i'll
47:49 - 47:51

just go back to the
47:51 - 47:53

event summary here because this is very
47:53 - 47:55

important
47:55 - 47:57

you can set this as your main dashboard
47:57 - 47:59

so if you right click here you can set
47:59 - 48:02

this as your home dashboard
48:02 - 48:04

so i'll just click on that there
48:04 - 48:05

and now you'll see on your dashboard
48:05 - 48:08

here if i just close that top menu
48:08 - 48:10

that will actually be displayed there so
48:10 - 48:12

give it a couple of seconds
48:12 - 48:14

and of course you can click on the cog
48:14 - 48:16

wheel here
48:16 - 48:19

and essentially display whatever
48:19 - 48:22

you know you can specify your default
48:22 - 48:23

dashboard now there are a couple of
48:23 - 48:26

other ones that are created by default
48:26 - 48:27

uh but yeah you can have that on your
48:27 - 48:28

dashboard
48:28 - 48:31

uh and uh you know if you actually click
48:31 - 48:34

on snot the snot alert for splunk here
48:34 - 48:36

and we'll just go back into that snot
48:36 - 48:38

event summary tab
48:38 - 48:41

uh you can actually edit the way these
48:41 - 48:44

um these particular panels are tiled so
48:44 - 48:46

uh you know you can convert it to a
48:46 - 48:49

pre-built panel or you know
48:49 - 48:50

you can you can actually convert it to a
48:50 - 48:53

pre-built panel you can get rid of it
48:53 - 48:55

uh you can also move them around based
48:55 - 48:57

on your own requirements and uh in this
48:57 - 49:00

case you can actually let's see if i can
49:00 - 49:01

show you can actually select the
49:01 - 49:02

visualization
49:02 - 49:04

uh so in this case i think the default
49:04 - 49:06

one is fine and you can then view the
49:06 - 49:08

report here so
49:08 - 49:09

um
49:09 - 49:11

if we click on this one here for example
49:11 - 49:13

we could actually use the bar graph to
49:13 - 49:15

display the you know the number of the
49:15 - 49:17

actual um
49:17 - 49:19

the top source countries uh and have
49:19 - 49:22

them displayed in a bar graph style but
49:22 - 49:23

we can just take it back into the pie
49:23 - 49:26

chart there and you can also change this
49:26 - 49:27

for the events as well
49:27 - 49:29

so uh you know if we wanted to view a
49:29 - 49:31

trend we can click on the bar graph
49:31 - 49:32

there
49:32 - 49:34

uh in this case i don't think that's
49:34 - 49:37

formatted correctly so uh if we just use
49:37 - 49:39

the the default one
49:39 - 49:43

uh which i believe was i think it was no
49:43 - 49:46

that wasn't the one i believe it was uh
49:46 - 49:48

let's see if i can identify it here it
49:48 - 49:51

was the number there we are so 26 uh so
49:51 - 49:53

as i said you can customize this based
49:53 - 49:54

on your own
49:54 - 49:55

uh you know
49:55 - 49:57

your own requirements so for example
49:57 - 50:00

this one might do well if it was in the
50:00 - 50:02

form of a bar graph so you know
50:02 - 50:04

you can utilize that if you feel that
50:04 - 50:06

that is appropriate
50:06 - 50:08

uh in this case uh you know we can also
50:08 - 50:12

specify uh the actual um you know we can
50:12 - 50:15

actually list the events themselves
50:15 - 50:16

uh let's see which other ones look
50:16 - 50:18

really good here
50:18 - 50:20

uh and uh yeah once you're done with the
50:20 - 50:22

customization you can then cancel or
50:22 - 50:25

save based on your requirements and you
50:25 - 50:27

can also filter on this particular tab
50:27 - 50:29

here you know through the source ip
50:29 - 50:31

destination ip etc
50:31 - 50:34

um let's see what else did i wanted to
50:34 - 50:36

did i want to highlight let me just
50:36 - 50:38

refresh this once more
50:38 - 50:40

and you know to essentially get the
50:40 - 50:42

latest data
50:42 - 50:44

and uh you can see uh in terms of the
50:44 - 50:46

fan the in terms of the panels this will
50:46 - 50:50

display the last 100 attempts
50:50 - 50:52

uh and uh you know you can go through
50:52 - 50:54

them like so
50:54 - 50:56

uh you can also view i think we've gone
50:56 - 50:57

through all of them but you have the
50:57 - 50:59

persistent sources so two or more days
50:59 - 51:01

of activity in the last 30 days so you
51:01 - 51:03

actually need a lot of data for that to
51:03 - 51:05

be displayed or to give you anything
51:05 - 51:06

useful
51:06 - 51:08

um
51:08 - 51:10

yeah so that is
51:10 - 51:12

what i wanted to highlight in regards to
51:12 - 51:14

the snot alert for splunk app and the
51:14 - 51:16

actual dashboards which i said it
51:16 - 51:17

already does for you
51:17 - 51:19

now you can create your own dashboard as
51:19 - 51:21

i said if i go back into apps and search
51:21 - 51:23

and reporting
51:23 - 51:25

based on your own sources so i'll just
51:25 - 51:27

click on data summary there and if i
51:27 - 51:29

click on sources
51:29 - 51:31

you can click on the
51:31 - 51:34

this source here for example and
51:34 - 51:37

you know in this case we can actually uh
51:37 - 51:40

just click on that there and i can click
51:40 - 51:42

on extract fields
51:42 - 51:43

and you can extract the fields with
51:43 - 51:46

rejects so i'll click on next there
51:46 - 51:48

and you can then select the fields that
51:48 - 51:50

you want so for example in this case we
51:50 - 51:53

would want the date and time
51:53 - 51:55

so i can just highlight that there so i
51:55 - 51:56

can say
51:56 - 52:00

time for example add the extraction
52:00 - 52:02

and then of course we have the source ip
52:02 - 52:04

and the port but i'll just highlight
52:04 - 52:06

them together but i think it's actually
52:06 - 52:07

recommended just to highlight the source
52:07 - 52:09

ip there
52:09 - 52:13

so source we can say crc src
52:13 - 52:15

underscore
52:15 - 52:16

ip
52:16 - 52:18

add that extraction and we then have the
52:18 - 52:21

destination ip which in this case uh
52:21 - 52:23

because this is uh
52:23 - 52:26

an sm snmp broadcast
52:26 - 52:28

request we can we know that that's the
52:28 - 52:31

destination ip so i'll say dst
52:31 - 52:33

underscore ip
52:33 - 52:37

add the extraction let's see what else
52:37 - 52:40

we can do um
52:40 - 52:41

in this case it's saying the extraction
52:41 - 52:43

field you're extracting if you're
52:43 - 52:45

extracting multiple fields try removing
52:45 - 52:47

one or more fields start with the
52:47 - 52:49

extractions that are embedded within
52:49 - 52:52

longer strings okay so let's try and use
52:52 - 52:54

another alert here
52:54 - 52:58

that was kind of interesting um let's
52:58 - 52:58

see
52:58 - 53:00

it's not displaying all of them here but
53:00 - 53:03

you get the idea once you're done
53:03 - 53:04

uh you know for example i can remove
53:04 - 53:06

that field here i'm just giving you an
53:06 - 53:09

example of that so remove that field
53:09 - 53:12

uh there we are i can then say next and
53:12 - 53:15

i can click on validate and save based
53:15 - 53:18

on those fields there hit finish
53:18 - 53:21

and then you know i can go back to
53:21 - 53:23

uh you know search and reporting
53:23 - 53:25

and if i wanted to create a very simple
53:25 - 53:27

visualization which i'll show you right
53:27 - 53:28

now
53:28 - 53:30

even though i don't really need those
53:30 - 53:32

extracted fields although they might be
53:32 - 53:33

useful so
53:33 - 53:36

i can click on those extracted fields
53:36 - 53:39

now i believe they should have been
53:39 - 53:40

added
53:40 - 53:41

i'm not really sure why they aren't
53:41 - 53:43

being highlighted here there we are so
53:43 - 53:45

source ip
53:45 - 53:48

uh we can also specify the source port
53:48 - 53:50

uh we all there there they are so i had
53:50 - 53:52

actually they took a while to be
53:52 - 53:54

displayed there so
53:54 - 53:57

uh so support that why why not we can
53:57 - 54:00

yeah i think that's pretty much it so
54:00 - 54:02

uh based on those we can actually build
54:02 - 54:04

an event type however if we go to
54:04 - 54:08

visualization and click on pivot here
54:08 - 54:11

selected fields is five hit ok
54:11 - 54:13

we can actually you know visualize this
54:13 - 54:14

however we want so for example if i
54:14 - 54:17

wanted a column chart here
54:17 - 54:20

number one will display the count
54:20 - 54:22

i can just add the
54:22 - 54:24

events
54:24 - 54:26

because that's the count and we should
54:26 - 54:29

have at the bottom the time which i did
54:29 - 54:33

specify uh we believe within that range
54:33 - 54:34

there
54:34 - 54:37

but that's not being highlighted here so
54:37 - 54:39

the number of events and you know you
54:39 - 54:42

can go ahead and click as you can
54:42 - 54:43

essentially save it
54:43 - 54:45

so you get the idea you don't really
54:45 - 54:47

need to do this because we have the
54:47 - 54:48

snort app here
54:48 - 54:50

which pretty much gives you the
54:50 - 54:53

summaries that are useful to you or for
54:53 - 54:54

you
54:54 - 54:57

and there we are so fantastic so that's
54:57 - 54:58

going to conclude the practical
54:58 - 55:01

demonstration side of this video
55:01 - 55:03

so uh thank you very much for watching
55:03 - 55:05

this video if you have any questions or
55:05 - 55:06

suggestions leave them in the comments
55:06 - 55:07

section
55:07 - 55:09

if you want to reach out to me you can
55:09 - 55:10

do so via
55:10 - 55:12

twitter or the discord server the links
55:12 - 55:14

to both of those are in the description
55:14 - 55:17

section furthermore we are now moving on
55:17 - 55:19

to part two so this will conclude part
55:19 - 55:21

one so part two will be available on the
55:21 - 55:25

lynnodes on 24 platform so uh the videos
55:25 - 55:27

are available uh on demand so all you
55:27 - 55:29

need to do just click uh click the link
55:29 - 55:32

in the description register for part two
55:32 - 55:34

after which an email will be sent to you
55:34 - 55:35

and you'll be given uh you know
55:35 - 55:37

immediate access to to the videos uh
55:37 - 55:40

within part two so uh thank you very
55:40 - 55:43

much uh for watching part one uh in the
55:43 - 55:45

next video in part two we'll get started
55:45 - 55:47

or we'll take a look at host intrusion
55:47 - 55:50

detection with os sec so i'll be seeing
55:50 - 55:54

you in the next video
55:59 - 56:12

[Music]
56:12 - 56:14

you

Title:: Splunk Security Event Monitoring | Blue Team Series with Hackersploit
Description:: more » « less
Video Language:: English
Duration:: 56:13

	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit

English subtitles

Revisions Compare revisions

Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit
	OEVIDEOS edited English subtitles for Splunk Security Event Monitoring \| Blue Team Series with Hackersploit

	Revision Number	Author	Created
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Splunk Security Event Monitoring | Blue Team Series with Hackersploit

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)