Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to perform security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? The scenario that I've set up for this video is that we are going to take all the knowledge that we learned during the Snort video, and we are going to forward all of the Snort logs into Splunk, or rather have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs while Snort is running on our Ubuntu virtual machine.

The objective is to use Splunk in conjunction with the Snort app for Splunk to visualize, identify and monitor network intrusions and any malicious network traffic within the network that I'm monitoring.
At a very high level, what will we be covering? Firstly, we'll get an introduction to Splunk. Before we move any further, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it is generally used, because Splunk is not really a tool that is specific to security; that's why they have the Splunk Enterprise Security edition. So I'm just going to assume that you know how to use Splunk at a very basic level. Once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to monitor the intrusion detection logs generated by Snort.
We'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic, because they have a cloud image available for it that allows you to spin it up without going through the process of installing and configuring it. That'll set it up for us. We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Snort event dashboard that the Snort app for Splunk provides. If this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes.
With that being said, given that we're going to be using Snort to generate alerts and then monitor those alerts, if you have not gone through the actual Snort video, please do that, as it'll help you set up Snort, and you can then run through this demo. This is also not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring.

The prerequisites are the same as in the previous videos. The only difference is that you need a basic familiarity with Splunk: how to navigate around the various menu elements and how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you get started. Alright.
So let's get an introduction to Splunk. What is Splunk? That's the main question. If you've never heard of it, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems, or machines, as Splunk likes to call them. So what problem is Splunk trying to solve? Let's look at this from the perspective of Web 2.0, the interconnected world we live in today, and from the perspective of security.

Take a simple system, say a system running Windows. That Windows system produces a lot of data, or logs, containing information that at first glance might not seem that important. But once you get into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. Say we have an organization with a thousand computers within their network, or distributed worldwide. All of these systems need to be secured, and their security needs to be monitored. So how do we monitor all of this? This is where Splunk comes into play. Splunk allows you to funnel all of the data produced by systems or machines into Splunk, and then allows you to monitor, search and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization.
Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this through the lens of a security engineer. Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart or graph. What I'm saying here is that Splunk allows you to take all of these security-related logs and data, make sense of them, and get the answers that you're looking for.

So, for example, from the perspective of a security engineer, what do you want from all of this data? At a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised, there could be malicious network traffic or activity going on, a system could be compromised, and so on; you get the idea. So we need that data to be displayed to us as security engineers, and Splunk is really one of the best tools when it comes to taking a lot of data, identifying the data that interests you, transforming that data into results, and then visualizing it in the form of a report, chart or graph. That's really what we're going to be doing. And going back to the scenario, we're going to be focusing on how to forward the logs and alerts created by Snort into Splunk for analysis. Luckily for us, Splunk has a Snort app, or plug-in if you will, that will simplify this process.
So let's get an idea as to how we can use Splunk for security event monitoring. Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks, threats and intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC, or Security Operations Center. In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the Snort app for Splunk and the Splunk Universal Forwarder. Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and this is really cool, is automatically forward the latest logs even while Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic.
So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check those out by clicking on the link within this slide, and you can learn more about the Splunk Enterprise Security edition from that particular link.
Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. This is the lab environment. We're going to spin up Splunk ES on Linode. Again, to follow along with this, Linode has been absolutely fantastic by providing all of you with a way to get $100 in free Linode credit. All you need to do is click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then within my internal network, we're just going to have a very basic infrastructure: the Ubuntu virtual machine that is running Snort. This is the same virtual machine that we had set up and used to set up Snort and Suricata, and the one we had used with Wazuh. And that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will run a couple of commands or scripts to emulate malicious network activity so that this traffic is logged. That'll provide us with a good idea as to how helpful Splunk is for security event monitoring, especially in the context of network intrusions.

So as I said, you don't really need to have a Windows workstation. You simply need to have the Ubuntu VM, and you can pretty much run everything from it. And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues.
So that's the lab environment. We can now get started with the practical demonstration. I'm going to switch over to my Ubuntu virtual machine.

Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet, because we're going to be walking through the process together.
I then have the Splunk.com website here. If you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and register for an account; it's free. Once that is done, you'll need to activate or verify your account through the verification email they'll send you. Once that is done, we can move forward, because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, in this case, I'll be going through everything as we move along in a structured manner.

Then, to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. This is essentially a bash script that, as you can see here, allows you to emulate or simulate malicious network traffic. Previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, and an EXE or DLL download over HTTP. So we can run tests that will just make our intrusion detection system blow up in terms of alerts. And that's what we want, because we want to see how that data is presented to us as security engineers in Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode.
So just click on “Create a Linode” and click on “Marketplace.” They already have Splunk here. So there we are; you can click on that. If you click on this little info button here, it'll give you an idea as to how to deploy it on Linode, and of course you have more information regarding Splunk, with the documentation link there. So I'll just click on Splunk.

Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using “admin” to begin with, and then specify a password. If you're setting up Splunk on a domain, then you can specify the Linode API token to create the DNS records; that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. In this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email, because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this “admin.” And then for the admin user, we'll just provide that there.

For the image, we're going to set it up on Ubuntu 20.04. For the region, I'll say London, because that's closest to me. As for the actual Linode plan, Splunk ES doesn't require that many resources, especially because the amount of data that we're processing, or the logs that are being forwarded to Splunk, are relatively few, so less than 100, which, if you've used Splunk before for security event monitoring, you know is really, really small. In fact, Splunk will actually tell you that the amount of data that you have imported or forwarded to begin with is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So for the label I'll just say “Splunk,” and I'll provide my root password for the server. And we can click on “Create.”
Alright. Now, once this is set up and provisioned, the actual installer is going to begin, because there is an auto-installer that will set up Splunk for you. So let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH. And of course, one thing that I don't need to tell you is that if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did, the Linux Server Security series. It'll give you all the information you need to secure a Linux server for production. With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. We can then get started officially with how to set up Splunk, and after that we need to set up the Universal Forwarder. So, this is booting now.
Alright. So the server is booted, and you can see I've just opened up the Lish console here to view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes. Once it's done, it'll actually tell you that, and it'll provide you with the login prompt. But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to conclude.

Alright. So once Splunk ES, or rather the actual Linode, is done with the setup, you can see it's going to tell you "installation complete," and you can then log in. Keep this window open, because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, the uncomplicated firewall, which typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open, because we'll need to run a few checks. So I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status. You can see these are all the allowed rules, or the actual rules configured for the firewall, which is looking good so far.
So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. Just give this a couple of seconds. There we are. The credentials that we had used were "admin" and the password that I created, which, of course, you'll be able to specify yourself. So just sign in. Once that is done, you'll be brought to Splunk Enterprise Security here. So there we are: explore Splunk Enterprise.

In this case, what we're going to start off with is a few configuration changes within Splunk itself. The idea, firstly, is to configure the actual receiving of data. So if you head over into "Settings," you can click on "Data," then click on "Forwarding and Receiving." Once that is loaded up, under "Receive Data," we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port. So we can say "New Receiving Port," and the port is, of course, going to be the default, which is 9997, which is why that firewall rule was added. So I'll click on Save.
Alright. Once that is done, we can now install the Snort app for Splunk. So click on "Apps" and head over into "Find More Apps." Because the Ubuntu VM that I'm currently working on is running Snort 2, we'll need the appropriate app here. So I'll just search for "Snort." We're not looking for the Snort 3 JSON alerts app, although that could be quite useful; we want the Snort Alert for Splunk app. This app provides field extraction, which is really great, because performing your own field extractions using regex can be quite difficult if you're a beginner. It covers both fast and full alerts, and also provides dashboards, saved searches, reports, event types, tags and event search interfaces. So we'll install that. Now you'll need to log in with the Splunk account credentials that you created on splunk.com. So I'll just fill in my information really quickly. Alright. I've put in my username and password, and I'll accept the terms and conditions there. So log in and install. That's going to install it. There we are. So we'll just hit "Done."
Now that that is done, if we head back over into our dashboard, so I'll just click on Splunk Enterprise there, you can now see we have Snort Alert for Splunk. That already comes preconfigured with a dashboard, so we'll just let this load up here. You can see that we don't have any data yet. This will display your events and sources, top source countries, the events and, very importantly, the sources and top 10 classifications. That'll classify your alerts in terms of type, which again will make sense in a couple of seconds.

So now that that is done, we actually need to configure the Splunk Universal Forwarder. I'll just open that up in a new tab. It's absolutely free to download the Splunk Universal Forwarder Debian package. Universal Forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data. So again, you can see why Splunk is so powerful and so widely deployed: you can literally forward a ton of data from a ton of systems into Splunk. Because Snort is running on this Ubuntu VM, we need the Debian package. So I'll click on Linux, and we want the 64-bit version. Again, you can choose one based on your requirements; if you're running on Red Hat, Fedora or CentOS, you can use the RPM package. So I'll just download the Debian package here. Give that a couple of seconds; it's going to begin downloading, and then I'll walk you through the setup process. So there we are, it's begun. Once that is done, I'll open up my terminal. That's saved in the Downloads directory, so if we head over into the Downloads directory, you can see we have the Splunk Forwarder Debian package there.
So what we want to do, firstly, is move this package into the /opt directory on Linux, which will allow us to set it up as optional software. It's really good to have all that optional software stored in that directory. So, once that's downloaded, we can move the splunkforwarder package into /opt, and we'll need sudo privileges for that. So I'll say sudo mv. There we are, and I'll just type in my password. Fantastic. So now navigate to the /opt directory. And to install this, we can say sudo apt install and then specify the package itself, so the splunkforwarder .deb file, and hit enter. That's going to install it for you. Give that a couple of seconds.
Alright. Once that is installed, if you list out the contents of this directory, you're going to have a splunkforwarder directory here. So I'll say cd splunkforwarder, and under the bin directory, which we can navigate to here, we'll need to start Splunk. So we will say sudo, and the binary we want to run is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it: we need to specify, or rather create, the username and password. Once that is done, you'll actually see what that looks like. So I'll just say accept the license. And you can see in this case, let's see if I typed that incorrectly. That should actually start. So splunk start; I did not specify start there. So the command is sudo ./splunk start --accept-license. There we are: please enter an administrator name. I'll just say admin. So again, Splunk software must create an administrator account during startup; otherwise, you cannot log in. So create credentials for the administrator account. In this case, you can create whatever you want. I'm just going to fill in my credentials here.

Alright, so I've just entered my administrator username and, of course, my password. So that is done. It'll go through and check the prerequisites. New certs have been generated in the following directory, and all the preliminary checks have passed. So it's starting the Splunk server daemon, and that started. You can also enable it to run on system startup. So if I say, for example, sudo systemctl status splunk, let me type that correctly here. So systemctl, and we can say splunkd. Sorry, so we can say splunk. I'm not really sure why that's not loading here. But I do know that the daemon is running, and there should be an init daemon for that. But in any case, you can always start it that way.
Once that is done, we will need to add our forward server. So we need to add the address of the Splunk server that we're forwarding our logs to. We'll move on to which logs we want to forward in a second, but let's do that first. So again, we're going to use the splunk binary, and we're going to say forward-server, and then copy in the IP address of your Splunk server. So there we are, and I'll paste that in there. And then you need to type in the port, so 9997; that's the port to connect to. Hit enter. So splunk forward... yeah, we need to add it. I keep forgetting the preliminary command. So it's sudo ./splunk add forward-server followed by the IP address and 9997. It then asks for the Splunk username, so in this case let me just put in my credentials here. Alright. And it's going to then add the forwarding to that particular address.
Alright. Now that that is done, we actually need to check a particular file, and that is going to be the outputs.conf file. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So if we head over into the following directory, so I'll just take a step back; we're still in the splunkforwarder directory. We'll head over into the etc directory, and under system we have a file under local, I think, called outputs.conf. So I'm going to say sudo vim outputs.conf. And really, the only thing that is required here is to just leave the default configuration as is. The default group is fine, so tcpout:default-autolb-group, that's fine. Make sure that the server option here is configured; that's the most important. And the tcpout-server address is also configured in this format. So we don't need to make any changes there, and I'll just quit and exit.
Once that is done, we also need to check the actual inputs configuration file. But before we do that, let's take a look. If you revisit the Snort video, you know that all the logs are stored under /var/log/snort. So we have the alert log, and we also have... so again, it's based on the type of alerts you want generated. If I say man snort here, you can see that we have the alert mode. You can use the fast mode or the full mode. In this case, I'll be using the fast mode, and I'll give you a description of what's going on here. Full writes the alert to the alert file with the full decoded header as well as the alert message, which might be important. So we can also do that as well. This was from the previous video, the Snort video, where we had run Snort and were identifying various alerts. So what we can do is, again, we'll go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we also have alert.1. Ideally, we would only want to forward this one file into Splunk.
So, in order to do this, what I'm going to do now is just run Snort really quickly. I'm going to say sudo snort -q, for quiet, then -l /var/log/snort for the log directory, then the interface, -i enp0s3 (again, make sure to replace that with your own interface), the alert mode, -A full, and the configuration, -c /etc/snort/snort.conf. I believe we had another configuration file. Yeah, we had used the snort.conf file. So I'll hit enter. And now let me open up my file explorer here. We take a look at the var directory under log, and under snort we have alert. There we are. So that has been modified; the last modified time is right over there. Okay. So that's 19. Yeah. So this is the last modified. I know this other file is not human-readable; we are not going to be forwarding this .log file. So I'll just close that there.
So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. So I'll just perform a ping really quickly. Again, the alerts will not be logged on our terminal, because they're being logged into the respective alert log file. So I'll just perform a few pings, as I was saying, which I'm doing right now on the attacker system. Once that is done, let's see whether those changes are being highlighted in alert. Indeed, they are. Okay. So now, as you can see here, these are... To begin with, we had used the fast alert output mode, and right over here we then have the full alert mode, and I'm not really sure how we want to go about doing this. But you can see we can actually make a few changes. What we can do is get rid of this traffic here. You can see the message is actually being logged. So we can get rid of this here, because we don't want to mix fast alerts with the full mode. So we can just get rid of that there and save that. Once that is done, I'll just say... we actually need permissions to modify that file.
But what I am going to do instead is close without saving, and I'm just going to stop Snort there. And I'm just going to say sudo rm /var/log/snort/alert, and we're also going to remove alert.1. Alright, so I'm just going to run this again just to see if that file is generated. So there we are, we have alert there, so now it's much cleaner. I'll just run a few pings just to make sure that the traffic and all those alerts are being logged. So there we are, we have a few pings there, and we can also just run a few checks there. Okay, so there we are, we can see that those are now being logged, and of course you can change the format based on your requirements. So now that that is done, what we can do is close that up, and we can actually leave Snort running as is.
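The field extraction the Snort Alert for Splunk app performs, and the mixed fast/full alert file the video just cleared, as an added example that is not from the video or the app: a parser for the two Snort 2 alert output layouts (-A fast and -A full as I know them from Snort 2), run over a constructed alert file that mixes them. The sample sids, addresses and timestamps are made up; parse_alert_file, Alert and top_classifications are the example's own names.

```python
"""Parse a Snort 2 alert file that mixes `-A fast` lines with `-A full` records.

Added example, not from the video or the Snort Alert for Splunk app. It shows the
field extraction the app does, run over the mixed-format file the video ran into.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (sids, addresses and timestamps are made up): two fast-mode
# lines written first, then two full-mode records after a restart with -A full.
SAMPLE_ALERT_FILE = """\
01/19-10:02:11.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
01/19-10:02:12.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.5:80 -> 192.0.2.20:51234

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/19-10:05:01.000001 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:31337 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1000001:1] LOCAL cleartext HTTP basic auth [**]
[Priority: 2]
01/19-10:05:02.000002 192.0.2.20:40022 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x200  TcpLen: 32

"""


@dataclass
class Alert:
    fmt: str                    # "fast" or "full"
    timestamp: str              # Snort's MM/DD-HH:MM:SS.usec (no year)
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]   # None when the rule has no classtype
    priority: Optional[int]
    proto: Optional[str]
    src: str                    # "ip" or "ip:port"
    dst: str


_TS = r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+"
_ID = r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
_CLASS = r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
# fast mode: one line ending in {PROTO} src -> dst
FAST_RE = re.compile(
    rf"^(?P<ts>{_TS})\s+\[\*\*\]\s+{_ID}\s+(?P<msg>.*?)\s+\[\*\*\]\s*{_CLASS}"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# full mode: header, optional classification line, timestamp line, decoded headers, blank line
FULL_HEAD_RE = re.compile(rf"^\[\*\*\]\s+{_ID}\s+(?P<msg>.*?)\s+\[\*\*\]\s*$")
FULL_CLASS_RE = re.compile(rf"^{_CLASS}\[Priority:\s*(?P<pri>\d+)\]\s*$")
FULL_TS_RE = re.compile(rf"^(?P<ts>{_TS})\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")


def parse_alert_file(text: str) -> List[Alert]:
    """Single pass: a fast alert is one line, a full alert runs to the next blank line."""
    alerts: List[Alert] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if m := FAST_RE.match(lines[i]):
            alerts.append(Alert("fast", m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]),
                                m["msg"], m["cls"], int(m["pri"]) if m["pri"] else None,
                                m["proto"], m["src"], m["dst"]))
            i += 1
        elif m := FULL_HEAD_RE.match(lines[i]):
            block: List[str] = []
            i += 1
            while i < len(lines) and lines[i].strip():
                block.append(lines[i])
                i += 1
            alerts.append(_parse_full(m, block))
        else:
            i += 1  # blank separator or a line in neither format: skipped, not fatal
    return alerts


def _parse_full(head: "re.Match", block: List[str]) -> Alert:
    cls: Optional[str] = None
    pri: Optional[int] = None
    if block and (cm := FULL_CLASS_RE.match(block[0])):
        cls, pri = cm["cls"], int(cm["pri"])
        block = block[1:]
    tm = FULL_TS_RE.match(block[0]) if block else None
    if tm is None:
        raise ValueError(f"full-mode record without a timestamp line: {head.group(0)!r}")
    # The line after the timestamp is the decoded IP header; its first token is the protocol.
    proto = block[1].split()[0] if len(block) > 1 else None
    return Alert("full", tm["ts"], int(head["gid"]), int(head["sid"]), int(head["rev"]),
                 head["msg"], cls, pri, proto, tm["src"], tm["dst"])


def top_classifications(alerts: List[Alert], n: int = 10) -> List[Tuple[str, int]]:
    """The roll-up behind the app dashboard's 'top 10 classification' panel."""
    return Counter(a.classification or "(unclassified)" for a in alerts).most_common(n)
```

Feeding a real /var/log/snort/alert through parse_alert_file shows immediately whether it holds one format or both, which is the check to run before assigning the file a single sourcetype.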
So what I'll do is just open up another tab, so I can say Ctrl+Shift+D, there we are. We're currently within the following directory: /opt/splunkforwarder/etc/system/local. Once that is done, we now need to add the files that we would like to monitor, or that we would like to forward, so the log files. I'll go back into the bin directory, so cd bin, because that's where we have the splunk binary. So I'll say sudo ./splunk add monitor, and the file that we want to forward is under /var/log/snort, and it is just alert. So that's really all that we want to do. We can also utilize the fast alerts, but let's just do this for now. We only want the alerts; we don't want the actual log files that contain the packets themselves. So I'll hit enter. Alright, so it's now going to forward those alerts into Splunk, which pretty much means that on our end we are done.
However, we still need to check one more configuration file.
-
So I'll just take a step back here, and we'll head over into the etc directory, under apps, then search, and then into local.
-
I think we'll need root permissions to access this, so I'll just switch to the root user and head over into local.
-
And we're looking for the inputs.conf file. Right, so we need to actually configure this, because this is very important.
-
The first thing we want to do is add a new line here, and within the square brackets I'll just say splunktcp, and we then want to specify the port, so 9997.
-
Let me make sure I type that in correctly.
-
We then need to actually put in the connection host, so connection_host is going to be equal to the IP address of the Splunk server.
-
So I'll just copy that and paste that in there.
-
Once that is done, this is fine here: disabled is set to false. We want index to be equal to main,
-
and then the sourcetype is going to be equal to snort_alert_full, and we can then say the source is equal to snort.
-
All right, so this is a very important configuration, so let me just go through those options again.
-
We have the splunktcp option, we then have the actual connection_host, the monitor is set correctly to that file,
-
it's enabled, index = main, sourcetype = snort_alert_full, source = snort. Fantastic, so we'll write and quit.
-
Once this is done, we'll need to restart Splunk, so I'll switch back to my user, alexis, here, and we'll navigate back to the bin directory.
-
So I'll say cd bin, and we'll say sudo splunk restart. All right, hit Enter.
-
It's going to stop the splunk daemon, shutting it down, and restart it, and it's done successfully.
-
So all the checks were completed without any issue.
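-
Editor's added example (not from the video, and not Splunk's or Snort's own code): the forwarder configuration from the steps above written out as files, with a check that flags the common mistake. On a Universal Forwarder the destination indexer is set in outputs.conf (that is the file `splunk add forward-server <host>:9997` writes), and inputs.conf needs only the monitor stanza (what `splunk add monitor` writes). A `[splunktcp://9997]` stanza is the receiving side's setting: in a forwarder's inputs.conf it opens a listener on 9997 rather than sending anywhere, and `connection_host` there controls how the host field of received events is filled, not where data goes. The indexer address 192.168.1.50, the SPLUNK_HOME default and the stanza group name are placeholders; the alert path, index and sourcetype are the ones used in the walkthrough.

```shell
#!/bin/sh
# Added example: write and verify the Universal Forwarder config for Snort alerts.
# Not the video's or Splunk's code. INDEXER and the SPLUNK_HOME default are placeholders.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INDEXER="${INDEXER:-192.168.1.50}"          # hypothetical Splunk Enterprise server
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"

# WHERE to send: outputs.conf (same effect as `splunk add forward-server $INDEXER:9997`).
write_outputs_conf() {
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    cat > "$SPLUNK_HOME/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = snort_indexers

[tcpout:snort_indexers]
server = ${INDEXER}:9997
EOF
}

# WHAT to read: inputs.conf (same effect as
# `splunk add monitor $ALERT_FILE -index main -sourcetype snort_alert_full`).
# Only the alert file is monitored, not the packet logs that sit beside it.
write_inputs_conf() {
    mkdir -p "$SPLUNK_HOME/etc/apps/search/local"
    cat > "$SPLUNK_HOME/etc/apps/search/local/inputs.conf" <<EOF
[monitor://${ALERT_FILE}]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
EOF
}

# Returns 0 when both files carry what the Snort Alert for Splunk app expects,
# and 1 if a [splunktcp...] receiver stanza has crept into the forwarder's inputs.conf.
check_config() {
    outputs="$SPLUNK_HOME/etc/system/local/outputs.conf"
    inputs="$SPLUNK_HOME/etc/apps/search/local/inputs.conf"
    grep -q "^server = ${INDEXER}:9997\$" "$outputs" || return 1
    grep -q "^\[monitor://${ALERT_FILE}]\$" "$inputs" || return 1
    grep -q "^index = main\$" "$inputs" || return 1
    grep -q "^sourcetype = snort_alert_full\$" "$inputs" || return 1
    if grep -q "^\[splunktcp" "$inputs"; then
        echo "inputs.conf on the forwarder has a receiver stanza; that belongs on the indexer" >&2
        return 1
    fi
    return 0
}

# Usage: sh forwarder-config.sh apply   (then: sudo $SPLUNK_HOME/bin/splunk restart)
if [ "${1:-}" = "apply" ]; then
    write_outputs_conf && write_inputs_conf && check_config && echo "forwarder config OK"
fi
```

Run it as root on the Ubuntu sensor, restart the forwarder, and confirm with `splunk list forward-server` and `splunk list monitor`. The indexer has to be receiving on that port (Settings, Forwarding and receiving, or `splunk enable listen 9997` on the Splunk server) or the forwarder will queue events and nothing appears in Search & Reporting.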
-
Now that this is done, we can actually go back into Splunk here, and we'll navigate to the dashboard. This is your Splunk server, right?
-
And let's take a look at the messages here; that's just a few updates, we don't need to do anything there.
-
So if we click on Search & Reporting, just to verify that that data has indeed been forwarded (I'll just skip through this),
-
if we click on Data Summary, under Sources you should see that we have the host, and in my case the name of the system is black box, so that should be reflected there.
-
So there we are, black box, we have 42 logs, or alerts if you will; Sources, 42.
-
We can click on that there to just see the data that has been logged, and indeed we can see that has been done correctly. So the sourcetype is alert.
-
We can see that it's imported pretty much all the data; this is the full log, whereby we have the reference to that there.
-
That's weird, I didn't actually run anything weird, but there you go.
-
So now that this is done, you can use Splunk to essentially visualize this data however you want.
-
So I can go into Visualization, and we can select a few fields. So if I go back into the events here, I can select a few fields that I want displayed here,
-
and I can essentially extract the fields that I want with regex.
-
But I don't think this is necessary at this point, because if we actually go back to the dashboard and we click on Snort Alert for Splunk,
-
let's see whether this automates that process for us. There we are, actually it looks like it does.
-
So classification: bad traffic. So it looks like that is working.
-
So what we can do now is run a few tests; we can actually utilize this script here, the testmynids script.
-
So all you need to do to run it is just copy this one-liner command, which will download it into your /tmp directory and will then execute it.
-
So to execute it within your /tmp directory you can just execute the actual binary there; it is a binary, not a script.
-
And once that is done, you can then select the option here. So let me just do that on my attacker system.
-
I'm just going to run it one more time, so I'm just going to say ls here, and if I open up the documentation,
-
firstly I will run a quick Linux UID check. So I'll just hit Enter. Okay, that is done.
-
I'll then perform an HTTP basic authentication and a malware user agent, so I'm doing that right now.
-
Okay, and we can run one more here. Let's see, we can try EXE or DLL download over HTTP;
-
that is surely going to be logged, or rather that's going to trigger an alert.
-
So, do we have that running? All right, so Snort is running, that's great, so we know that the actual alerts are being forwarded. Absolutely fantastic.
-
So let's go back in here; I've already run those particular checks, so let me just refresh this.
-
I know it usually takes a couple of seconds to a couple of minutes, but that data should actually be reflected. There we are, fantastic.
-
Firstly, I'll just explain the dashboard here, because this dashboard is automatically set up for you by the Snort app,
-
which is really awesome; as I said, you don't need to go through that process yourself.
-
So the first graph here essentially tells you your events, and it also displays the total number of sources, so you can see that there.
-
You also have the time, so you have your events and then the timeline here, and you can essentially view the trend of events there.
-
You then have the top source countries right over here, and if I just run another check really quickly here through the testmynids website,
-
so let me just run the curl command, you should actually see that, because we are making a connection to an external server,
-
it should reflect that info under the top source countries.
-
So we then have the events here, which you can click on, and then of course you have the sources.
-
So these are the Snort event types, and these are actually the classifications, so we can see Potentially Bad Traffic, Attempted Information Leak,
-
and you can just refresh your dashboard to get the latest. So we'll give that a couple of seconds, and you can also specify the actual interval period.
-
So I'll just wait for this; let's see if it's actually being logged, or whether we can see all of that.
-
So I'll just go back into the dashboard here, and we'll go into Search & Reporting,
-
and if we click on the actual Data Summary and the Sources, we can see we have snort there and then /var/log/snort/alert. So we click on snort there.
-
Okay, so this is bad traffic. That's really weird, because the source is snort; we had added two sources there.
-
So Data Summary, let me just click on that there, and if we click on these sources there, this is the one that we want, ideally.
-
Yeah, so that looks like the correct one there; that's the correct traffic.
-
I think that's why... let me see if I can find it. So Snort Alert for Splunk, let me click on the app there, show filters;
-
it should be displaying much more than that, because I know they're not just four.
-
So if we actually head over into the Snort Event Search here, we can actually search... yeah, so this is only monitoring the pings.
-
So that's weird, I'm not really sure why we have two data sources. I think it's to do with the fact that we had... so let me just go back here:
-
apps, search, and sudo to root. Let me just check that here, so cd local, vim inputs.conf.
-
So there we are, so the source is snort. We already specified the source as snort there, but it's adding this particular alert file as a source as well.
-
And then the sourcetype is snort_alert_full, index main. Yeah, that should be working without any issues.
-
I'm not really sure why that is the case, but we can actually customize what data set we want to use, so let me actually showcase how to do that right now.
-
So apologies about that; I actually figured out what the issue was.
-
It was because the system I was running these particular attacks from wasn't even connected to the local network,
-
and even though I was running these attacks, I did realize that of course they weren't working.
-
So I've just reconnected it, and what I'm going to do is just run this one more time.
-
So just give me a second here, and I'll be able to do that one more time. Let me just navigate to that particular directory,
-
and we'll actually see whether this will work.
-
So you can actually see there's much more that's been captured in regards to events, and I'll be explaining this dashboard in a couple of seconds.
-
So let me just launch that first type of check, and of course I'm using testmynids here.
-
Unfortunately that wasn't even being logged, which is why I was a bit confused as to why those logs were not being displayed here.
-
So I'll give that a couple of seconds, and we'll be able to see this happen in real time as well.
-
All right, so that is done; I've essentially launched a couple of those tests.
-
As I said, this is your default dashboard that you're provided with here, so you can actually refresh all of these panels, if you will, so that'll display the latest.
-
And as I said here, because I had performed the actual check and then connected to an external server, you can see that the top source countries are highlighted there.
-
You can also refresh the number of events, as you can see here, and the number of sources, and you can also do that for the rest of the panels.
-
So these are the top 10 classifications in terms of events, if you will, and then the Snort event types, as you can see here.
-
So for example, in this case we have the ATTACK_RESPONSE id check, which, if we click on it right over here, you can see that it actually displays that,
-
and you can then click on the signature itself; this is for statistics.
-
Now, if you click on the Snort Event Search tab right over here, you can see that this allows you to search based on the source IP, the source port,
-
the destination IP, the destination port and the event type.
-
So I can check for attack responses based on the rule set that we had used previously, and I can also specify the time range, right? So that's really fantastic there.
-
So you can see that right over here we have that logged, which is fantastic.
-
And if we click on the Snort World Map, that'll essentially, as you'll see in a couple of seconds, display the countries by the source IPs.
-
In this case it should display the United States, which makes sense. And there we are.
-
So again, this is extremely helpful, especially if you work in a SOC, and as I said, there are multiple security tools you can integrate with Splunk.
-
Now, one thing that I wanted to highlight is, if you click on Edit (I'll just go back to the Event Summary here, because this is very important),
-
you can set this as your main dashboard. So if you right-click here, you can set this as your home dashboard.
-
So I'll just click on that there, and now you'll see on your dashboard here, if I just close that top menu, that will actually be displayed there.
-
So give it a couple of seconds. And of course you can click on the cog wheel here and specify your default dashboard.
-
Now, there are a couple of other ones that are created by default, but yeah, you can have that on your dashboard.
-
And if you actually click on the Snort Alert for Splunk here, and we'll just go back into that Snort Event Summary tab,
-
you can actually edit the way these particular panels are tiled.
-
So you can convert it to a prebuilt panel, you can get rid of it, you can also move them around based on your own requirements,
-
and in this case you can actually, let's see if I can show you, you can actually select the visualization.
-
So in this case I think the default one is fine, and you can then view the report here.
-
So if we click on this one here, for example, we could actually use the bar graph to display the top source countries and have them displayed in a bar graph style,
-
but we can just take it back to the pie chart there. And you can also change this for the events as well.
-
So if we wanted to view a trend, we can click on the bar graph there. In this case I don't think that's formatted correctly,
-
so if we just use the default one, which I believe was... no, that wasn't the one. Let's see if I can identify it here; it was the number. There we are, so 26.
-
So as I said, you can customize this based on your own requirements.
-
So for example, this one might do well if it was in the form of a bar graph, so you can utilize that if you feel that is appropriate.
-
In this case we can also list the events themselves. Let's see which other ones look really good here.
-
And yeah, once you're done with the customization, you can then cancel or save based on your requirements,
-
and you can also filter on this particular tab here through the source IP, destination IP, etc.
-
Let's see, what else did I want to highlight? Let me just refresh this once more to essentially get the latest data.
-
And you can see, in terms of the panels, this will display the last 100 attempts, and you can go through them like so.
-
I think we've gone through all of them, but you also have the persistent sources, so two or more days of activity in the last 30 days,
-
so you actually need a lot of data for that to be displayed or to give you anything useful.
-
Yeah, so that is what I wanted to highlight in regards to the Snort Alert for Splunk app and the actual dashboards, which, as I said, it already creates for you.
-
Now, you can create your own dashboard, as I said, based on your own sources. If I go back into Apps and Search & Reporting,
-
I'll just click on Data Summary there, and if I click on Sources, you can click on this source here, for example,
-
and in this case we can actually just click on that there, and I can click on Extract Fields, and you can extract the fields with regex.
-
So I'll click on Next there, and you can then select the fields that you want.
-
So for example, in this case we would want the date and time, so I can just highlight that there and say time, for example, and add the extraction.
-
And then of course we have the source IP and the port; I'll just highlight them together, but I think it's actually recommended just to highlight the source IP there.
-
So for the source we can say src_ip and add that extraction.
-
And we then have the destination IP, which in this case, because this is an SNMP broadcast request, we know that that's the destination IP,
-
so I'll say dst_ip and add the extraction. Let's see what else we can do.
-
In this case it's saying: if you're extracting multiple fields, try removing one or more fields; start with the extractions that are embedded within longer strings.
-
Okay, so let's try and use another alert here. That was kind of interesting. Let's see, it's not displaying all of them here, but you get the idea.
-
Once you're done, for example, I can remove that field here; I'm just giving you an example of that, so remove that field. There we are.
-
I can then say Next, and I can click on Validate and Save based on those fields there, and hit Finish.
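-
Editor's added example (not part of the video, and not the Snort Alert for Splunk app's code): extracting src_ip and dst_ip with a regex works on the full alert format because Snort puts the addresses on one fixed line (timestamp, source, `->`, destination). The wrinkle behind the advice to highlight only the IP is that the `:port` suffix exists for TCP and UDP only; the ICMP ping alerts carry a bare address, so a pattern that assumes `ip:port` silently drops them. The awk parser below handles both shapes and reduces the result to a per-classification count like the dashboard panel. The two alert records are constructed sample input in Snort's full alert format (the ATTACK_RESPONSE id check is the signature the dashboard showed above); the column names are my own, and the split is IPv4 only since an IPv6 address also contains colons.

```shell
#!/bin/sh
# Added example (not from the video or the Snort app): parse Snort full-format
# alerts into tab-separated fields and summarise them by classification.
# IPv4 only: an IPv6 address contains ':' and would need a different split.

# Constructed sample: two alert records in Snort's "full" alert format.
sample_alerts() {
    cat <<'EOF'
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/12-10:15:32.123456 93.184.216.34:80 -> 192.168.1.10:51234
TCP TTL:54 TOS:0x0 ID:1234 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x100  TcpLen: 20

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
05/12-10:14:01.000001 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO

EOF
}

# stdin: an alert file; stdout: one line per alert,
# ts TAB sid TAB msg TAB classification TAB priority TAB src_ip TAB src_port TAB dst_ip TAB dst_port
parse_snort_full() {
    awk '
    # "[**] [gid:sid:rev] message [**]" opens a record
    /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
        hdr = $0
        sub(/^\[\*\*\] \[/, "", hdr)
        split(hdr, id, ":")
        sid = id[2]
        msg = hdr
        sub(/^[0-9]+:[0-9]+:[0-9]+\] /, "", msg)
        sub(/ \[\*\*\][ \t]*$/, "", msg)
        next
    }
    /^\[Classification: / {
        cls = $0; sub(/^\[Classification: /, "", cls); sub(/\].*$/, "", cls)
        pri = $0; sub(/.*\[Priority: /, "", pri);    sub(/\].*$/, "", pri)
        next
    }
    # "MM/DD-HH:MM:SS.usec src -> dst"; the :port suffix is present for TCP/UDP only
    $3 == "->" && $1 ~ /^[0-9]/ {
        ts = $1; src = $2; dst = $4; sp = ""; dp = ""
        if (index(src, ":")) { split(src, a, ":"); src = a[1]; sp = a[2] }
        if (index(dst, ":")) { split(dst, b, ":"); dst = b[1]; dp = b[2] }
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ts, sid, msg, cls, pri, src, sp, dst, dp
        sid = ""; msg = ""; cls = ""; pri = ""
        next
    }'
}

# Same reduction as the dashboard's top-classifications panel: events per class.
top_classifications() {
    parse_snort_full | cut -f4 | sort | uniq -c | sort -rn
}

# Usage: sh parse_snort.sh demo      or      parse_snort_full < /var/log/snort/alert
if [ "${1:-}" = "demo" ]; then
    sample_alerts | parse_snort_full
    sample_alerts | top_classifications
fi
```

Feeding the real file through it gives the same columns the Extract Fields wizard was building, which makes it a quick way to check what the wizard's regex will and will not match before saving it. The equivalent inside Splunk is a `rex` with the port made optional, for example `| rex "(?<src_ip>\d+\.\d+\.\d+\.\d+)(?::(?<src_port>\d+))? -> (?<dst_ip>\d+\.\d+\.\d+\.\d+)(?::(?<dst_port>\d+))?"`, so the ping alerts keep their addresses too.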
-
And then I can go back to Search & Reporting, and if I wanted to create a very simple visualization, which I'll show you right now,
-
even though I don't really need those extracted fields, although they might be useful, I can click on those extracted fields.
-
Now, I believe they should have been added; I'm not really sure why they aren't being highlighted here.
-
There we are, so source IP, and we can also specify the source port. There they are; they took a while to be displayed there.
-
Source port, why not. Yeah, I think that's pretty much it.
-
So based on those we can actually build an event type; however, if we go to Visualization and click on Pivot here, selected fields is five, hit OK,
-
we can actually visualize this however we want.
-
So for example, if I wanted a column chart here, number one will display the count; I can just add the events, because that's the count,
-
and we should have at the bottom the time, which I did specify, I believe, within that range there, but that's not being highlighted here.
-
So the number of events, and you can go ahead and essentially save it. So you get the idea.
-
You don't really need to do this, because we have the Snort app here, which pretty much gives you the summaries that are useful for you.
-
And there we are, fantastic. So that's going to conclude the practical demonstration side of this video.
-
So thank you very much for watching this video. If you have any questions or suggestions, leave them in the comments section.
-
If you want to reach out to me, you can do so via Twitter or the Discord server; the links to both of those are in the description section.
-
Furthermore, we are now moving on to part two, so this will conclude part one.
-
Part two will be available on the Linode platform, so the videos are available on demand;
-
all you need to do is click the link in the description and register for part two, after which an email will be sent to you
-
and you'll be given immediate access to the videos within part two.
-
So thank you very much for watching part one. In the next video, in part two, we'll take a look at host intrusion detection with OSSEC.
-
So I'll be seeing you in the next video.
-
[Music].