Hello, everyone. Welcome back to the Blue Team training series brought to you by Linode and Hackersploit. In this video, we're going to be taking a look at how to set up, or how to perform, security event monitoring with Splunk, more specifically Splunk Enterprise Security. So the objective here will be to monitor intrusions and threats with Splunk. And you might be asking yourself, well, how are we going to do this? What setup are we using? Well, the scenario that I've set up for this video is that we are essentially going to take all the knowledge that we learned during the Snort video, and we are going to forward all of the Snort logs into Splunk, or have that done automatically through the Splunk Universal Forwarder, so that we get the latest logs while Snort is running on our Ubuntu virtual machine.

And the objective here is to use Splunk in conjunction with the Splunk Snort app to visualize and identify or monitor network intrusions and any malicious network traffic within the network that I'm monitoring.

At a very high level, what will we be covering? Well, firstly, we'll get an introduction to Splunk. Now, before we move any further, I do want to note that this video is not going to be focused on Splunk fundamentals. I'm going to assume that you already know what Splunk is and how it's used, generally speaking, because Splunk is not really a tool that is specific to security; that's why they have the Splunk Enterprise Security version or edition. I'm just going to assume that you know how to use Splunk at a very basic level. So once we get an introduction to Splunk, we'll go over Splunk Enterprise Security, the Enterprise Security edition, and how it can be used for security event monitoring, especially in our case, because we want to monitor the intrusion detection logs generated by Snort.

We'll then move on to deploying Splunk Enterprise Security on Linode, which is absolutely fantastic because they have a cloud image available for it that allows you to spin it up without going through the process of installing and configuring it. So that'll set it up for us.

We'll then take a look at how to configure Splunk, and how to set up the Splunk Universal Forwarder on the Ubuntu virtual machine that is running Snort so that we can forward those logs into Splunk. And then, of course, we'll take a look at the Splunk Snort event dashboard that will be provided to us by the Splunk Snort app. So if this sounds like gibberish to you, don't worry. It will make sense in a couple of minutes.

With that being said, given that we're going to be using Snort to generate alerts and then monitor those alerts, if you have not gone through the actual Snort video, please do that, as it'll help you set up Snort, and you can then run through this demo. Also, this is not a holistic video that will cover everything you can do with Splunk Enterprise Security. We are just focused on the intrusion detection logs produced by Snort and how they can be imported or forwarded to Splunk for analysis and monitoring.

So the prerequisites are the same as in the previous videos. The only difference is that you need to have a basic familiarity with Splunk: how to navigate around the various menu elements and, essentially, how to use it at a very basic level. If you're not familiar with Splunk, I'll give you a few resources at the end of these slides that'll help you get started. Alright.

So let's get an introduction to Splunk. What is Splunk? That's the main question. If you've never heard of Splunk, Splunk is an extremely powerful platform that is used to analyze data and logs produced by systems, or machines, as Splunk likes to call them. So what problem is Splunk trying to solve here? Well, let's look at this from the perspective of Web 2.0, or the interconnected world we live in today, and we're going to be looking at it from the perspective of security.

So if we take a simple system, let's say a system running Windows, well, that Windows system produces a lot of data or logs that contain information which, at first glance, might not seem that important. But once you start getting into specific sectors like security, those logs have very important value to organizations. Now multiply that by a thousand systems. Let's say we have an organization with a thousand computers within their network, or distributed worldwide. All of these systems need to be secured, and their security needs to be monitored. So how do we monitor all of this? Well, this is where Splunk comes into play. Splunk allows you to funnel all of this data produced by systems or machines into Splunk, and Splunk then allows you to monitor, search, and analyze this machine-generated data and the logs through a web interface. So in order to use Splunk, you'll need to import your own data or logs. Alternatively, you can utilize the Splunk Universal Forwarder to forward logs and data to Splunk for analysis and, of course, visualization, etc. Now, Splunk does so much more that I really can't go over all of the features here. But as I said, we're looking at this through the lens of a security engineer.

Alright. So Splunk collates all the data and logs from various sources and provides you with a central index that you can search through. Splunk also provides you with robust visualization and reporting tools that allow you to identify the data that interests you, transform the data into results, and visualize the answers in the form of a report, chart, graph, etc. So what I'm saying here is that Splunk allows you to take all of these security-related logs and data, make sense of them, and get the answers that you're looking for. For example, from the perspective of a security engineer, what do you want from all of this data? Well, at a very high level, you want to know whether something is going wrong and what could go wrong. In the context of security, a network could be compromised; there could be some malicious network traffic or activity going on; a system could be compromised, etc. You get the idea. So we need that data to be displayed to us as security engineers. And Splunk is really one of the best tools when it comes to taking a lot of data, identifying the data that interests you, transforming that data into results, and then visualizing that data in the form of a report, chart, or graph. So that's really what we're going to be doing. And as I said, going back to the scenario, we're going to be focusing on how to forward the logs and alerts created by Snort into Splunk for analysis. And luckily for us, Splunk has a Snort app, or plug-in, if you will, that will essentially simplify this process.

So, let's get an idea as to how we can use Splunk for security event monitoring. Splunk Enterprise Security, also known as Splunk ES, is a security information and event management solution, also known as a SIEM. It is used by security teams to quickly detect and respond to internal and external attacks, threats, or intrusions. So Splunk ES can be used for security event monitoring, incident response, and running a SOC, or Security Operations Center.

In this video, we'll be using Splunk ES to monitor and visualize the Snort intrusion alerts. This will be facilitated through the help of the Snort app for Splunk and the Splunk Universal Forwarder. Now, the Splunk Universal Forwarder is pretty much the most important element of what we'll be exploring, because what it does, and this is really cool, is automatically forward the latest logs, even while Snort is running. It forwards those alerts and logs into Splunk, and you can see them in real time, which is absolutely fantastic.

So as I said, if you're new to Splunk, then these resources are really helpful for you. Splunk offers really great tutorials and courses designed for absolute beginners. You can check those out by clicking on the link within this slide, and you can learn more about the Splunk Enterprise Security edition from that particular link.

Now, as I said, we are going to be deploying Splunk on Linode, more specifically Splunk ES. And this is the lab environment. We're going to spin up Splunk ES on Linode. Now, to follow through with this, Linode has been absolutely fantastic by providing all of you with a way to get $100 in free Linode credit. All you need to do is click the link in the description section and sign up, and $100 will be added to your account so that you can follow along with this series. So we're going to set up Splunk ES on Linode. And then, within my internal network, we're just going to have a very basic infrastructure. We're going to have the Ubuntu virtual machine that is running Snort. This is the same virtual machine that we had set up and used to set up Snort, to set up Suricata, and the one we had used with Wazuh. And that's essentially it. We're going to have a very basic infrastructure where we have an attacker system that I'm going to be using to perform a bit of network intrusion detection emulation, whereby I will run a couple of commands or scripts to emulate malicious network activity so that this traffic is logged. That'll give us a good idea of how helpful Splunk is for security event monitoring, especially in the context of network intrusions.

So as I said, you don't really need to have a Windows workstation. You simply need to have the Ubuntu VM, and you can pretty much run everything from it. And, of course, you can set up the Splunk Enterprise Security server on Linode without any issues.

So that's the lab environment. We can now get started with the practical demonstration. I'm going to switch over to my Ubuntu virtual machine.

Alright. So I'm back on my Ubuntu virtual machine, and you can see I have Linode opened up here. I haven't set anything up yet because we're going to be walking through the process together.

I then have the Splunk.com website here. If you're new to Splunk, then you need to create a new account in order to follow along. So just head over to Splunk.com and register for an account. It's free. Once that is done, you'll need to activate or verify your account through the verification email they'll send you. Once that is done, we can then move forward, because in order to access the actual Splunk Universal Forwarder, you'll need to have an account. And of course, in this case, I'll be going through everything as we move along, in a structured manner.

Then, to perform the actual NIDS tests, we are going to be using the testmyNIDS.org project, which is on GitHub. This is essentially a bash script that, as you can see here, allows you to emulate or simulate malicious network traffic. So, previously, we had used the website technique to essentially get a Linux UID, and that traffic would be logged as malicious, or it could be logged as a potential intrusion. And we can run a few other checks like HTTP basic authentication, bad certificate authorities, and an EXE or DLL download over HTTP. So we can run tests that will just make our intrusion detection system blow up in terms of alerts. And that's what we want, because we want to see how that data is presented to us as security engineers in Splunk. With that being said, the first step, of course, is to set up Splunk ES on Linode.

So just click on "Create a Linode" and click on "Marketplace." And they already have Splunk here. So there we are. You can click on that there. And if you click on this little info button here, it'll give you an idea as to how to deploy it on Linode. And, of course, you have more information regarding Splunk, so you have the documentation link there. I'll just click on Splunk.

Once that is clicked, we can then head over here. You'll need to specify the Splunk admin user. I recommend using "admin" to begin with, and then specify a password. If you're setting up Splunk on a domain, then you can specify the Linode API token to create the DNS records; that's if you're using Linode's DNS service. And then, of course, you need to add the admin email for the server. So in this case, I can just say, for example, hackersploit@gmail.com. Don't spam me on this email because I don't respond anyway. So we can create another user. This is the username for the Linode admin's SSH user. Please ensure that the username does not contain any... so we can just call this "admin." And then for the admin user, we'll just provide that there.

So for the image, we're going to set it up on Ubuntu 20.04. For the region, I'll say London, because that's closest to me. As for the actual Linode plan, Splunk ES doesn't require that many resources, especially because the amount of data that we're processing, or the logs that are being forwarded to Splunk, is relatively small, so less than 100, which, if you've used Splunk before for security event monitoring, you know is really, really small. In fact, Splunk will actually tell you that the amount of data you have imported or forwarded to begin with is too little to make any sense of. But that's where the Snort app for Splunk comes into play. So I'll just say "Splunk," and I'll provide my root password for the server. And we can click on "Create."

Alright. Now, once this is set up and provisioned, the actual installer is going to begin, because there is an auto-installer setup that will set up Splunk for you. So let it provision. After that's done, you can launch the Lish console to avoid logging in via SSH. And of course, one thing that I don't need to tell you is, if you're setting this up for production, then you need to make sure you're securing your server. So do only use SSH keys for authentication with the server. If you're new to hardening and securing a Linux server, you can check out the previous series that we did with Linux, the Linux Server Security series. It'll give you all the information you need to secure a Linux server for production.

With that being said, I'm just going to let it provision, after which we can launch the Lish console to see what's going on in the background. We can then get started officially with how to set up Splunk. We then need to set up the Universal Forwarder. So, this is booting now.

Alright. So the server is booted, and you can see I've just opened up the Lish console here to view what's going on. As you can see, it's begun setting up Splunk ES. So just give this a couple of minutes. And once it's done, it'll actually tell you, and it'll provide you with the login prompt. But it's probably logged in as the root user already. So just let this complete. I'm just going to wait for this to actually conclude.

Alright. So once Splunk ES is done, or the actual Linode is done here with the setup, you can see it's going to tell you "installation complete," and you can then log in. Keep this window open because this is going to be very important, as we'll need to configure a few firewall rules. By default, this Linode comes with UFW, which is the uncomplicated firewall for Debian, or it typically comes prepackaged with Debian-based distributions like Ubuntu. In this case, it's already added the firewall rule for the port that we wanted, but just keep it open because we'll need to run a few checks. So you can log in there. I'm just going to log in with the credentials that I specified as the root user. And I can just say sudo ufw status. And you can see these are all the allowed rules, or the actual rules configured for the firewall, which is looking good so far.

So we can access the Splunk ES instance that we set up by pasting in the IP of the server and opening up port 8000. That's going to open up Splunk ES for you. So just give this a couple of seconds. There we are. And the credentials that we had used were "admin" and the password that I created, which, of course, you'll be able to specify yourself. So just sign in. And once that is done, you'll be brought to Splunk Enterprise Security here. So there we are: explore Splunk Enterprise. And in this case, what we're going to start off with is a few configuration changes within Splunk itself.

So the idea, firstly, is to configure the actual receiving of data. If you head over into "Settings," you can click on "Data," then just click on "Forwarding and Receiving." Once that is loaded up, under "Receive Data," we need to configure this instance to receive data forwarded from other instances. So we want to configure receiving, and we just want to set the default receiving port. So we can say "New Receiving Port," and the port is, of course, going to be the default, which is 9997, which is why that firewall rule was added. So I'll click on Save.

Alright. So once that is done, we can now install the Snort app for Splunk. Click on "Apps" and head over into "Find More Apps." And because the Ubuntu VM that I'm currently working on is running Snort 2, we'll need the appropriate app here. So I'll just search for "Snort" there. We're not looking for the Snort 3 JSON alerts app, although that could be quite useful; we want the Snort Alert for Splunk app. This app provides field extraction, which is really great, because performing your own field extractions using regex can be quite difficult if you're a beginner. So it handles fast and full alerts, and provides dashboards, saved searches, reports, event types, tags, and event search interfaces. So we'll install that.

Now you'll need to log in with the Splunk account credentials that you actually created on splunk.com. I'll just fill in my information really quickly. Alright. So I've put in my username and password. I'll accept the terms and conditions there, then log in and install. That's going to install it. There we are. So we'll just hit "Done."

Now that that is done, if we head back over into our dashboard, so I'll just click on Splunk Enterprise there, you can now see we have Snort Alert for Splunk. That already comes preconfigured with a dashboard. So we'll just let this load up here. And you can see that we don't have any data yet. This will display your events and sources, top source countries, and the events. This is very important: these sources and the top 10 classification panel. That'll classify your alerts in terms of their type, which again will make sense in a couple of seconds.

Now that that is done, we actually need to configure the Splunk Universal Forwarder. I'll just open that up in a new tab. It's absolutely free to download the Debian client, or the Splunk Universal Forwarder Debian package. Universal Forwarders provide reliable, secure data collection from remote sources and forward that data into Splunk software for indexing and consolidation. They can scale to tens of thousands of remote systems, collecting terabytes of data. So again, you can actually see why Splunk is so powerful and why it's so widely used and deployed: because you can literally forward a ton of data from a ton of systems into Splunk. Because Snort is running on this Ubuntu VM, we need the Debian package. I'll click on Linux, and we want the 64-bit version. Again, you can choose one based on your requirements; if you're running Red Hat, Fedora, or CentOS, you can use the RPM package. So I'll just download the Debian package here. Give that a couple of seconds. It's then going to begin downloading it, and then I'll walk you through the setup process.

So there we are. It's begun the setup. And once that is done, I'll open up my terminal. That's saved in the Downloads directory. If we head over into the Downloads directory, you can see we have the Splunk Forwarder Debian package there. What we want to do, firstly, is move this package into the actual /opt directory on Linux, which will allow us to set it up as optional software. It's really good to have all that optional software stored in that directory. So, once that's downloaded, we can say move the Splunk forwarder package into /opt, and we'll need sudo privileges. So I'll say sudo mv. There we are. And I'll just type in my password. Fantastic. So now navigate to the /opt directory. And to install this, we can say sudo apt install, and then we specify the package itself, so the Splunk forwarder package, and we're just going to hit enter. That's going to install it for you. Give that a couple of seconds.

Alright. So once that is installed, if you list out the contents of this directory, you're going to have a splunkforwarder directory here. So I'll say cd splunkforwarder. And under the bin directory, which we can navigate to here, we'll need to start Splunk. So we will say sudo, and the binary we want to run is called splunk, and we'll accept the license. The reason we're doing this is because we need to configure it. We need to specify, or rather create, a username and password. And once that is done, you'll actually see what that looks like. So I'll just say accept the license. And you can see in this case, let's see if I typed that incorrectly. That should actually start. So splunk start. I did not specify start there.

There we are. So please enter an administrator name. I'll just say admin. Again, Splunk software must create an administrator account during startup; otherwise, you cannot log in. So create credentials for the administrator account. In this case, you can create whatever you want. I'm just going to fill in my credentials here. Alright, so I've just entered my administrator username and then, of course, my password. So that is done.

It'll then go through and check the prerequisites. New certs have been generated in the following directory, and all the preliminary checks have passed. So it's starting the Splunk server daemon, and that started. You can also enable it to run on system startup. So if I say, for example, sudo systemctl status splunk, let me type that correctly here. So splunk, sorry, systemctl, and we can say splunkd. Sorry. So we can say splunk. I'm not really sure why that's not loading here. But I do know that the daemon is running, and there should be an init daemon for that. But in any case, you can always start it that way.

Once that is done, we will need to add our forward server. We need to add the address of the Splunk server that we're forwarding our logs to. We'll move on to what logs we want to forward in a second, but let's do that first. So again, we're going to use the splunk binary, and we're going to say forward-server. And we'll just copy the IP address of your Splunk server here. So there we are, and I'll paste that in there. And then you need to type in the port, so 9997; that's the port to connect to. Hit enter. So splunk forward... yeah, we need to add it. I keep forgetting the preliminary command. So add forward-server, then the Splunk username. In this case, let me just put in my credentials here. Alright. And it's going to then add the forwarding to that particular address.

Alright. Now that that is done, we actually need to configure a particular file, and that is going to be the outputs.conf file. If it's already set up for us, which it should be, then we do not need to go through the initial setup. So, if we head over into the following directory, so I'll just take a step back; we're still in the splunkforwarder directory. We'll head over into the etc directory. And under system, we have a file under local, I think. It is called outputs here. So I'm going to say sudo vim outputs.conf. And really, the only thing that is required here is, of course, to just leave the default configuration as is. The default group is fine, so tcpout:default-autolb-group, that's fine. Make sure that the server option here is configured; that's the most important. And the tcpout-server address is also configured in this format. So we don't need to make any changes there. I'll just say quit and exit.

Once that is done, we also need to check the actual inputs configuration file. But before we do that, let's take a look. If you revisit the Snort video, you know that all the logs are stored under /var/log/snort. So we have the alert log, and we also have, based on the type of alerts you want generated... so, if I say man snort here, you can see that we have the alert mode. You can use the fast mode or the full mode. In this case, I'll be using the fast mode, and I'll give you a description of what's going on here. So full writes the alert to the alert file with the full decoded header as well as the alert message, which might be important. So we can also do that as well.

So this was from the previous video, the Snort video, where we had run Snort and were identifying various alerts. What we can do is, again, we'll go through what needs to be created, but we can run a quick test command just to see whether the actual alerts are being logged within the alert file, because we have alert.1. Ideally, we would only want to forward this file into Splunk.

So, in order to do this, what I'm going to do now is just run Snort really quickly. I'm going to say sudo snort -q, for quiet, and then the actual directory for the logs is /var/log/snort. And then we can say the interface is enp0s3. Again, make sure to replace that with your own interface. For the alert mode, we can say full, and the configuration is /etc/snort/snort.conf. I believe we had another configuration file. Yeah. We had used the snort.conf file. So I'll hit enter.

And now let me open up my file explorer here. We take a look at the var directory under log, and under snort, we have alert. There we are. So that has been modified. The last modified time is right over there. Okay. So that's 19. Yeah. So this is the last modified time. Now, I know this file is not human-readable; we are not going to be forwarding this .log file. So I'll just close that there.

So I'm just going to try and perform a few checks on the network, like a few pings, just to see if that's detected. I'll perform a ping really quickly. Again, the alerts will not be logged on our terminal because they're being logged into the respective alert file, or the alert log file. So I'll just perform a few pings, as I was saying, which I'm doing right now on the attacker system.

Once that is done, let's see whether those changes are being highlighted in alert. Indeed, they are. Okay. So now, as you can see here, to begin with, we had used the fast alert output mode. And right over here, we then have the full alert mode, which I'm not really sure how we want to go about handling. But you can see we can actually make a few changes. What we can do is get rid of this traffic here. But you can see the message is actually being logged. So we can get rid of this here, because we don't want to mix fast alerts with the full mode. We can just get rid of that there and save that.

Once that is done, I'll just say... we actually need permissions to modify that file. But what I am going to do actually is close without saving. I'm just going to stop Snort there. And I'm just going to say sudo rm /var/log/snort, and we're going to remove alert. Alright. And we're also going to remove alert.1. So I'm just going to run this again, just to see that the file is generated. There we are. We have alert there. So now it's much cleaner. I'll just run a few pings, just to make sure that the traffic is being logged, that all those alerts are being logged. So there we are. We have a few pings there. And we can also just run a few checks there. Okay. So there we are. We can see that those are now being logged. And of course, you can change the format based on your requirements. Right?
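The mixed fast-mode and full-mode alerts above are exactly the kind of thing the Snort app's field extraction has to cope with. The following is an added example, not code from this video, from Snort, or from the Snort app for Splunk: a small parser that normalizes both output modes to the same fields and rolls them up the way the app's dashboard panels do (events by classification, by source address, by priority). The sample alert text is constructed, using documentation IP ranges; the rule names and SIDs in it are only sample values.

```python
"""Parse Snort 2 alert output in both 'fast' and 'full' modes and summarize it."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of '-A fast' output:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"  # absent for rules without classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# A '-A full' record spreads the same fields over several lines, ended by a blank line.
FULL_HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*$")
FULL_CLASS_RE = re.compile(r"^(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s*$")
FULL_ADDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")
FULL_PROTO_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+TTL:")  # decoded-header line, e.g. 'ICMP TTL:64 ...'


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    mode: str  # 'fast' or 'full'


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.1:80' -> ('192.0.2.1', 80). ICMP endpoints carry no port; IPv6 is kept whole."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return endpoint, None


def _build(f: dict, mode: str) -> Alert:
    src, sport = split_endpoint(f["src"])
    dst, dport = split_endpoint(f["dst"])
    return Alert(ts=f["ts"], gid=int(f["gid"]), sid=int(f["sid"]), rev=int(f["rev"]),
                 msg=f["msg"], classification=f.get("cls"), priority=int(f["prio"]),
                 proto=f.get("proto") or "?", src=src, src_port=sport, dst=dst, dst_port=dport,
                 mode=mode)


def parse_alerts(text: str) -> List[Alert]:
    """Return one Alert per fast line or per full record; unrecognized lines are skipped."""
    alerts: List[Alert] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        m = FAST_RE.match(line)
        if m:
            alerts.append(_build(m.groupdict(), "fast"))
            i += 1
            continue
        m = FULL_HEADER_RE.match(line)
        if m:
            fields = m.groupdict()
            j = i + 1
            while j < len(lines) and lines[j].strip():  # read the record up to the blank separator
                for rx in (FULL_CLASS_RE, FULL_ADDR_RE, FULL_PROTO_RE):
                    mm = rx.match(lines[j].rstrip())
                    if mm:
                        fields.update(mm.groupdict())
                        break
                j += 1
            if all(k in fields for k in ("ts", "src", "dst", "prio")):
                alerts.append(_build(fields, "full"))
            i = j
            continue
        i += 1  # packet-dump lines, blank lines, anything else
    return alerts


def summarize(alerts: List[Alert], top: int = 10) -> dict:
    """Dashboard-style roll-up: top classifications, top source addresses, counts per priority."""
    by_cls = Counter(a.classification or "unclassified" for a in alerts)
    by_src = Counter(a.src for a in alerts)
    by_prio = Counter(a.priority for a in alerts)
    return {"total": len(alerts), "by_classification": by_cls.most_common(top),
            "by_source": by_src.most_common(top), "by_priority": dict(by_prio)}


# Constructed sample: three fast lines followed by three full records (not real capture data).
SAMPLE_ALERTS = """\
08/28-10:15:32.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
08/28-10:15:33.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
08/28-10:16:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.20:51234

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
08/28-10:17:45.654321 192.0.2.11 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/28-10:18:02.000002 203.0.113.7:80 -> 192.0.2.20:51240
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:205 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x1F6  TcpLen: 32

[**] [1:1000001:1] LOCAL test rule without classtype [**]
[Priority: 0]
08/28-10:19:00.000003 192.0.2.12:40000 -> 192.0.2.20:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

if __name__ == "__main__":
    for name, count in summarize(parse_alerts(SAMPLE_ALERTS))["by_classification"]:
        print(f"{count:>4}  {name}")
```

Point it at /var/log/snort/alert to sanity-check what the forwarder will ship before you look at the Splunk dashboard.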

So now that that is done, we can close that up, and we can actually leave Snort running as is. What I'll do is open up another tab, so I can say Ctrl+Shift+T. There we are. And we're currently within the following directory: /opt/splunkforwarder/etc/system/local. So, once that is done, we now need to add the files that we would like to monitor, or that we would like to forward: the log files. I'll go back into the bin directory, so cd bin, because that's where we have the splunk binary. I'll say sudo splunk, and we can say add monitor. And the file that we want to forward is under /var/log/snort, and it is just alert. That's really all that we want to do. We can also utilize the fast alerts, but let's just do this for now. We only want the alerts; we don't want the actual log files that contain the packets themselves. So I'll hit Enter.

Alright. So it's now going to forward those alerts into Splunk, which pretty much means that on our end, we are done. However, we still need to check one more configuration file. I'll just take a step back here, and we'll head over into the /etc directory under apps/search, and then into local. I think we'll need root permissions to access this, so I'll just switch to the root user and head over into local. And we're looking for the inputs.conf file. We need to actually configure this, because this is very important.

The first thing we want to do is--let us
-
add a new line here. And within the
-
square brackets, I'll just say [splunk-tcp].
-
And we then want to specify the port--so
-
9997.
-
Let me make sure I type that in correctly.
-
We then need to actually put in the connection.
-
So the connection_host
-
is going to be equal to the IP
-
address of the Splunk server.
-
So I'll just copy that there and paste that in there.
-
Once that is done,
-
this is fine here--disabled is set to false.
-
We want index to be equal to main.
-
And then the sourcetype
-
is going to be equal to snort_alert_full.
-
And we can then say the source is equal
-
to snort. Alright? So this is a very
-
important configuration. Let me just
-
go through those options or
-
configurations again. We have the splunk-tcp option.
-
We then have the actual connection_host.
-
The monitor is set correctly to that file.
-
It's enabled, index=main, sourcetype=snort_alert_full, source=snort.
-
Fantastic.
-
So we'll write and quit.
-
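Before restarting, it is worth checking the two forwarder files that decide where the Snort alerts end up. The following script is an added example, not code from the video: it parses a Universal Forwarder's inputs.conf and outputs.conf (Splunk's INI-style stanza format) and reports anything that would stop the alert file from reaching the indexer with the index and sourcetype the Snort app expects. The two embedded configs are constructed samples in the standard layout: a `[monitor://<path>]` stanza, which is what `splunk add monitor` writes, plus the index, sourcetype and source keys set above, and a `[tcpout:<group>]` stanza in outputs.conf naming the indexer's receiving port (9997 by convention; the indexer address 192.0.2.10 is a placeholder). Receiving on that port is enabled on the indexer side with a `[splunktcp://9997]` stanza in the indexer's own inputs.conf, so the forwarder's inputs.conf only needs the monitor stanza.

```python
"""Sanity-check a Universal Forwarder's inputs.conf/outputs.conf for the Snort alert monitor."""
import configparser
from typing import List

# Constructed sample: what inputs.conf holds after `splunk add monitor
# /var/log/snort/alert` plus the index/sourcetype/source keys added by hand.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/snort/alert]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
"""

# Constructed sample outputs.conf; 192.0.2.10 is a placeholder for the indexer.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997
"""


def _load(text: str) -> configparser.ConfigParser:
    # Only "=" separates keys from values; ":" appears inside stanza names and host:port.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase keys such as defaultGroup
    cp.read_string(text)
    return cp


def check_forwarder_config(inputs_text: str, outputs_text: str,
                           alert_path: str = "/var/log/snort/alert",
                           sourcetype: str = "snort_alert_full") -> List[str]:
    """Return a list of problems; empty means the alert file will be forwarded
    to the configured indexer with the expected index and sourcetype."""
    problems: List[str] = []
    inputs = _load(inputs_text)
    stanza = f"monitor://{alert_path}"
    if not inputs.has_section(stanza):
        problems.append(f"inputs.conf: no [{stanza}] stanza, so nothing is forwarded")
    else:
        sec = inputs[stanza]
        if sec.get("disabled", "false").strip().lower() in ("1", "true"):
            problems.append(f"inputs.conf: [{stanza}] is disabled")
        if sec.get("sourcetype", "").strip() != sourcetype:
            problems.append(f"inputs.conf: [{stanza}] sourcetype is "
                            f"{sec.get('sourcetype', '<unset>')!r}, expected {sourcetype!r}")
        if not sec.get("index", "").strip():
            problems.append(f"inputs.conf: [{stanza}] sets no index, so the indexer's "
                            "default index will be used")
    for name in inputs.sections():
        if name.startswith("splunktcp"):
            problems.append(f"inputs.conf: [{name}] opens a receiving port on the forwarder; "
                            "a forwarder that only sends to an indexer does not need it")
    outputs = _load(outputs_text)
    groups = [s for s in outputs.sections() if s.startswith("tcpout:")]
    if not groups:
        problems.append("outputs.conf: no [tcpout:<group>] stanza, so there is no indexer to send to")
    for group in groups:
        servers = (e.strip() for e in outputs[group].get("server", "").split(","))
        for endpoint in filter(None, servers):
            host, _, port = endpoint.rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"outputs.conf: [{group}] server {endpoint!r} is not host:port")
    default = outputs["tcpout"].get("defaultGroup", "") if outputs.has_section("tcpout") else ""
    if default and f"tcpout:{default}" not in outputs.sections():
        problems.append(f"outputs.conf: defaultGroup {default!r} has no [tcpout:{default}] stanza")
    return problems


if __name__ == "__main__":
    found = check_forwarder_config(SAMPLE_INPUTS_CONF, SAMPLE_OUTPUTS_CONF)
    print("\n".join(found) if found else "forwarder config looks consistent")
```

To check the live files instead of the embedded samples, pass in the contents of /opt/splunkforwarder/etc/apps/search/local/inputs.conf and /opt/splunkforwarder/etc/system/local/outputs.conf (reading them needs the same root access used in the video). A sourcetype other than snort_alert_full is the usual reason the Snort app's dashboards stay empty even though Search & Reporting shows the events.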
Once this is done,
-
we'll need to restart Splunk. So I'll
-
switch back to my user, Lexus, here, and
-
we'll navigate back to the bin directory.
-
So I'll say cd bin,
-
and we'll say sudo splunk restart. Alright, hit Enter.
-
It's going to stop the Splunk daemon,
-
shut it down,
-
restart it--and it's done successfully. So
-
all the checks were completed without
-
any issue. Alright, so
-
now that this is done, we can actually go
-
back into Splunk here, and we'll navigate
-
to the dashboard.
-
This is your Splunk server. Right?
-
And let's take a look at the messages
-
here. That's just a few updates--we
-
don't need to do anything there. So if we
-
click on
-
Search & Reporting, just to verify that
-
data has indeed been forwarded, I'll
-
just skip through this. If we click on
-
Data Summary,
-
under Sources, you should see that we
-
have the host. And in my case, the name of
-
the system is blackbox, so that should
-
be reflected there. So there we are--blackbox.
-
We have 42
-
logs or alerts, if you will. Sources: 42. We
-
can click on that there to just see the
-
data that has been logged. Indeed, we can
-
see that has been done correctly. So
-
sourcetype is alert.
-
We can see that it's imported, you
-
know, pretty much all the data--or, you
-
know, these are the... this is the full log
-
whereby we have the reference to that there.
-
That's weird--I didn't actually run
-
anything weird, but there you go.
-
So now that this is done, you can
-
use Splunk to essentially visualize this
-
data however you want. So, you
-
know, I can go into Visualization,
-
and we can click on--maybe we can
-
create a...
-
we can select a few fields. So if I go
-
back into the Events here, I can select a
-
few fields that I want displayed here,
-
and I can, you know, essentially extract
-
the fields that I want with regex.
-
But I don't think this is necessary at this
-
point, because if we actually go back to
-
the dashboard
-
and we click on--
-
let's see--Snort Alerts for Splunk,
-
let's see whether this actually
-
automates that process for us.
-
There we are. Actually, it looks like
-
it does. So, classification: bad-traffic.
-
So it looks like that is working.
-
What we can do now
-
is run a few--
-
we can actually utilize this script here,
-
the TestMyNIDS script here. So all
-
you need to do to run it is just copy
-
this one-liner script here--or this
-
command--that will download it into your
-
/tmp directory and will then execute it.
-
So, you know, to execute it within your
-
temp directory, you can just execute
-
the actual,
-
you know, the actual binary there. It is a
-
binary, not a script.
-
And once that is done, you can then
-
select the option here. So let me just do
-
that on my attacker system.
-
I'm just going to run it one more time. So
-
I'm just going to say ls here. And
-
if I open up the documentation--so
-
firstly, I will run
-
a quick Linux UID check. So
-
I'll just hit Enter.
-
Okay. That is done. I'll then perform an
-
HTTP basic authentication
-
and a malware user-agent. So I'm doing
-
that right now.
-
Okay. And we can run one more here. So,
-
let's see. Let's see. Let's see. We
-
can try EXE or DLL download over HTTP.
-
That is surely going to be logged,
-
or that's going to trigger an alert.
-
So,
-
do we have--that is running.
-
Alright. So Snort is running. That's great.
-
So we know that the log is being--
-
the actual alerts are being forwarded.
-
Absolutely fantastic. So let's go back in
-
here. I've already run those
-
particular checks.
-
So let me just refresh this. I know it
-
usually takes a couple of seconds to a
-
couple of minutes, but that data should
-
start--should actually be reflected. There
-
we are. Fantastic. So
-
we can see that--firstly,
-
I'll just explain the dashboard here
-
because
-
this dashboard is automatically, you
-
know, set up for you by the Snort app,
-
which is really awesome. As I said, you
-
don't need to go through that process yourself.
-
So the first graph here essentially
-
tells you your events,
-
and it also displays the, you know,
-
the total number of sources. So you can
-
see that there. You also have the time.
-
So you have your events and
-
then the timeline here. And you can
-
essentially, you know, view a trend--or the
-
trend--of events there. You then
-
have the top source countries
-
right over here. And if I just run
-
another check really quickly here
-
through the NIDS website--
-
so let me just run the curl command--
-
you should actually see that because
-
we are reaching out to, you know, there's a
-
connection made to an external server,
-
that it should reflect that info under
-
the top countries--the top source countries.
-
So we then have the events here, which,
-
you know, you can click on. And then,
-
of course, you have the sources.
-
So these are the Snort event types,
-
and these are actually the
-
classifications. So we can see potentially
-
bad traffic, attempted information leak,
-
and, you know, you can just refresh your
-
dashboard to get the latest.
-
So we'll give that a couple of seconds.
-
And you can also specify the actual interval period.
-
So I'll just wait for this. Let's
-
see if it's actually being logged or
-
whether we can see all of that. So I'll
-
just go back into the dashboard here,
-
and we'll go into Search and Reporting.
-
And we click on the actual
-
Data Summary and the Sources. We can
-
see we have Snort there, and then /var/snort/alert.
-
So we click on Snort there. Okay.
-
So this is bad traffic. That's
-
really weird because
-
the source is Snort. We had added two
-
sources there.
-
So Data Summary--
-
let me just click on that there. And if
-
we click on the sources there, this is
-
the one that we want, ideally.
-
Yeah. So that looks like the correct one there.
-
Yeah. That's the correct traffic. I
-
think that's why the actual--let me
-
see if I can find it. So Snort Alerts for
-
Splunk--let me click on the app there.
-
Show Filters. It should be displaying
-
much more than that because I know--yeah,
-
there are not just four.
-
So
-
if we actually head over into the
-
Snort Event Search here,
-
we can actually search for--you know,
-
we can utilize--yeah. So these are only--
-
this is only monitoring the pings. So
-
that's weird. I'm not really sure why we
-
have two data sources. I think it's to do
-
with the fact
-
that, you know, we had--so let me
-
just go back here.
-
Apps > Search, and sudo root.
-
Let me just check that here. So cd local,
-
vim
-
inputs.conf. So there we are. So the
-
source is Snort.
-
We already specified the source as Snort
-
there,
-
but it's also adding
-
this particular, you know, the alert,
-
as a source as well.
-
And then the source type is snort_alert_full, index main.
-
Yeah. That
-
should be working. That should be working
-
without any issues. I'm not really sure
-
why that is the case, but
-
we can actually customize what dataset
-
we want to use.
-
So
-
I think--let me actually showcase how to
-
do that right now.
-
So apologies about that. I actually
-
figured out what the issue was. It was
-
because the system I was running
-
these particular
-
attacks from wasn't even connected to
-
the local network.
-
And even though I was running
-
these attacks, I did realize that, of
-
course, they weren't working. So I've just reconnected it.
-
And what I'm going to do is I'm just going to
-
run this one more time.
-
So just give me a second here, and I'll
-
be able to do that one more time. So
-
let me just navigate to that particular
-
directory,
-
and we'll actually see whether this will work.
-
So
-
you can actually see there's much more
-
that has been captured in regards to
-
events, and I'll be explaining this
-
dashboard in a couple of seconds.
-
So let me just
-
launch that first attack there--so that
-
you know--let me just launch that first
-
type of check. And of course, I'm using
-
TestMyNIDS here. So, unfortunately,
-
that wasn't even being logged, which is
-
why I was a bit confused as to why those
-
logs are not being displayed here.
-
So I'll give that a couple of seconds,
-
and we'll be able to see this happen
-
in real time as well.
-
Alright. So that is done. So I've
-
essentially launched a couple of those
-
tests. And, as I said,
-
this is your default
-
dashboard that you're provided with here.
-
So,
-
you know, you can actually refresh
-
all of these panels here, if you will.
-
So that'll display the
-
latest. And, as I said here, because I'd
-
performed the actual check
-
and it connected to an external server,
-
you can see that the top source
-
countries are highlighted there.
-
You can also refresh the number of
-
events, as you can see here,
-
and the number of sources. So
-
you can also do that for the rest of
-
the panels. These are the top 10
-
classifications
-
in terms of events, if you will, and then
-
these Snort event types, as you can see here.
-
So, for example, in this case, we have the
-
Attack-Response ID Check, which, if we
-
click on
-
right over here,
-
you can see that it actually displays
-
that, and you can then
-
click on the signature itself. And this
-
is for statistics. Now, if you click on
-
the Snort Event Search tab right over here,
-
you can see that this allows you to
-
search based on the source IP, the source
-
port, the destination IP, destination port,
-
and the event type. So I can check for
-
attack responses based on the rule set
-
that we had used previously.
-
And I can also specify the timing. Right?
-
So that's really fantastic there.
-
So you can see that right over here, we
-
have that logged,
-
which is fantastic. And
-
if we click on the Snort World Map,
-
that'll essentially--as you'll see in a
-
couple of seconds--this will essentially
-
display the countries by the source IPs.
-
In this case, it should display the
-
United States, which makes sense.
-
And there we are. So, again, this is
-
extremely helpful, especially if you work
-
in a SOC. And as I said, there's multiple,
-
you know, security tools you can
-
integrate with Splunk.
-
Now, one thing that I wanted to highlight
-
is--you can, if you click on Edit--and I'll
-
just go back to the
-
Event Summary here because this is very
-
important--
-
you can set this as your main dashboard.
-
So if you right-click here, you can set
-
this as your home dashboard.
-
So I'll just click on that there.
-
And now you'll see on your dashboard
-
here, if I just close that top menu,
-
that'll actually be displayed there. So
-
give it a couple of seconds.
-
And, of course, you can click on the cogwheel here
-
and essentially display--whatever--
-
you know, you can specify your default
-
dashboard. Now, there are a couple of
-
other ones that are created by default.
-
But yeah, you can have that on your dashboard.
-
And, you know, if you actually click
-
on the SNORT--the SNORT alert for Splunk here--
-
and we'll just go back into that SNORT
-
event summary tab,
-
you can actually edit the way these
-
particular panels are tiled. So,
-
you know, you can convert it to a
-
prebuilt panel or, you know,
-
you can--you can actually convert it to a
-
prebuilt panel. You can get rid of it.
-
You can also move them around based
-
on your own requirements. And, in this
-
case, you can actually--let's see if I can
-
show you. You can actually select the visualization.
-
So, in this case, I think the default
-
one is fine, and you can then view the
-
report here. So
-
if we click on this one here, for example,
-
we could actually use the bar graph to
-
display the--you know--the number of--the actual--
-
the top source countries, and have
-
them displayed in a bar graph style. But
-
we can just take it back into the pie
-
chart there. And you can also change this
-
for the events as well.
-
So, you know, if we wanted to view a
-
trend, we can click on the bar graph there.
-
In this case, I don't think that's
-
formatted correctly. So if we just use
-
the default one,
-
which I believe was--I think it was--no,
-
that wasn't the one. I believe it was--
-
let's see if I can identify it here. It
-
was the number. There we are. So,
-
as I said, you can customize this based on your own--
-
you know--your own requirements. So, for example,
-
this one might do well if it was in the
-
form of a bar graph. So, you know,
-
you can utilize that if you feel that
-
that is appropriate.
-
In this case, you know, we can also
-
specify the actual--you know--we can
-
actually list the events themselves.
-
Let's see which other ones look
-
really good here.
-
And yeah, once you're done with the
-
customization, you can then cancel or
-
save based on your requirements. And you
-
can also filter on this particular tab
-
here, you know, through the source IP, destination IP, etc.
-
Let's see, what else did I want to highlight?
-
Let me just refresh this once more
-
and, you know, to essentially get the latest data.
-
And you can see, in terms of the panels,
-
this will display the last 100 attempts.
-
And you can go through them like so.
-
You can also view--I think we've gone
-
through all of them--but you have the
-
persistent sources. So, two or more days
-
of activity in the last 30 days. So you
-
actually need a lot of data for that to
-
be displayed or to give you anything useful.
-
Yep. So that is
-
what I wanted to highlight in regards to
-
the SNORT alert for Splunk app and the
-
actual dashboards, which, as I said, it
-
already does for you.
-
Now, you can create your own dashboard, as
-
I said, if I go back into Apps > Search and Reporting,
-
based on your own sources. So I'll just
-
click on Data Summary there. And if I
-
click on Sources,
-
you can click on
-
this source here, for example. And,
-
you know, in this case, we can actually
-
just click on that there. And I can click
-
on Extract Fields,
-
and you can extract the fields with
-
regex. So I'll click on Next there.
-
And you can then select the fields that
-
you want. So, for example, in this case, we
-
would want the date and time.
-
So I can just highlight that there. So I
-
can say
-
time, for example, add the extraction.
-
And then, of course, we have the source IP
-
and the port. But I'll just highlight
-
them together. But I think it's actually
-
recommended just to highlight the source IP there.
-
So source—we can say src underscore port, IP.
-
Add that extraction, and we then have the
-
destination IP, which, in this case,
-
because this is
-
an SNMP broadcast
-
request, we can--we know that that's the
-
destination IP. So I'll say dst underscore IP, add the extraction.
-
Let's see what else we can do.
-
In this case, it's saying the extraction
-
field you're extracting--if you're
-
extracting multiple fields, try removing
-
one or more fields. Start with the
-
extractions that are embedded within
-
longer strings. Okay. So let's try and use
-
another alert here
-
that was kind of interesting. Let's see.
-
It's not displaying all of them here, but
-
you get the idea. Once you're done--
-
you know, for example, I can remove
-
that field here. I'm just giving you an
-
example of that. So remove that field.
-
There we are. I can then say Next, and
-
I can click on Validate and Save based
-
on those fields there. Hit Finish.
-
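The Event Summary panels described earlier (event and source counts, top classifications, Snort event types), the Snort Event Search filters (source/destination IP and port, event type) and the Extract Fields step just shown (timestamp, source IP, destination IP) all come down to parsing Snort's full alert format with regular expressions. The following is an added example, not code from the video or from the Snort app: it parses alert_full records into fields, builds the same counts the dashboard panels show, and filters them the way the Snort Event Search tab does. The embedded alert file is constructed: the rule IDs, signature names and addresses are made up to resemble the ping and TestMyNIDS traffic in the video, not copied from any rule set, and each record is trimmed to the lines the parser reads. It handles IPv4 records only.

```python
"""Parse Snort alert_full records and build Event Summary style counts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample alert file in Snort's alert_full layout (records separated by a
# blank line). Rule IDs, signature names and addresses are made up for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:9000001:1] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
08/03-21:10:12.123456 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:4112 IpLen:20 DgmLen:84 DF

[**] [1:9000001:1] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
08/03-21:10:13.125001 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:4113 IpLen:20 DgmLen:84 DF

[**] [1:9000002:1] TEST ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/03-21:12:41.654321 203.0.113.5:80 -> 192.168.1.20:43122
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:212 DF

[**] [1:9000003:1] TEST POLICY HTTP Basic Authorization outbound [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/03-21:13:02.000100 192.168.1.20:43130 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:9181 IpLen:20 DgmLen:301 DF

[**] [1:9000004:1] TEST POLICY PE EXE or DLL download over HTTP [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/03-21:13:30.500000 203.0.113.5:80 -> 192.168.1.20:43140
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# "MM/DD[/YY]-HH:MM:SS.usec src[:port] -> dst[:port]"; ICMP records carry no ports.
# IPv4 only: an IPv6 address would be split at its last colon.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|IP) TTL:")


@dataclass
class SnortEvent:
    rule: str                 # gid:sid:rev
    signature: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def parse_alerts(text: str) -> List[SnortEvent]:
    """Split the file into records and pull out the fields the dashboard uses."""
    events: List[SnortEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # truncated or non-alert block: skip it rather than crash
        ev = SnortEvent(head[1], head[2])
        for line in lines[1:]:
            if m := CLASS_RE.search(line):
                ev.classification = m[1]
            if m := PRIO_RE.search(line):
                ev.priority = int(m[1])
            if m := PACKET_RE.match(line):
                ev.timestamp, ev.src_ip, sp, ev.dst_ip, dp = m.groups()
                ev.src_port = int(sp) if sp else None
                ev.dst_port = int(dp) if dp else None
            if m := PROTO_RE.match(line):
                ev.proto = m[1]
        events.append(ev)
    return events


def summarize(events: List[SnortEvent]) -> dict:
    """The counts behind the Event Summary panels."""
    return {
        "events": len(events),
        "sources": len({e.src_ip for e in events if e.src_ip}),
        "top_classifications": Counter(e.classification or "unclassified"
                                       for e in events).most_common(10),
        "event_types": Counter(e.signature for e in events).most_common(10),
        "top_sources": Counter(e.src_ip for e in events if e.src_ip).most_common(10),
    }


def search(events: List[SnortEvent], **criteria) -> List[SnortEvent]:
    """Filter like the Snort Event Search tab: src_ip, dst_ip, src_port, dst_port
    and event_type (a case-insensitive substring of the signature)."""
    want_type = (criteria.pop("event_type", None) or "").lower()
    return [e for e in events
            if want_type in e.signature.lower()
            and all(getattr(e, k) == v for k, v in criteria.items())]
```

Running `parse_alerts` over the contents of /var/log/snort/alert on the Snort host and comparing `summarize` with the dashboard is a quick way to tell whether a gap is in Snort (alerts never written) or in forwarding (written but not indexed), which is the confusion hit later in the video when the attacking system turned out not to be on the monitored network.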
And then, you know, I can go back,
-
you know, to Search and Reporting.
-
And if I wanted to create a very simple
-
visualization, which I'll show you right now--
-
even though I don't really need those
-
extracted fields, although they might be
-
useful--so
-
I can click on those extracted fields
-
now. I believe they should have been added.
-
I'm not really sure why they aren't
-
being highlighted here. There we are.
-
So source IP.
-
We can also, say, specify the source port.
-
We--oh, there they are. So
-
actually, they took a while to be
-
displayed there. So,
-
source port--that--why not? We can--
-
yeah, I think that's pretty much it. So
-
based on those, we can actually build
-
an event type. However, if we go to
-
Visualization and click on Pivot here--
-
selected fields is five--hit OK.
-
We can actually, you know, visualize this
-
however we want. So, for example, if I
-
wanted a column chart here--
-
so number one will display the count--
-
I can just add the events
-
because that's the count. And we should
-
have, at the bottom, the time, which I did
-
specify--I believe within that range there--
-
but that's not being highlighted here. So
-
the number of events--and, you know, you
-
can go ahead and click as--you can
-
essentially save it.
-
So you get the idea. You don't really
-
need to do this because we have the
-
SNORT app here,
-
which pretty much gives you the
-
summaries that are useful to you or for you.
-
And there we are. So fantastic. So that's
-
going to conclude the practical
-
demonstration side of this video.
-
So, thank you very much for watching
-
this video. If you have any questions or
-
suggestions, leave them in the comment section.
-
If you want to reach out to me, you can
-
do so via
-
Twitter or the Discord server. The links
-
to both of those are in the description
-
section. Furthermore, we are now moving on
-
to part two. So this will conclude part
-
one. Part two will be available on the
-
Linode's ON24 platform. So, the videos
-
are available on-demand. So all you
-
need to do is just click the link
-
in the description, register for part two,
-
after which an email will be sent to you,
-
and you'll be given--you know--
-
immediate access to the videos
-
within part two. So, thank you very
-
much for watching part one. In the
-
next video, in part two, we'll get started--
-
or we'll take a look--at host intrusion
-
detection with OSSEC. So I'll be seeing
-
you in the next video.
-
[Music].