If you read the previous post, you may be able to guess that the Power-Up Series is a no-frills, step-by-step guide to get readers in touch with technology. The focus of this blog post is leveraging Splunk Light. Although the free edition is capped at 500MB/day of indexed data, it is an easy way to become familiar with this analytic platform.
Update the Ubuntu host:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

Manually set the IP address:
$ sudo vim /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.0.2.7
netmask 255.255.255.0
gateway 192.0.2.254

Add OpenDNS servers:
$ sudo vim /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.222.220
$ sudo service networking restart
If the restart fails: $ sudo shutdown -r now
(On Ubuntu releases that manage /etc/resolv.conf with resolvconf, a manual edit of that file is overwritten; put a "dns-nameservers 208.67.222.222 208.67.222.220" line in the eth0 stanza of /etc/network/interfaces instead.)

Verify your IP address:
$ hostname -I

Download the latest Splunk Light version and run the installer as root so that it creates the splunk service account:
$ sudo bash
$ dpkg -i splunklight-6.2.5-272645-linux-2.6-amd64.deb
By default it installs to the "/opt/splunk/" directory. Confirm the splunk user was created:
$ grep splunk /etc/passwd

Start Splunk:
$ sudo /opt/splunk/bin/splunk start --accept-license

Log in to the Splunk Web interface:
Browse to http://<splunk_IP>:8000
Log in with the default credentials ("admin" and "changeme")
Provide new credentials when prompted

Enable SSL:
Navigate to "Server settings" >> "General Settings" and tick "Enable SSL (HTTPS) in Splunk Web".
Restart Splunk, then access it via https://<splunk_IP>:8000

Add Snort alerts:
Requires Snort's ASCII "alert" file
Click "Add-Data" > "upload files from my computer" > "Select file" > "Next" > set the sourcetype to "Network security > Snort" > "Event Breaks" > "Auto" > "Save As"

Query the index:
index="<index_name>" starttime="03/31/2013:00:00:00" <keyword>
index="<index_name>" starttime="03/31/2013:00:00:00" <keyword> | chart count(dstport) by dstport
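To see what the second query computes before running it in Splunk, here is an added Python example (not from the original post) that parses Snort fast-format alert lines, applies the starttime filter and an optional keyword, and counts events by destination port the way `chart count(dstport) by dstport` does. The alert lines, rule SIDs and addresses are constructed for the example, and the parser assumes Snort's fast alert format with the year included (snort -y).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Snort "fast" alert lines (year included, as with snort -y); SIDs and
# addresses are made up for this example.
SAMPLE_ALERTS = """\
03/30/13-23:59:58.000001  [**] [1:1000003:1] LOCAL web root check [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51022 -> 192.0.2.7:80
03/31/13-00:00:00.000000  [**] [1:1000003:1] LOCAL web root check [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:51023 -> 192.0.2.7:80
03/31/13-08:12:45.120000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.12:40001 -> 192.0.2.7:22
03/31/13-08:12:46.340000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.12:40002 -> 192.0.2.7:22
03/31/13-09:01:03.000000  [**] [1:1000004:1] LOCAL outbound SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:44444 -> 198.51.100.5:22
03/31/13-11:30:00.500000  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.13 -> 192.0.2.7
"""

# One fast-format alert: timestamp  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<srcport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dstport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%m/%d/%y-%H:%M:%S")
    ev["dstport"] = int(ev["dstport"]) if ev["dstport"] else None
    return ev

def chart_by_dstport(alert_text, starttime, keyword=None):
    """Mimic: starttime="MM/DD/YYYY:HH:MM:SS" <keyword> | chart count(dstport) by dstport"""
    start = datetime.strptime(starttime, "%m/%d/%Y:%H:%M:%S")  # starttime is inclusive
    counts = Counter()
    for line in alert_text.splitlines():
        ev = parse_alert(line)
        if ev is None or ev["time"] < start:
            continue
        # Splunk keyword search is case-insensitive and matches anywhere in the raw event.
        if keyword and keyword.lower() not in line.lower():
            continue
        # count(dstport) only counts events where the field exists, so ICMP alerts
        # (no port) drop out of the chart instead of appearing as a blank bucket.
        if ev["dstport"] is not None:
            counts[ev["dstport"]] += 1
    return dict(sorted(counts.items()))
```

Running `chart_by_dstport(SAMPLE_ALERTS, "03/31/2013:00:00:00")` on the constructed lines yields three hits on port 22 and one on port 80; the 03/30 event and the ICMP event are excluded, for the reasons given in the comments.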
I strongly advise you to download the MalwareArchaeology.com Splunk cheat sheet, which is hosted at http://malwarearchaeology.squarespace.com/cheat-sheets/. Additionally, you can view the author's talk at DerbyCon (https://youtu.be/fode4bueb0s). Many thanks to the authors for their contributions to the InfoSec community.