Installing Splunk on the Ubuntu VM

If you are one of those people interested in ethical hacking, then Splunk is one of the tools that belongs on your list. In this post we show how to install it.

Installing Splunk on the Ubuntu VM

You can go to the following link to download Ubuntu and create your own virtual machine:

https://www.ubuntu.com/download


The first step to start using Splunk on our Ubuntu VM is to download the .deb file. To do this we use the wget command to download the file directly from the official website; the command looks like this:

wget -c -O splunklight.deb \
  'https://www.splunk.com/bin/splunk/DownloadsActivityServlet?architecture=x86_64&platform=linux&version=6.5.0&product=splunk_light&filename=splunklight-6.5.0-59c8927def0f-linux-2.6-amd64.deb&wget=true'

Once you have downloaded the .deb file, copy it to your Ubuntu server and place it in a temporary directory.

After that we can use the following commands to apply any updates that our system may require to run Splunk without problems (the first line flushes all iptables rules so the firewall does not get in the way during setup; skip it if you rely on those rules):

sudo $(which iptables) -F && \
sudo apt-get update && \
sudo apt-get upgrade -y

After that, the installation can be run with the dpkg command to install the Splunk server. The filename of the .deb file may change as new versions are made available, so make sure that you use the name of the file you actually downloaded:

sudo dpkg -i splunklight.deb

The message that appears at the end of the unpacking is caused by a previous version of Splunk on the system; it should not cause trouble while installing Splunk. Next, we need to create the init.d script so that we can quickly start and stop Splunk.

Change to the default Splunk directory and run the executable with the commands shown below:

cd /opt/splunk/bin/
sudo ./splunk enable boot-start

Once you have applied these commands, you can press SPACE to scroll through the license agreement and then press Y to accept it. You then have to use the service command shown below to start Splunk:

sudo service splunk start

Now that Splunk is running, point your browser at http://localhost:8000/ (as a recommendation, open another website first to confirm the VM has connectivity before opening the Splunk GUI). Open the URL in the browser and log in with the details below:

User Name: admin

Password: changeme

You now have your Splunk installation up and running. The password above is Splunk's factory default, so change it at first login before doing anything else. What is required next is to get data from your various applications, logs, and monitoring tools into Splunk.

Once that data is available, the next step is to import it into the platform for visualization. We recommend continuing with the next module, which explains how to download, install and configure the Splunk Forwarder.

Resources:

https://www.splunk.com/

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/


Burp Suite

Welcome to the introductory tutorial to Burp Suite. It gives details about the installation and usage of Burp Suite, which is an essential tool for bug hunters and web application pentesters.


Installing Java

In Ubuntu open the terminal then run:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Install FoxyProxy

FoxyProxy for Firefox

Download links are:

Click on FoxyProxy's icon and click "Options":

Click "Add new proxy". In the "Proxy details" section, choose "Manual Proxy Configuration" and enter the following values for Server and Port:

  • Server: 127.0.0.1
  • Port: 8080

In the “General” section, give the proxy a name and select a color. Then save.

Now enable the proxy you just created by right-clicking on the FoxyProxy icon and selecting it.

Burp Suite – How To

Starting Up Burp Suite

Double-click the Burp executable to start it. On Linux, double-click the jar file, or download the plain jar file and run it from the terminal:

java -jar burpsuite_community_v1.7.33.jar

Note: your copy may have a different version number.

Start Burp Suite with default settings.

Proxy

The proxy intercepts requests from the web browser. Requests can be modified in real time, or viewed together with their responses in the "HTTP history" tab.

Click "Proxy" > "Intercept" > "Intercept On"; this button toggles interception, and while it is on, requests are held in the Intercept tab instead of going straight through.


When you open a page in the web browser with intercept on, Burp displays the request sent by your browser and holds it until you press "Forward". Until the request is forwarded to the web application server, no response is received; you can see the browser waiting for a response because Burp has not yet sent the request.

If intercept is on and you do not want to send the request on, click "Drop"; the request will not be sent to the destination. "Drop" also lets you inspect the request first and discard it once you are done. For example, clicking the "Submit" button on the target site causes the request to be intercepted; you can send it to Repeater with "Action" → "Send to Repeater" and then "Drop" the original.

Proxy Options

To see the proxy settings, click "Proxy" → "Options":

As you can see, the default port used by Burp for its proxy listener is 8080. Choose the same port in FoxyProxy. You can have multiple proxies; you just need to make sure that the ports configured in Burp and FoxyProxy match.

To conclude:

The FoxyProxy configuration (IP 127.0.0.1, port 1337) must match the same configuration in the Burp proxy listener (IP 127.0.0.1, port 1337). The communication flow works as follows:

  • The user browses the target site;
  • FoxyProxy and Burp are configured with the same IP and port, as explained above;
  • FoxyProxy is turned on, and Burp's proxy listener is on;
  • Every request the user's browser makes is sent to the proxy IP and port that FoxyProxy points to (in this case Burp's proxy);
  • The request intercepted by the Burp proxy is stored in the HTTP history;
  • Burp then forwards the request to the destination web application server and waits for a reply;
  • Once the web server sends back a response, Burp forwards the response to the browser.

FoxyProxy ensures that all requests the browser makes are sent to Burp's proxy.
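The flow in the list above, as an added example that is not part of the original post and not code from Burp or FoxyProxy: a minimal plain-HTTP forward proxy that listens on the same 127.0.0.1:8080 you point FoxyProxy at, records every exchange in an HTTP-history list the way Burp's "HTTP history" tab does, and has an intercept() hook standing in for the Forward/Drop decision. It handles only GET over http:// (no CONNECT, so no HTTPS); the names LISTEN, HISTORY, intercept(), record() and parse_target() are my own.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

LISTEN = ("127.0.0.1", 8080)  # must equal FoxyProxy's Server/Port (assumed names)
HISTORY = []                  # plays the role of Burp's "HTTP history" tab

def parse_target(url):
    """Split the absolute-form URL a browser sends to a proxy into (host, port, path)."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected an absolute http:// URL, got %r" % url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return u.hostname, u.port or 80, path

def intercept(method, url):
    """The decision Burp's Intercept tab leaves to you: 'forward' or 'drop'.
    Placeholder policy (assumption): forward everything."""
    return "forward"

def record(method, url, status):
    """Append one exchange to the history; status is None for dropped requests."""
    entry = {"method": method, "url": url, "status": status}
    HISTORY.append(entry)
    return entry

class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if intercept("GET", self.path) == "drop":
            record("GET", self.path, None)  # dropped: the server never sees it
            self.send_error(403, "dropped by proxy")
            return
        host, port, path = parse_target(self.path)
        # Forward the request to the destination server and wait for its reply.
        conn = http.client.HTTPConnection(host, port, timeout=15)
        hdrs = {k: v for k, v in self.headers.items() if k.lower() != "proxy-connection"}
        conn.request("GET", path, headers=hdrs)
        resp = conn.getresponse()
        body = resp.read()
        record("GET", self.path, resp.status)
        # Relay the response back to the browser, re-framed with a fixed length.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, ProxyHandler).serve_forever()
```

Run it, point FoxyProxy at 127.0.0.1:8080, and browse a plain-http site; HISTORY fills with one entry per request, and returning "drop" from intercept() reproduces what the "Drop" button does (the browser gets a 403 from the proxy and the target never sees the request).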

Resources:

https://portswigger.net/burp


Security Onion Advanced Configuration

The architecture of Security Onion is designed to be deployed in different ways: its components (master server, forward nodes and storage nodes) can be deployed in a distributed manner or in standalone mode. For this course we will use standalone mode, which combines all the components in one box.

Advanced configuration Process:

Once the network configuration is finished, we start the configuration of the Elastic stack and the detection and monitoring tools included in Security Onion.

In the picture above we can see the different tools that are going to be installed in Security Onion. We click "Yes, Continue". After that, the Setup wizard asks whether we want to configure the network interfaces again; we click "Skip the network configuration" to avoid repeating this process:

After we skip the network configuration, Setup shows a warning listing the minimum requirements necessary for the correct performance of all the tools that are going to be installed.

We click Continue, and Security Onion asks which mode we want to use to start the services. We select Evaluation Mode, which is recommended for a first try of the software; as already mentioned, Evaluation Mode deploys everything in standalone mode. Production Mode is for advanced and distributed configurations, where the master, forward and storage nodes can be separated onto several hosts.

Security Onion can run either Snort or Suricata as its Network Intrusion Detection System (NIDS). When you run Setup and choose Evaluation Mode, it will automatically default to Snort. If you choose Production Mode, you will be asked to choose whether you want to run Snort or Suricata:

After this, we must select which interface will be monitored:

Once we select the interfaces to be monitored, we have to create the first username for the system; this step is shown in the picture below:

We select a password for our new user:

After we complete this step, Security Onion displays the list of changes that will be applied to the system; we click Continue and accept the changes.

After this the process is complete. Security Onion displays a few more windows with technical information about the installation.

Post-Configuration Information:

Now the NIDS (Network Intrusion Detection System) starts monitoring network traffic, looking for specific activity and generating alerts. The next step is to replay some traffic using the .pcap files available in the /opt/samples/bro directory.

Security Onion Components

Introduction

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.

How does Security Onion work?

Security Onion is built on a modified distributed client-server model. In the past, Security Onion relied solely on the use of a “sensor” (the client) and a Security Onion “server” (the server). With the inclusion of the Elastic Stack, the distributed architecture has since changed, and now includes the use of Elastic components and separate nodes for processing and storing Elastic stack data.

This means that a standard distributed deployment now consists of the master server, one or more forward nodes (previously called sensors; they run the sensor components), and one or more storage nodes (which run the Elastic components). This architecture is ideal: while it may cost more upfront, it provides greater scalability and performance down the line, as one can simply "snap in" new storage nodes to handle more traffic or log sources.

Reference: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture


In the image above we can see the architecture of a Security Onion instance, which can be deployed in a distributed or standalone way. For our lab we will set up standalone mode, which combines the functions of a master server, forward node, and storage node.


In standalone mode, the deployment consists of a single server running the master server components, the sensor components, and the Elastic stack components.

Technical Aspects of Security Onion:

As a Linux distribution based on Ubuntu, Security Onion contains several security tools such as Suricata, Snort, Bro, CapMe, Squert, NetworkMiner, Wireshark and ELSA (now replaced by Logstash + Kibana), among others. All of these tools are integrated into the system; thanks to the configuration supplied for them they are easy to set up, and it is relatively easy to pivot between them.

The main objective of these tools is intrusion detection and network monitoring, paying special attention to the security events within the network. To understand the function of each tool a little better, we describe a few of the most used or relevant tools included in Security Onion:

OSSEC/HIDS:

OSSEC is a host-based intrusion detection system; its technical characteristics are the following:

  • Rootkit detection
  • Active response and real-time notification
  • An architecture based on a centralized service hosted by a server and several agents installed on the devices that need to be monitored
  • File integrity checking

Bro Security Monitor:

Bro is a framework used for network monitoring; its technical characteristics can be listed as follows:

  • Bro includes analyzers for the most common network protocols.
  • The information it produces can be stored in a database and queried through ELSA or Logstash, which provides context when alerts need to be analyzed.
  • The tool monitors network activity and generates logs for TCP/UDP connections, network services and software detected on the network, DNS requests, SSH sessions, SSL certificate validity, HTTP activity and FTP file transfers.

SNORT/NIDS:

Snort is an open-source IDS; its technical aspects can be listed as follows:

How it works:

  • Sensors capture network packets
  • Components that normalize the captured traffic
  • The tool detects threats and attacks and generates alerts for the administrators
  • The captured traffic is compared against patterns and rules created by the administrators to handle the threats
  • The detection engine can be switched to Suricata
  • The rules used by the detection engine are updated automatically through a tool called PulledPork

Sguil:

Sguil is a console for security analysis; its technical aspects can be described as follows:

  • Sguil has a graphical interface that gives access to security alerts, captured data, and session data.
  • Sguil integrates tools such as CapMe, NetworkMiner and Wireshark
  • Every alert carries the context that produced the initial event.

Here is a demo picture of the system showing the event logs:

Squert:

Squert can be described as a web application used to visualize events; it has the following characteristics:

  • Squert provides an analyst console that complements Sguil
  • Squert adds context to alerts, groups events and builds a timeline so that each of them can be followed
  • It shows the Sguil database, but from a different perspective on the data.

Elasticsearch

Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

Reference: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elasticsearch

Logstash

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite "stash".

Reference: https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash

Kibana

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.

Reference: https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana

As we have seen, Security Onion is built from a set of tools, each with a specific function. Next we will see how to install Security Onion and explore each of the tools described in this lesson.
