
Intrusion Detection

INDP3 – Cyber Security and Defense (CySeD)

Lab
Deployment and Configuration of a SIEM
Solution Using Splunk

Slim Rekhis
[email protected]

October 2024

Lab Objective

The aim of this lab is to configure Splunk and connect it to your IDS/IPS platform, Suricata, to
better analyze its output. Splunk is a Security Information and Event Management (SIEM)
software. Its main role consists in aggregating relevant data from multiple sources (end-user
devices, servers, network equipment, firewalls, antivirus or intrusion prevention systems),
forwarding all collected events to a centralized management console, and thus making it easier
for organizations of all sizes to spot patterns that are out of the ordinary.
In this lab, you will be asked to analyze the data generated by Suricata, send notifications
by mail, create and schedule reports, and analyze malicious pcap traffic.

Step1: Installing and running Splunk

1. Start by downloading the Splunk package using the following command:


2. Start by downloading the Splunk package (version 8.1)
3. Install the downloaded package using the yum command:
# yum localinstall splunk-8.1.10.1-8bfab9b850ca-linux-2.6-x86_64.rpm
4. Start Splunk using this command:
# /opt/splunk/bin/splunk start

The Splunk software license agreement will be displayed; type “q” to quit it, and then enter “y” to accept it. The
installation process will ask you for a username (enter “admin”) and a password of at least 8 characters, which
you will use each time you access Splunk. At the end of the installation process, you can see that the Splunk web
interface is active at a given URL (e.g., http://127.0.0.1:8000).

5. To access the Splunk web interface, open your browser and go to the given URL.
6. Enter the username and the password that you used during the installation process. You are
now on the starting page of the Splunk web interface.
7. Change the Splunk license to the free license by going to Settings --> Licensing --> Change
license group. Select the free license; you will then get 500 MB of indexing per day.

Step2: Splunk discovery and Suricata integration

Splunk Web is the browser-based interface for the Splunk platform. Using the Splunk web
interface, you can, among other things, configure your data inputs, search data and report on it,
visualize results, investigate problems and manage users.

To integrate Suricata outputs into Splunk, we are going to use the JSON format (the eve.json file),
as it carries more detailed information about each event that occurred in the system. For that you
need to:

8. Enable JSON output for Suricata

9. Verify that the file eve.json exists under the directory /var/log/suricata/
10. To integrate the Suricata output into Splunk, go to the Settings menu and choose Data Inputs
11. Click on “Files & Directories” -> “New Local File & Directory”, give the complete
path to the eve.json file and then press Next
12. For the source type, check that it is “_json” and click on Next
13. For each file you integrate into Splunk, it is better to assign a different index, to better
differentiate between the collected data. For that, choose “Create a new index”, enter
a specific name such as “suricataoutput” and click Save
14. From the index menu, choose the newly created index
15. Click on “Review” to verify the entered data. After finishing, click “Submit” and
then “Start Searching”
16. All the data are now displayed in their JSON format, with clear details. Take your time to
discover the different fields displayed on the left side of the page.
a. In the search bar, you can type the following line:
index="suricataoutput"
b. To extract only the events related to detected alerts, just add the event_type filter as
follows: event_type=alert, and change the time picker to “All time”
c. If you just need to search for a specific word, such as BlackSun, you can simply enter this word
in the search bar: “BlackSun”

PS: Each time you look for specific data to be extracted from a large amount of collected
data, you only have to enter the right filter and search for the right keywords.

Step3: Create your own Dashboard and add Panels

17. To better analyze the displayed data, we are going to visualize some useful metrics in
clear charts. But before that, we are going to create our own Dashboard in which the
different graphs will be displayed.
18. In the “Search & Reporting” app, choose Dashboards and then click on “Create New
Dashboard”.
19. Assign a title and a description (if you want) to the newly created dashboard and hit “Create
Dashboard”.
20. The created Dashboard is now displayed, but with no panels.

21. To add panels, select “Search” from the Search & Reporting menu. Now it is time to think
about which pieces of information you want to monitor and display clearly in your
dashboard.
It is obvious that the number of generated alerts over time is one of them.
For that, follow the next steps:
a. In the search bar, enter the following line:
index="suricataoutput" event_type="alert" | stats count by _time
b. A number of statistics appear but are not easy to read. To create a visible
chart, click on “Visualization” and select a “Column chart” from the Splunk visualizations.
c. To add this chart to your created Dashboard, click on “Save as” and then choose
“Dashboard Panel”
d. Select “Existing” Dashboard and choose the name of your dashboard, give your
panel a title, click “Save” and then click “View Dashboard”
e. You can now see the created column chart in your dashboard. In addition, you can
choose Edit to add or change the title of your panel, change the visualization type,
change the x-axis title, the y-axis title, the legend and many other parameters.
22. Now, you are asked to add a panel to your Dashboard showing a pie chart presenting
the different alert categories that are generated in your network. But, as this metric isn’t
present among the displayed fields, before generating statistics (using the
keyword stats) you need to select the data you are searching through a search filter:
index="suricataoutput" event_type="alert" | search alert.category="*" | stats count by alert.category
23. Using the same principle, add a new pie chart displaying information about generated alerts
by source IP address.
24. Propose a supplementary set of KPIs (Key Performance Indicators) to add to your dashboard,
to get a better overview of the security of your network. Configure these KPIs.
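The searches of steps 16, 22 and 23 can be reproduced offline over a few eve.json lines, which helps check what a panel should show before building it in Splunk. This is an added example, not part of the lab handout: the sample events, their signature names and the helper names are constructed, and the keyword match approximates Splunk's case-insensitive free-text search.

```python
import json
from collections import Counter

# Constructed eve.json sample: one JSON object per line, as Suricata writes it.
# Field names follow the EVE format the lab indexes; signatures are made up.
EVE_SAMPLE = """\
{"timestamp":"2024-10-01T10:00:01+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10"}
{"timestamp":"2024-10-01T10:00:02+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature":"CONSTRUCTED BlackSun user-agent seen","category":"A Network Trojan was detected","severity":1},"http":{"http_user_agent":"BlackSun"}}
{"timestamp":"2024-10-01T10:00:03+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","alert":{"signature":"CONSTRUCTED scanner user-agent","category":"Web Application Attack","severity":2}}
{"timestamp":"2024-10-01T10:00:04+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"signature":"CONSTRUCTED scanner user-agent","category":"Web Application Attack","severity":2}}
{"timestamp":"2024-10-01T10:00:05+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.1"}
{"timestamp":"2024-10-01T10:00:06+0000","event_type":"alert","src_ip":"10.0.0.9"
"""


def load_events(text):
    """Parse eve.json text; a truncated last line (log rotation) is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alerts(events, keyword=None):
    """Equivalent of `event_type=alert [keyword]`: keyword is matched anywhere in the raw event."""
    selected = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        if keyword and keyword.lower() not in json.dumps(ev).lower():
            continue
        selected.append(ev)
    return selected


def count_by(events, path):
    """Equivalent of `stats count by <field>`; path is dotted, e.g. alert.category or src_ip."""
    counts = Counter()
    for ev in events:
        value = ev
        for key in path.split("."):
            value = value.get(key) if isinstance(value, dict) else None
        if value is not None:  # stats drops events lacking the by-field
            counts[str(value)] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = load_events(EVE_SAMPLE)
    print("alerts by category:", count_by(alerts(evs), "alert.category"))
    print("alerts by src_ip:  ", count_by(alerts(evs), "src_ip"))
    print("BlackSun alerts:   ", len(alerts(evs, "BlackSun")))
```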

Step4: Sending Notifications From Splunk To Your Mail

25. One of the greatest features of Splunk is its built-in alerting functionality. You can
configure Splunk alerts to do just about anything, from sending an SMS to integrating
them with other applications. In this part, we’ll explore how to configure Splunk to connect
it to your Gmail address and thus send you an email once a specified event is detected.
26. Go to: “Settings > Server Settings > Email Settings”.
27. You will need to fill out 4 fields for your mail server to work with Splunk. For Gmail this
will be as follows:

Mail host = smtp.gmail.com:587
Email security = TLS
Username = <YOUR_GMAIL_ADDRESS>
Password = <YOUR_GMAIL_PASSWORD>

28. Click Save


29. To be able to receive the mails from Splunk, you must allow less secure applications to
access your Gmail account (https://myaccount.google.com/lesssecureapps)

30. Now all you need to do is create an alert, or edit an existing one, to set up your email
trigger.
31. To create an alert, go to the Apps menu, choose Search & Reporting and search for the alert
events related to the BlackSun user agent. You can use the following line:
index="suricataoutput" event_type="alert" BlackSun
32. Go to “Save as” and choose “Alert”
33. Now you are asked to name this alert. For the alert type choose Real-time, and trigger the alert
per result
34. Under “Add Actions”, select “Send email”, enter the email recipient(s) and change the priority
to “High”.
35. Edit the column chart in your dashboard and change the time picker of the alerts from All
time to real time. To do this, go to your dashboard and click on Edit. Choose Edit search,
change the Time Range to All time (real-time), apply and save the changes.
36. Go back to your machine, run Suricata and send the user agent BlackSun to www.google.fr
37. Consult your Gmail account and verify the received alert
38. Check your column chart and verify that the data are changing in real time

Step5: Creating & Saving Reports

Using Splunk, it is possible to create reports about the different detected actions, containing
the content of the dashboard, for example.
39. Go to your created dashboard, click on Export, and then on “Schedule PDF Delivery”.
40. Schedule the report to be sent by email in PDF format every hour.
