Showing posts with label splunk. Show all posts

Tuesday, May 15, 2018

Bejtlich Joining Splunk


Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity.

Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will be Senior Director for Security and Intelligence Operations, reporting to our CISO, Joel Fulton. I will help build teams to perform detection and monitoring operations, digital forensics and incident response, and threat intelligence. I remain in the northern Virginia area and will align with the Splunk presence in Tyson's Corner.

I'm very excited by this opportunity for four reasons. First, the areas for which I will be responsible are my favorite aspects of security. Long-time blog readers know I'm happiest detecting and responding to intruders! Second, I already know several people at the company, one of whom began this journey by Tweeting about opportunities at Splunk! These colleagues are top notch, and I was similarly impressed by the people I met during my interviews in San Francisco and San Jose.

Third, I respect Splunk as a company. I first used the products over ten years ago, and when I tried them again recently they worked spectacularly, as I expected. Fourth, my new role allows me to be a leader in the areas I know well, like enterprise defense and digital operational art, while building understanding in areas I want to learn, like cloud technologies, DevOps, and security outside enterprise constraints.

I'll have more to say about my role and team soon. Right now I can share that this job focuses on defending the Splunk enterprise and its customers. I do not expect to spend a lot of time in sales cycles. I will likely host visitors in the Tyson's area from time to time. I do not plan to speak as much with the press as I did at Mandiant and FireEye. I'm pleased to return to operational defense, rather than advise on geopolitical strategy.

If this news interests you, please check our open job listings in information technology. As a company we continue to grow, and I'm thrilled to see what happens next!

Monday, May 07, 2018

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud.

Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15 day free trial of Splunk Cloud that will index 5 GB per day.

If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)

I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.

First I registered for the free Splunk Cloud trial online.

After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation.

I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.

I downloaded a 64 bit Linux 2.6+ kernel .deb file to the /home/Downloads directory on the Linux VM.

richard@debian:~$ cd Downloads/

richard@debian:~/Downloads$ ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

With elevated permissions I created a directory for the .deb, changed into the directory, and installed the .deb using dpkg.

richard@debian:~/Downloads$ sudo bash
[sudo] password for richard: 

root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarder

root@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/

root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/

root@debian:/opt/splunkforwarder# ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

root@debian:/opt/splunkforwarder# dpkg -i splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb 

Selecting previously unselected package splunkforwarder.
(Reading database ... 141030 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.0) ...
Setting up splunkforwarder (7.1.0) ...
complete

root@debian:/opt/splunkforwarder# ls
bin        license-eula.txt
copyright.txt  openssl
etc        README-splunk.txt
ftr        share
include        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
lib        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest

Next I changed into the bin directory, ran the splunk binary, and accepted the EULA.

root@debian:/opt/splunkforwarder# cd bin/

root@debian:/opt/splunkforwarder/bin# ls

btool   copyright.txt   openssl slim   splunkmon
btprobe   genRootCA.sh   pid_check.sh splunk   srm
bzip2   genSignedServerCert.sh  scripts splunkd
classify  genWebCert.sh   setSplunkEnv splunkdj

root@debian:/opt/splunkforwarder/bin# ./splunk start

SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING SPLUNK
SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS

...

Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

Now I had to set an administrator password for this Universal Forwarder instance. I will refer to it as "mypassword" in the examples that follow although Splunk does not echo it to the screen below.

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

With that done, I had to return to the Splunk Cloud Web site, and click the link to "Download Universal Forwarder Credentials" to download a splunkclouduf.spl file. As noted in the documentation, splunkclouduf.spl is a "credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud."

After downloading the splunkclouduf.spl file, I installed it. Note I pass "admin" as the user and "mypassword" as the password here. After installing I restart the universal forwarder.

root@debian:/opt/splunkforwarder/bin# ./splunk install app /home/richard/Downloads/splunkclouduf.spl -auth admin:mypassword

App '/home/richard/Downloads/splunkclouduf.spl' installed 

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

It's time to take the final steps to get data into Splunk Cloud. I need to point the forwarder at forwarder management in the Splunk Cloud Web site. Observe the input-prd-p-XXXX.cloud.splunk.com in the command. You obtain this (mine is masked with XXXX) from the URL for your Splunk Cloud deployment, e.g., https://prd-p-XXXX.cloud.splunk.com. Note that you have to add "input-" before the fully qualified domain name used by the Splunk Cloud instance.

root@debian:/opt/splunkforwarder/bin# ./splunk set deploy-poll input-prd-p-XXXX.cloud.splunk.com:8089

Your session is invalid.  Please login.
Splunk username: admin
Password: 
Configuration updated.

Once again I restart the universal forwarder. I'm not sure if I could have done all these restarts at the end.

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

Finally I need to tell the universal forwarder to watch some logs on this Linux system. I tell it to monitor the /var/log directory and restart one more time.

root@debian:/opt/splunkforwarder/bin# ./splunk add monitor /var/log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/var/log'.

root@debian:/opt/splunkforwarder/bin# ./splunk restart

Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
...............
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
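The whole forwarder procedure above, as an added example that is not from the original post: a POSIX shell script that produces the same configuration non-interactively by writing the files the CLI commands write (user-seed.conf for the admin password, deploymentclient.conf for deploy-poll, inputs.conf for the monitor), checks them, and only then calls the forwarder binary. It assumes Universal Forwarder 7.1 or later (user-seed.conf support), the /opt/splunkforwarder path from the post, and a placeholder Splunk Cloud hostname.

```shell
#!/bin/sh
# Added example, not the post's own commands. Non-interactive equivalent of:
#   ./splunk start (admin password prompt), ./splunk set deploy-poll ...,
#   ./splunk add monitor /var/log, ./splunk install app splunkclouduf.spl
# Assumes Universal Forwarder 7.1+ (user-seed.conf) installed at SPLUNK_HOME.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Derive the deployment-server target from the Splunk Cloud URL, exactly as the
# post describes: https://prd-p-XXXX.cloud.splunk.com -> input-prd-p-XXXX.cloud.splunk.com:8089
deploy_target_from_url() {
    host=$(printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##')
    [ -n "$host" ] || return 1
    printf 'input-%s:8089\n' "$host"
}

# Write the three files the interactive commands produced.
# $1 = Splunk Cloud URL, $2 = admin password, $3 = directory to monitor
write_forwarder_conf() {
    cloud_url="$1"; admin_pw="$2"; monitor_path="$3"
    target=$(deploy_target_from_url "$cloud_url") || return 1
    local_dir="$SPLUNK_HOME/etc/system/local"
    mkdir -p "$local_dir" || return 1
    # The seed file holds the password in clear text until splunkd consumes it
    # at first start, so keep it readable by the owner only.
    umask 077
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$admin_pw" \
        > "$local_dir/user-seed.conf"
    printf '[target-broker:deploymentServer]\ntargetUri = %s\n' "$target" \
        > "$local_dir/deploymentclient.conf"
    printf '[monitor://%s]\ndisabled = false\n' "$monitor_path" \
        > "$local_dir/inputs.conf"
}

# Sanity-check the files before starting splunkd: each must carry the stanza
# the matching CLI command would have written. Returns 0 when all three do.
check_forwarder_conf() {
    local_dir="$SPLUNK_HOME/etc/system/local"
    grep -q '^\[user_info\]' "$local_dir/user-seed.conf" &&
    grep -q '^targetUri = input-.*:8089$' "$local_dir/deploymentclient.conf" &&
    grep -q '^\[monitor://' "$local_dir/inputs.conf"
}

# Full provisioning run. Only touches the forwarder when its binary is present,
# so the config-writing part can be exercised on any host.
# $1 = Splunk Cloud URL, $2 = admin password, $3 = path to splunkclouduf.spl
provision_forwarder() {
    write_forwarder_conf "$1" "$2" /var/log && check_forwarder_conf || return 1
    splunk="$SPLUNK_HOME/bin/splunk"
    if [ ! -x "$splunk" ]; then
        echo "no forwarder binary at $splunk; configuration files written only" >&2
        return 0
    fi
    # First start seeds the admin password from user-seed.conf; the credentials
    # app then needs one restart, which also picks up inputs.conf.
    "$splunk" start --accept-license --answer-yes --no-prompt &&
    "$splunk" install app "$3" -auth "admin:$2" &&
    "$splunk" restart
}

# Usage: sh provision_uf.sh https://prd-p-XXXX.cloud.splunk.com 'mypassword' /home/richard/Downloads/splunkclouduf.spl
if [ $# -eq 3 ]; then
    provision_forwarder "$1" "$2" "$3"
fi
```

After the first start, confirm user-seed.conf is gone from etc/system/local and remove it yourself if it is still there, since it is the only place the admin password sits in clear text.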

At this point I return to the Splunk Cloud Web interface and click the "search" feature. I see Splunk is indexing some data.


I run a search for "host=debian" and find my logs.


Not too bad! Have you tried Splunk Cloud? What do you think? Leave me a comment below.

Update: I installed the Universal Forwarder on FreeBSD 11.1 using the method above (except with a FreeBSD .tgz) and everything seems to be working!

Saturday, March 02, 2013

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report.

In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.

In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.

These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.

Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.

They are listed in no particular order.

  1. Seth Hall (Bro): Watching for the APT1 Intelligence
  2. Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
  3. Chris Sanders: Making the Mandiant APT1 Report Actionable
  4. Symantec: APT1: Q&A on Attacks by the Comment Crew
  5. Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
  6. Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
  7. Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
  8. OpenDNS Umbrella Labs: An intimate look at APT1, China’s Cyber-Espionage Threat
  9. Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
  10. Adam Segal: Hacking back, signaling, and state-society relations
  11. Snorby Labs: APT Intelligence Update
  12. Wendy Nather: Exercises left to the reader
  13. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
  14. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
  15. Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
  16. Cyb3rsleuth: Chinese Threat Actor Part 5
  17. David Bianco: The Pyramid of Pain
  18. Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
  19. Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
  20. Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
  21. Brandon Dixon: Mandiant APT2 Report Lure
  22. Seculert: Spear-Phishing with Mandiant APT Report
  23. PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
  24. Rich Mogull (Securosis): Why China's Hacking is Different
  25. China Digital Times: Netizens Gather Further Evidence of PLA Hacking

M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.

I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.

Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.


Thursday, December 09, 2010

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system.

As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

r200a# uname -a

FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49
UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable
/misc/compat6x-amd64-6.4.604000.200810_3.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable
/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.

*******************************************************************************
* *
* Do not forget to add COMPAT_FREEBSD6 into *
* your kernel configuration (enabled by default). *
* *
* To configure and recompile your kernel see: *
* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
* *
*******************************************************************************

r200a# pkg_add splunk-4.1.6-89596-freebsd-6.2-amd64.tgz
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://r200a.taosecurity.com:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------

r200a# /opt/splunk/bin/splunk start --accept-license
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
/opt/splunk/etc/auth/audit/private.pem
/opt/splunk/etc/auth/audit/public.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/audit/private.pem', '1024']
/opt/splunk/etc/auth/audit/private.pem generated.
/opt/splunk/etc/auth/audit/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.........++++++
............................++++++
e is 65537 (0x10001)
writing RSA key

/opt/splunk/etc/auth/distServerKeys/private.pem
/opt/splunk/etc/auth/distServerKeys/trusted.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/distServerKeys/private.pem', '1024']
/opt/splunk/etc/auth/distServerKeys/private.pem generated.
/opt/splunk/etc/auth/distServerKeys/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.............++++++
............................................++++++
e is 65537 (0x10001)
writing RSA key


This appears to be your first time running this version of Splunk.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Creating: /opt/splunk/var/lib
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary

Splunk> The IT Search Engine.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... /opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
............++++++
.................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=r200a.taosecurity.com/O=SplunkUser
Getting CA Private Key
writing RSA key
Done.

If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation

The Splunk web interface is at http://r200a.taosecurity.com:8000

And that's it! I pointed my Web browser to the FreeBSD server and I accessed Splunk. Kudos to Splunk for providing a free version of their product to run in this manner!

Postscript: I realized Splunk installs to /opt, which on this system lives in /, which is small. So, I made this change after stopping Splunk:

r200a# mv /opt /nsm/
r200a# ln -s /nsm/opt/ /opt

That put Splunk in the larger /nsm partition. I should have created the symlink before installing, but no real harm was done anyway.

Wednesday, December 30, 2009

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked:

I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify between your class and SANS 503, Intrusion Detection In-Depth.

Would you be able to provide some advice?


That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers.

Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform to justify their approach. The two classes are very different, each with a unique focus. It's up to the student to decide what sort of material he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't see anything specifically "wrong" with the SANS approach, but I maintain that a student will learn skills more appropriate for their environment in my class.

  • TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class.

    When you attend my class you get three handouts: 1) a workbook explaining how to analyze digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's guide answering all of the questions for the 15 cases. There are no slides aside from a few housekeeping items and a diagram or two to explain how the class is set up.

    When you attend SANS you will receive several sets of slide decks that the instructor will show during the course of the class. You will also have labs but they are not the focus of the class.

  • I designed TWS2 to meet the needs of a wide range of students, from beginners to advanced practitioners. TWS2 attendees typically finish 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we cover certain cases at checkpoints during the class. A few students have completed all 15 cases, and I often ask if those students are looking for a new opportunity with my team!

  • TWS2 is about investigating digital evidence, primarily in the form of network traffic, logs, and some memory captures. The focus is overwhelmingly on the content and not the container. SANS spends more time on the container and less on the content.

    For example, if you look at the SANS course overview, you'll see they spend the first three days on TCP/IP headers and analysis with Tcpdump. Again, there's nothing wrong with that, but I don't care so much about what bit in the TCP header corresponds to the RST flag. That was mildly interesting in the late 1990s when that part of the SANS course was written, but the content of a network conversation has been more important this decade. Therefore, my class focuses on what is being said and less on how it was transmitted.

  • TWS2 is not about Snort. While students do have access to a fully-functional Sguil instance with Snort alerts, SANCP session data, and full content libpcap network traffic, I do not spend time explaining how to write Snort alerts. SANS spends at least one day talking about Snort.

  • TWS is not about SIM/SEM/SIEM. Any "correlation" between various forms of evidence takes place in the student's mind, or using the free Splunk instance containing the logs collected from each case. If you consider dumping evidence into a system like Splunk, and then querying that evidence, to be "correlation," then we have "correlation." (Please see Defining Security Event Correlation for my thoughts on that subject.) SANS spends two days on fairly simple open source options for "correlation" and "traffic analysis."

  • TWS cases cover a wide variety of activity, while SANS is narrowly focused on suspicious and malicious network traffic. I decided to write cases that cover many of the sorts of activities I expect an enterprise incident detector and responder to encounter during his or her professional duties.

    I also do not dictate any single approach to investigating each case. Just like real life, I want the student to produce an answer. I care less about how he or she analyzed the data to produce that answer, as long as the chain of reasoning is sound and the student can justify and repeat his or her methodology.


I hope that helps prospective students make a choice. I'll note that I don't send any of my analysts to the SANS "intrusion detection" class. We provide in-house training that includes my material but also focuses on the sorts of decision-making and evidence sources we find to be most effective in my company. Also please note this post concentrated on the differences between my class and the SANS "intrusion detection" class, and does not apply to other SANS classes.

Saturday, December 12, 2009

Thanks for a Great Incident Detection Summit

We had a great SANS WhatWorks in Incident Detection Summit 2009 this week! About 100 people attended. I'd like to thank those who joined the event as attendees; those who participated as keynotes (great work Ron Gula and Tony Sager), guest moderators (Rocky DeStefano, Mike Cloppert, and Stephen Windsor), speakers, and panelists; Debbie Grewe and Carol Calhoun from SANS for their excellent logistics and planning, along with our facilitators, sound crew, and staff; our sponsors, Allen Corp., McAfee, NetWitness, and Splunk; and also Alan Paller for creating the two-day "WhatWorks" format.

I appreciate the feedback from everyone who spoke to me. It sounds like the mix of speakers and panels was a hit. I borrowed this format from Rob Lee and his Incident Response and Computer Forensics summits, so I am glad people liked it. I think the sweet spot for the number of panelists might be 4 or 5, depending on the topic. If it's more theoretical, with a greater chance of audience questions, a smaller number is better. If it's more of a "share what you know," like the tools and techniques panel, then a bigger number is ok.

Probably the best news from the Summit was the fact that SANS already scheduled the second edition -- the SANS WhatWorks in Incident Detection Summit 2010, 8-9 December 2010 in DC. I still need to talk to SANS about how it will work. They've asked me to combine log management with incident detection. I think that is interesting, since I included content on logs in this year's incident detection event. I'd like to preserve the single-track nature of the Summit, but it might be useful to have a few break-outs for people who want to concentrate on a single technology or technique.

I appreciate the blog coverage from Tyler Hudak and Matt Olney so far. Please let me know what you thought of the last event, and if you have any requests for the next one.

Before December 2010, however, I'm looking forward to the SANS What Works in Forensics and Incident Response Summit 2010, 8-9 July 2010, also in DC.

The very next training event for me is my TCP/IP Weapons School 2.0 at Black Hat in DC, 31 Jan - 1 Feb. Regular registration ends 15 January, so sign up while there are still seats left! This class tends to sell out due to the number of defense industry participants in the National Capital Region.

Saturday, February 28, 2009

Sample Lab from TCP/IP Weapons School 2.0 Posted

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus.


  1. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future.

  2. TWS2 is a completely brand-new class. I did not reuse any material from TWS, my older Network Security Operations class, or anything else.

  3. TWS2 offers zero slides. Students receive three handouts and a DVD. The handouts include an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide. The DVD contains a virtual machine with all the tools and evidence needed to complete the labs, along with the network and memory evidence as stand-alone files.

  4. TWS2 is heavily lab-focused. I've been teaching professionally since 2002, and I've recognized that students prefer doing to staring and maybe listening! Everyone who leaves TWS2 has had hands-on experience investigating computer incidents in an educational environment.

  5. TWS2 is designed for beginner-to-intermediate attendees. Some advanced people will like the material too, although I can't promise to please everyone. I built the class so that the newest people could learn by trying the labs, but follow the teacher's guide (which they receive) if they need extra assistance. More advanced students are free to complete the labs any way they see fit, preferably never looking at the teacher's guide until the labs are done. This system worked really well in DC last week.

  6. TWS2 uses multiple forms of evidence. Solving the labs relies heavily on the network traffic provided with each case, but some questions can only be answered by reviewing Snort alerts, or session data, or system logs provided via Splunk, or even memory captures analyzed with tools like Volatility or whatever else the student brings to the case.

  7. TWS2 comes home with the student and teaches an investigative mindset. Unlike classes that dump a pile of slides on you, TWS2 essentially delivers a book in courseware form. I use (*gasp*) whole sentences, even paragraphs, to describe how to solve labs. By working the labs the student learns how to be an investigator, rather than just watching or listening to investigative theories. I am using the same material to teach analysts on my team how to detect and respond to intrusions.


To provide a better sense of the class, I've posted materials from one of the labs here. The .zip contains the student workbook for the case, the teacher's guide for the case, and the individual network trace file for the case. There is no way for me to include the 4 GB compressed VM that students receive, but by reviewing this material you'll get some idea of the nature of this class.

My next session of TCP/IP Weapons School 2.0 will take place in Amsterdam on 14-15 April 2009 at Black Hat Europe 2009. Seats are already filling.

The last sessions of the year will take place in Las Vegas on 25-26 and 27-28 July 2009 at Black Hat USA 2009. Registration for training at that location will open this week, I believe.

I am not teaching the class publicly anywhere else in 2009. I do not offer private classes to anyone, except internally within GE (and those are closed to the public).

If you have any questions on these classes, please post them here. Thank you.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

Tuesday, November 25, 2008

Splunk on FreeBSD 7.0

Although there is not a version of Splunk compiled natively for FreeBSD 7.0, I was told to try using Splunk 3.4.1 on FreeBSD 7.0 via FreeBSD's compat6x libraries.

I did the following:

freebsd70:/usr/local/src# pkg_add -v splunk-3.4.1-45588-freebsd-6.1-intel.tgz
Requested space: 106458852 bytes, free space: 1565927424 bytes in
/var/tmp/instmp.HhNhQk
Running pre-install for splunk-3.4.1-45588-freebsd-6.1-intel..
extract: Package name is splunk-3.4.1-45588-freebsd-6.1-intel
extract: CWD to /opt
extract: /opt/splunk/README.txt
extract: /opt/splunk/bin/btool
extract: /opt/splunk/bin/bunzip2
...edited...
extract: /opt/splunk/splunk-3.4.1-45588-FreeBSD-i386-manifest
extract: CWD to .
Running post-install for splunk-3.4.1-45588-freebsd-6.1-intel..
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://freebsd70.localdomain:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------
Attempting to record package into /var/db/pkg/splunk-3.4.1-45588-freebsd-6.1-intel..
Package splunk-3.4.1-45588-freebsd-6.1-intel registered in
/var/db/pkg/splunk-3.4.1-45588-freebsd-6.1-intel

If you try to start Splunk at this point you'll get an error like the following:

freebsd70:/usr/local/src# /opt/splunk/bin/splunk start
/libexec/ld-elf.so.1: Shared object "libc.so.6" not found, required by "splunk"

To fix the problem I installed compat6x:

freebsd70:/usr/local/src# pkg_add -vr ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
packages-7.0-release/misc/compat6x-i386-6.3.602114.200711.tbz
scheme: [ftp]
user: []
password: []
host: [ftp.freebsd.org]
port: [0]
document: [/pub/FreeBSD/ports/i386/packages-7.0-release/misc/
compat6x-i386-6.3.602114.200711.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
>>> USER anonymous
<<< 331 Guest login ok, send your complete e-mail address as password.
>>> PASS analyst@freebsd70.localdomain
<<< 230-You are user #147 of 800 simultaneous users allowed.
<<< 230-
<<< 230 Logged in anonymously.
>>> PWD
<<< 257 "/" is cwd.
>>> CWD pub/FreeBSD/ports/i386/packages-7.0-release/misc
<<< 250 "/pub/FreeBSD/ports/i386/packages-7.0-release/misc" is new cwd.
>>> MODE S
<<< 200 Mode okay.
>>> TYPE I
<<< 200 Type okay.
setting passive mode
>>> PASV
<<< 227 Entering Passive Mode (62,243,72,50,214,227)
opening data connection
initiating transfer
>>> RETR compat6x-i386-6.3.602114.200711.tbz
<<< 150 Data connection accepted from 24.126.62.67:61531; transfer starting for compat6x-
i386-6.3.602114.200711.tbz (3164256 bytes).
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/misc/compat6x-
i386-6.3.602114.200711.tbz...x +CONTENTS
x +COMMENT
...edited...
extract: CWD to /usr/local
extract: /usr/local/libdata/ldconfig/compat6x
extract: CWD to .
Running mtree for compat6x-i386-6.3.602114.200711..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/compat6x-i386-6.3.602114.200711..
Package compat6x-i386-6.3.602114.200711 registered in
/var/db/pkg/compat6x-i386-6.3.602114.200711

*******************************************************************************
* *
* Do not forget to add COMPAT_FREEBSD6 into *
* your kernel configuration (enabled by default). *
* *
* To configure and recompile your kernel see: *
* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
* *
*******************************************************************************

Then I could start Splunk:

freebsd70:/usr/local/src# /opt/splunk/bin/splunk start
Splunk Free Software License Agreement
...edited...
Do you agree with this license? [y/n]: y
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default'
to '/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/opt/splunk/etc/openldap/ldap.conf.default'
to '/opt/splunk/etc/openldap/ldap.conf'.
Copying '/opt/splunk/etc/modules/distributedSearch/config.xml.default'
to '/opt/splunk/etc/modules/distributedSearch/config.xml'.
/opt/splunk/etc/auth/audit/private.pem
/opt/splunk/etc/auth/audit/public.pem
/opt/splunk/etc/auth/audit/private.pem generated.
/opt/splunk/etc/auth/audit/public.pem generated.

/opt/splunk/etc/auth/audit/private.pem
/opt/splunk/etc/auth/audit/public.pem
/opt/splunk/etc/auth/audit/private.pem generated.
/opt/splunk/etc/auth/audit/public.pem generated.


This appears to be your first time running this version of Splunk.
Validating databases...
Creating /opt/splunk/var/lib/splunk/audit/thaweddb
Creating /opt/splunk/var/lib/splunk/blockSignature/thaweddb
Creating /opt/splunk/var/lib/splunk/_internaldb/thaweddb
Creating /opt/splunk/var/lib/splunk/fishbucket/thaweddb
Creating /opt/splunk/var/lib/splunk/historydb/thaweddb
Creating /opt/splunk/var/lib/splunk/defaultdb/thaweddb
Creating /opt/splunk/var/lib/splunk/sampledata/thaweddb
Creating /opt/splunk/var/lib/splunk/splunkloggerdb/thaweddb
Creating /opt/splunk/var/lib/splunk/summarydb/thaweddb
Validated databases: _audit, _blocksignature, _internal, _thefishbucket,
history, main, sampledata, splunklogger, summary

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Verifying configuration. This may take a while...
Finished verifying configuration.
Checking index directory...
Verifying databases...
Verified databases: _audit, _blocksignature, _internal, _thefishbucket,
history, main, sampledata, splunklogger, summary

Checking index files
All index checks passed.
All preliminary checks passed.
Starting splunkd...
Starting splunkweb.../opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
..................................++++++
.............................................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=freebsd70.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key

Splunk Server started.

The Splunk web interface is at http://freebsd70.localdomain:8000

I was then able to connect to the Splunk Web interface, add a directory (/var/log) to monitor, and access results.

Documentation for FreeBSD installation is also available. Thanks Splunk!


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Thursday, October 23, 2008

Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.

  1. Deploy Splunk in forwarding mode on the Windows system.

  2. Deploy a Syslog agent on the Windows system.

  3. Deploy OSSEC on the Windows system and send OSSEC output to Splunk.

  4. Deploy Windows Log Parser to send events via Syslog on a periodic basis.

  5. Retrieve Windows Event Logs periodically using WMIC.

  6. Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD.


I'd done number 2 before using NTSyslog, so I decided to see what might be newer as far as deploying Syslog agents on Windows goes.

I installed DataGram SyslogAgent, a free Syslog agent, onto a Windows XP VM.



It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following.



I noticed some odd characters inserted in the log messages, but nothing too extraordinary.

Next I tried the other modern free Syslog agent for Windows, SNARE. Development seems very active. I configured it to point to my Splunk server.



Next I checked the Splunk server for results.



As you can see the messages appear to be formatted a little better (i.e., no weird characters).

I was able to find logon messages recorded at different times by different Syslog agents. In the following screen capture, the top message is from SNARE and the bottom is from SyslogAgent.



I think if I decide to use a Syslog agent on Windows, I'll spend more time validating SNARE.
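Whichever agent ends up on the Windows box, what reaches Splunk is an RFC 3164 datagram: a `<PRI>` prefix (facility * 8 + severity), a timestamp, a hostname, a tag and the event text. The script below is an added example, not code from the original post or from either agent; it builds such a message the way a Windows agent would, strips the kind of stray control characters noted above (keeping TAB, which SNARE uses as its field delimiter), parses the result back into fields, and can ship one packet to a UDP syslog input. The header layout, the hostnames and the sample logon event are constructed assumptions.

```python
"""Added example, not part of the original post: build, sanitize and parse
RFC 3164 syslog messages of the kind a Windows syslog agent (SyslogAgent,
SNARE) sends to a collector such as Splunk.  The header layout, the sample
event text and the hostnames are constructed assumptions."""
import re
import socket
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity, sent as "<PRI>" at the start of the packet.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# "<PRI>Mmm dd hh:mm:ss host tag: message"; the tag carries no ':' so the
# colons inside a Windows event body do not confuse the split.
HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def sanitize(body: str) -> str:
    """Strip control characters (the 'odd characters' an agent may inject),
    keeping TAB because SNARE uses it as its field delimiter."""
    return "".join(ch for ch in body
                   if ch == "\t" or (ch >= " " and ch != "\x7f"))


def build_message(facility, severity, hostname, tag, body, when=None) -> bytes:
    when = when or datetime(2008, 10, 23, 14, 5, 9)  # fixed so results are reproducible
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 space-pads the day
    text = f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {sanitize(body)}"
    return text.encode("ascii", "replace")[:1024]       # RFC 3164 packet limit


def parse_message(raw: bytes) -> dict:
    m = HEADER_RE.match(raw.decode("ascii", "replace"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_udp(raw: bytes, collector: str, port: int = 514) -> int:
    """Ship one datagram to a syslog listener (e.g. a Splunk UDP input)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(raw, (collector, port))


# Constructed sample: a Windows XP logon event with a stray NUL, as a
# misbehaving agent might emit it.
SAMPLE_BODY = "Security\t528\tSuccessful Logon: User Name: analyst\x00 Domain: LAB Logon Type: 2"

if __name__ == "__main__":
    packet = build_message("local0", "info", "winxp-vm", "SyslogAgent", SAMPLE_BODY)
    print(packet)
    print(parse_message(packet))
```

Run it as-is to see the packet and the parsed fields; pass the packet to `send_udp(packet, "splunk-host")` to push it into a UDP input. Because the parser splits on the first colon after a colon-free tag, Windows event bodies full of "Field: value" pairs survive intact, which is the property worth checking when you compare agents.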

Monday, September 29, 2008

Wanted: Incident Handler with Mentoring Skills

Previously I posted Wanted: Incident Handler with Reverse Engineering/Malware Analysis Skills. That article noted our GE Careers job posting (843369). We received several great candidates with reverse engineering and malware skills, but none in Cincinnati. Therefore, I am shuffling the positions a bit. The RE/malware person does not need to reside in Cincinnati, but now I need a different incident handler definitely located in Cincinnati.

The incident handler in Cincinnati should meet the following requirements.

  1. Strong incident handling skills. I want this person to be able to speak authoritatively and confidently when dealing with internal business partners. (This is not a job supporting external customers.)

  2. Strong mentoring skills. This candidate will interact daily with our Command Center personnel. The Command Center will be the 24x7 component of our Incident Response Center. This incident handler will need to be a mentor and coach for the Command Center analysts, although not their manager.

  3. Be an ambassador. This incident handler will be our in-person representative to two crucial groups: our Infrastructure businesses and our local IT staff. I need a candidate who represents our interests well and collaborates with partner organizations in a professional manner.

  4. Intermediate host forensics skills. We need a person who has traditional host-centric forensic experience.

  5. Introductory-to-intermediate log analysis skills. We need a person who can support others on the team who do log analysis. Experience with or intense willingness to learn Splunk is crucial.


To reiterate, this is a GE employee position in Cincinnati. Please apply if you believe you fit the bill. Thank you.

Friday, August 29, 2008

Splunk on Ubuntu 8.04

I've been using Splunk at work, so I decided to try installing the free version on a personal laptop. Splunk is a log archiving and search product which I recommend security professionals try. Once you've used it you will probably think of other ways to leverage its power. Anyone can use a free version that indexes up to 500 MB per day, so it's perfect for a personal laptop's logs. This machine runs Ubuntu 8.04.

By default Splunk installs into /opt. Unfortunately when I built this system, I didn't create a /opt partition, and / is too small. So, I decided to create a symlink in /var/opt and accept the rest of the defaults when installing Splunk.
 
root@neely:/usr/local/src# ls -d /opt
/opt
root@neely:/usr/local/src# rmdir /opt
root@neely:/usr/local/src# ln -s /var/opt /opt

Next I installed the .deb that Splunk provides. I've also used the .rpm on Red Hat Enterprise Linux.

root@neely:/usr/local/src# dpkg -i splunk-3.3.1-39933-linux-2.6-intel.deb
Selecting previously deselected package splunk.
(Reading database ... 142815 files and directories currently installed.)
Unpacking splunk (from splunk-3.3.1-39933-linux-2.6-intel.deb) ...
Setting up splunk (3.3.1-39933) ...
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://neely:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------

That was easy. Next I start Splunk.

root@neely:/usr/local/src# /opt/splunk/bin/splunk start

Splunk Free Software License Agreement
THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PR
...edited...
ditions of this Agreement will remain in full force and effect.
Do you agree with this license? [y/n]: y
Copying '/var/opt/splunk/etc/myinstall/splunkd.xml.default'
to '/var/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/var/opt/splunk/etc/modules/distributedSearch/config.xml.default'
to '/var/opt/splunk/etc/modules/distributedSearch/config.xml'.
/var/opt/splunk/etc/auth/audit/private.pem
/var/opt/splunk/etc/auth/audit/public.pem
/var/opt/splunk/etc/auth/audit/private.pem generated.
/var/opt/splunk/etc/auth/audit/public.pem generated.

/var/opt/splunk/etc/auth/audit/private.pem
/var/opt/splunk/etc/auth/audit/public.pem
/var/opt/splunk/etc/auth/audit/private.pem generated.
/var/opt/splunk/etc/auth/audit/public.pem generated.


This appears to be your first time running this version of Splunk.
Validating databases...
Creating /var/opt/splunk/var/lib/splunk/audit/thaweddb
Creating /var/opt/splunk/var/lib/splunk/blockSignature/thaweddb
Creating /var/opt/splunk/var/lib/splunk/_internaldb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/fishbucket/thaweddb
Creating /var/opt/splunk/var/lib/splunk/historydb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/defaultdb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/sampledata/thaweddb
Creating /var/opt/splunk/var/lib/splunk/splunkloggerdb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/summarydb/thaweddb
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main,
sampledata, splunklogger, summary

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Verifying configuration. This may take a while...
Finished verifying configuration.
Checking index directory...
Verifying databases...
Verified databases: _audit, _blocksignature, _internal, _thefishbucket, history, main,
sampledata, splunklogger, summary

Checking index files
All index checks passed.
All preliminary checks passed.
Starting splunkd...
Starting splunkweb.../var/opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.......++++++
...............................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=neely/O=SplunkUser
Getting CA Private Key
writing RSA key

Splunk Server started.

The Splunk web interface is at http://neely:8000
If you get stuck, we're here to help. Feel free to email us at 'support@splunk.com'.

Now I point Firefox to port 8000 on the local machine.



Cool. I need to tell Splunk to log something, so I select Index Files and point it to /var/log.



Returning to the main screen, within seconds Splunk has indexed the measly 8 MB or so of logs I have in /var/log.



Now I'm ready to start searching. For fun I start typing 'samba' in the search box, and decide to look at 'sambashare' as Splunk shows me what's been indexed.



That's it. The big caveat here is that you need to protect the Web and administration ports (8000 and 8089 TCP) yourself -- the free Splunk doesn't even have authentication. There are several tutorials on the Web about that, mainly about firewalling those ports and then using a Web proxy or similar to access the ports locally.
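The startup transcripts above (on both FreeBSD and Ubuntu) report only that ports 8000 and 8089 are "open," not which addresses they are bound to, and an unauthenticated splunkweb or splunkd listening on every interface is exactly the exposure the caveat warns about. The script below is an added example, not part of the original post or of Splunk: on Linux it reads /proc/net/tcp and /proc/net/tcp6 (no root needed) and reports any Splunk port bound to a wildcard or non-loopback address, so you can verify your firewalling or proxying before trusting it. The two socket tables embedded in it are constructed samples so the checks run offline; on FreeBSD the equivalent information comes from sockstat -l.

```python
"""Added example, not part of the original post: confirm that splunkweb
(8000/tcp) and the splunkd management port (8089/tcp) are not listening on
every interface.  Linux-specific (parses /proc/net/tcp and /proc/net/tcp6);
the sample tables below are constructed so the functions run offline."""
import socket
import struct
from pathlib import Path

SPLUNK_PORTS = {8000: "splunkweb", 8089: "splunkd mgmt"}
LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def _hex_ip(h: str) -> str:
    """Decode a /proc/net/tcp address: 8 hex digits (IPv4) or 32 (IPv6),
    each 32-bit word stored in host byte order (little-endian on x86)."""
    if len(h) == 8:
        return socket.inet_ntoa(struct.pack("<I", int(h, 16)))
    words = [int(h[i:i + 8], 16) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))


def parse_listeners(table: str):
    """Return [(ip, port)] for every socket in LISTEN state in one table."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue
        ip_hex, port_hex = cols[1].split(":")
        listeners.append((_hex_ip(ip_hex), int(port_hex, 16)))
    return listeners


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def exposed_splunk_ports(listeners):
    """Splunk ports reachable from off-host: bound to 0.0.0.0, :: or a real address."""
    return sorted((port, ip) for ip, port in listeners
                  if port in SPLUNK_PORTS and not is_loopback(ip))


def audit_host():
    listeners = []
    for p in ("/proc/net/tcp", "/proc/net/tcp6"):
        if Path(p).exists():
            listeners += parse_listeners(Path(p).read_text())
    return exposed_splunk_ports(listeners)


# Constructed sample: splunkweb on all IPv4 interfaces (the weak setting),
# splunkd mgmt on loopback only, plus an established client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F99 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F99 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample: sshd on the IPv6 wildcard, splunkweb on ::1 only.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1F40 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 998 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for port, ip in audit_host():
        print(f"WARNING: {SPLUNK_PORTS[port]} ({port}/tcp) listens on {ip}; "
              "bind it to loopback, firewall it, or front it with an authenticating proxy")
```

Run it on the Splunk host after each restart; an empty result means both ports are confined to loopback and can be reached only through a local proxy or an SSH tunnel, which is the arrangement the caveat recommends.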