IR 201: Splunk & Suricata (45 pts)

What You Need for This Project


Task 1: Create an Ubuntu Cloud Server (10 pts)

You should already have a Debian Google Cloud Server, which you prepared in a previous project.

Make another Google Cloud server running Ubuntu 18.04, allowing HTTP and HTTPS traffic, as shown below.

Install Apache

On the Ubuntu server, execute these commands:
sudo apt-get update
sudo apt-get install nano apache2 -y

IR 201.1: Ubuntu Server Description (5 pts)

On the Ubuntu server, execute this command:
lsb_release -a
Find the portion of the output shown below. The text covered by the green box in the image below is the flag.


Task 2: Install Splunk

Getting the Download Link

In a Web browser, go to

https://www.splunk.com

At the top right, click the tiny head-and-shoulders icon, outlined in aqua in the image below.

If you have a Splunk account, log in. Otherwise create one now.

At the top right, click the green "Free Splunk" button.

At the lower left of the next page, in the "Splunk Enterprise" section, click "Download Free 60-Day Trial", as shown below.

On the next page, click the Linux tab, and, in the ".deb" line, click the "Download Now" button, as shown below.

On the next page, accept the agreement and click the "Start Your Download Now" button, as shown below.

When the download starts, cancel it. At the top right of the next page, click "Command Line (wget)".

Highlight the command in the pop-up box and copy it, as shown below.

Installing the Software

On your Ubuntu machine, in a terminal window, execute the command you just copied. The file downloads, as shown below.

On the Ubuntu server, execute these commands.

sudo dpkg -i splunk*
cd /opt/splunk/bin
sudo ./splunk set web-port 443
sudo ./splunk start
A license agreement fills the screen. Press Q to close it.

Enter y to agree to the license. Enter a username and password of your choice for Splunk. Make a note of the username and password you chose!

Splunk installs, as shown below.

Viewing the Splunk Page

Open this URL, replacing the IP address with the public IP address of your Ubuntu server:
http://34.73.73.12:443

Troubleshooting

The CCSF network blocks this traffic, so you'll need to work around that, using a technique such as:
  • Connecting to "Danger Zone" in S37 or S2145
  • Connecting through your cell phone
  • Working off-campus
  • Using a VPN
The Splunk management page opens. Log in with the username and password you specified when installing Splunk, as shown below.


IR 201.2: App Server Port (10 pts)

In the Splunk management page, at the top, click Settings, "Server settings", "General settings".

The text covered by the green box in the image below is the flag.


Task 3: Monitoring the Logs

In the Splunk administration page, click "Add Data", as shown below.

If a box pops up asking you to take a tour, click Skip.

In the next page, scroll down to the "Or get data in with the following methods" section, and click Monitor, as shown below.

In the "Add Data" screen, on the left side, click "Files & Directories".

On the right side, enter a "File or Directory" of

/var/log
as shown below.

At the top right, click the green Next button.

Click Review. Click Submit.

Click "Start Searching".

If a box pops up asking you to take a tour, click Skip.

Splunk shows log entries, as shown below.

Finding the Ubuntu Server's Private IP Address

On your Ubuntu server, execute this command:
ip a
Find your server's private IP address, as highlighted in the image below.

Enabling Password Authentication

On your Ubuntu server, execute this command:
sudo nano /etc/ssh/sshd_config
Enable password authentication, as shown below.

Save the file with Ctrl+X, Y, Enter.

Execute this command to restart SSH:

sudo systemctl restart ssh

Making Login Attempts

On your Debian server (NOT your Ubuntu server), execute this command, replacing the IP address with the private IP address of your Ubuntu server.
ssh fred@10.142.0.4
Enter incorrect passwords several times, as shown below.
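The failed logins you just generated are written by sshd to /var/log/auth.log, which Splunk is now indexing. The script below is an added example (not part of the original project) that does offline what the Splunk search in the next steps does interactively: it parses "Failed password" lines, counts them per user and source address, and flags pairs that reach a threshold. The log lines are constructed for the example; the host name "ubuntu-ids", the PIDs, ports and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample of the sshd lines that end up in /var/log/auth.log on Ubuntu;
# host name, PIDs, ports and timestamps are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar 21 10:15:01 ubuntu-ids sshd[1842]: Failed password for fred from 10.142.0.3 port 51234 ssh2
Mar 21 10:15:04 ubuntu-ids sshd[1842]: Failed password for fred from 10.142.0.3 port 51234 ssh2
Mar 21 10:15:07 ubuntu-ids sshd[1842]: Failed password for fred from 10.142.0.3 port 51234 ssh2
Mar 21 10:15:09 ubuntu-ids sshd[1842]: Connection closed by authenticating user fred 10.142.0.3 port 51234 [preauth]
Mar 21 10:16:30 ubuntu-ids sshd[1901]: Failed password for invalid user admin from 10.142.0.3 port 51240 ssh2
Mar 21 10:17:02 ubuntu-ids sshd[1950]: Accepted publickey for student from 10.142.0.3 port 51250 ssh2
"""

# One regex for the "Failed password" line. "invalid user" is present when the
# account does not exist on the server, which is worth recording separately.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "src": m.group("src"),
            "port": int(m.group("port")),
        })
    return events


def failures_by_user_and_source(events):
    """Equivalent of a Splunk 'stats count by user, src' over the failed logins."""
    return Counter((e["user"], e["src"]) for e in events)


def flag_repeated_failures(events, threshold=3):
    """(user, src) pairs that reached the threshold, most frequent first."""
    counts = failures_by_user_and_source(events)
    return [pair for pair, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    for pair, n in failures_by_user_and_source(evs).most_common():
        print(f"{n:3d} failed logins for user {pair[0]!r} from {pair[1]}")
    print("repeated failures:", flag_repeated_failures(evs))
```

Run it as-is to see the three failures for "fred" grouped together; point parse_failed_logins at the contents of the real /var/log/auth.log to check what Splunk should be showing you.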

Viewing Recent Events

In the Splunk management page, at the top left, click splunk. The main Splunk page appears, as shown below.

On the left side, click "Search & Reporting".

In the Search page, in the lower right, click the "Data Summary" button, as shown below.

A "Data Summary" box pops up, as shown below.

Click the hostname of your server, which appears in blue letters.


IR 201.3: Record Your Success (10 pts)

In Splunk, find a "Failed password" event for "fred", as shown below.

The text covered by the green box in the image below is the flag.


Task 4: Install Suricata

Installing Suricata from a PPA Repository

On your Ubuntu server, execute these commands, one at a time.
sudo apt install software-properties-common -y
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt-get install suricata -y

Configuring a Test Rule

On your Ubuntu server, execute this command:
sudo nano /etc/suricata/rules/test-ddos.rules
Paste in the code below. This rule fires when there are more than 10 attempted connections within one second.
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 20, seconds 1; sid:1000001; rev:1;)
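The threshold keyword is what turns this rule from "alert on every SYN to port 80" into a flood detector: with "type both, track by_dst, count 20, seconds 1" Suricata keeps a per-destination counter, raises the alert once when the count is reached inside the one-second window, and suppresses further alerts until that window has expired. The Python below is an added model of that behaviour, written for this page from the documented semantics; it is not Suricata's own code and the packet timelines it replays are constructed (the burst() helper imitates the spacing of the hping3 command used later in the project).

```python
# Simplified model of Suricata's threshold "type both, track by_dst, count N, seconds S":
# alert once when the Nth matching packet to a destination arrives inside an S-second
# window, then stay quiet until that window has expired. Added model following the
# documented behaviour, not Suricata's own implementation.
class ThresholdBoth:
    def __init__(self, count, window_ms):
        self.count = count
        self.window_ms = window_ms
        # dst -> [window_start_ms, packets_seen_in_window, already_alerted]
        self.state = {}

    def observe(self, ts_ms, dst):
        """Feed one packet that matched the rule body (here: a SYN to port 80).
        Returns True when this packet should raise the alert."""
        st = self.state.get(dst)
        if st is None or ts_ms - st[0] >= self.window_ms:
            st = [ts_ms, 0, False]          # start a fresh window for this destination
            self.state[dst] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True                    # one alert per window, then suppress
            return True
        return False


def burst(start_ms, n, gap_ms, dst):
    """Constructed packet timeline: n SYNs to dst, gap_ms apart (hping3 -c n -i u<gap>)."""
    return [(start_ms + i * gap_ms, dst) for i in range(n)]


def run_detector(packets, count=20, window_ms=1000):
    """Replay (timestamp_ms, dst) tuples in time order; return the alerts raised."""
    det = ThresholdBoth(count, window_ms)
    return [(ts, dst) for ts, dst in sorted(packets) if det.observe(ts, dst)]


# Constructed traffic: two 20-packet floods 5 s apart against the lab server's private
# address, plus a slow trickle to another host that never reaches the count.
FLOOD = burst(0, 20, 10, "10.142.0.4") + burst(5000, 20, 10, "10.142.0.4")
TRICKLE = burst(0, 5, 500, "10.142.0.5")

if __name__ == "__main__":
    for ts, dst in run_detector(FLOOD + TRICKLE):
        print(f"t={ts} ms  Possible DDoS attack  -> {dst}")
```

Running it prints exactly two alerts (one per flood) and nothing for the trickle. Try changing the gap in burst() to 100 ms: the same 20 packets then straddle two windows and never trigger, which is why a rule like this catches floods rather than ordinary bursts of connections.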

Save the file with Ctrl+X, Y, Enter.

On your Ubuntu server, execute this command:

sudo nano /etc/suricata/suricata.yaml
Press Ctrl+W and search for "rule-files".
If your browser doesn't let you press Ctrl+W, use the mouse to select it from the on-screen keyboard icon, as shown below.

Adjust the "default-rule-path" and insert a "Custom Test Rule", as shown below.

Use Ctrl+W to find all references to "eth0" and change them to "ens4".

Save the file with Ctrl+X, Y, Enter.

Start Suricata

On your Ubuntu server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Monitor the Suricata Log

On your Ubuntu server, execute this command:
tail -f /var/log/suricata/fast.log
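Each alert lands in fast.log as a single line: timestamp, [gid:sid:rev], the rule's msg, classification, priority, protocol, and the source and destination socket pairs. The parser below is an added example (not from the project or from Suricata) that turns those lines into records and answers the questions you will later ask Splunk: how many times each signature fired and which destinations it hit. The sample lines are constructed; the first two mimic the test rule from this project (sid 1000001), the third uses a made-up signature (sid 9000001, "Constructed sample rule") so the priority filter has something to keep. The regex assumes IPv4 addresses, since IPv6 addresses contain colons.

```python
import re
from collections import Counter

# Constructed fast.log lines in the one-line format Suricata writes. The first two use
# the lab's test rule (sid 1000001); the third is a made-up rule (sid 9000001).
SAMPLE_FAST_LOG = """\
03/21/2019-10:20:33.123456  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 10.142.0.3:2048 -> 10.142.0.4:80
03/21/2019-10:20:38.654321  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 10.142.0.3:2049 -> 10.142.0.4:80
03/21/2019-10:21:02.000001  [**] [1:9000001:2] Constructed sample rule [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.142.0.3:2050 -> 10.142.0.4:80
"""

# IPv4 only: an IPv6 address would need a different split between address and port.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[key] = int(d[key])
        events.append(d)
    return events


def alerts_by_sid(events):
    """Count alerts per signature id, like a Splunk 'stats count by sid'."""
    return Counter(e["sid"] for e in events)


def targets(events, sid):
    """Distinct destination ip:port pairs hit by one signature."""
    return sorted({f"{e['dst']}:{e['dport']}" for e in events if e["sid"] == sid})


def at_or_above_priority(events, max_prio=2):
    """Suricata priority 1 is the most severe; keep alerts at max_prio or more severe."""
    return [e for e in events if e["prio"] <= max_prio]


if __name__ == "__main__":
    evs = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, n in alerts_by_sid(evs).most_common():
        print(f"sid {sid}: {n} alert(s), targets {targets(evs, sid)}")
    print("priority <= 2:", [e["msg"] for e in at_or_above_priority(evs)])
```

To use it on the live file, read /var/log/suricata/fast.log into a string and pass it to parse_fast_log(); a line that fails to parse is a sign the log format differs from what the regex expects, not that the alert is missing.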

Perform a SYN FLOOD Attack

On the attack server, execute these commands, replacing the IP address in the second command with the address of your Ubuntu server.
sudo apt install hping3
sudo hping3 -c 20 -S -p 80 -i u10000  10.142.0.4
The packet flood runs, as shown below.


IR 201.4: Recording Your Success (10 pts)

An alert appears on the target server.

The text covered by the green box in the image below is the flag.

Troubleshooting

If you see no alerts, check the /etc/suricata/suricata.yaml file and make sure it is exactly as shown above.

Task 5: Updating Suricata Rules

Getting the Rules

On your Ubuntu server, execute this command:
sudo suricata-update
This places a ruleset into the directory highlighted in the image below:

Configuring Suricata to Use the New Rules

On your Ubuntu server, execute this command:
sudo nano /etc/suricata/suricata.yaml
Press Ctrl+W and search for "rule-files".

Adjust the "default-rule-path" and comment out the "Custom Test Rule", as shown below.

Save the file with Ctrl+X, Y, Enter.

Restarting Suricata

On your Ubuntu server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Viewing Suricata Alerts in Splunk

In your Splunk page, at the top left, click splunk>

On the left side, click "Search & Reporting".

In the lower center, click the "Data Summary" button.

In the "Data Summary" box, click the Sources tab. Several Suricata files appear, as shown below.

Click /var/log/suricata/fast.log.

The alert you saw previously appears in Splunk, as shown below.

Perform Another SYN FLOOD Attack

On the attack server, execute this command, replacing the IP address with the address of your Ubuntu server.
sudo hping3 -c 20 -S -p 80 -i u10000 10.142.0.4

Viewing the Suricata Alert in Splunk

In Splunk, at the top right, click the green magnifying glass button.


IR 201.5: Record Your Success (10 pts)

An alert appears, as shown below.

The text covered by the green box in the image below is the flag.


Posted 3-21-19
Install lshw added 5-20-19
Image fixed and software-properties-common added 5-20-19
Point total for 1.1 changed to 10 8-8-19
Update added for Ubuntu 8-8-19
Hint added for missing suricata fast alerts 8-8-19
More PHP extensions added 8-19-19
Note about CCSF blocking the Splunk port 443 traffic added 9-10-19