W 202: Using Splunk with Suricata (20 pts)

What You Need for This Project

Resizing the Disk

Splunk will run out of space and stop searching with the default 10 G disk, so we need to make it larger.

In the Google Cloud Console, at the top left, click the three-bar "hamburger" icon. Scroll down to the COMPUTE section and click "Compute Engine", "Disks".

Click the name of your Ubuntu machine, which is probably ubuntu, as shown below.

On the next page, at the top right, click EDIT. Change the disk size to 20, as shown below.

At the bottom of the page, click Save.

In your Ubuntu machine, in an SSH session, execute this command:

sudo reboot
Click Reconnect. If it fails, click Retry. I had to perform a reset using the Google Cloud VM Instances page to get it to reconnect.

In your Ubuntu machine, in the SSH session, execute these commands:

sudo /opt/splunk/bin/splunk start
df -h
You should see 17 GB free on device /dev/sda1, as shown below.


Task 1: Monitoring Logs with Splunk

In the Splunk Web page, at the top left, click splunk.

In the Splunk administration page, click "Add Data", as shown below.

If a box pops up asking you to take a tour, click Skip.

In the next page, scroll down to the "Or get data in with the following methods" section, and click Monitor, as shown below.

In the "Add Data" screen, on the left side, click "Files & Directories".

On the right side, enter a "File or Directory" of

/var/log
as shown below.

At the top right, click the green Next button.

Click Review. Click Submit.

Click "Start Searching".

If a box pops up asking you to take a tour, click Skip.

Splunk shows log entries, as shown below.

Finding Private IP Address

On your Ubuntu Drupal server, execute this command:
ip a
Find your server's private IP address, as highlighted in the image below.

Enabling Password Authentication

On your Ubuntu Drupal server, execute this command:
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication line, as shown below.

Change the value from "no" to "yes", as shown below.

Save the file with Ctrl+X, Y, Enter.

Execute this command to restart SSH:

sudo systemctl restart ssh

Making Login Attempts

On your Debian server, execute this command, replacing the IP address with the private IP address of your Ubuntu Drupal server.
ssh fred@10.142.0.4
Enter incorrect passwords several times, as shown below.

Viewing Recent Events

In the Splunk management page, at the top left, click splunk.

On the left side, click "Search & Reporting".

In the Search page, in the lower right, click the "Data Summary" button, as shown below.

A "Data Summary" box pops up, as shown below. Click the Sources tab.

In the Source list, click /var/log/auth.log, as shown below.
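The Splunk source view above filters /var/log/auth.log by hand. As an added example (not part of the project), the shell function below does the same grouping from the command line: it separates "Failed password" lines for an existing account from those for an "invalid user" (an account that does not exist on the server), which is the distinction sshd itself records, and counts them per user and source address. The log lines, hostnames and addresses are constructed samples, not taken from the project.

```shell
# Added example: shell/awk equivalent of the Splunk search over auth.log.
# usage: failed_logins FILE  -> user, source IP, kind, count (tab-separated)
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "for") break
        if ($(i+1) == "invalid" && $(i+2) == "user") {
            # "... Failed password for invalid user NAME from IP port N ssh2"
            kind = "invalid-user"; user = $(i+3); src = $(i+5)
        } else {
            # "... Failed password for NAME from IP port N ssh2"
            kind = "existing-user"; user = $(i+1); src = $(i+3)
        }
        count[user "\t" src "\t" kind]++
    }
    END { for (k in count) print k "\t" count[k] }' "$1" | sort
}

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (names, times and addresses are made up for this example).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar 21 10:15:02 ubuntu sshd[1234]: Failed password for alice from 10.0.0.9 port 50322 ssh2
Mar 21 10:15:06 ubuntu sshd[1234]: Failed password for alice from 10.0.0.9 port 50322 ssh2
Mar 21 10:15:10 ubuntu sshd[1234]: Failed password for alice from 10.0.0.9 port 50322 ssh2
Mar 21 10:16:01 ubuntu sshd[1240]: Failed password for invalid user bob from 10.0.0.9 port 50330 ssh2
Mar 21 10:16:05 ubuntu sshd[1240]: Failed password for invalid user bob from 10.0.0.9 port 50330 ssh2
Mar 21 10:17:00 ubuntu sshd[1250]: Accepted publickey for ubuntu from 10.0.0.9 port 50340 ssh2
EOF

# Accepted logins are ignored; only the two failing (user, source) pairs are listed.
failed_logins "$SAMPLE_AUTH_LOG"
```

On the real server, run it as `failed_logins /var/log/auth.log` (reading auth.log needs sudo or adm group membership).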

Flag W 202.1: User type (10 pts)

In Splunk, find a "Failed password" event for "fred", as shown below.

The text covered by the green box in the image below is the flag.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj W 202.2 from YOUR NAME".


Task 2: Install Suricata

Installing Suricata from a PPA Repository

On your Ubuntu Drupal server, execute these commands:
sudo apt install software-properties-common -y
sudo add-apt-repository ppa:oisf/suricata-stable 
Press Enter to add the repository.

On your Ubuntu Drupal server, execute these commands:

sudo apt update
sudo apt-get install suricata -y

Configuring a Test Rule

On your Ubuntu Drupal server, execute these commands:
sudo mkdir -p /var/lib/suricata/rules/
sudo nano /var/lib/suricata/rules/test-ddos.rules
Paste in the code below. This rule fires when there are more than 10 attempted connections within one second.
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 20, seconds 1; sid:1000001; rev:1;)
Save the file with Ctrl+X, Y, Enter.

On your Ubuntu Drupal server, execute this command:

sudo nano /etc/suricata/suricata.yaml
Press Ctrl+W and search for "rule-files".

Add test-ddos.rules to the list, as shown below.

Use Ctrl+W, Ctrl+R to open the Search and Replace function. Change all occurrences of eth0 to ens4.

Save the file with Ctrl+X, Y, Enter.
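Both troubleshooting notes in this project point back to suricata.yaml. As an added example (not part of the project), the function below is a pre-flight check for the two edits just made: it confirms that test-ddos.rules appears under the rule-files list and that no "eth0" references remain. The two YAML fragments it runs on are constructed samples containing only the keys the check reads, not the real file.

```shell
# Added example: check the suricata.yaml edits before starting Suricata.
# usage: check_suricata_yaml FILE [IFACE]  -> exit status 0 when both checks pass
check_suricata_yaml() {
    file=$1; iface=${2:-ens4}; status=0
    # The project replaces every eth0, so commented-out lines are flagged too.
    if grep -n 'eth0' "$file"; then
        echo "FAIL: eth0 still present (lines above); replace it with $iface"; status=1
    fi
    # The rule-files list starts at the top-level "rule-files:" key and ends at
    # the next non-indented key; look for test-ddos.rules inside that span.
    if awk '/^rule-files:/ { inlist = 1; next }
            inlist && /^[^ \t#-]/ { inlist = 0 }
            inlist && /test-ddos\.rules/ { found = 1 }
            END { exit !found }' "$file"; then
        echo "OK: test-ddos.rules is listed under rule-files"
    else
        echo "FAIL: test-ddos.rules is not listed under rule-files"; status=1
    fi
    return $status
}

# Constructed fragments of suricata.yaml: one edited correctly, one not.
GOOD_YAML=$(mktemp); BAD_YAML=$(mktemp)
cat > "$GOOD_YAML" <<'EOF'
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - test-ddos.rules
af-packet:
  - interface: ens4
EOF
cat > "$BAD_YAML" <<'EOF'
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
af-packet:
  - interface: eth0
EOF

check_suricata_yaml "$GOOD_YAML"
check_suricata_yaml "$BAD_YAML" || echo "bad sample rejected, as expected"
```

On the server, run `check_suricata_yaml /etc/suricata/suricata.yaml` and then `sudo suricata -T -c /etc/suricata/suricata.yaml`, which makes Suricata parse the whole configuration and rule set without starting capture.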

Start Suricata

On your Ubuntu Drupal server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4
Suricata enters the "running" state, as shown below.

If Suricata doesn't start, and prints out red error messages, go back and check the suricata.yaml file for errors.

Monitor the Suricata Log

On your Ubuntu Drupal server, execute this command:
tail -f /var/log/suricata/fast.log

Perform a SYN FLOOD Attack

On the attack server, execute these commands, replacing the IP address in the second command with the address of your Drupal server.
sudo apt install hping3 -y
sudo hping3 -c 20 -S -p 80 -i u10000 10.128.0.6
The packet flood runs, as shown below.
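Before the Suricata alerts reach Splunk (Task 3), it helps to know how fast.log groups them. As an added example (not part of the project), the function below summarizes /var/log/suricata/fast.log by signature id, message and destination, so you can see which rule fired and how many times. It runs here on constructed sample lines in fast.log's one-line format; the second signature id and its message are made up for the sample.

```shell
# Added example: summarize Suricata fast.log alerts from the command line.
# usage: suricata_alert_summary FILE -> sid, message, destination IP, count (tab-separated)
suricata_alert_summary() {
    awk '$2 == "[**]" {
        split($3, id, ":"); sid = id[2]      # "[1:1000001:1]" is gid:sid:rev
        msg = ""                              # message runs from field 4 to the next [**]
        for (i = 4; i <= NF && $i != "[**]"; i++) msg = msg (msg == "" ? "" : " ") $i
        split($NF, dst, ":")                  # last field is "dst-ip:port" (IPv4 only here)
        count[sid "\t" msg "\t" dst[1]]++
    }
    END { for (k in count) print k "\t" count[k] }' "$1" | sort
}

# Constructed sample fast.log lines (times and addresses are made up).
SAMPLE_FAST_LOG=$(mktemp)
cat > "$SAMPLE_FAST_LOG" <<'EOF'
03/21/2019-10:20:01.000100  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:43211 -> 10.0.0.4:80
03/21/2019-10:20:02.000200  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:43212 -> 10.0.0.4:80
03/21/2019-10:20:03.000300  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:43213 -> 10.0.0.4:80
03/21/2019-10:25:00.000400  [**] [1:9000002:1] Constructed sample alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:43300 -> 10.0.0.4:22
EOF

suricata_alert_summary "$SAMPLE_FAST_LOG"
```

Because the test rule uses "threshold: type both ... seconds 1", one flood produces at most one alert per second per destination, so the count here reflects seconds of flooding rather than packets sent.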

Flag W 202.2: Suricata alert (5 pts)

An alert appears on the Ubuntu Drupal server.

The text covered by the green box in the image below is the flag.

Troubleshooting

If you see no alerts, check the /etc/suricata/suricata.yaml file and make sure it is exactly as shown above.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj W 202.2 from YOUR NAME".


Task 3: Updating Suricata Rules

Getting the Rules

On your Ubuntu Drupal server, execute this command:
sudo suricata-update
This places a ruleset into the directory highlighted in the image below:

Restarting Suricata

On your Ubuntu Drupal server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Viewing Suricata Alerts in Splunk

In your Splunk page, at the top left, click splunk>

On the left side, click "Search & Reporting".

In the lower center, click the "Data Summary" button.

In the "Data Summary" box, click the Sources tab. In the filter box, type suri

Several Suricata files appear, as shown below.

Click /var/log/suricata/fast.log.

The alert you saw previously appears in Splunk, as shown below.

Perform Another SYN FLOOD Attack

On the Debian server, execute this command, replacing the IP address with the address of your Drupal server.
sudo hping3 -c 20 -S -p 80 -i u10000 10.142.0.4

Viewing the Suricata Alert in Splunk

In Splunk, at the top right, click the green magnifying glass button.

Flag W 202.3: App server ports (5 pts)

Several new alerts appear. Find the alert, as shown below.

The text covered by the green box in the image below is the flag.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj W 202.2 from YOUR NAME".

Turning in Your Project

Send the images to cnit.129s@gmail.com with a subject of "Proj W 202 from YOUR NAME". Send a Cc: to yourself.



Posted 3-21-19
Install lshw added 5-20-19
Image fixed and software-properties-common added 5-20-19
Point total for 1.1 changed to 10 8-8-19
Update added for Ubuntu 8-8-19
Hint added for missing suricata fast alerts 8-8-19
Split into two projects for CNIT 129S 1-25-2020
Project numbers updated 4-7-2020