Welcome back guys,
In this article, we will explore how to set up a SIEM (Security Information and Event Management) lab environment where we will extract various log data and send it to our deployed SIEM for further analysis. This lab walks through the process of configuring, optimizing, and securing an IT infrastructure. This emulates a real-life analysis in a SOC environment, where critical logs and events within a network are continuously monitored.
Topology
This tutorial builds upon my earlier blog posts about Windows Server and Active Directory. Remember to refer to my previous write-up, which details the installation and configuration steps.
Our SIEM for this lab is Splunk. I will walk you through installing and configuring Splunk and integrating log sources from Linux and Windows hosts. We will collect logs from our pfSense firewall, from the Snort IDS (intrusion detection system) installed on the Windows Server, and the Windows Event Logs from the same Windows Server. I will be using VMware Workstation 16 Pro as my hypervisor for this lab.
Table of Content
- Installing Windows Server
- Installing Ubuntu
- Installing pfSense
- Installing Snort
- Setting up Splunk
- Collecting Data
Installing Windows Server
An Active Directory domain with a Windows 2019 Server as the Domain Controller is used in this lab. This lab portion is rather simple to set up. To avoid this post from being extremely long, I’ll skip a few parts; you can check my previous blog post covering the installation and setup here.
Installing Ubuntu
Access to both the pfsense firewall & SIEM web interface will be primarily done from an Ubuntu Desktop, simulating a SOC/Security Analyst accessing a SIEM or any other tool from their device.
To do this, you’ll first have to configure an Ubuntu Desktop. This is a very easy process and I’ll not be covering it in this write-up but it is covered in this post. Be sure to use all the default settings for the Ubuntu Desktop configuration.
After this installation, run the ifconfig or ip a command on the Ubuntu Machine and take note of its IP Address.
For me, it is 192.168.1.3
Installing pfSense
A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.
In this lab, pfsense will be configured as our firewall to protect the network and access the internet.
pfSense is a firewall/router computer software distribution based on FreeBSD. pfSense is a free and open-source firewall and router that also features unified threat management, load balancing, multi-WAN, and more. pfSense® software offers a user-friendly system that is easy to manage with its uncomplicated interface.
It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface and requires no knowledge of the underlying FreeBSD system to manage. pfSense is mostly used as a router and firewall software and typically configured as a DHCP server, DNS server, Wi-Fi access point, and VPN server, all running on the same hardware device. It has been growing in popularity as one of the favorite home and business router operating systems.
- First, on our host machine, download the pfSense Community Edition ISO from https://www.pfsense.org/download/
- Select “AMD64 (64-bit)” in the Architecture dropdown and “CD Image (ISO) Installer” in the Installer dropdown, then click Download.
- Click “Create a New Virtual Machine” on VMware Workstation home screen.
- Make sure “Typical (recommended)” is selected and click Next. Click “Browse” and navigate to the folder where your pfsense file is located. Click Next.
- Rename your Virtual Machine. Preferably “pfsense”
- Click Next.
- 20GB disk size is sufficient for this VM.
- Ensure that the “Split virtual disk into multiple files” option is selected.
- Click Next.
- Click “Customize Hardware”.
- Increase the memory to 1GB.
- Enable network adapters for both our LAN and WAN interfaces. The WAN interface (NAT) will have access to the internet, while the LAN interface (Host-only) will be for our local private network. Then click Finish
- The pfsense machine will power on and start with this screen. Accept all the defaults. pfsense will configure and reboot.
- You should end up with a screen similar to this.
- Enter option 1 (Assign Interfaces)
- Should VLANs be set up now [y|n]?: n
- Enter em0 for the WAN interface and em1 for the LAN interface when prompted
- Do you want to proceed [y|n]?: y
- Enter option 2 (Set interface(s) IP address) and choose the LAN interface (2)
- The LAN address 192.168.1.1 will be used to reach the pfSense web GUI from the Ubuntu machine
- Set the LAN IPv4 address to 192.168.1.1 with a /24 subnet mask (255.255.255.0), press Enter for no upstream gateway (a LAN interface has none), and answer the remaining prompts as suits your lab.
This ends the configuration of the pfsense VM
The pfsense Web Configurator can be accessed to make some changes to the pfsense interface and firewall rules.
- On the Ubuntu machine, open a browser and go to https://192.168.1.1
- The web GUI uses a self-signed certificate, so the browser warns you; select “Advanced…” and proceed. Log in with the default credentials, username admin and password pfsense. The setup wizard will ask you for a new admin password: set one, and never leave the default in place on a firewall.
You’ll be greeted with a “Wizard/pfSense Setup/” page
- Click Next till you get to Step 2 of 9.
- Add 8.8.8.8 as your Primary DNS Server
- At Step 3 of 9, Choose your Timezone
- Click Next.
Setup completion!
After the last step the wizard reloads pfSense with the new settings. Once it comes back, check the dashboard for available updates and install them.
- Next, go back to the Windows Server and set the default gateway of its host-only adapter to the pfSense LAN address
- Input 192.168.1.1
- We can now disable the NAT adapter on the server; all of its traffic should leave through pfSense
Check connectivity from the server after these changes: we can reach google.com, i.e. the internet, through pfSense.
On the Ubuntu machine, set the default gateway to the pfSense address in the same way.
- Input 192.168.1.1
Installing Snort
Snort is a popular free and open-source IDS/IPS that performs traffic and protocol analysis and content matching, and can detect and prevent a range of attacks based on predefined rules. Snort has three main operational modes:
- Packet Sniffing: collects and displays network traffic
- Packet Logging: collects and logs network traffic to a file
- Network Intrusion Detection: analyzes packets and matches traffic against signatures
Snort rules are similar to firewall rules: they match network activity against specific patterns or signatures and decide whether to raise an alert or (in inline mode) drop the traffic. Snort ships with large predefined rule sets, but in this lab we will write our own rules in local.rules to detect potentially malicious traffic directed at the Windows Server.
Installing and configuring Snort
I will not cover the setup of Snort here, but you can find a detailed guide on installing and configuring Snort on Windows in this post
So, I have Snort downloaded, installed, setup, and ready to go
Now list the network interfaces Snort can see with snort -W and note the index of the adapter on the lab LAN. In my case, I’ll be using interface 4.
We will also validate the config file before relying on it: snort -T -c C:\directory_you_saved_snort_in\Snort\etc\snort.conf -i 4 parses snort.conf and every rule file it includes, reports any errors, and exits without sniffing.
Writing Snort Rules
Go back to snort.conf and comment out the include lines for the stock rule files to disable them temporarily, so that only local.rules is in play while we test.
Open local.rules. I created a rule that alerts when the server receives ICMP echo requests (pings).
I launched a shell on the pfSense machine and pinged the server. We can see the alerts popping up; our rule works!
Whenever Snort runs and alerts fire, it writes them to files in the log folder.
Setting up Splunk
Splunk is one of the most widely used SIEMs in the cybersecurity industry. It aggregates logs and datasets from many data sources, indexes them, and lets you search, parse and correlate all of that information in one place.
This section covers installing Splunk on Linux and configuring different log sources into it. We will cover the following:
- Install Splunk on Ubuntu
- Install the Universal Forwarder on the Windows Server and connect it to Splunk
- Collect logs from the important log sources/files and ingest them into Splunk
Installing Splunk on Ubuntu
On your Ubuntu machine, navigate to Splunk.com
- Click on “Free Splunk“
- Create an account or log in
- Under “Splunk Core Products” >> Splunk Enterprise >> Download Free 60-Day Trial
- Select the Linux package and download the .deb package:
Installing the Splunk package doesn’t take long: there are a handful of steps between the download and the web interface, each taking under a minute. Run them from a terminal and prefix each with sudo, as they need superuser privileges. If the package installs cleanly, dpkg reports that splunk has been set up, which means Splunk was installed correctly:
- Move the .deb file to /tmp, where you can safely proceed with the installation
- Install it with sudo dpkg -i /tmp/<the Splunk .deb filename you downloaded>
- After the package is installed, run sudo /opt/splunk/bin/splunk enable boot-start. Run this way it registers Splunk to start as root at boot, which is fine for a lab; for anything longer-lived create a dedicated splunk user and add -user splunk.
- Accept the license (y) and set up your administrator username and password when prompted
- Start the Splunk service: sudo service splunk start (or sudo /opt/splunk/bin/splunk start)
- Note the Splunk Web URL printed after startup, http://<Ubuntu IP>:8000 by default, and open it in your browser to access Splunk Enterprise
Installing Universal Forwarder on Windows Server
To collect activity from endpoints, Splunk uses an agent called the Universal Forwarder. It can be installed on Windows, Linux/Unix and macOS hosts to forward logs to your Splunk instance, and installing it is very straightforward.
First, set up the receiver on the Splunk server so there is something listening when the forwarder connects:
- Navigate to Settings >> Forwarding and receiving >> Configure receiving >> New Receiving Port
- Enter port 9997 and save
Then download the latest Universal Forwarder for Windows from the official Splunk website and install it:
- Accept the License Agreement and click Next
- Create a username and password for the forwarder’s local admin account
- Enter the IP address of your Splunk server (the Ubuntu machine, 192.168.1.3 in my case) as the Deployment Server, with port 8089
- Enter the same address as the Receiving Indexer, with port 9997
- Click Install, then Yes and Finish
Splunk Index Setup
Before we get any further, we need to configure Splunk to receive our data. The index is the repository for Splunk Enterprise data. Splunk Enterprise transforms incoming data into events, which it stores in indexes.
To make things simple, we are going to create three indexes. One for pfSense called firewall, another for Snort called ids, and another for wineventlog. I recommend you create and keep a table of indexes handy so you know where to look for your data within Splunk. This will solve future headaches when you’re looking for certain events.
- Navigate to Settings >> Indexes >> New index
- Name the index ids and save
- You can leave the rest of the settings alone
Repeat this process for the firewall and wineventlog indexes, then check that all three appear in the index list.
Collecting Data
We have installed the forwarder and set up the listener on Splunk. Now we configure which logs the forwarder collects and which index Splunk stores them in.
Ingesting Windows Event Logs
We will configure the forwarder to collect Event Logs from the host and send them to the Splunk Indexer. Let’s go through this step by step.
- Navigate back to your Splunk instance >> Settings >> Add Data (this shows all the options for adding data from different sources)
- Select Forward, since the data comes from the Splunk forwarder
- In the Select Forwarders section, click the host shown under Available host(s) to move it to Selected host(s) (in my case the Windows Server), enter a Server Class Name such as “Domain Controller”, and click Next
- Select the log source to ingest. The list offers many sources; choose Local Event Logs and tick the event logs you want, with Security at a minimum, since that is where the account-management events we test below are written >> Next
- In Input Settings, select wineventlog as the index >> Review
- The Review page summarizes the settings we just made; check them and click Submit
Click Apps > Search & Reporting
Depending on the event logs you chose to monitor, you can now query them under New Search.
Let’s test it. We will delete a user in our domain and check whether the action shows up in Splunk.
Go to the Windows Server, open Active Directory Users and Computers, and delete a user (create one first if you have none). I deleted a user I had created called testuser.
The action is recorded in the Security log in Event Viewer as Event ID 4726, “A user account was deleted”.
Over on the Splunk server, open the Search app and search the wineventlog index for EventCode 4726: the event is there.
Great! We have successfully configured Splunk to receive Event Logs from the Windows host. Let’s move on to the next task.
Ingesting Firewall Logs
First, we have to enable remote log forwarding on pfSense.
- Navigate to Status > System Logs > Settings
- Scroll down to Remote Logging Options and tick Enable Remote Logging
- Under Remote log servers, enter the Splunk server’s IP address and the port it will listen on, e.g. <Splunk IP>:514. pfSense sends syslog over UDP, so the Splunk input we create next must be a UDP input on that same port.
- Under Remote Syslog Contents, choose what to ship; at minimum Firewall Events, since those are the logs this lab analyzes
- Click Save to start forwarding logs to the Splunk server
Splunk Data Inputs
We need to configure a UDP input on the Splunk server to receive the pfSense logs. Go to Settings > Data Inputs and click “+ Add New” next to UDP.
On the add data page, enter the port pfSense is sending to; I am going to use port 514. Ports below 1024 can only be bound by root, which is how Splunk runs in this lab after enable boot-start; if your Splunk runs as an unprivileged user, pick a higher port such as 5514 and use the same one in pfSense.
In the Source type field, type pfsense and select the plain pfsense entry, not one of the pfsense:… variants.
The next setting to change is the Host field: select “Custom” and type in the hostname of your pfSense router. Then open the Index drop-down and select the firewall index we created earlier.
Continue to the next page by clicking “Review,” verify your new data input settings, and click “Submit.”
If we have configured everything correctly, we should be able to see the logs generated in Splunk. However, the logs may need proper parsing and normalizing, which will be discussed in upcoming posts.
Configuring Snort Logs
Okay, we have pfSense logs inside Splunk. Now we need to get the IDS alerts shipped to Splunk too. Since Snort is already installed, we just need to configure it and the forwarder.
Snort writes alerts to the alert.ids file in its log directory when run in IDS mode with -A fast or -A full. Full mode prints each alert together with the full packet headers; fast mode is quicker because it writes a single line per alert (timestamp, rule ID, message, protocol and addresses) without the headers, and that one-line format is what the snort_alert_fast sourcetype expects. Let’s test it by running Snort in fast alert mode.
We can see the alert.ids log file has been created.
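To make the fast-alert format concrete, here is a small parser for the one-line records Snort writes to alert.ids, the same records Splunk will index as snort_alert_fast. This is an added example, not code from the original post; the sample lines are constructed in the alert_fast layout using this lab’s rules and addresses, and the timestamps, ports and the Classification field on the third line are made up to exercise the parser.

```python
"""Parser for Snort 2 'fast' alert lines, the format Snort writes to alert.ids with -A fast.

Added example, not code from the original post. SAMPLE_ALERTS is constructed: the
messages, SIDs and addresses follow the lab, the timestamps, ports and the optional
Classification field are invented so every branch of the parser is exercised.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_ALERTS = """\
01/15-14:22:31.123456  [**] [1:1000003:1] Remote Desktop Connection Attempt [**] [Priority: 0] {TCP} 192.168.1.3:45122 -> 192.168.1.2:3389
01/15-14:22:40.000001  [**] [1:1000005:1] Possible Nmap ping sweep [**] [Priority: 0] {ICMP} 192.168.1.3 -> 192.168.1.2
01/15-14:23:02.777000  [**] [1:1000006:2] TCP Port Scanning [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.3:51000 -> 192.168.1.2:80
01/15-14:23:02.801000  [**] [1:1000006:2] TCP Port Scanning [**] [Priority: 0] {TCP} 192.168.1.3:51001 -> 192.168.1.2:81
this line is not an alert and must be skipped, not crash the parser
"""

# One regex for the whole line. Classification is optional (rules without a classtype
# omit it) and ICMP alerts carry bare IPv4 addresses with no ":port".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast-alert line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"], priority=int(g["priority"]),
        proto=g["proto"].upper(), src=g["src"], sport=_opt_int(g["sport"]),
        dst=g["dst"], dport=_opt_int(g["dport"]),
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every line of an alert file, silently skipping lines that are not alerts."""
    return [a for a in (parse_line(line) for line in text.splitlines()) if a is not None]


def count_by_rule(alerts: List[Alert]) -> Dict[int, int]:
    """Alerts per SID: the first breakdown an analyst wants from the ids index."""
    return dict(Counter(a.sid for a in alerts))


def ports_probed(alerts: List[Alert], src: str) -> List[int]:
    """Sorted distinct destination ports one source touched; a long list is a scan's footprint."""
    return sorted({a.dport for a in alerts if a.src == src and a.dport is not None})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} sid={a.sid} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg!r}")
    print("alerts per rule:", count_by_rule(parsed))
    print("ports probed by 192.168.1.3:", ports_probed(parsed, "192.168.1.3"))
```

Lines that do not match the pattern are dropped rather than raising, which is the behaviour you want on a live alert file that may contain partial lines while Snort is still writing.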
Let’s go to the Splunk forwarder’s local configuration folder (C:\Program Files\SplunkUniversalForwarder\etc\system\local by default) and configure our outputs.
The outputs.conf file tells the forwarder where to send its data.
If there isn’t an outputs.conf in that folder, create one. Our Splunk server will receive two types of data from this forwarder: Windows Event Logs on port 9997 and Snort alerts on port 6666, so outputs.conf needs a tcpout group for each destination. 9997 is the conventional receiving port for forwarder traffic, but any unused port above 1024 will do, as long as the indexer is actually listening on it.
Create an Input Configuration File
The inputs.conf file defines the data inputs a Splunk instance collects: which files, network ports, message queues or scripted inputs to read, and which index, source and sourcetype to assign to them.
Here we tell the forwarder to monitor the Snort alert file. Create inputs.conf in the same local folder with:
[monitor://C:\Snort\log\alert.ids]
index = ids
source = snort
sourcetype = snort_alert_fast
The receiving side of port 6666 is a splunktcp input. It belongs in the indexer’s inputs.conf on the Ubuntu machine ($SPLUNK_HOME/etc/system/local/inputs.conf), not in the forwarder’s, since the forwarder sends and the indexer listens:
[splunktcp://:6666]
disabled = 0
Once the files are created, restart both the forwarder and the indexer (splunk restart from their bin folders) to apply the settings.
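Here is what the two-destination setup described above looks like in the forwarder’s outputs.conf, together with the routing line that sends only the Snort file to the second port. This is an added configuration example, not the original post’s file: it assumes the Splunk server is 192.168.1.3 (the Ubuntu address noted earlier) and the default Universal Forwarder install path, and the tcpout group names are my own choice.

```ini
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
# Two output groups. Everything goes to the default group (9997) unless an input
# overrides it with _TCP_ROUTING, which is how the Snort file reaches port 6666.
[tcpout]
defaultGroup = splunk_9997

[tcpout:splunk_9997]
server = 192.168.1.3:9997

[tcpout:splunk_6666]
server = 192.168.1.3:6666

# Add this setting to the [monitor://C:\Snort\log\alert.ids] stanza in the
# forwarder's inputs.conf so only the Snort alerts use the second group:
# _TCP_ROUTING = splunk_6666
```

Without _TCP_ROUTING every input follows defaultGroup and the 6666 listener on the indexer sits idle. Both groups here send in the clear, which is acceptable on the host-only lab network; for anything beyond a lab, enable TLS between forwarder and indexer (Splunk supports it on both the tcpout and splunktcp side).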
NMAP COMMANDS
Before we check out our new logs in Splunk; let’s generate logs aside from ICMP alerts. We will execute some popular network recon techniques and practice writing Snort rules for their detection.
For this exercise, we will make use of Nmap. Nmap is by far one of the most popular tools in the world of information security. This popularity can be attributed to many factors. One of which is the fact that it is extremely effective. Nmap was introduced as a port scanner, but it’s far outgrown that title at this point. Nmap is a powerful network discovery and security auditing utility that is free, open-source, and easy to install. Nmap scans for vulnerabilities on your network, performs inventory checks, and monitors host or service uptime, alongside many other useful features. I installed nmap on our Ubuntu system (using sudo apt-get install nmap). This exercise will use it to make a basic Network Discovery.
NMAP PING SCAN
IT pros and cybercriminals alike use tools like Nmap to discover hosts on a network and carry out network reconnaissance. Let’s create a rule that raises an alert when our host receives Nmap ping requests.
From the Ubuntu machine, run sudo nmap -sn -PE --disable-arp-ping 192.168.1.0/24. -sn performs host discovery only (the older -sP spelling still works as an alias), -PE makes Nmap use ICMP Echo requests, and --disable-arp-ping stops it from using ARP instead. Nmap normally prefers ARP when the target is on the same layer-2 network, because an ARP reply is proof enough that the host is up.
Next, we create the Snort rule. A regular ping packet and an Nmap ping packet differ slightly. In a capture the Nmap echo request is 60 bytes (a 42-byte frame padded to the Ethernet minimum) against 74 for a default Windows ping, because Nmap sends the ICMP Echo request with no payload at all while Windows ping carries 32 bytes of data. Snort’s dsize keyword matches on payload size, so dsize:0 singles out the Nmap probe. Open local.rules and add the new rule:
alert icmp any any -> $HOME_NET any (msg:"Possible Nmap ping sweep"; dsize:0; sid:1000005; rev:1;)
Bear in mind that any tool sending empty ICMP echo requests will trigger this rule, and that without an itype:8 option it also matches other ICMP types that carry no payload.
Remote Desktop Protocol (RDP) Scanning
Port scanning involves systematically probing a computer network for open ports, which threat actors can then exploit to gain unauthorized access or to gather information about a system’s weaknesses. Cybercriminals typically conduct reconnaissance on a target port before launching dictionary attacks, trying known usernames and passwords to see if any combination grants access. One of the most common indicators of a compromised IP address is a system scanning for open RDP (Remote Desktop Protocol) ports.
Remote Desktop Protocol is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were sitting behind it, which is what makes it so dangerous in the wrong hands. RDP has been one of the primary attack vectors for ransomware. RDP port scanners sweep the internet and internal networks for hosts with RDP exposed by trying its default port, TCP 3389. They can then try to brute-force their way in, repeatedly entering common username and password combinations to find working RDP credentials. Gaining access through RDP and other network protocols allows attackers to infiltrate systems, deploy malware, and use the compromised hosts as pivots to reach other systems, networks and users.
To monitor this threat on the Windows Server host, we will create a rule that detects TCP traffic to port 3389:
alert tcp any any -> 192.168.1.2 3389 (msg:"Remote Desktop Connection Attempt"; sid:1000003; rev:1;)
As written, this fires on every TCP packet to 3389, legitimate RDP sessions included; adding flags:S; would restrict it to connection attempts (the initial SYN), and using $HOME_NET instead of a hard-coded address keeps the rule valid if the server’s IP changes.
We will use Nmap on the Ubuntu machine to execute an RDP port scan.
sudo nmap -sT 192.168.1.2 -p 3389
The scan reports the port as filtered: a firewall, filter or other network obstacle is dropping the probes, so Nmap cannot tell whether the port is open or closed. Since Ubuntu and the server sit on the same LAN segment and pfSense is not in the path, that is most likely Windows Defender Firewall on the server, which blocks 3389 until Remote Desktop is enabled. Snort still raises its alert, because the capture driver hands it the packet at the NIC level before the host firewall gets to drop it.
NMAP Port Scanning
As seen in the previous section, a port scan is a common technique attackers use to discover open doors or weak points in a network. A port scan helps them find open ports and figure out whether those ports are receiving or sending data. It can also reveal whether an organization uses active security devices such as firewalls.
When an attacker sends a message to a port, the response they receive tells them whether the port is in use and whether any potential weaknesses could be exploited. Businesses can use the same technique on themselves, sending packets to specific ports and analyzing the responses for potential vulnerabilities, using tools like Nmap to ensure their networks and systems are secure. Commonly targeted TCP ports include 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80 (HTTP), 110 (POP3) and 443 (HTTPS). Commonly targeted TCP and UDP ports include 53 (DNS), 137 to 139 (Windows NetBIOS over TCP/IP), and 1433 and 1434 (Microsoft SQL Server).
Cybercriminals probe networks to see how ports react, which tells them about the business’s security level and the systems it deploys. To maintain a strong security posture, security professionals must either prevent port scans or be able to monitor and detect them within their network.
We will use Snort to detect port scanning by alerting when one host makes an unusual number of connection attempts within a short period. For that, we can use Snort’s detection_filter rule option. Bring up local.rules and add the following rule on a new line:
alert tcp any any -> $HOME_NET any (msg:"TCP Port Scanning"; detection_filter:track by_src, count 30, seconds 60; sid:1000006; rev:2;)
The detection filter tracks matches per source address (track by_src) and only lets the rule alert once a source has exceeded 30 matching TCP packets within 60 seconds: the first 30 packets are silent, and the 31st and every later one inside the window produce an alert. Like the RDP rule, it counts every TCP packet, not only new connections, so a busy legitimate client could trip it; flags:S; narrows it to SYNs, and the count and interval should be tuned to your network.
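To see exactly when that threshold fires, here is a small model of the detection_filter bookkeeping run over constructed packet timings that resemble this lab’s nmap scans. It is an added example, not code from the original post and not part of Snort; it does not run Snort, it re-implements the track by_src, count 30, seconds 60 logic so the “count must be exceeded” behaviour and the per-source tracking are visible. The IP addresses are the lab’s, the timings are made up.

```python
"""Model of Snort's detection_filter rate threshold, as used in the 'TCP Port Scanning' rule.

Added example, not code from the original post. It does not run Snort; it re-implements the
'track by_src, count 30, seconds 60' bookkeeping so you can see exactly when the rule fires.
Packet timings below are constructed to resemble the lab's nmap scans.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, source IP)


@dataclass
class _Window:
    start: float  # timestamp of the packet that opened this counting window
    count: int    # matching packets from the source since then


class DetectionFilter:
    """detection_filter: track by_src, count N, seconds M.

    The rule's alert is raised only once ONE source has sent MORE than `count`
    matching packets inside a `seconds`-long window. Snort 2 anchors the window at
    the first matching packet from that source and opens a fresh window (count back
    to 1) when a packet arrives after it has expired; it is not a sliding window.
    """

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        self._by_src: Dict[str, _Window] = {}

    def observe(self, src: str, ts: float) -> bool:
        """Record one matching packet; return True if the rule would alert on it."""
        w = self._by_src.get(src)
        if w is None or ts - w.start > self.seconds:
            w = _Window(start=ts, count=0)
            self._by_src[src] = w
        w.count += 1
        return w.count > self.count


def simulate(packets: List[Packet], count: int = 30, seconds: float = 60.0) -> List[Packet]:
    """Feed packets (in time order) through a fresh filter and return the ones that alert."""
    df = DetectionFilter(count, seconds)
    return [(ts, src) for ts, src in sorted(packets) if df.observe(src, ts)]


def burst(src: str, n: int, start: float = 0.0, gap: float = 0.02) -> List[Packet]:
    """Constructed traffic: n packets from src, `gap` seconds apart (like a quick nmap -sT sweep)."""
    return [(start + i * gap, src) for i in range(n)]


if __name__ == "__main__":
    # nmap -sT -p 1-100 from the Ubuntu box: 100 SYNs in two seconds.
    # The 31st packet trips the threshold, so 70 alerts follow.
    scan = simulate(burst("192.168.1.3", 100))
    print(f"fast scan: {len(scan)} alerts, first at t={scan[0][0]:.2f}s")

    # One RDP attempt every 5 s never exceeds 30 in any 60 s window: no alert.
    print("slow probe:", len(simulate(burst("192.168.1.4", 120, gap=5.0))), "alerts")

    # Exactly 30 packets is NOT enough ('count' must be exceeded); the 31st is.
    thirty = burst("192.168.1.5", 30, gap=0.3)
    print("exactly 30:", len(simulate(thirty)), "alerts;",
          "plus one more:", len(simulate(thirty + [(9.0, "192.168.1.5")])), "alert")

    # track by_src counts each source separately: 40 packets from two hosts never alert.
    two_hosts = burst("10.0.0.1", 20, gap=0.5) + burst("10.0.0.2", 20, gap=0.5)
    print("two sources:", len(simulate(two_hosts)), "alerts")
```

The slow-probe case is the one to remember when tuning: a patient attacker who spaces connection attempts out stays under any fixed count, so a rate rule like this catches noisy scans, not careful ones.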
We will use Nmap on the Ubuntu machine to execute a port scan, we will scan the first 100 ports
sudo nmap -sT 192.168.1.2 -p 1-100
The scan results show that we have two ports open
Below are the Snort rules we created. We have run the nmap scans and also have Snort running
Let’s head over to Splunk and see what we have
Nice! We can see Splunk has the logs.
Great! We have successfully configured the Splunk forwarder to ship Snort’s alert log into Splunk. These are just some basic techniques for recon detection with Snort rules.
Wrapping It Up
This brings us to the end of this homelab. Pat yourself on the back you did it!
In this lab, we installed Windows Server 2019, Ubuntu and pfSense as virtual machines in VMware. The Windows Server runs Active Directory and Snort as an intrusion detection system, and the Ubuntu machine runs Splunk. Both systems reach the internet through the pfSense firewall. We monitored the traffic reaching the Windows Server for potential threats with Snort, and collected the firewall, IDS and Windows event logs in Splunk for analysis and investigation.
Where do you go from here? Once these logs are parsed and normalized, you can start building alerts, reports and dashboards around the data. Understanding how to install and configure a SIEM and then ingest logs from various sources is an important skill for a SOC analyst. This was fun and exciting to work on and I hope you found value in the process.