Lab) Splunk Investigation 4 Solution Flashcards
Lab) Splunk Investigation 4 Solution
To get Splunk ready, we’ll open a Terminal using the icon on the bottom toolbar and enter the following command: sudo systemctl start Splunkd. After a minute we’ll open Firefox and visit 127.0.0.1:8000. Next we’ll click on the ‘Search & Reporting’ app on the left-hand side of the Splunk homepage.
We need to make sure we can see all of the logs as they were generated back in 2020. To do this we’ll click on the timeframe selector on the far right and select OTHER > All time on the right.
Whenever we conduct a search we want to start the query with index="botsv1" to ensure we are loading the right data.
We’re ready to get started with the lab questions!
Q1
Question 1 - Click on Dashboards and go to Splunk Investigation 4. How many Suricata alerts are there, and how many Fortigate alerts are there?
First we’ll click on Search & Reporting App, then Dashboards at the top of the page. At the top of the Splunk Investigation 4 dashboard we can see two panels being used as counters for both Fortigate alerts and Suricata alerts.
Q2
Question 2 - Edit the dashboard and look at the search query for the Fortigate Alerts counter. What is the full query used to generate this number?
To see the search queries that are powering dashboard panels we first need to Edit the dashboard in the top right corner. Then we can click on the magnifying glass icon of a panel, which is the ‘Edit Search’ option.
Q3
Question 3 - What is the full query used to generate the Suricata Alerts counter?
We’ll take the same actions as we did for Q2, and click the magnifying glass icon on the Suricata Alerts counter panel to see the search query behind it.
Q4
Question 4 - Click on the Suricata alert titled ‘Information Leak’ to see the associated events. What is the source IP address, and what is the destination IP address?
We can find this alert category on Line 6 of the Suricata Alerts (Categories) table.
Q4 contd
Looking at the 2 events, we can see the dest_ip and src_ip are shown immediately, giving us our answer. The external IP 40.80.148.42 is connecting to our internal system 192.168.250.70 on port 80 (HTTP).
Q5
Question 5 - What action did Suricata take after observing these events?
Just looking at the events in the screenshot above, we cannot see any fields that would tell us what actions Suricata took, so we’ll click on ‘Show as raw text’ at the bottom of each event to change the displayed format. We can now see a field called ‘action’!
In this case, both events were allowed by Suricata. If this tool is deployed in Network Intrusion Prevention System (NIPS) mode, as opposed to Network Intrusion Detection System (NIDS) mode, then it could take actions to stop malicious connections, such as applying the ‘block’ action to end the connection!
Q6
Question 6 - We know the alert category is ‘Information Leak’, however the specific signature can provide us with more information about this activity. What is the signature shared by both events?
In the below screenshot, we have shown two different ways to view this field within the Suricata logs. This signature is a lot less generic than the category, and can provide context to what is actually happening.
Q7
Question 7 - Based on the logs, combine two fields to understand the full website addresses being accessed by the attacker (Remember, in some logs a “/” character must be escaped by putting a “\” in front of it. You should not reference the “\”)
Looking at the logs we can see two fields that will help us answer this question: hostname and URL. Using these we can see the two targeted full URLs were:
imreallynotbatman.com/phpinfo.php5
imreallynotbatman.com/phpinfo.php
Q8
Question 8 - What HTTP status code is returned to both of these requests, that tells us this attack was not successful?
Looking at the logs we can see a field named ‘status’, where the value is 404 for both events. This tells us that the attacker tried to reach these URLs, but there is nothing there (Error 404, Not Found).
Q9
Question 9 - Return to the Dashboard and click on the Suricata alert titled ‘A Network Trojan was detected’ to load this search. Modify the search query to show count of every signature field within this alert category. How many unique suricata signatures are present?
Looking at the Suricata Security Alerts (Categories) table we can see the category we want on line 3.
We’re being asked to identify how many signatures are found within this category of alerts. To do this we’ll add the following to our search query to get the count of signature values: | stats count by signature. Looking at the Statistics title, we can see there are 12 unique signatures that have been observed within logs for this category.
Q10
Question 10 - Search manually through Suricata logs where the HTTP status code is 200, then perform a count of each signature field to find two signatures that reference a vulnerability CVE identifier. Search this CVE on the National Vulnerability Database - what is the CVSS Version 3 Score?
Okay - there’s a lot to do in this question, so let’s go step by step. Firstly we’ll build our brand new search query for Suricata logs, specifically alert logs, where the status code is 200. The query will look like this: index="botsv1" sourcetype=suricata event_type=alert status=200.
Q10 contd
Great, next we need to get the count of values in the signature field. We’ll add the following to our search: | stats count by signature.
Q10 contd
Great, we’ve found the reference to a Common Vulnerabilities and Exposures identifier, used as an identification method for vulnerabilities. Next we’re asked to find the score of this vulnerability, so we’ll search for it on Google using the search “CVE-2014-6271 national vulnerability database”.
Q11
Question 11 - On the Fortigate Security Alerts dashboard table click on ‘MS.Windows.CMD.Reverse.Shell’. Identify the internal IP within this event, and use your SIEM skills to identify the name of this system.
We can find the associated Fortigate alert category on the final row (13) of the dashboard table.
Q11 contd
Clicking on the row will take us to a single Fortigate_UTM log. We can see that the internal IP address is in the ‘dstip’ field, and is 192.168.250.70. Because this log is from a Firewall, Fortigate has no idea what the hostname is for this system, so we’ll need to use a different log source to find this.
Q11 contd
Let’s be smart about this: the alert is about abuse of the Microsoft Windows Command Prompt. It is possible that the internal system is running Windows, and should have Sysmon logs enabled (xmlwineventlog). Let’s change our search query to look at that sourcetype and free-search the IP (without declaring a field name, as we don’t know what format it will be).
Q12
Question 12 - Go back to the Fortigate Security Events table and click on ‘Apache.Roller.OGNL.Injection.Remote.Code.Execution’. Find the reference field in the log and open the URL on your host machine. What is the Affected Products text, and the CVE identifier?
We can find the relevant Fortigate alert category on the 10th row of the dashboard table.
Q12 contd
Looking at the event we can see there is a field titled ‘ref’ which contains a URL.
Q12 contd
Unfortunately, when trying to visit the URL, we get redirected to FortiGuard’s homepage. In the top right we can see there is a search bar, and clicking on it offers us the ability to change it to an ‘ID Lookup’ search. Let’s try that with our VID number!
Q12 contd
Next we want to click on the right search result, based on the name of the category we saw in Splunk:
Q12 contd
Here we can find all the information we need!
Q13
Question 13 - On the dashboard consider the Fortigate category with the highest number of events. Try to find the version of the scanning tool being used, looking at Fortigate logs then Suricata logs.
We can clearly see from the Fortigate alert table that ‘Acunetix.Web.Vulnerability.Scanner’ is the attack type with the most events generated. Let’s see if we can identify what version of this tool is being used!
Q13 contd
Looking at the logs, there’s nothing immediately obvious that tells us the version of this tool. There is a reference field so it’s worth seeing if this will tell us the version.
Q13 contd
However after searching it online, it doesn’t give us any version information.
Q13 contd
As we can’t find anything helpful in the Fortigate logs, let’s pivot to the Suricata logs instead. To do this we’ll change our sourcetype to Suricata and free-search for ‘Acunetix’ as this is the name of the scanner.
Q14
Question 14 - Investigate Suricata ‘alert’ logs to understand how they present the severity of the alert. Create a search query that gets the count of events based on each severity rating. When you have a working query click on ‘Save As > Existing Dashboard’ and select the Splunk Investigation 4 dashboard. Edit the dashboard and click on ‘Select visualization’ on the panel you just added to change it to a pie chart (feel free to add an appropriate title!). Hover your mouse over the ‘High’ section of the pie chart, what is the count%?
We’re told we need to look at Suricata alert logs, so we’ll perform our first search using: index="botsv1" sourcetype=suricata event_type=alert.
Q14 contd
Now that we know the severity field is called alert.severity, we could perform a stats count for each severity. Interestingly, there is another field called ‘severity’ that is using low, high, medium ratings, which is easier for us to understand than numbers, so we’ll use this instead.
Q14 contd
Now that our search works, let’s save it to our Splunk Investigation 4 dashboard using the ‘Save As’ button.
Q14 contd
We now see the search at the bottom of our dashboard, however by default it is in the Table visualisation, and we want to change this to a Pie Chart. We’ll click ‘Edit’ in the top right of the dashboard then click on the ‘Select Visualization’ button of our new panel.
Q14 contd
Next we’ll select Pie Chart from the list.
Q14 contd
And we’ll see that the graphic has been updated! We’re going to set a sub-title (2nd title field) as “Suricata Alert Severity”. We can now click ‘Save’ in the top right of the dashboard.
Hovering over the High section of the chart shows us the count% value we need to answer the question.
Q15
Question 15 - Complete the same steps above but for Fortigate_UTM logs, creating a pie chart based on severity. If you want to keep things neat, you can drag your new pie chart next to your Suricata one! What is the count% of critical alerts?
First we need to understand the field name that holds the severity rating for these logs. We’ll perform a generic search for fortigate_utm alert logs, and quickly find a field called ‘severity’ - perfect! Let’s create a search to get the counts per severity value.
Q15 contd
Now we’ll save it to our dashboard and convert it to a Pie Chart, same as before.
While editing the dashboard, we can click on the dotted (::::::::::::::) border of a panel to drag it around and reposition it. Let’s drag our second Pie Chart (fortigate_utm severity) next to our first Pie Chart, and save the dashboard.
Hovering over the Critical section of the chart (or the critical text itself, which is easier!) shows us the count% value we need to answer the question.