Posts

Snort on Splunk

Snort configuration on Splunk

Snort may be installed on a different server than Splunk, but Splunk needs access to the MySQL database that stores the Snort events. In our case, we have a dedicated Snort server with a Splunk heavy forwarder installed to send the events to the indexer, and the Splunk DB Connect app is installed on the heavy forwarder.

Configure Snort 2.9.9.x, Barnyard2, PulledPork and BASE as described in https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf. That document describes the installation in full detail for both Ubuntu 14 and 16.

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic (https://github.com/firnsy/barnyard2). Barnyard2 also stores

Configure rsyslog to create logs for each device in their own folders

Configuring rsyslog to split the logs by device IP and rotate the logs on a daily basis

The following steps apply to a new installation of Ubuntu 16 with the default rsyslog settings.

1. Modify the rsyslog configuration file, /etc/rsyslog.conf, and uncomment the settings for the UDP listener:

    # provides UDP syslog reception
    module(load="imudp")
    input(type="imudp" port="514")

   This instructs rsyslog to listen on UDP/514 for syslog messages. Adjust these accordingly for other ports or if TCP is needed (see the "# provides TCP syslog reception" setting).

2. At the end of the file, after the line:

    $IncludeConfig /etc/rsyslog.d/*.conf

   add:

    $template DailyPerHost,"/var/log/syslog_devices/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
    *.* -?DailyPerHost

These settings create an individual log for each logging device under the /var/log/syslog_devices folder, and the logs are rotated on a daily basis. For example, a device with hostname

Useful links for common Ubuntu questions

Useful answers for common Ubuntu questions

There are quite a few questions that come up (at least for me) every time I install a new Ubuntu server. Unless you are a "Linux guy", you tend to forget how a specific task was done. Here are some of them:

Question: When using a terminal window in a Linux graphical interface, you may find that the familiar Tab key used to auto-complete a command now switches to the next open application, like in Windows. So, how do you enable auto-complete in the Ubuntu graphical interface terminal?

Answer: Open Application Menu > Settings > Window Manager. Click on the Keyboard tab. Clear the "Switch window for same application" setting. Source: https://askubuntu.com/questions/545540/terminal-autocomplete-doesnt-work-properly/545578

Also, the Ctrl-Alt-D shortcut can be used to "show the desktop".

Question: How do you verify and install the latest updates in Ubuntu?

Answer: In a terminal enter the following c

How to run a Linux graphical application as root

The gksu utility can be used to launch a graphical application with root (su) privileges. gksu is not installed by default, but it can be easily installed using the following command in a terminal (Ubuntu example):

    sudo apt-get install gksu

Once gksu is installed, start the graphical application using the following command:

    gksu application_name

Examples:

    gksu firefox   - Starts the Firefox browser
    gksu thunar    - Starts the Ubuntu file manager
    gksu gedit     - Starts a text editor

Install Splunk on Ubuntu

Splunk offers installation instructions for Debian, Red Hat and a generic tar file installation. There are no specific instructions for Ubuntu. Here is a quick way to install Splunk on Ubuntu 14:

1. Download the Debian (.deb) package that matches your version of Ubuntu (32-bit or 64-bit). If you cannot tell exactly what version of Ubuntu you have, use the following command to get the information:

    uname -a

   The output should be something similar to:

    Linux UBUNTU02 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

   x86_64 indicates a 64-bit version.

   If the upgrade is done from a terminal, you can get the right wget download link from Splunk (follow the instructions for downloading a Linux version). It should look something like this:

    wget -O splunk-7.2.5.1-962d9a8e1586-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.5.1&product=splunk&filename=

How to access Ubuntu's graphical interface from Windows

Telnet and SSH give most users just enough access to manage an Ubuntu server remotely from a Windows computer. If, however, you wish to access its graphical interface, you can install xRDP and its dependencies and log in remotely using an RDP client. To install xRDP, follow these steps (from a terminal window on the Ubuntu machine):

1. Install xRDP:

    sudo apt-get update
    sudo apt-get install xrdp

2. Install XFCE4:

    sudo apt-get install xfce4

3. Configure the .xsession file in the user's home folder:

    echo xfce4-session >~/.xsession

4. Modify the xRDP startup file to include XFCE4:

    sudo nano /etc/xrdp/startwm.sh

   Add the following command to the end of the startup file:

    startxfce4

5. Save and restart the xRDP service:

    sudo service xrdp restart

6. If needed, add the corresponding firewall rule:

    sudo ufw allow 3389

7. Connect to the remote Ubuntu machine using any RDP client (using the standard RDP port, TCP/3389).