1
00:00:06,140 --> 00:00:13,830
All right, so in the last lecture, we set up OPNsense and now we're going to instrument OPNsense,

2
00:00:14,220 --> 00:00:21,600
so we need to ship our logs into it so that we can look at alerts, look at the rhetoric and monitor

3
00:00:21,600 --> 00:00:25,560
our tax time and learn and find ways to respond and adapt.

4
00:00:26,010 --> 00:00:30,690
So what we're going to do is we're going to go to Splunk: you go to splunk.com and you go to Products,

5
00:00:31,530 --> 00:00:37,800
you scroll down to Free Trials and Downloads, and that takes you here.

6
00:00:38,220 --> 00:00:41,530
And you just go down to the bottom and you click on the Universal Forwarder.

7
00:00:41,530 --> 00:00:45,370
You click Download Now and then it's going to ask you to log in.

8
00:00:46,350 --> 00:00:48,360
Well, you need to log in with your credentials, which are free.

9
00:00:48,360 --> 00:00:51,000
If you don't have them, just click Free Splunk and create an account.

10
00:00:51,340 --> 00:00:54,570
And when you get to this page, we're going to go over to FreeBSD,

11
00:00:55,140 --> 00:00:59,700
because that's what OPNsense uses, and we're going to download the .txz file.

12
00:01:00,000 --> 00:01:01,170
So we click Download Now.

13
00:01:03,020 --> 00:01:08,900
And then we can copy this command, so we can click here and we can pull this down from the appliance.

14
00:01:10,160 --> 00:01:10,420
Right.

15
00:01:10,480 --> 00:01:14,870
Let's flip over to the appliance, or we can do it here, as we open up the command line and we can, as

16
00:01:14,870 --> 00:01:18,710
I say, SSH in as root, 10.100.0.1.

17
00:01:22,760 --> 00:01:30,470
Right, well, press 8 to go into the shell, right, and then we should just be able to right-click

18
00:01:30,470 --> 00:01:32,980
to paste this in. Just right-click

19
00:01:32,990 --> 00:01:34,040
inside the window, press Enter.

20
00:01:34,040 --> 00:01:36,100
Press Enter. We're getting that out.
21
00:01:36,320 --> 00:01:37,430
That's interesting and good.

22
00:01:37,700 --> 00:01:39,620
That means that OPNsense is hardened by default.

23
00:01:39,620 --> 00:01:39,890
Right.

24
00:01:39,890 --> 00:01:45,890
Because a lot of times attackers will use tools on the victim workstation, such as wget and curl,

25
00:01:45,900 --> 00:01:51,350
to copy over their attack tools from the attacker machine onto the victim host.

26
00:01:51,800 --> 00:01:58,220
And so by removing wget and curl and similar tools, you are essentially making it more difficult for

27
00:01:58,220 --> 00:02:01,480
an attacker to compromise your appliance.

28
00:02:02,290 --> 00:02:05,300
So I'm happy to see that OPNsense has it disabled by default.

29
00:02:05,300 --> 00:02:10,490
But what we're going to do is we're going to install a package: pkg install wget.

30
00:02:13,330 --> 00:02:19,000
All right, yes, we want to install it. Very good. Now we can press up twice and it should work, and

31
00:02:19,000 --> 00:02:19,420
it does.

32
00:02:19,420 --> 00:02:19,870
Beautiful.

33
00:02:21,000 --> 00:02:25,890
All right, now that we've got that in our root directory (this is the directory for the user root,

34
00:02:27,060 --> 00:02:31,980
not slash, which is the root of the file system; if you need to know the difference, you can look

35
00:02:31,980 --> 00:02:37,290
at my Learn Linux Fast course, which goes into the details of the differences between root and root.

36
00:02:37,500 --> 00:02:41,490
I know it sounds ambiguous and it kind of is, but it's not that complicated).

37
00:02:41,820 --> 00:02:42,110
All right.

38
00:02:42,120 --> 00:02:47,090
So now that we've got this downloaded right here, you can see I can run file against it.

39
00:02:47,580 --> 00:02:49,200
So it's XZ compressed data.

40
00:02:50,280 --> 00:02:51,200
So what do I want to do?

41
00:02:51,210 --> 00:02:59,610
I want to extract it. To extract the .txz file, tab to complete.
42
00:03:00,630 --> 00:03:02,370
And where is it going?

43
00:03:03,240 --> 00:03:06,480
It's going into the root directory.

44
00:03:09,190 --> 00:03:17,860
So now I can go into opt, yes, and it's there, so I should be able to go into the Splunk bin and from

45
00:03:17,860 --> 00:03:19,180
here we can run the executable.

46
00:03:19,540 --> 00:03:26,930
So I'll type splunk start --accept-license, test for that.

47
00:03:26,950 --> 00:03:27,160
Right.

48
00:03:27,460 --> 00:03:31,030
I think I did just like to license.

49
00:03:32,290 --> 00:03:32,590
All right.

50
00:03:32,610 --> 00:03:34,260
My administrator username will be admin.

51
00:03:34,270 --> 00:03:38,770
This is for the universal forwarder. Type in a default password.

52
00:03:39,360 --> 00:03:40,750
It's relatively weak.

53
00:03:41,800 --> 00:03:43,390
Would you like to change the ports?

54
00:03:43,780 --> 00:03:45,950
No, I would not.

55
00:03:45,970 --> 00:03:47,020
Port is already bound,

56
00:03:48,740 --> 00:03:56,420
8089, so it's netstat -an | grep 8089,

57
00:03:59,230 --> 00:03:59,570
that's that.

58
00:04:01,010 --> 00:04:01,520
It is.

59
00:04:04,580 --> 00:04:07,280
All right, grep 8089.

60
00:04:08,810 --> 00:04:09,770
Not showing there.

61
00:04:20,960 --> 00:04:21,980
So I found it here.

62
00:04:24,220 --> 00:04:26,740
And let's see if we can kill this process PID,

63
00:04:29,360 --> 00:04:30,830
76329.

64
00:04:35,800 --> 00:04:43,090
Now, will it work as both? accept-license, wrong, too, accept-license?

65
00:04:46,620 --> 00:04:48,840
All right, it looks like

66
00:04:51,960 --> 00:04:54,510
it kind of worked. Did it? Done?

67
00:04:57,470 --> 00:04:59,460
So it's still talking about something, but it still completed.

68
00:04:59,480 --> 00:05:00,320
I don't know what's up there.

69
00:05:00,940 --> 00:05:02,450
All right, so we got past that part.
70
00:05:02,660 --> 00:05:12,420
Let's go ahead and set Splunk to start on boot: enable boot-start. Get access to Ask.com.

71
00:05:12,860 --> 00:05:14,690
No such file or directory.

72
00:05:15,380 --> 00:05:16,460
OK, I'll make it.

73
00:05:18,390 --> 00:05:20,030
And then you have to be a little creative.

74
00:05:21,470 --> 00:05:22,220
Now let's try it.

75
00:05:25,280 --> 00:05:26,550
Yeah, it looks like it did it.

76
00:05:27,950 --> 00:05:33,490
I don't understand Linux and Splunk sometimes, but we got around that, so now we can look in that file.

77
00:05:36,050 --> 00:05:38,360
It should say, like, "Splunk started" here.

78
00:05:39,210 --> 00:05:40,670
Oh, see,

79
00:05:43,400 --> 00:05:44,660
there's a lot of text in here.

80
00:05:50,960 --> 00:05:51,590
Yeah.

81
00:05:52,190 --> 00:05:52,670
So.

82
00:05:53,570 --> 00:05:58,940
Yes, OK, so "generated by splunk enable boot-start", so we are good there. And if you're wondering

83
00:05:58,940 --> 00:06:03,230
how I'm doing all this great magic and all that stuff, don't worry, that's in my Linux

84
00:06:03,500 --> 00:06:04,760
course, Learn Linux Fast.

85
00:06:04,770 --> 00:06:05,820
So I'm not going to get into all that.

86
00:06:05,840 --> 00:06:10,010
This course is complicated enough for me to teach you the ground basics of Linux, right.

87
00:06:10,050 --> 00:06:11,000
So check out that course

88
00:06:11,000 --> 00:06:17,480
if you want to go deep with Linux itself. Right, now that we've got that, let's clear the screen and

89
00:06:17,750 --> 00:06:21,050
let's see, what should we do next with the forwarder?

90
00:06:21,880 --> 00:06:34,820
So splunk add forward-server 10.100.0.99:9997. 9997 is the default port, and the

91
00:06:34,820 --> 00:06:38,900
credentials we'll set up, for me at least, quadripartite password.

92
00:06:39,050 --> 00:06:41,120
What do you think should be wired?
93
00:06:42,020 --> 00:06:44,720
This all makes sense in later lessons when we set up Splunk.

94
00:06:47,960 --> 00:06:48,800
All right, what's this thing?

95
00:06:49,040 --> 00:06:55,770
Oh, you know what, it timed out because it couldn't actually make the HTTP request to the server.

96
00:06:55,790 --> 00:07:00,580
I think that's why it's valid, because it's like, you know, trying to ping an address.

97
00:07:01,280 --> 00:07:02,090
It doesn't exist.

98
00:07:02,960 --> 00:07:05,690
So we might not be able to go all the way forward with this.

99
00:07:05,690 --> 00:07:09,710
What we'll do is we'll leave off here for the limitation and then we'll pick up the rest of this

100
00:07:10,280 --> 00:07:16,250
once we actually get our indexers up. So in the next lecture, we're going to move into setting up our

101
00:07:16,250 --> 00:07:18,320
Juice Shop virtual machine.

102
00:07:18,410 --> 00:07:19,860
This is our vulnerable web app.

103
00:07:20,270 --> 00:07:23,060
And then after we get that set up, we'll put Splunk on it.

104
00:07:23,240 --> 00:07:27,330
Then we will set up our Splunk indexer and everything will come together as one big piece.

105
00:07:27,350 --> 00:07:30,470
OK, so I'll see you guys in the next lecture. Bye.