1
00:00:09,100 --> 00:00:13,650
Right, in the last lecture, we got this Hirakata stuff set up, which was really, really fun.

2
00:00:14,160 --> 00:00:15,320
Hopefully you're all caught up.

3
00:00:15,730 --> 00:00:16,520
You have any questions?

4
00:00:16,530 --> 00:00:17,210
Just leave a comment.

5
00:00:17,220 --> 00:00:17,790
Reach out to me.

6
00:00:17,790 --> 00:00:21,630
You know, I'll do the best I can to help you get to where you need to be with the cyber range.

7
00:00:22,050 --> 00:00:24,330
But now we're going to set up shop.

8
00:00:24,760 --> 00:00:27,570
I'm going to make sure that the Juice Shop logs are being shipped into Splunk.

9
00:00:27,900 --> 00:00:34,730
So the first thing we need to do is, as I say, it's due to shop blocking its route

10
00:00:40,530 --> 00:00:41,880
control.

11
00:00:43,140 --> 00:00:44,760
Then maybe we need to organise to use.

12
00:00:51,800 --> 00:00:52,400
There you go.

13
00:00:53,000 --> 00:00:57,190
All right, so we're logged in here, and let's edit the config file.

14
00:00:58,400 --> 00:01:00,230
So we're going to go to the Splunk forwarder directory.

15
00:01:00,730 --> 00:01:02,310
That's the system.

16
00:01:03,000 --> 00:01:12,440
The local inputs.conf. We're going to create this file.

17
00:01:13,250 --> 00:01:14,420
I'm going to tell it what to monitor.

18
00:01:14,710 --> 00:01:23,840
So we'll put monitor in brackets, colon, woak for that model, e-mail, everything in this directory we

19
00:01:23,840 --> 00:01:28,070
want to monitor. Host equals juice.

20
00:01:29,240 --> 00:01:36,020
Source type equals juice shop, index equals network, scape shivs.

21
00:01:36,020 --> 00:01:36,440
Easy.

22
00:01:38,090 --> 00:01:44,940
And let's just make sure it looks the way we expect; we got that leading forward slash, all right?

23
00:01:44,960 --> 00:01:45,590
It does.

24
00:01:46,270 --> 00:01:52,250
Now, we can just commit those changes by restarting the forwarder, and we're going to say restart.
25
00:01:54,430 --> 00:01:59,020
All right, that's good, but we need to make sure everything's still good, so if we look at the images,

26
00:01:59,350 --> 00:02:00,910
you can see we've got our juice image.

27
00:02:01,870 --> 00:02:03,340
You look at Docker.

28
00:02:03,890 --> 00:02:05,710
Yes, nothing's running.

29
00:02:05,740 --> 00:02:05,980
Right.

30
00:02:05,980 --> 00:02:08,730
So right now, if we try to go to juice, nothing's going to happen.

31
00:02:08,740 --> 00:02:12,120
The application is not running, and we look at all the processes.

32
00:02:12,130 --> 00:02:12,810
There's nothing here.

33
00:02:13,120 --> 00:02:14,700
So we need to actually pull it down.

34
00:02:15,010 --> 00:02:20,920
That's what we're going to do, is we're going to run sudo docker run privileged.

35
00:02:21,250 --> 00:02:28,360
OK, this means that the container has privileged, that is, elevated access to our host, in this case,

36
00:02:28,690 --> 00:02:32,140
the juice lutetium, which is bad, obviously.

37
00:02:32,470 --> 00:02:33,460
But this is our lab.

38
00:02:33,460 --> 00:02:36,130
We want to make things intentionally vulnerable so we can break and learn.

39
00:02:36,790 --> 00:02:41,410
We're going to put it in daemon mode, and we're going to use the UID

40
00:02:44,260 --> 00:02:44,980
for the folder.

41
00:02:45,310 --> 00:02:50,050
And, everybody, these are the volumes we're going about.

42
00:02:50,050 --> 00:02:54,280
So we're going to set up a persistent volume mounted from our host.

43
00:02:54,880 --> 00:03:04,450
That is, our going to the to the shop logs.

44
00:03:05,470 --> 00:03:10,270
The Juice Shop logs directory inside the container; we'll name the container juice container.

45
00:03:10,510 --> 00:03:12,340
If you don't do this, it'll come up with a random name.

46
00:03:13,060 --> 00:03:16,780
And I don't like randomness right now.
47
00:03:16,930 --> 00:03:20,950
If it doesn't have to be random, we shouldn't let it be random, and then we'll just put everything in

48
00:03:20,950 --> 00:03:23,740
place, press enter; that hash means it should be running.

49
00:03:25,270 --> 00:03:27,310
Docker ps to see the running containers.

50
00:03:28,150 --> 00:03:29,380
It's running, very nice.

51
00:03:30,040 --> 00:03:35,170
You can see that it's mapping, the binding to all IPs on the host, port

52
00:03:35,170 --> 00:03:37,990
three thousand, and it's mapping that to port three thousand inside the container.

53
00:03:38,590 --> 00:03:41,320
As we're showing you here, it's hard just like this.

54
00:03:41,680 --> 00:03:42,550
That's what I'm showing you here.

55
00:03:43,000 --> 00:03:46,960
And this is the name of our container, juice container, right now.

56
00:03:47,320 --> 00:03:50,290
Let's restart the forwarder again.

57
00:03:53,970 --> 00:03:58,650
And if we look at the of the e-mail directory, you can see there is a log in there, right.

58
00:03:59,850 --> 00:04:03,330
And a timestamp is showing, let's see, 15:22.

59
00:04:04,110 --> 00:04:12,510
If we go into the Docker container, docker exec interactive terminal, which is container, giving shell,

60
00:04:14,760 --> 00:04:22,170
juice shop logs, can actually tail.

61
00:04:24,290 --> 00:04:29,270
And so we've got these, so both of these directories, from the container to the host, are synchronized.

62
00:04:29,510 --> 00:04:37,370
Exit the container, and let's generate some more logs, so we go here; should be able to type in the address.

63
00:04:41,990 --> 00:04:47,060
So any GET request against that webapp should write to this log here.

64
00:04:47,420 --> 00:04:49,880
I guess we could have had tail rolling the whole time.

65
00:04:51,270 --> 00:04:55,320
So something really fun you can do is you can type watch.
66
00:04:58,740 --> 00:05:08,010
It's like, I type like watch, interval, I see this works, that I can do tail

67
00:05:10,620 --> 00:05:11,190
like this.

68
00:05:13,310 --> 00:05:16,600
Right, and then when I refresh, you should see that, like, update.

69
00:05:18,390 --> 00:05:18,850
There we go.

70
00:05:18,880 --> 00:05:19,890
See, I just updated that.

71
00:05:20,240 --> 00:05:22,380
Now we're seeing the requests coming in real time in the log.

72
00:05:23,320 --> 00:05:26,020
So pretty cool. Thanksgiving, if you don't know it now, you know it.

73
00:05:26,260 --> 00:05:28,290
All right, watch now.

74
00:05:28,390 --> 00:05:33,190
Speaking of watch, let's watch the logs and see if it was correctly ingested.

75
00:05:34,330 --> 00:05:39,130
So I'm going to flip over to the Splunk Enterprise logo, and I'm going to go into the Search and Reporting

76
00:05:39,130 --> 00:05:39,370
app.

77
00:05:42,780 --> 00:05:43,950
Search and Reporting.

78
00:05:45,350 --> 00:05:47,850
You guys remember the index and source type we created?

79
00:05:48,770 --> 00:05:50,630
You're about to pop that in now.

80
00:05:52,060 --> 00:05:59,080
Index equals network, source type equals juice shop.

81
00:05:59,980 --> 00:06:00,850
Do we have logs?

82
00:06:02,580 --> 00:06:03,060
Nothing.

83
00:06:06,310 --> 00:06:08,540
It's the Coast Eagles shop.

84
00:06:11,540 --> 00:06:14,230
Let's see if we can figure out what is wrong.

85
00:06:15,910 --> 00:06:22,120
So I'm going to go back, and I want to look at the data summary to see if we see the juice host here,

86
00:06:23,260 --> 00:06:24,850
because if we do, we know the lines are getting here.

87
00:06:26,200 --> 00:06:26,950
We do see juice.

88
00:06:28,650 --> 00:06:29,250
So let's click that.

89
00:06:32,640 --> 00:06:33,600
I think juice.

90
00:06:34,850 --> 00:06:35,750
What was the source type?

91
00:06:37,570 --> 00:06:40,260
Access too small; access, too small.
92
00:06:40,750 --> 00:06:45,320
OK, so maybe that's why we weren't seeing it, because we were using the wrong source type.

93
00:06:46,210 --> 00:06:47,890
Why is the access log too small?

94
00:06:49,750 --> 00:06:51,130
What is the index?

95
00:06:53,820 --> 00:06:57,420
Index is main, so getting here, it's just not using

96
00:06:58,540 --> 00:07:04,860
the stuff that we put in for this source type and index; let me quit this for a second.

97
00:07:09,380 --> 00:07:12,590
Let's press, let's see, being four for seven.

98
00:07:14,370 --> 00:07:16,840
That looks right, host is juice.

99
00:07:17,640 --> 00:07:18,330
OK, so.

100
00:07:19,480 --> 00:07:24,070
You know, I don't, it's like it's using, it's like it's using a different inputs file.

101
00:07:25,340 --> 00:07:37,750
And not the one that we're specifying here, so we could check that. Colin, cute thing to find out Root, and

102
00:07:37,820 --> 00:07:43,990
let's just do a search for, like, inputs.conf, type is a file, and let's send all the errors to dev null.

103
00:07:44,000 --> 00:07:45,890
No, if you have any.

104
00:07:46,460 --> 00:07:53,180
So there's a bunch of inputs.confs, and we probably want to search any of these for, I guess we could

105
00:07:53,180 --> 00:07:58,230
cat them out, so we can say exec

106
00:08:01,280 --> 00:08:10,460
grep. What will we look for? Sipah, index equals network, out there.

107
00:08:13,870 --> 00:08:16,720
Why isn't it catting out the files?

108
00:08:19,000 --> 00:08:21,660
Because I need that space between the plus and the brace.

109
00:08:22,150 --> 00:08:23,740
OK, go back here.

110
00:08:24,700 --> 00:08:25,480
Put the space in.

111
00:08:26,670 --> 00:08:30,720
And we're seeing that in that one file that we created, with nowhere else, so here I'm saying there's

112
00:08:30,720 --> 00:08:33,960
a host equal to juice, so can we just look for that?

113
00:08:37,190 --> 00:08:40,700
Host equal to juice, see potentially what file that's coming from.
114
00:08:42,030 --> 00:08:47,700
So there is no other file overwriting; this looks like this is the only file, and it has the word juice

115
00:08:47,700 --> 00:08:51,110
and juice shop, so I don't know where it's getting this stuff from.

116
00:08:51,120 --> 00:08:52,920
But anyway, we got it to work.

117
00:08:53,070 --> 00:08:54,160
OK, it's not working completely.

118
00:08:54,180 --> 00:08:55,440
Maybe we'll come back and troubleshoot that.

119
00:08:55,680 --> 00:08:58,610
But at this point, you know, we got to a point where we do have our logs here.

120
00:08:58,890 --> 00:09:03,210
Now, you do notice that it's not being parsed the way you want it to be, and that's because

121
00:09:04,250 --> 00:09:10,040
Juice Shop doesn't have a, right, there's no Splunk app for Juice Shop, so we're going to have to manually

122
00:09:10,040 --> 00:09:10,880
parse these logs.

123
00:09:11,600 --> 00:09:13,270
But the point is we have the logs here.

124
00:09:13,640 --> 00:09:17,480
So, you know, we'll be able to look at our attacks and adapt.

125
00:09:18,630 --> 00:09:23,430
All right, so in the next lecture, we are going to finish installing some of the apps that we need,

126
00:09:23,780 --> 00:09:26,460
and then we should be done with this campus party.

127
00:09:26,460 --> 00:09:27,620
Got it. Bye.