{"id":591,"date":"2023-10-01T01:23:47","date_gmt":"2023-10-01T01:23:47","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=591"},"modified":"2026-04-19T17:06:31","modified_gmt":"2026-04-19T17:06:31","slug":"enhanced-logging-and-intrusion-detection-deploying-splunk-sysmon-and-snort","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=591","title":{"rendered":"Enhanced Logging and Intrusion Detection: Deploying Splunk, Sysmon and Snort"},"content":{"rendered":"\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns has-zeever-bgsoft-background-color has-background is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\" id=\"splunkdeployment\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns has-zeever-bgsoft-background-color has-background is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Splunk Deployment<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color 
has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Deploying Splunk Enterprise<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-1 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Prerequisite Labs<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\"><a href=\"https:\/\/victorcoil.tech\/?page_id=248\" target=\"_blank\" rel=\"noopener\" title=\"\">Active Directory<\/a><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-3 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Lab Brief Summary<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\">This lab will cover the deployment of Splunk Enterprise and Universal Forwarders onto an Active 
Directory environment for centralized logging. Enhanced logging will be done using Sysmon, and the lab also covers the deployment, configuration, and integration of the IDS tool Snort into Splunk.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-5 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Splunk Free Trial Download<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.splunk.com\/en_us\/download.html\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.splunk.com\/en_us\/download.html<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>To get started, we need to download Splunk Enterprise and the Universal Forwarder.<\/p>\n\n\n\n<p>We can open our browser inside Client1 and search for \u201cSplunk,\u201d or copy the download link above and paste it into the browser in the VM, then click Downloads.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"679\" height=\"540\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC1.png\" alt=\"\" class=\"wp-image-594\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC1.png 679w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC1-300x239.png 300w\" sizes=\"(max-width: 679px) 100vw, 679px\" \/><\/figure>\n\n\n\n<p>We will be deploying Splunk Enterprise on Client1, which is where our logs will be centralized. 
Click on \u201cGet My Free Trial\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"623\" height=\"639\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC2.png\" alt=\"\" class=\"wp-image-595\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC2.png 623w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC2-292x300.png 292w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><\/figure>\n\n\n\n<p>After clicking the button, fill in the information, then click the button to create an account and move on.<\/p>\n\n\n\n<p>Then, for this case, we\u2019re using Windows 10, so just click on Download Now on the 64-bit Windows version.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"1001\" height=\"368\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC3.png\" alt=\"\" class=\"wp-image-596\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC3.png 1001w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC3-300x110.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC3-768x282.png 768w\" sizes=\"(max-width: 1001px) 100vw, 1001px\" \/><\/figure>\n\n\n\n<p>Once downloaded, the installer will open up automatically. 
The Browser window might get in the way, so keep an eye on the taskbar.<\/p>\n\n\n\n<p>Accept the License Agreement on the installer box and click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"509\" height=\"476\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC4.png\" alt=\"\" class=\"wp-image-597\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC4.png 509w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC4-300x281.png 300w\" sizes=\"(max-width: 509px) 100vw, 509px\" \/><\/figure>\n\n\n\n<p>After hitting next, you\u2019ll be asked to create some credentials for the Splunk administrator account. For this lab, I\u2019ll use credentials that are easy to remember.<\/p>\n\n\n\n<p>After that, click next, then click install.<\/p>\n\n\n\n<p>If the User Account Control panel pops up, enter a Domain Administrator\u2019s credentials to allow changes.<\/p>\n\n\n\n<p>After giving it some time, Splunk Enterprise should be successfully installed. Click on &#8220;finish&#8221; on the Setup window.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"495\" height=\"386\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC5.png\" alt=\"\" class=\"wp-image-598\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC5.png 495w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC5-300x234.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/figure>\n\n\n\n<p>You can access the Splunk Web interface using&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/127.0.0.1:8000\">http:\/\/127.0.0.1:8000<\/a><\/p>\n\n\n\n<p>Or<\/p>\n\n\n\n<p><a href=\"http:\/\/localhost:8000\">http:\/\/localhost:8000<\/a><\/p>\n\n\n\n<p>Then you\u2019ll be greeted with the login page. 
Use the credentials you created during the setup.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"637\" height=\"497\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC6.png\" alt=\"\" class=\"wp-image-599\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC6.png 637w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC6-300x234.png 300w\" sizes=\"(max-width: 637px) 100vw, 637px\" \/><\/figure>\n\n\n\n<p>Once logged in, you\u2019ll be greeted with the Splunk Dashboard. Navigate to Settings at the top of the page. Then click on \u201cForwarding and receiving\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC7-1024x535.png\" alt=\"\" class=\"wp-image-600\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC7-1024x535.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC7-300x157.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC7-768x401.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC7.png 1067w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Then click on &#8220;Configure receiving&#8221; as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"456\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC8-1024x456.png\" alt=\"\" class=\"wp-image-601\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC8-1024x456.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC8-300x134.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC8-768x342.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC8.png 1051w\" sizes=\"(max-width: 
1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Click the Green button at the top right labeled \u201cNew Receiving Port\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"641\" height=\"243\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC9.png\" alt=\"\" class=\"wp-image-602\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC9.png 641w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC9-300x114.png 300w\" sizes=\"(max-width: 641px) 100vw, 641px\" \/><\/figure>\n\n\n\n<p>Plug in 9997. This is the default receiving port. Click save after. <\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"950\" height=\"246\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC10.png\" alt=\"\" class=\"wp-image-603\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC10.png 950w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC10-300x78.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC10-768x199.png 768w\" sizes=\"(max-width: 950px) 100vw, 950px\" \/><\/figure>\n\n\n\n<p>Once you click save, you will see the same as below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"246\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC11-1024x246.png\" alt=\"\" class=\"wp-image-605\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC11-1024x246.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC11-300x72.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC11-768x184.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC11.png 1041w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After that, the Client1 Machine is set up. 
We can now switch over to the domain controller and deploy the Universal Forwarder.<\/p>\n\n\n\n<p>Open up a browser and search for \u201cSplunk\u201d just like last time. But this time, click the button under the Universal Forwarder.<\/p>\n\n\n\n<p>You won&#8217;t have to enter your information again; just click Log In.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"429\" height=\"305\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC12.png\" alt=\"\" class=\"wp-image-604\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC12.png 429w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC12-300x213.png 300w\" sizes=\"(max-width: 429px) 100vw, 429px\" \/><\/figure>\n\n\n\n<p>You may need to verify your email address; after that, try again, and it should let you access the downloads page.<\/p>\n\n\n\n<p>For the Domain Controller, click on the Windows 64-bit Download button.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"988\" height=\"441\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC13.png\" alt=\"\" class=\"wp-image-606\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC13.png 988w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC13-300x134.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC13-768x343.png 768w\" sizes=\"(max-width: 988px) 100vw, 988px\" \/><\/figure>\n\n\n\n<p>Accept the Agreements at the bottom of the next page. Then open the file once the download is complete. 
The Forwarder setup window will appear.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"587\" height=\"333\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC14.png\" alt=\"\" class=\"wp-image-607\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC14.png 587w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC14-300x170.png 300w\" sizes=\"(max-width: 587px) 100vw, 587px\" \/><\/figure>\n\n\n\n<p>Check the box to accept the License Agreement, then click on the \u201cCustomize Option\u201d Button.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"495\" height=\"383\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC15.png\" alt=\"\" class=\"wp-image-608\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC15.png 495w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC15-300x232.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/figure>\n\n\n\n<p>Keep the default install path and click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"494\" height=\"384\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC16.png\" alt=\"\" class=\"wp-image-609\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC16.png 494w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC16-300x233.png 300w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><\/figure>\n\n\n\n<p>When it comes to the certificate information, leave it default.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"492\" height=\"386\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC17.png\" alt=\"\" class=\"wp-image-610\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC17.png 492w, 
https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC17-300x235.png 300w\" sizes=\"(max-width: 492px) 100vw, 492px\" \/><\/figure>\n\n\n\n<p>Leave the default local system authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"495\" height=\"386\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC18.png\" alt=\"\" class=\"wp-image-611\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC18.png 495w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC18-300x234.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/figure>\n\n\n\n<p>Check every box to monitor everything, then click the \u201cDirectory\u201d button and select \u201cLocal Disk (C:)\u201d. Then click on OK.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"555\" height=\"527\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC19.png\" alt=\"\" class=\"wp-image-612\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC19.png 555w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC19-300x285.png 300w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><\/figure>\n\n\n\n<p>You should see the \u201cPath to monitor\u201d as \u201cC:\\\u201d.<\/p>\n\n\n\n<p>Click &#8220;Next&#8221; once done.<\/p>\n\n\n\n<p>Then create a forwarder account. 
I used the name admin for this one.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"493\" height=\"386\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC20.png\" alt=\"\" class=\"wp-image-613\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC20.png 493w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC20-300x235.png 300w\" sizes=\"(max-width: 493px) 100vw, 493px\" \/><\/figure>\n\n\n\n<p>The next window will ask for the IP address of the Deployment Server. In this case, that is Client1.<\/p>\n\n\n\n<p>The IP address of Client1 is 172.16.0.100 in this lab; it may be different for you. I will use the default port as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"495\" height=\"386\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC21.png\" alt=\"\" class=\"wp-image-614\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC21.png 495w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC21-300x234.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/figure>\n\n\n\n<p>For the next step, enter Client1\u2019s IP address, use the default port 9997, and click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"497\" height=\"383\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC22.png\" alt=\"\" class=\"wp-image-615\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC22.png 497w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC22-300x231.png 300w\" sizes=\"(max-width: 497px) 100vw, 497px\" \/><\/figure>\n\n\n\n<p>Then click Install. Once finished, you\u2019ll see the window shown below. 
Then you can just click finish.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"494\" height=\"384\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC23.png\" alt=\"\" class=\"wp-image-616\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC23.png 494w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC23-300x233.png 300w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><\/figure>\n\n\n\n<p>You must make firewall rules to allow the DC to send data to Windows 10. Search for \u201cfire\u201d and click on the first option.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"404\" height=\"572\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC33.png\" alt=\"\" class=\"wp-image-618\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC33.png 404w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC33-212x300.png 212w\" sizes=\"(max-width: 404px) 100vw, 404px\" \/><\/figure>\n\n\n\n<p>Then click on advanced settings.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"598\" height=\"289\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC34.png\" alt=\"\" class=\"wp-image-619\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC34.png 598w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC34-300x145.png 300w\" sizes=\"(max-width: 598px) 100vw, 598px\" \/><\/figure>\n\n\n\n<p>Make sure you are in the inbound rules, and on the right side, click New Rule.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"1001\" height=\"186\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC35.png\" alt=\"\" class=\"wp-image-620\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC35.png 
1001w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC35-300x56.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC35-768x143.png 768w\" sizes=\"(max-width: 1001px) 100vw, 1001px\" \/><\/figure>\n\n\n\n<p>Click on Port, then Next.<\/p>\n\n\n\n<p>Leave the protocol as TCP.<\/p>\n\n\n\n<p>For the specific local ports, enter \u201c8089, 9997, 389, 3268\u201d, then click Next.<\/p>\n\n\n\n<p>Select Allow the connection, which should be the default. Click Next.<\/p>\n\n\n\n<p>Leave Domain, Private, and Public checked. Click Next.<\/p>\n\n\n\n<p>Then name it. I used \u201cSPLUNK OUT\u201d.<\/p>\n\n\n\n<p><strong>Do the same thing on Windows 10, but do an inbound rule instead of an outbound rule.<\/strong><\/p>\n\n\n\n<p>After this, logs will start being sent from the DC to Windows 10. You may have to restart the Splunk Forwarder service on the DC.<\/p>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\" id=\"sysmon\">\n<div class=\"wp-block-column has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Integrating Sysmon<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left 
zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Sysmon for Enhanced Logging<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><\/p>\n\n\n\n<p>In your browser, search for \u201csysmon github\u201d and click on the first link by swiftonsecurity. Inside GitHub, click the file shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"688\" height=\"463\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC24-1.png\" alt=\"\" class=\"wp-image-623\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC24-1.png 688w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC24-1-300x202.png 300w\" sizes=\"(max-width: 688px) 100vw, 688px\" \/><\/figure>\n\n\n\n<p>Click on the download button on the right side of the page.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"691\" height=\"416\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC25.png\" alt=\"\" class=\"wp-image-624\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC25.png 691w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC25-300x181.png 300w\" sizes=\"(max-width: 691px) 100vw, 691px\" \/><\/figure>\n\n\n\n<p>Search for just \u201cSysmon\u201d and click on the top link.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"682\" height=\"563\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC26.png\" alt=\"\" class=\"wp-image-625\" 
srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC26.png 682w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC26-300x248.png 300w\" sizes=\"(max-width: 682px) 100vw, 682px\" \/><\/figure>\n\n\n\n<p>Then click on &#8220;Download Sysmon&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"513\" height=\"557\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC27.png\" alt=\"\" class=\"wp-image-626\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC27.png 513w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC27-276x300.png 276w\" sizes=\"(max-width: 513px) 100vw, 513px\" \/><\/figure>\n\n\n\n<p>Once downloaded, open up your Downloads folder and extract Sysmon.zip. <strong>Once extracted, move the sysmonconfig-export file into the Sysmon folder.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"585\" height=\"138\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC28.png\" alt=\"\" class=\"wp-image-627\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC28.png 585w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC28-300x71.png 300w\" sizes=\"(max-width: 585px) 100vw, 585px\" \/><\/figure>\n\n\n\n<p>Then open the terminal as an <strong>administrator<\/strong>, navigate to the Sysmon folder inside the Downloads folder, and run the command shown below.<\/p>\n\n\n\n<p>If successful, it will produce the output shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"750\" height=\"328\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC29.png\" alt=\"\" class=\"wp-image-628\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC29.png 750w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC29-300x131.png 
300w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><\/figure>\n\n\n\n<p>Now open File Explorer from the taskbar, navigate to \u201cC:\\program files\\splunkuniversalforwarder\\etc\\apps\\splunkuniversalforwarder\\local\\inputs.conf\u201d, and at the very bottom of the configuration file add the code shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"570\" height=\"120\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC30.png\" alt=\"\" class=\"wp-image-629\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC30.png 570w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC30-300x63.png 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" \/><\/figure>\n\n\n\n<p>Save and close the file. Now search for Services, as we have to restart the Splunk forwarder.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"460\" height=\"674\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC31.png\" alt=\"\" class=\"wp-image-630\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC31.png 460w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC31-205x300.png 205w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"443\" height=\"388\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC32.png\" alt=\"\" class=\"wp-image-631\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC32.png 443w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC32-300x263.png 300w\" sizes=\"(max-width: 443px) 100vw, 443px\" \/><\/figure>\n\n\n\n<p>If the service stops after restarting and doesn\u2019t come back up, just start it again. (This happens if you open Services without administrator privileges.)<\/p>\n\n\n\n<p>Now go back to the Splunk Web interface. 
Click on Apps at the top and click on \u201cFind More Apps\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"408\" height=\"341\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC36-1.png\" alt=\"\" class=\"wp-image-632\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC36-1.png 408w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC36-1-300x251.png 300w\" sizes=\"(max-width: 408px) 100vw, 408px\" \/><\/figure>\n\n\n\n<p>Then search for Sysmon and install the first option.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"290\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC37-1024x290.png\" alt=\"\" class=\"wp-image-633\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC37-1024x290.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC37-300x85.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC37-768x217.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC37.png 1131w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After installation, restart the forwarder.<\/p>\n\n\n\n<p>After all that, you can go to Windows 10 and test whether you\u2019re receiving the DC logs using the search query<\/p>\n\n\n\n<p>index=\"main\"<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"464\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC38-1024x464.png\" alt=\"\" class=\"wp-image-634\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC38-1024x464.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC38-300x136.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC38-768x348.png 768w, 
https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC38.png 1115w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If you\u2019re interested in the Windows 10 logs, you can search<\/p>\n\n\n\n<p>index=_internal<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"472\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC39-1024x472.png\" alt=\"\" class=\"wp-image-635\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC39-1024x472.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC39-300x138.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC39-768x354.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC39.png 1111w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>To search for the Sysmon logs specifically, you can search for<\/p>\n\n\n\n<p>index=\u201cmain\u201d sourcetype=xmlwineventlog<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC40-1024x579.png\" alt=\"\" class=\"wp-image-636\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC40-1024x579.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC40-300x170.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC40-768x435.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/SSS-SC40.png 1124w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex 
wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\" id=\"snort\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Deploying Snort<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Integration of the Intrusion Detection System<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><\/p>\n\n\n\n<p>We will now deploy Snort onto the domain controller.<\/p>\n\n\n\n<p>Simply open up a browser inside the DC and search for Snort. 
Then click Downloads, as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"692\" height=\"512\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-01.png\" alt=\"\" class=\"wp-image-638\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-01.png 692w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-01-300x222.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>Once there, scroll down to the Snort 2 section and click on the .exe file to download Snort.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"781\" height=\"354\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-02.png\" alt=\"\" class=\"wp-image-639\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-02.png 781w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-02-300x136.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-02-768x348.png 768w\" sizes=\"(max-width: 781px) 100vw, 781px\" \/><\/figure>\n\n\n\n<p>Open the downloaded .exe, and it will launch the setup wizard. 
Agree to the license agreement.<\/p>\n\n\n\n<p>Leave all three components checked and click \u201cNext\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"501\" height=\"390\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-03.png\" alt=\"\" class=\"wp-image-640\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-03.png 501w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-03-300x234.png 300w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/figure>\n\n\n\n<p>Leave the default path and click &#8220;Next&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"496\" height=\"385\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-04.png\" alt=\"\" class=\"wp-image-641\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-04.png 496w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-04-300x233.png 300w\" sizes=\"(max-width: 496px) 100vw, 496px\" \/><\/figure>\n\n\n\n<p>Once completed, click &#8220;Close&#8221;.<\/p>\n\n\n\n<p>We haven\u2019t installed Npcap, so we&#8217;ll download it next. 
They give you the URL to get it, so let&#8217;s navigate to it.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"497\" height=\"384\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-05.png\" alt=\"\" class=\"wp-image-642\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-05.png 497w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-05-300x232.png 300w\" sizes=\"(max-width: 497px) 100vw, 497px\" \/><\/figure>\n\n\n\n<p>Once at the site, click on &#8220;Download&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"961\" height=\"390\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-06.png\" alt=\"\" class=\"wp-image-643\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-06.png 961w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-06-300x122.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-06-768x312.png 768w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><\/figure>\n\n\n\n<p>Then click on the first link as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"609\" height=\"205\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-07.png\" alt=\"\" class=\"wp-image-644\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-07.png 609w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-07-300x101.png 300w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><\/figure>\n\n\n\n<p>Click the downloaded .exe, then agree to the license agreement when the wizard pops up.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"596\" height=\"489\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-08.png\" alt=\"\" class=\"wp-image-645\" 
srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-08.png 596w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-08-300x246.png 300w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><\/figure>\n\n\n\n<p>Leave the defaults and click on install. Once installed, click on Next and finish.<\/p>\n\n\n\n<p>I won\u2019t dive deep into the rules here, but if you want to set up rules.<\/p>\n\n\n\n<p>Go back to the Snort download page, and there will also be a \u201cRules\u201d section. Download the V2.9 Community Rules. You\u2019ll need a tool to open the archived files.<\/p>\n\n\n\n<p>There are community rules where you can easily download, registered rules where you need an account to download, and subscription rules where you will have to pay for more.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"823\" height=\"390\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-01.png\" alt=\"\" class=\"wp-image-646\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-01.png 823w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-01-300x142.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-01-768x364.png 768w\" sizes=\"(max-width: 823px) 100vw, 823px\" \/><\/figure>\n\n\n\n<p>I simply searched for 7-Zip and downloaded the version shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"562\" height=\"350\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-02.png\" alt=\"\" class=\"wp-image-647\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-02.png 562w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-rules-02-300x187.png 300w\" sizes=\"(max-width: 562px) 100vw, 562px\" \/><\/figure>\n\n\n\n<p>Open up the archived folder, and place the community. 
rules file inside the C:\\Snort\\Rules folder<\/p>\n\n\n\n<p>Let\u2019s go and manually change the Snort config file.<\/p>\n\n\n\n<p>Open up the file explorer, click on \u201cThis PC\u201d, then double-click on the Local Disk (C:).&nbsp;<\/p>\n\n\n\n<p>Navigate to Snort\u2192 etc\u2192 snort.<\/p>\n\n\n\n<p>You may need to change the file permissions to make changes.<\/p>\n\n\n\n<p>Right-click the file and select properties. Then click the Security tab and click Edit. You can click on \u201cFull control\u201d to allow write and modify permissions. Once changed, click Apply, click OK, and open the file.<\/p>\n\n\n\n<p>Once open, go to lines 45 and 48 and replace \u201cany\u201d with the Network IP that we are defending. As well as anything that is considered \u201cexternal\u201d. I just used the \u201c!\u201d or NOT operator, so any IP address that is not 172.16.0.1\/24 is considered external.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"674\" height=\"179\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-09.png\" alt=\"\" class=\"wp-image-648\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-09.png 674w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-09-300x80.png 300w\" sizes=\"(max-width: 674px) 100vw, 674px\" \/><\/figure>\n\n\n\n<p>Replace lines 104 and 106 with what\u2019s shown below. 
Comment out line 105.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"615\" height=\"131\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-10.png\" alt=\"\" class=\"wp-image-649\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-10.png 615w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-10-300x64.png 300w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/figure>\n\n\n\n<p>Replace lines 113 and 114 with the following content.<\/p>\n\n\n\n<p>These are the paths to our blacklist and whitelist files. For now, we can leave them commented out, but if you bring in the registered rules, you may need to uncomment these lines.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"697\" height=\"154\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-11.png\" alt=\"\" class=\"wp-image-650\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-11.png 697w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-11-300x66.png 300w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><\/figure>\n\n\n\n<p>Uncomment line 186 and enter the directory path shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"396\" height=\"76\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-12.png\" alt=\"\" class=\"wp-image-651\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-12.png 396w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-12-300x58.png 300w\" sizes=\"(max-width: 396px) 100vw, 396px\" \/><\/figure>\n\n\n\n<p>Replace lines 247 and 250 with the directory paths shown below. 
Then comment out line 253.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"662\" height=\"256\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-13.png\" alt=\"\" class=\"wp-image-652\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-13.png 662w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-13-300x116.png 300w\" sizes=\"(max-width: 662px) 100vw, 662px\" \/><\/figure>\n\n\n\n<p>Comment out lines 265 to 269 as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"596\" height=\"214\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-14.png\" alt=\"\" class=\"wp-image-654\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-14.png 596w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-14-300x108.png 300w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><\/figure>\n\n\n\n<p>Uncomment line 418 to allow portscan detection. 
Also, make the additional changes shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"947\" height=\"65\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-15.png\" alt=\"\" class=\"wp-image-655\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-15.png 947w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-15-300x21.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-15-768x53.png 768w\" sizes=\"(max-width: 947px) 100vw, 947px\" \/><\/figure>\n\n\n\n<p>Comment out lines 507 to 512.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"635\" height=\"236\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-19-After15.png\" alt=\"\" class=\"wp-image-657\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-19-After15.png 635w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-19-After15-300x111.png 300w\" sizes=\"(max-width: 635px) 100vw, 635px\" \/><\/figure>\n\n\n\n<p>I commented out lines 546 to 651. 
Future projects will dive deeper into Snort rules.<\/p>\n\n\n\n<p>If you plan to use the other rules, make sure to update the rule paths.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"519\" height=\"533\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-16-1.png\" alt=\"\" class=\"wp-image-658\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-16-1.png 519w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-16-1-292x300.png 292w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/figure>\n\n\n\n<p>Uncomment lines 659 to 661 and swap the forward slashes for backslashes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"498\" height=\"181\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-17.png\" alt=\"\" class=\"wp-image-659\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-17.png 498w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-17-300x109.png 300w\" sizes=\"(max-width: 498px) 100vw, 498px\" \/><\/figure>\n\n\n\n<p>After that, save and close the file.<\/p>\n\n\n\n<p>Open up the terminal, cd to \u201cSnort\\bin\u201d and run \u201csnort -w\u201d. An error may appear saying that vcruntime140.dll isn\u2019t installed. If so, do the following. Otherwise, continue on.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"603\" height=\"528\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-00.png\" alt=\"\" class=\"wp-image-660\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-00.png 603w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-00-300x263.png 300w\" sizes=\"(max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<p>Scroll down until you see the below. 
Download the X64 version.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"643\" height=\"638\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-01.png\" alt=\"\" class=\"wp-image-661\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-01.png 643w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-01-300x298.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-01-150x150.png 150w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/figure>\n\n\n\n<p>Run the downloaded .exe file.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"486\" height=\"299\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-02.png\" alt=\"\" class=\"wp-image-662\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-02.png 486w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/MS-02-300x185.png 300w\" sizes=\"(max-width: 486px) 100vw, 486px\" \/><\/figure>\n\n\n\n<p>Agree to the license agreement, then click install. Once done, click close.<\/p>\n\n\n\n<p>Open the terminal and run snort -w again. Take note of the interface with the network we are working with. For me, it is interface 5. 
It may be different for you.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"959\" height=\"425\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-18.png\" alt=\"\" class=\"wp-image-663\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-18.png 959w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-18-300x133.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-18-768x340.png 768w\" sizes=\"(max-width: 959px) 100vw, 959px\" \/><\/figure>\n\n\n\n<p>Then run snort -i 5 -c c:\\Snort\\etc\\snort.conf -T<\/p>\n\n\n\n<p>Replace the \u201c5\u201d with the interface that you will be using.<\/p>\n\n\n\n<p>Once it has run, you will see the content below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"671\" height=\"457\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-20.png\" alt=\"\" class=\"wp-image-664\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-20.png 671w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-20-300x204.png 300w\" sizes=\"(max-width: 671px) 100vw, 671px\" \/><\/figure>\n\n\n\n<p>So Snort\u2019s configuration file loads successfully, which is great. 
Let&#8217;s just make some small changes to make the logs more readable.<\/p>\n\n\n\n<p>On the DC VM, navigate to Program Files\\SplunkUniversalForwarder\\etc\\apps\\SplunkUniversalForwarder\\default\\props.conf<\/p>\n\n\n\n<p>In this file, add the content shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"547\" height=\"353\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-after-20.png\" alt=\"\" class=\"wp-image-665\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-after-20.png 547w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-after-20-300x194.png 300w\" sizes=\"(max-width: 547px) 100vw, 547px\" \/><\/figure>\n\n\n\n<p>Navigate back to Client1 and, in the Splunk UI, go to Settings, then Indexes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"693\" height=\"599\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-21.png\" alt=\"\" class=\"wp-image-666\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-21.png 693w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-21-300x259.png 300w\" sizes=\"(max-width: 693px) 100vw, 693px\" \/><\/figure>\n\n\n\n<p>Click on \u201cNew Index\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"500\" height=\"256\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-22.png\" alt=\"\" class=\"wp-image-667\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-22.png 500w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-22-300x154.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<p>Name it snort_ids, then save the index.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"803\" height=\"643\" 
src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-23.png\" alt=\"\" class=\"wp-image-668\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-23.png 803w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-23-300x240.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-23-768x615.png 768w\" sizes=\"(max-width: 803px) 100vw, 803px\" \/><\/figure>\n\n\n\n<p>BACK in the DC, navigate to c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\SplunkUniversalForwarder\\Local and open the input.confs file again.<\/p>\n\n\n\n<p>Put the content shown below. Right below the sysmon stuff we added earlier.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"551\" height=\"215\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-24.png\" alt=\"\" class=\"wp-image-669\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-24.png 551w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-24-300x117.png 300w\" sizes=\"(max-width: 551px) 100vw, 551px\" \/><\/figure>\n\n\n\n<p>Then restart the SplunkUniversal Forwarder service. You may have to turn it off and then turn it on.<\/p>\n\n\n\n<p>Because we commented out most of the rules, Snort isn\u2019t very noisy. But we still have the rule that can detect port scans. Additional 3-way handshakes may also get picked up by Snort.<\/p>\n\n\n\n<p>We should be good to run Snort now. 
Run the command below.<\/p>\n\n\n\n<p>Use snort -A console -i 5 -c c:\\snort\\etc\\snort.conf -K ascii<\/p>\n\n\n\n<p>If you want it to run in the background, use this command instead: snort -D -i 5 -c c:\\snort\\etc\\snort.conf -K ascii<\/p>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\" id=\"showcase\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Showcase<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Showcasing a bit of Sysmon and Snort<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><\/p>\n\n\n\n<p>I brought a Kali machine into the environment and performed an Nmap scan.<\/p>\n\n\n\n<p>A bit of a wide picture, but this shows Snort running on the DC and picking 
up an Nmap scan. The log is also being pushed into Splunk with the rest of the logs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" width=\"1024\" height=\"419\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished-1024x419.png\" alt=\"\" class=\"wp-image-670\" style=\"width:1262px;height:516px\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished-1024x419.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished-300x123.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished-768x314.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished-1536x628.png 1536w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/09\/snort-finished.png 1824w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>So, a bit of a showcase on why we integrated Sysmon.<\/p>\n\n\n\n<p>Multiple Sysmon events can help detect threat actors&#8217; movements. Here are some notable ones:<\/p>\n\n\n\n<p>Event ID 1 &#8211; Process Creation<\/p>\n\n\n\n<p>The image below shows any process creations that contained the word \u201csnort\u201d. 
When doing things like this, it&#8217;s better to look at the rare items.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"965\" height=\"446\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01.png\" alt=\"\" class=\"wp-image-673\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01.png 965w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-300x139.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-768x355.png 768w\" sizes=\"(max-width: 965px) 100vw, 965px\" \/><\/figure>\n\n\n\n<p>The command below will show whether any cmd.exe or PowerShell commands were run.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"930\" height=\"552\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-extended.png\" alt=\"\" class=\"wp-image-674\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-extended.png 930w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-extended-300x178.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-01-extended-768x456.png 768w\" sizes=\"(max-width: 930px) 100vw, 930px\" \/><\/figure>\n\n\n\n<p>Event ID 2 &#8211; Process changed file creation time<\/p>\n\n\n\n<p>The reason to watch this one is that a threat actor may change file timestamps to scramble the trail they\u2019re leaving behind. 
These events can help detect defense evasion.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"1007\" height=\"363\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-02.png\" alt=\"\" class=\"wp-image-675\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-02.png 1007w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-02-300x108.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-02-768x277.png 768w\" sizes=\"(max-width: 1007px) 100vw, 1007px\" \/><\/figure>\n\n\n\n<p>Event ID 3 &#8211; Network Connection<\/p>\n\n\n\n<p>In this environment it wasn\u2019t very noisy, though it can help in the real world: it can reveal unusually high network traffic. You would have to filter by source IP.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"731\" height=\"492\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-03.png\" alt=\"\" class=\"wp-image-676\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-03.png 731w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-03-300x202.png 300w\" sizes=\"(max-width: 731px) 100vw, 731px\" \/><\/figure>\n\n\n\n<p>Event ID 8 &#8211; CreateRemoteThread<\/p>\n\n\n\n<p>This one fires when a process creates a thread inside another process.<\/p>\n\n\n\n<p>The following will help detect processes tampering with, or injecting into, other processes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"764\" height=\"352\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-08.png\" alt=\"\" class=\"wp-image-677\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-08.png 764w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-08-300x138.png 300w\" sizes=\"(max-width: 764px) 100vw, 764px\" \/><\/figure>\n\n\n\n<p>Event ID 11 
&#8211; File created or overwritten<\/p>\n\n\n\n<p>The command below will show the path, the target file, whether it\u2019s being modified or created, the host, and the time of change\/creation.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"531\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-11-1024x531.png\" alt=\"\" class=\"wp-image-678\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-11-1024x531.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-11-300x155.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-11-768x398.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-11.png 1131w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Event ID 12 &#8211; Registry Key Object Create and Delete<\/p>\n\n\n\n<p>The command below will detect any registry key being created or deleted.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-12-1024x548.png\" alt=\"\" class=\"wp-image-680\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-12-1024x548.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-12-300x160.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-12-768x411.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-12.png 1049w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Event ID 13 &#8211; Registry Value Set<\/p>\n\n\n\n<p>This Event ID will show the values that are set for a registry key.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"952\" height=\"589\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-13-1.png\" alt=\"\" 
class=\"wp-image-681\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-13-1.png 952w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-13-1-300x186.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-13-1-768x475.png 768w\" sizes=\"(max-width: 952px) 100vw, 952px\" \/><\/figure>\n\n\n\n<p>Event ID 22 &#8211; DNS Event<\/p>\n\n\n\n<p>The command below will show any DNS events occurring<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"373\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-22-1024x373.png\" alt=\"\" class=\"wp-image-682\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-22-1024x373.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-22-300x109.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-22-768x280.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/Sysmon-22.png 1104w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>So what have we done&#8230;<\/p>\n\n\n\n<p>&#8211; Deployed Splunk Enterprise (SIEM) for Centralized logging<\/p>\n\n\n\n<p>&#8211; Enhanced logging using Sysmon<\/p>\n\n\n\n<p>&#8211; Deployed Snort Intrusion Detection System (IDS) into the environment<\/p>\n\n\n\n<p>&#8211; Forwarded All Logs, including Snort Logs, using Universal Forwarders<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>This concludes the lab.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Splunk Deployment Deploying Splunk Enterprise Prerequisite Labs Active Directory Lab Brief Summary This lab will cover the deployment of Splunk Enterprise and Universal Forwarders onto an Active Directory Environment for Centralized Logging. Enhanced logging will be done using Sysmon. As well as the deployment, Configuration, and integration of the IDS tool Snort into Splunk. 
Splunk Free Trial Download https:\/\/www.splunk.com\/en_us\/download.html To get started, we need to download Splunk Enterprise and the Universal Forwarder. We can open our browser inside Client1, search for \u201cSplunk,\u201d or copy the download link above and paste it into your VM, then click Downloads. We will be<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-591","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=591"}],"version-history":[{"count":15,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/591\/revisions"}],"predecessor-version":[{"id":1149,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/591\/revisions\/1149"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}