
BSidesCharm - 2017 - da667 - The AVATAR Project and You

BSides Charm · 38:44 · 19 views · Published 2021-05 · Watch on YouTube ↗
About this talk
The AVATAR Project and You. This isn't about bald children who can control elements or blue cat aliens. Over the past few months, I've been writing a guide on building your own lab environment to suit your needs that I've been calling Project: AVATAR. If you're looking for advice on how to build a flexible lab environment that can accommodate red or blue team practice activities, this is the talk for you. Please be aware that this talk is NOT a training.

Presenter: da_667. da_667 has been described as "Twitter Infamous" by his peers. Has a fondness for malware hunting, threat intel, NSM, and helping security newbies to get their bearings. Also enjoys shiny challenge coins.

Transcript [en]

So, just wanted to start that off; it's been great so far. So let's go ahead and get started here and take you on a wonderful journey. This is a slide deck about a book that I've been writing, the AVATAR Project. So if y'all are busy, if you guys got things to do (I usually do this as a courtesy), if there are other talks you want to see or if you wanted to go grab breakfast or whatever, it's early, this is the too-long-didn't-read version: go pick up the book here if you need to set up a virtual lab. It's hosted on a server in my basement that hasn't died yet, so

that's awesome. But for the rest of you poor bastards who want to sit in here and listen to me talk, this is me. My name is Tony Robinson, I go by da667 on social media. I've been called "Twitter infamous." That's my primary social media; you can find me on there, feel free to send me messages, ask me questions. I'm more than willing to give you an email address if any of you want contact information; I also have business cards after the talk's all said and done. Most of my background is in network security monitoring, so flow analysis, NSM, packet capture, IDS and IPS. That's my bread and butter.

I do a lot of threat intelligence as well, so pivoting off of passive DNS data, HTTP headers, you know, doing the whole "we found one bad thing, how many other bad things can we map out from that" and all this and that and the other thing. I do a little bit of malware analysis on the side. I am not a reverse engineer by any stretch of the imagination, but I do enjoy blowing things up in dynamic analysis labs, doing the triage and comparing caches, all sorts of fun things like that. Some of my greatest accomplishments: I spoke at a number of conferences, I've been all over the place, HackMiami,

ShmooCon Firetalks, plenty of BSides. First BSides out in Columbia, I did a talk there. So I've been around the block a time or two. Most of my talks in the past focus on NSM and fun stories; I've been told I'm a pretty good storyteller. I have quite a few. One of my favorites was when I found a dead drop for data exfiltration by the Operation Cleaver group just by doing Google hacks. Turns out that they left an anonymous FTP server up on a provider and they left their exfil out there for anybody to grab, and that was a good time. Found that six months before the Operation Cleaver

investigation went live and Cylance reported on it, so that was a good day. I was at one time classified as a social media threat by ESET. I would post a lot of threat intelligence data: this IP address is hosting this IRC channel, it's using remote file inclusion or Shellshock, and here's 500 bots sitting in the channel, with screenshots and everything, and ESET apparently didn't like that, you know. So I don't know how to use a computer, obviously, because it took us a hell of a good time to get [ __ ] set up up here. So, that's me in a nutshell. So now that

you're here, now that you know about me, what's this project all about? I'm going to regale you with another one of those lovely stories. So, this book that I've been writing, it isn't my first foray into trying to write a book. I've tried writing books two or three times and managed to fail for various reasons: either the ADHD caught up to me, A's needed killing, you know, various other things have happened. I tried doing a book in the past about setting up a dynamic malware analysis lab and things just kind of fell off by the wayside. So last year I just said screw it, I'm going to cast aside a lot of

other things that I was working on, conferences and whatnot. I just cast it all aside, I went down to the basement data center of solitude and I started writing. And right around that time, a little bit afterwards, I was approached by my boss at my current employer, Hurricane Labs, which, this is the only plug you'll hear from me: I got to give a great amount of thanks to them because they didn't claim this as intellectual property, they're letting me work on this on company time, and the only thing they said is when it's all done, just make sure we get a free copy of it. So anyhow, my boss was saying we could

use training for our SOC analysts, and I was like, I like writing, and they're like, also we'll give you extra money for it. I was like, I like money too, that's awesome. So it started off as a pretty simple book, and I was figuring, well, if I write it here, they said that they don't care if I share it in other places, this could be something that's beneficial for a lot of people. So I started writing. The lab was very simple: it was just VirtualBox, here's how you set up pfSense, here's how you set up Snort or Suricata to bridge virtual networks together, and that was about it. And then it exploded in complexity

because I was doing a bunch of what-if scenarios: what are other common hypervisors that you see out there in the wild, you know, for running virtual machines? VirtualBox is what I like to call the least common denominator: anybody can pick it up and download it, it runs on practically everything from BSD to Windows, any major x86 operating system will run VirtualBox. But a lot of our guys had VMware Workstation, or some of them were on Macs running Fusion. What about the guys who wanted to set up a lab on ESXi? And then, in the middle of all that, I discovered client Hyper-V as a thing, and it has become one of my favorite hosted

hypervisors. It's freaking awesome. Just a side note, if any of you aren't Microsoft fanboys: I'm not necessarily a fanboy, but as you can tell by the slide backgrounds and stuff, I like playing video games, so it's my native platform, it's what I always run most of my stuff on. So to have a hypervisor that's integrated with the OS and is free if you have, like, Education, Enterprise or Ultimate editions of Windows 8 or Windows 10, that you can just go to Programs and Features and say, yeah, I like that, I'll take that, you know, have that integrated in with the OS, is really nice to discover. And of course Microsoft, they have all

this cool [ __ ] and they never advertise it. So word to the wise out there: if you're a student or if you are strapped for cash, it's free and easy to set up. So that's just my quick plug for them. In any case, so it started off as "here's a guide to do it on VirtualBox" and that is like, well, here are the five hypervisors that I want to cover, because, you know, in addition to them being the most common hypervisors that we use in our SOC with all of our guys, those are the ones that you're most likely to come across, or the most likely ones you're going to use in most enterprise

environments are these hypervisors. You know, most corporations will say we're a Hyper-V shop, because why the hell not, we have the Windows licensing, why bother paying for VMware if we're going to just use Hyper-V on our Windows servers and call it good. Or some people drink the VMware Kool-Aid entirely and, you know, all of them run VMware. Or you might be a budget shop or a budget analyst and all you got is this VirtualBox and a prayer, YOLO. So, to make a very long story short, it was initially a tutorial on how to build an IDS and IPS analysis lab, maybe I was gonna do an introduction to Snort or kind

of rule writing later, and it turned into this hulking massive virtualization book that covers a baseline lab across five different hypervisors. So, I think that might be clear enough for everybody to make out, but I show readers of this book how to build this network diagram. I'm going to take a couple of minutes and explain what's going on here. So this network diagram comprises four networks, the different colored areas: a bridged network; one of them is labeled management, in the blue; there are two that are labeled IPS1 and IPS2. And if you'll notice, in the center between those three networks, closer to

the top, there's a pfSense firewall that's acting as a gateway and enforcing traffic or access control between those networks. You might notice in the green network there is a transparent box and a transparent line. This is for the users that elect to set up this lab network on a bare-metal hypervisor; that would represent the jump box or the management workstation that you would have to access your VMs from. So, you know, to a lot of people who have some experience in the industry this is super basic [ __ ], but to a lot of other folks who are trying to get their bearings in information security, these are things that they aren't necessarily introduced to, so I

want to make things as clear as humanly possible. The other side here, if you have a hosted hypervisor, that's a physical representation of your workstation on the network and how your VMs are getting out of the network. If you notice in the management network, again, there's another transparent box and a transparent line. I instruct readers on how to make a host-only network adapter that is able to interact with the VMs in the network. In that way, you can take this system on a hosted hypervisor and it's fully portable: any place where you have an internet connection and you can bridge, you can get internet. The entire lab could be network

connected to your physical network, or, as mine is right now, I don't even have this connected to the Wi-Fi and I can guarantee just about everything in the lab is working perfectly fine, aside from stuff that requires internet access, of course. So this right here is like a big complaint, you know, you see a lot of people say, like, oh [ __ ], I've gone from one network to another, my IP addressing scheme has changed, how do I access my VMs if they're on a bridged network? So in this way, putting them on this management network and having it host-only, the IP address scheme never changes, so it's a really nice way to have

a portable lab where you can demo things really easily to your friends, or, you know, do whatever you want to do wherever you're going to be, and have it be extremely portable and easy to set up. So, I've beat that into the ground. I have two VMs in that management network: one of them is a SIEM VM that I instruct readers on how to install Splunk on, and then there's another VM here, the IPS management interface. And I clarify on that because, if you notice over on the two IPS networks, there's IPS interface one and IPS interface two, so all together there is one VM that has three network

interfaces. I'll be coming back to that in just a minute. So let's go over here, and you see that there's a Kali Linux VM on one of the IPS networks and a Metasploitable 2 VM on the other network. Like, this is looking super basic so far, where's the fun at? Metasploitable 2 is super old, what's the point? Well, I'm getting to that. So we come back to the IPS network interfaces, and you see that pink line that's kind of dotted between the IPS1 and the IPS2 networks there. I'm going to instruct readers on how to set up AF_PACKET bridging, which is a special function of both

Suricata or Snort, where you're taking these two disparate host-only networks and you're bridging them together; you're using the VM, the Snort VM or the Suricata VM, to pass traffic between those two networks. So the premise here is you have the Kali VM on one network and you have Metasploitable 2 on the other, and the bridge has to be up in order for anything on these top three networks to reach the network at the bottom. If the VM is not up, then that essentially turns into a host-only network, and what that allows you, in network terminology, this is a fail-closed network. So not only do you have a

nice portable lab network to work with: if there are pieces of malware that you don't want to have internet access, or if you're doing other research and you're doing things you want to make sure it's offline at a moment's notice, if you just turn this VM off, you have a fail-closed network, you have a host-only network. And at another point, if you need to do network updates, or if you want to do malware analysis and you want to see who this thing is calling back to and who it's talking to, you just bring the VM back up. And I guide readers through setting up Snort and Suricata in bridge mode, have them install a service where

you can turn the VM right off at any point and take it down, and the bridge goes down; you can turn it back on, and it's a service and it comes right back up when things are brought back online. It's like virtually zero maintenance once we get that all set up. So that's the long and short of the entire network. I show readers how to build that, and I've reproduced this same network setup across all of these hypervisors. The network that is considered the baseline network is the one that I show people how to do, and I say, from there, if you want to modify it, I give a couple of suggestions, I say

you're mostly on your own. But I chose these hypervisors in particular, again, to reiterate, because they're the most common that you're going to encounter out there in the world, and, to be further honest, these are the ones that I know. And if I took any more suggestions, or if I wanted to write more, I would lose my damn mind, because, you know, I've heard people say KVM, I've heard people say bhyve, I've heard "why isn't Citrix XenServer covered?", to which I said, I'm not making a profit off of this and I'm only working off of what I know. If you would like to contribute, I am

more than welcoming to have you contribute a version of this on KVM, on whatever virtualization platform you want, but I stayed at five because this book is close to 600 pages already. And a lot of people say, 600 pages, are you [ __ ] crazy? That's like a college semester book, that's like a book you could kill somebody with, man. To which I said, the book is interesting because, you know, it covers so many hypervisors; I have it set up kind of in a choose-your-own-adventure format. So the beginning of the book is: here are things that you need to know to get started. You need to understand the

command line, you need to understand your TCP/IP. And when I talk about the command line, I say you should probably know a little bit of Linux and a little bit of Windows; you should understand the basics of networking, you know, what's a static route, what's DNS, what are all these things, what are common service port numbers. And I say, if you don't know these things, here are free resources to get your bearings. And then I make recommendations for hardware, and, you know, I say that if you want to get started, if you want to be able to build a baseline lab, here are the hardware recommendations I say

to get started. Then I say, here's the hypervisor choices: I say to choose Hyper-V go to this page, to choose VirtualBox go to this page, and the guides lay it out step by step by step with plenty of illustrations. So, you know, what is a 600-page book almost at this point is much smaller if all you're doing is building one lab. So remember before how I said that this was a basic baseline lab? This is something to get started. The best thing about this lab network, the best thing that I love about it, is that it's extremely flexible. You can put anything behind that IPS

VM that's setting up your bridge. You could turn it into a pentesting network, you can turn it into a malware analysis network. If you're a sysadmin and you wanted to test some configuration management, some Group Policy, some DevOps stuff, containerization, all of that stuff, you can do all that. This network is both none of these things and at the same time could be any one of these things, and that's how I designed it, you know, to make it easy for any of you to mold it to fit whatever needs you have. So I have a couple of base ideas, or a couple of network diagram deviations, and I kind of

hint about these towards the end of the book. Once I say you have the baseline network set up, and now that you have the setup, here's a couple of things that you can think about, depending on what specialization in security the reader is most interested in. So one of the examples here might be a pentesting lab. As you can tell, the top three networks here, the bridged, the management and IPS networks, don't change too terribly much, but the bottom network, the IPS2 network, I create like a little scenario, and I say we set up another firewall on this network, we have one system that has a vulnerable web app. Perhaps you would

set it up where you have to get a web shell on this box and pivot to it, and maybe capture network traffic on the web app box to get FTP creds to another server, learn how to do privilege escalation, you eventually see that you have creds to go to a Windows 7 box, and from there you dump hashes on that box and you find out that you have admin access, and you take those admin credentials and you PsExec or do whatever you need to do and you hit the domain controller. So this is a super basic example, you know, most pentesters would shred me saying this is some basic [ __ ], but, you know, it's one example on how you can

take this network and you can mold it to fit your needs. So you'll notice the Metasploitable 2 VM is gone, and I also go over, if you wanted to do something like this and add these additional VMs, here's the resource contention, or here's the resources that you're going to be looking at if you want to do it. So I talk a little bit about hardware and how it changes because you're adding more VMs, right? So that's one variation. And over here we have an NSM or malware analysis lab, which is, again, you see those three networks, not much changes on them, but on the IPS interface we don't have the Kali Linux VM, because Kali Linux VMs are for

pentesters and people who want to join Anonymous. So if we're doing malware analysis we don't need that. I have a box there that's transparent: maybe you want to set up a payload VM that you collect your samples on, and use that to transit to your analysis VMs in the lab that's on the fail-closed circuit behind the IPS. But that's about it. And then on the other hand, I have a Linux VM here that I label as a minimal Linux VM; maybe you just want to use that as your payload delivery and your payload grabbing system in order to have that distribute malware to a Linux VM that I named Forensicator.

There are guides out there on the internet for setting up a VM with both the SANS SIFT and SANS REMnux distributions on a single Ubuntu Linux box; it's real easy to have both of those distributions overlaid over an Ubuntu Linux box, and that might be an idea. You set up a Linux box with all these forensics and malware analysis tools on one side, and then on the other side you have a Windows box that's just running Windows XP or Windows 7 with, you know, no security whatsoever, maybe your favorite analysis tools, maybe nothing at all, and you execute your malware. And maybe on the IPS VM you're running tcpdump, or

you might have Suricata doing additional logging like DNS headers, HTTP headers, SSL certs, flow analysis. Suricata can do all of that stuff natively. So, again, this is just another variation, an idea, and a direction you can take the lab. And then the third idea here is, you know, this isn't just a lab for security people to take advantage of. This would be something that, if you're a sysadmin or you want to learn better system administration, you want to do configuration management, DevOps, all of that crazy stuff, you might have a box that you have running WSUS, and you might set up a small AD

domain and figure out how Group Policy works. Microsoft has, in a way, it sucks, because things like DreamSpark and TechNet subscriptions have gotten out of reach, but in another way Microsoft has become more open about offering evaluation licenses for their software, so it's not totally out of reach to set up a small Windows environment and do Group Policy experimentation. So you might set up WSUS, you might set up GPOs, you might work with other software management tools like SCCM and figure out how they work. On the opposite side, for Linux, you might work with Salt, Ansible, Chef, Puppet, all of those various

config management tools and get a better understanding of how they work. And at a moment's notice, again, if you don't want to risk any of these tools screwing around with anything on your physical network, all you got to do is turn the bridge off and it's a self-enclosed network. And again, these are directions you can take it; you don't have to take any of these suggestions. These are just like, well, I got this base network that you told me how to build, where do I go from here? These are just suggestions on how you can change this and do your variations. So, one of the reasons I decided to do this book is,

on occasion, you know, in addition to being a very prolific [ __ ]poster, I tend to dispense out advice. You know, once in a while when I'm on social media I was like, if you're new to the industry or if you wanted to get some advice, just reach out to me, and, you know, true to life, a lot of people would say, I'm interested, how can I get a hold of you? And I'll end up doing conversations over DM or email, whatever the student prefers or whatever the mentee prefers, and I'll say, what kind of a background do you have, what do you know, and where do you want

to go? And, you know, more often than not, I'd have people from a wide variety of backgrounds, like people who were in the military or sysadmins who want to transition over to security, and I would have people who are like, I'm still a student, I have no idea what I want to do, and I would try and dispense the advice to help them out. You know, OpenSecurityTraining, the guys at Cybrary next door, like, seriously, go over there and talk to them, because Cybrary is freaking awesome. Like, these are free resources that when I was learning this stuff weren't available, or weren't easily available, that you had to pay tons of

money for, and they're doing it for free. SecurityTube, for God's sake. Irongeek, what up though. But I would keep telling them, go to these different places, here's good books, here's free resources, here's resources you might have to pay for but, you know, as a student they're a bit more affordable. And I would eventually come to the point: maybe you should learn how to build your own lab as well. And they say, how do I do that? And it would always come down to: pick some sort of virtualization software, get some hardware, and do it. And now, when they say how do I build a lab or what do I do, I

could point them to that, like, go do this, and it's much easier. It's a way for me to give back to the community in a consistent manner, where, you know, most students can learn to build something complex like this. I wanted to give something back, because I came out here and, you know, the founder of this conference, [inaudible], you know, he introduced me to the hackerspace community, introduced me to conferences out here. I learned a lot of stuff when I came out here from my home state of Michigan, so I wanted to give something back to the community at large, and this is my way of doing it. I haven't charged any money for this

book. It's still a work in progress. At some point I'd like to self-publish it because, you know, just like everybody else, I like money, but, you know, if somebody said I need a copy of your book and I can't afford it, or I'm a student, I'd be like, yeah, sure, here's a copy, I don't care, I just want to help out. So that was the end goal, it's just to help students learn. Something that I also got a lot of when I was building this is, like, why don't you go into using tools from HashiCorp like Vagrant, Packer, Terraform? Why aren't you doing this in the cloud? Why aren't you doing all of these automation tools? Why

aren't you talking about CM to begin with? And, show of hands, have any of you read Zed Shaw's Learn Python the Hard Way? Okay, I see a couple of hands, not very many, but that's another great free resource for learning a scripting language, Zed Shaw's Learn Python the Hard Way. It's free and it's online, but he has this concept of learning [ __ ] the hard way and not doing it the easy way, and, pardon my French, [inaudible], you know. And the way that I look at it, and this could be flawed, is if you're using CM and you're using DevOps, you're abstracting out the

build process, you're abstracting out the part where you have to know how to size your VMs, you have to know to remove certain pieces of virtual hardware to do isolation properly. You don't get exposed to these things, it gets abstracted out. And I am a proponent of learning things the hard way and learning how to set up your lab the hard way, so that later on when you learn how to use Vagrant and you learn how to use these config management tools, you have an appreciation for what they do and you can perhaps troubleshoot them when they go up in a burst like a flaming pile and don't work. Perfect example of that is I

tried setting up Metasploitable 3 when it first came out, and Rapid7 had it up. It's like, okay, it wants me to use Vagrant and Packer, so I download them. Midway through the install script it just took a flaming pile, and I would be left with a VM that was in a half-finished state, like, I have no idea how the [ __ ] to fix this. So, again, you know, trying to do things the hard way, or trying to do this the manual method, you're going to learn more about systems administration and how these things interact and how networking works a little bit, and that

builds your foundational knowledge. And it looks really good: I've had three, four different people say I've used the AVATAR Project and I built a lab, and I said that this is what I use when I'm doing the stuff at home, and it's helped them to get jobs and it's helped them to impress their employers. So, you know, that's not me saying that, that's other people saying, I've used this and this is how I've used it and it's been a great boon in helping me to get a job. So there are some things that I learned along the way. The quickest way to learn that you know nothing is to try and write a book

and train others. You think you have such a grand understanding of how these hypervisors work and how everything comes together, and you come to find out that that's not how it works at all. So, in particular ESXi and Hyper-V, there were a couple of things that I came across that were a bit annoying, Hyper-V in particular. For both of these hypervisors you need to have MAC address spoofing on for AF_PACKET bridging to work properly, and the reason for that is that AF_PACKET makes a one-for-one copy of the packet as it goes across the bridge; it doesn't change the MAC address, so the hypervisor will say, you're

spoofing that MAC address, that's not your MAC address, [ __ ] you, I'm dropping this traffic, and you have to say, no, this is working as intended, I promise. And you have to add promiscuous mode on as well. For Hyper-V this was something that took me two weeks to troubleshoot. I tried flipping every switch, doing every other option other than the little checkbox that says turn on MAC address spoofing, and I got redirected through six different Microsoft support forums before I found the one where this guy says, take a look at this Blue Coat guide that says to turn on MAC address spoofing to do HA between two Blue Coat VMs. I was like,

you know what, [ __ ] it, I've tried everything else, let's click the checkbox and see if this works. And sure enough. I was like, oh, I'm documenting the [ __ ] out of this, because if it tripped me up it's going to trip all the other readers up who are trying to do the same thing, right? So another fun fact that isn't listed on the slide deck: don't try to run Hyper-V VMs on an exFAT partition. So if you have an SSD and you have it formatted as exFAT, it won't work. This was an obscure thing that I had to dig around for; found something on Server 2008 where

somebody said, why isn't this working on an SSD drive that I have formatted for exFAT? And they said, no, it won't work on exFAT at all, it has to be NTFS. So word to the wise, that was something else that also tripped me up. I blew up my lab one day, deleted all my VMs and rebuilt it, and it still wasn't working. I was like, why the [ __ ] isn't this working? And then I found this one obscure post out there and it's like, I'll bet you that's the problem. So, in addition to that, I hate Fusion. I hate VMware Fusion beyond any reasonable doubt. I'm also not a fan of Macs. They're Unix, I

love Unix, I love Linux systems, but, for [ __ ] sake, when you go to create a VM, like, when you're done creating the VM, it doesn't give you the option, like, what ISO do you want to boot from? You have to wait until the entire build process is done, it tries booting your VM, it says, hey, there's nothing to [ __ ] boot from. I was like, yeah, I didn't put an installer disk on there, what the hell are you doing? So you have to turn that off, and then you have to say, here's the ISO that you're going to boot from, or here's the

disc you're going to boot from to install the OS, and you had to do that every single time. Another fun thing was, I mentioned that there's a good amount of static routing and various other network trickery that I do to make sure that this is all self-contained and easy for the user to consume. Every time you turn off either VirtualBox or Fusion on a Mac environment, it deletes the network cards. So you have vboxnet1 or vboxnet-whatever or vmnet-whatever; you quit out of Fusion or VirtualBox, those interfaces are gone, and when it comes back up the interfaces come up. If you go into the network manager, you know, Network Manager in Windows, you have

virtual interfaces, they just show up there and you can bind whatever IP addresses on whatever interfaces, do what you need to do, and everything's hunky-dory. On OS X you have to, you know, use ifconfig on the command line, and I had to make scripts to help users rebuild static routes and reset the IP address on build, you know, to make it easy for them. Like, I put it in the book: don't freak out, but every time you reboot, every time you go to patch this, your interfaces are going to disappear, your IP address settings are going to be completely screwed, because this is how OS X does networking. The last

couple of things here. The HTML5 interface for ESXi, as of, like, 6.x, 6.5, is really awesome. There were a couple of bugs I ran into along the way, and those bugs, as of 6.0 Update 3 and 6.5, which are current versions, have mostly been resolved. It was a little buggy, but the HTML5 interface is awesome, because in the past, if you wanted to manage an ESXi box, you needed the Windows vSphere client or you needed their vSphere server environment, which cost money. So if you're a Linux person or you like using BSD, you can use any OS you want so long as you have a modern web browser that supports HTML5, and it's

great. The last point I have here is I do a lot of guidance on: I have a VM that's in one format, the Metasploitable 2 VM is my guinea pig, and I teach people, I have this one VM in one format, how the hell do I get it to work on this hypervisor? And PowerShell, the Microsoft Virtual Machine Converter, the current version right now is 3.0; it's a tool that can convert VMDKs to VHDX, which is the format that Microsoft uses for their virtual machines. It worked on this ancient Metasploitable 2, which is based on Ubuntu 8.04, so it's ancient, and it worked perfectly fine. Recently I was at

MACCDC on the red team, and one of my buddies gives me a VM that he built in Workstation. I was like, let's see if it works. Again, there were a couple of things that I had to edit in the VMX file, I had to delete a couple of lines, and it worked perfectly fine. There is the VMware vSphere Standalone Converter, which is another fine tool that allows you to take your VMs and upload them just fine, not a problem. So the main point was that, you know, people have questions about how do I convert this VM, I was like, don't worry, I got you covered. So that was something awesome that I

came across when I was doing this guide. So I'm going to try and do a quick demo. I'm going to keep this quick because I see the staff back there looking worried, like, oh my God, what time is it. So I'm going to make this relatively fast. Before I get started with this, I'm gonna bring up, I'm doing this on client Hyper-V, again, yeah, I'm not necessarily a Microsoft fanboy, but it's pretty awesome. As you can see here I've got five VMs: Metasploitable 2, Kali Linux, the IPS VM, pfSense, which is doing its firewalling thing, which I also teach readers how to build their networks

and do their firewalling, and then I have the SIEM VM running Splunk. So, real quick proof of concept: here's the Kali VM, we're going to ping 172.16.6.3, which is the Metasploitable 2 VM's IP address, and we're going to curl it as well. We've got 16.6.3, so they're in the same logical network but they're on different physical networks, different physical network segments, IPS1 and IPS2. They're still in the same /24, but different physical networks that the IPS VM is bridging. So, as you can see from this, I don't know how to run the sleep command. I still don't know how to run the sleep command, God damn it. Okay, so you can see that the curl

worked the curl command worked we can reach it and you can see this is the metasploitable 2 uh web interface here's um html that you got back and so from the opposite end i'm going to prove that you know you turn off the ips vm you turn it off right now and there's no way for the metasploitable 2vm at one address to be able to reach it okay apparently i don't know how to run ping either oh i forgot to put a number there my bad yep so you can see that there's no way for this thing to be able to reach out to the vm the bridge is down so again that's proving that fail close functionality

that's really awesome and offers you that isolation that you want in an environment or you may or may not want at will that's the uh one of the lynch pins or one of the unique things about the virtual lab i set up and then i just started the vm back up i started it up and i have snort running as a service and in a second or two i'll give it another one or two seconds here to let it do its boot process but wait for it let's do let's get rid of the c1 here and just let it do its thing or there we go toast unreachable now that's great and there you go it

takes a minute or two to boot up but then the bridge comes back up and they can talk to one another and that's that fail close operation that i was talking about so that was the demo in a nutshell and also as a part of the guide i say you're going to learn how to throw a series of exploits over at the metasploitable 2vm so we're going to show you that the ids rules on the vm are running and that the sim that we set up the splunk that we set up together it's getting events i ran these a little bit further in advance you know just in case of demo fail but you can see that we have a series of

snort ids events here so we can definitely tell that the ids is catching stuff on the wire and it's also logging it over to the uh to the splunk instance you know this is something that we all teach the readers how to set up so that's the environment in a nutshell that was the quick demo and uh these were just a couple of pictures that i put in in case the demo failed you know to kind of show here's events in splunk here's a [ __ ] ton of shells because it's metas available too and i just threw a hail mary at it um here's proof that the curl works um and that's more or less in a nutshell

um i have a ton of people to thank but uh we're looking like we're a little bit limited on time so um what i'd like you guys to do if you got questions or if you want to chat let's go out into the hallway so the next speaker can get set up here and i would like to thank you all for your time
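The speaker mentions scripts that rebuild static routes and reset interface addresses on a macOS host after VirtualBox or Fusion recreate their vboxnet/vmnet interfaces, but does not show them. The following is an added example, not the speaker's or the book's code: a POSIX sh script that first prints the rebuild plan and only applies it on request. The interface names, addresses and routes are constructed sample values, and the `ifconfig`/`route` argument forms assumed are macOS's.

```shell
#!/bin/sh
# Added example, not the speaker's script: re-apply host-only interface addresses and
# static routes on a macOS host after VirtualBox/Fusion recreate vboxnetN/vmnetN.
# The interface names, addresses and routes are constructed sample values.

# One entry per line: "<interface> <address> <netmask>"
LAB_IFACES="vboxnet0 172.16.6.1 255.255.255.0
vboxnet1 172.16.7.1 255.255.255.0"

# One entry per line: "<destination network> <gateway>"
LAB_ROUTES="172.16.8.0/24 172.16.6.2"

# Emit the commands without running them, one per line, so the plan can be
# reviewed (or diffed against the live config) before it touches the host.
plan_network_rebuild() {
    echo "$LAB_IFACES" | while read -r ifc addr mask; do
        [ -n "$ifc" ] || continue
        printf 'ifconfig %s inet %s netmask %s up\n' "$ifc" "$addr" "$mask"
    done
    echo "$LAB_ROUTES" | while read -r dest gw; do
        [ -n "$dest" ] || continue
        # delete first so a stale route left by the previous session cannot block the add
        printf 'route -n delete -net %s\n' "$dest"
        printf 'route -n add -net %s %s\n' "$dest" "$gw"
    done
}

# Run the plan. Interfaces the hypervisor has not recreated yet are skipped with a
# message instead of aborting, since ifconfig fails on a missing interface.
apply_network_rebuild() {
    plan_network_rebuild | while read -r cmd; do
        case "$cmd" in
            "ifconfig "*)
                ifc=$(printf '%s\n' "$cmd" | cut -d' ' -f2)
                if ! ifconfig "$ifc" >/dev/null 2>&1; then
                    echo "skipping $ifc: not present yet, start the hypervisor first" >&2
                    continue
                fi ;;
        esac
        sudo $cmd
    done
}

# usage: sh rebuild-lab-net.sh plan   (show commands)
#        sh rebuild-lab-net.sh apply  (run them)
case "${1:-}" in
    plan)  plan_network_rebuild ;;
    apply) apply_network_rebuild ;;
esac
```

Running `plan` after each hypervisor restart and comparing its output with `ifconfig`/`netstat -rn` is a quick way to see exactly which addresses and routes were dropped before re-applying them.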