1 hour 18 minutes
In this video we will complete our OSSIM server configuration.
We need to power on all of our VMs.
This might take a little bit of time depending on your system.
Headless start boots the server without user interaction.
To access the web interface, we will be using our Kali machine.
Remember, the default username and password are root and toor (T-O-O-R).
Now that we have all our VMs started, we can start working on our Kali box.
To start, we can ping
the servers to make sure we have connectivity.
That is our time server.
This is our OSSIM sensor,
and that's our web server.
Then navigate to our OSSIM server.
You might be prompted with a security exception because the server's certificate is not trusted by the browser, but you can just accept and bypass that.
Enter your full name.
Given that there's no Internet access, it really doesn't matter, because it's not going to be sending any data to AlienVault.
Log in with the credentials we just created.
AlienVault OSSIM has a Getting Started wizard.
For the server, we only have one interface. It is our management interface, so there's nothing to do here.
Next, asset discovery.
This is our gateway.
One-oh-two will be our Kali machine.
This is a Linux device.
We know this is a Linux device.
We also manually added an asset.
At this point, we have to enter our credentials for the servers.
If you have a different set of credentials, you have to enter them separately.
I use the same username and password for both my server and sensor.
This deploys a Linux HIDS agent,
which can detect security events
locally on a machine and send them back to AlienVault.
Once that's complete, we can hit Next.
We're skipping this step.
Ordinarily, if you're installing this in any kind of production environment or real use case, you're going to want to sign up for OTX.
OTX is AlienVault's Open Threat Exchange.
It's a community resource
where multiple vendors and community members post IOCs that AlienVault will actively scan for.
Since this is a lab environment and we don't have Internet access, we're going to skip this step
and hit Finish,
then Explore AlienVault OSSIM.
Welcome to the AlienVault OSSIM web interface.
If you're an analyst, this is where you do most of your work.
But for now, we have some more administrative tasks to do.
We go to Configuration,
then Deployment.
Here we insert our OSSIM sensor,
entering that sensor's password.
Keep in mind, if this is different on the system you're on, you enter the password of the sensor and not the server.
Given the system requirements of OSSIM and that we're in a test lab environment,
this will be much slower than it would be in a normal production environment.
Okay. Now we have our sensor linked to our server. We can continue.
Go back to the AlienVault Center.
Our next objective is to make sure our network intrusion detection system is running.
It may take some time to retrieve data from the sensor.
Now that the data has returned, we can click into System Detail.
We're going to go to Sensor Configuration.
This might also take a bit of time.
Next we click Detection.
We can see that eth1 is our listening interface,
which we set
in our server configuration.
We can see here that the AlienVault NIDS is up and running.
Beautiful. AlienVault uses Suricata as its intrusion detection system,
and a lot of Suricata rules rely on external and internal IP addressing.
Given that this lab is entirely internally addressed, we're going to have to allow AlienVault to recognize internal addresses as external addresses.
To start with our tests, we can go to Configuration
and then Directives.
Correlation directives are a set of rules
that AlienVault uses to analyze logs.
For example, if we search for "nikto",
we can see a "Nikto web vulnerability assessment tool usage" directive.
Nikto is a web vulnerability scanner.
If you look in the rule,
we see From and To:
!HOME_NET and HOME_NET.
Exclamation point HOME_NET is another way to say "not HOME_NET".
We have to edit this to say from HOME_NET to HOME_NET.
To do this,
we can clone this directive to User.
This will disable the AlienVault policy and create our own custom one.
Hit the plus sign to edit.
As you can see here, when making specific custom rules, you can select specific hosts.
For our case we're going to click HOME_NET.
You can see that the exclamation point is gone.
We can reload the directives.
And that's step one to get NIDS working.
Next we have to go into our OSSIM sensor.
We're using an all-in-one solution, the OSSIM server.
Make this window bigger for ease of viewing.
We have to jailbreak into the system.
To start, we can go into our Suricata directory.
Now we can edit our Suricata YAML file.
To do that, open
suricata.yaml.
We have to find our EXTERNAL_NET variable.
You can hit Ctrl+W to search.
Search for EXTERNAL_NET.
Here we can see all the variables that our Suricata installation takes advantage of.
Instead of !$HOME_NET for EXTERNAL_NET,
we change it to any.
This helps Suricata recognize more threats than just external-to-internal traffic or internal-to-external.
In the scenario where someone breaches your network and is moving internally,
you have a chance of missing some alarms that you would ordinarily see.
I recommend setting EXTERNAL_NET to any.
Keep in mind that this will create a lot of false positives within your network that you'll have to tune out later.
Given that this is a test environment, it shouldn't be a problem.
Now that the file is saved, we restart our Suricata process,
stopping and starting the service.
Now that's done.
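The EXTERNAL_NET change above, done from a script instead of by hand in nano, as an added shell example that is not part of the video. It backs up the file, rewrites only the EXTERNAL_NET line to "any" (HOME_NET and the other variables are left alone), and reads the value back to confirm. The path /etc/suricata/suricata.yaml is an assumption about the OSSIM box; the script itself runs against a constructed stand-in for the vars section in a temp file, so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the video: flip Suricata's EXTERNAL_NET from the
# default "!$HOME_NET" to "any" with a backup, and read the value back.
# Assumption (hypothetical for this lab): on the OSSIM box the file is
# /etc/suricata/suricata.yaml; here we work on a constructed copy in a temp file.

# Write a constructed stand-in for the 'vars' section of suricata.yaml.
make_sample_yaml() {
  cat > "$1" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
EOF
}

# Print the current EXTERNAL_NET value (surrounding quotes stripped).
get_external_net() {
  sed -n 's/^[[:space:]]*EXTERNAL_NET:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1"
}

# Back up the file, then rewrite only the EXTERNAL_NET line to "any".
# Written via a temp file and mv so it works with both GNU and BSD sed.
set_external_net_any() {
  cp "$1" "$1.bak" || return 1
  sed 's/^\([[:space:]]*EXTERNAL_NET:[[:space:]]*\).*$/\1"any"/' "$1" > "$1.new" \
    && mv "$1.new" "$1"
}

# Return 0 only if EXTERNAL_NET is now "any" and HOME_NET still has its list.
verify_change() {
  [ "$(get_external_net "$1")" = "any" ] && grep -q '^[[:space:]]*HOME_NET: *"\[' "$1"
}

# Stand-alone run on a temp file. On the real box you would point these at
# /etc/suricata/suricata.yaml and then restart the service as the video does.
f=$(mktemp)
make_sample_yaml "$f"
echo "before: $(get_external_net "$f")"
set_external_net_any "$f"
echo "after:  $(get_external_net "$f")"
verify_change "$f" && echo "EXTERNAL_NET updated, backup at $f.bak"
rm -f "$f" "$f.bak"
```

Before restarting on a real sensor, validate the edited file with `suricata -T -c /etc/suricata/suricata.yaml` so a YAML typo does not leave the NIDS down; the backup lets you roll back if it does. As the video notes, "any" makes $EXTERNAL_NET -> $HOME_NET rules fire on host-to-host traffic inside the lab, which is what we want here but will need tuning in a production network.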
Go back to our Kali machine.
Open the Alarms tab,
which at the moment is empty.
We're going to change that.
Open up a terminal.
By default, Kali has many penetration testing tools installed.
One of these tools is Nikto.
To scan our web server,
type nikto -h
and then the IP address of our Ubuntu web server.
At this prompt you can hit No.
Our scan is complete.
You can see right here
that we have one unresolved alarm.
If it doesn't pop up immediately, you can reload the page.
And here we can see our alarm.
This confirms that our network intrusion detection system is running properly.
From our Kali box, we ran a web application vulnerability scanner on our Ubuntu web server.
This traffic was picked up by the NIDS interface
on our OSSIM sensor.
You can go into the alarm and see the exact event.
We see our Nikto user agent.
At this point, our OSSIM server and its OSSIM sensor are fully configured.