Time
1 hour 18 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Hello and welcome to our final configuration video.
00:05
Our goal for this video is to enable syslog forwarding on our web server.
00:10
To start,
00:11
let's go into our web server
00:16
and again
00:28
we'll be going to /etc/
00:31
rsyslog.d.
00:35
I will be editing the 50-default.conf file,
00:50
going down to the very bottom. We can edit the little comment.
01:04
The first piece.
01:10
This *.* is just so it grabs all the logs regardless of file name or file extension.
01:17
Next, we point where we want rsyslog to send the logs to.
01:26
In my case, I'll be sending them directly to the OSSIM server
01:32
over port 514,
01:34
which is usually reserved for syslog.
01:40
Ctrl+X,
01:41
Y, and Enter to save the file.
01:52
We can do a quick tail to make sure the file was saved.
01:57
Once we've confirmed the file is saved, we have to restart the service.
02:06
It will ask you for your admin credentials.
02:09
The service has been restarted.
02:14
To confirm this activity, we can go into our OSSIM server,
02:23
jailbreak.
02:27
We will be using a program called tcpdump.
02:30
tcpdump allows us to monitor a network interface and a certain port for traffic.
02:39
Our interface on our server is eth0.
02:43
tcpdump
02:45
-i eth0
02:50
-n
02:51
src
02:53
followed by the IP
02:54
of our web server
02:59
and port 514.
03:07
You can see "Got 0".
03:09
This means that the OSSIM server has not received any logs yet.
03:15
We can help this along.
03:16
To get some logs going, we can go into our Kali machine,
03:22
open up a terminal
03:30
and create some SSH failed login alerts.
03:46
Okay,
03:49
Going back to our server,
03:51
we can see "Got 66".
03:54
For a live example,
03:57
go back to our web server.
04:00
Log on with the wrong password.
04:12
As you can see, the value increases
04:15
as the web server creates the log and sends it over.
04:27
Perfect.
04:33
It should also have created some alarms.
04:45
Going to the alarms, we can see some
04:46
SSH brute force activity sourcing from our Kali machine.
04:59
We can see all our failed passwords.
05:04
Going into the event specifically,
05:08
you can see the web server is the origin of this log.
05:18
This concludes our video on how to forward logs over syslog to our OSSIM server.

Up Next

AlienVault OSSIM

This course will use AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM is used to aggregate logs from all sources in a network, analyze the logs through a correlation engine, and generate alarms on malicious indicators and activity.

Instructed By

Anthony Isherwood
Instructor