Splunk BOTS — Setup

Michael Haag
Mar 14, 2020

A while back, I tweeted how to set up BOTS on DigitalOcean, but I never blogged it for easier access. Let’s get started.

For $10 (or $5) on DigitalOcean, you can set up a simple Ubuntu instance running Splunk with either the BOTS (Boss of the SOC) v2 dataset or the BOTSv3 dataset.

Head over to DigitalOcean — http://digitalocean.com
Or use my referral link — m.do.co/c/e6e69f709f5f

Create your account, or login.

Now, make your first Droplet:

Droplet choices

If you just want to build it and performance is not a big issue, the $5 instance is perfect. If you want things to perform decently, go with the $10 instance. Of course, the more you throw at it, the better.

From there, nothing else is needed. Pick a location near you, set up SSH keys, name it and tag it. Create that Droplet!

If you have never set up SSH keys, DigitalOcean has a good setup guide. In brief:

ssh-keygen

You will be prompted for a file name to save the key under:

Generating public/private rsa key pair. Enter file in which to save the key (/Users/USER/.ssh/id_rsa):

Next you will be asked to create and confirm a passphrase for the key (highly recommended):

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will generate two files, by default called id_rsa (the private key, which never leaves your machine) and id_rsa.pub. Next, add the public key to the Droplet.

Copy and paste the contents of the .pub file, typically id_rsa.pub, into the SSH key content field on the left:

cat ~/.ssh/id_rsa.pub

Now the Droplet is ready!

You can see there are quite a few other options here; I’ll leave it to the reader to decide which other items you want.

ssh -i ~/.ssh/id_rsa ubuntu@134.122.30.24

Install Splunk

Now that you have a shell, it’s time to build.

Install Splunk Method 1 — DetectionLab

The original bootstrap.sh script comes from DetectionLab.

I went ahead and modified bootstrap.sh to install Splunk only, with the BOTSv2 and BOTSv3 datasets. The modified Splunk-only install script is here:

https://gist.github.com/MHaggis/f1e60c1f1d5c8dbeaa29b27f614e8486

V3:

And that’s it!

Browse to Splunk Web on the Droplet’s public IP and log in with the seeded credentials:

https://134.122.30.24:8000

admin/changeme

Port 8000 on a Droplet is reachable from the whole internet, so change that password before doing anything else.

Install Splunk Method 2 — Manually

Download Splunk the normal way: log in to or create a splunk.com account, copy the wget command for the .deb or .tgz, and paste it into the Droplet shell. Save the package under /opt so the paths below match.

For the .deb:

dpkg -i /opt/splunk*.deb
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme

For the .tgz (the -C /opt is what puts the tree at /opt/splunk):

tar zxvf /opt/splunk*.tgz -C /opt
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme

On a host with a public IP, pick something stronger than changeme for --seed-passwd.

Time to download BOTS:
https://github.com/splunk/botsv2
or
https://github.com/splunk/botsv3

wget --progress=bar:force -P /opt/ https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz
tar zxvf /opt/botsv2_data_set_attack_only.tgz -C /opt/splunk/etc/apps/

From here, install each required app manually from Splunkbase, or download them all at once, upload the archive to the Droplet, and extract it into /opt/splunk/etc/apps.

Apps:

https://github.com/splunk/botsv2#required-software

Restart Splunk

/opt/splunk/bin/splunk restart

And that’s it!

Browse to Splunk Web and log in with the password you seeded (admin/changeme if you kept the command above), then change it:

https://134.122.30.24:8000

Where’s BOTS?

Start here:

index="botsv2"

Set the time picker to All time: the BOTSv2 events are from 2017 and fall outside the default search window, so a search over the last 24 hours looks empty. For BOTSv3, use index="botsv3".

The rest of the sourcetypes are listed here:
https://github.com/splunk/botsv2#data-sourcetypes-included
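Putting the manual method and the final search together, here is an added example script that is not the post’s gist or DetectionLab’s bootstrap.sh. It assumes a fresh Ubuntu Droplet, a root shell, and that the Splunk .deb or .tgz has already been saved to /opt with the wget line from splunk.com. The v2 URL is the one above; the v3 URL is taken from memory of the botsv3 README and should be checked there. The indexes.conf sanity check, and the SPLUNK_PASS and ADMIN_IP knobs, are my additions, not anything the page or the datasets define.

```bash
#!/usr/bin/env bash
# Added example (not the post's or DetectionLab's script): Splunk + one BOTS dataset
# on a fresh Ubuntu Droplet, as root. Assumes the Splunk .deb or .tgz has already
# been saved to /opt with the wget line from splunk.com.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APPS_DIR="$SPLUNK_HOME/etc/apps"

# Dataset archive per version. The v2 URL is the one in the post; the v3 URL is
# assumed from the botsv3 README and should be checked there before use.
bots_dataset_url() {
  case "$1" in
    v2) echo "https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz" ;;
    v3) echo "https://s3.amazonaws.com/botsdataset/botsv3/botsv3_data_set.tgz" ;;
    *)  echo "unknown BOTS version '$1' (use v2 or v3)" >&2; return 1 ;;
  esac
}

# Index the dataset lands in: the post searches index="botsv2"; v3 is botsv3.
bots_index_name() { echo "bots$1"; }

# A pre-indexed dataset app has to declare its index in an indexes.conf; if no
# stanza is found, the search at the end of the post returns nothing. (Assumption
# about the archive layout: default/ or local/ inside the extracted app.)
index_defined() {
  grep -q "^\[$2\]" "$1"/*/default/indexes.conf "$1"/*/local/indexes.conf 2>/dev/null
}

# Install whichever package is present. The .tgz must be extracted with -C so the
# tree lands at $SPLUNK_HOME rather than in the current directory.
install_splunk_package() {
  local pkg_dir="${1:-/opt}"
  if ls "$pkg_dir"/splunk*.deb >/dev/null 2>&1; then
    dpkg -i "$pkg_dir"/splunk*.deb
  elif ls "$pkg_dir"/splunk*.tgz >/dev/null 2>&1; then
    tar xzf "$pkg_dir"/splunk*.tgz -C "$(dirname "$SPLUNK_HOME")"
  else
    echo "no splunk*.deb or splunk*.tgz found in $pkg_dir" >&2; return 1
  fi
}

# Download (once) and unpack the dataset straight into etc/apps, then sanity-check it.
fetch_bots() {
  local version="$1" url archive index
  url="$(bots_dataset_url "$version")"
  archive="/opt/$(basename "$url")"
  [ -f "$archive" ] || wget --progress=bar:force -O "$archive" "$url"
  tar xzf "$archive" -C "$APPS_DIR"
  index="$(bots_index_name "$version")"
  index_defined "$APPS_DIR" "$index" \
    || echo "warning: no [$index] stanza in any indexes.conf under $APPS_DIR" >&2
}

# Splunk Web (8000) on a Droplet faces the whole internet. When ADMIN_IP is set
# (hypothetical knob), allow it only from that address with ufw, keeping SSH open.
restrict_web() {
  [ -n "${ADMIN_IP:-}" ] || return 0
  ufw allow OpenSSH
  ufw allow from "$ADMIN_IP" to any port 8000 proto tcp
  ufw --force enable
}

main() {
  local version="${1:?usage: $0 v2|v3}" pass
  pass="${SPLUNK_PASS:-$(openssl rand -base64 18)}"   # never seed 'changeme' on a public host
  install_splunk_package /opt
  fetch_bots "$version"
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt --seed-passwd "$pass"
  restrict_web
  # earliest=0 is "All time": the BOTS events are years old and sit outside the
  # default search window, so a plain index= search looks empty.
  "$SPLUNK_HOME/bin/splunk" search \
    "index=$(bots_index_name "$version") earliest=0 | stats count by sourcetype" -auth "admin:$pass"
  echo "Splunk Web: https://$(hostname -I | awk '{print $1}'):8000   login admin / $pass"
}

# Run only when a version is given, so the functions can also be sourced and tested.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sudo ADMIN_IP=203.0.113.7 bash bots_setup.sh v2` (v3 for the other dataset); the generated admin password is printed once at the end. The final `splunk search` doubles as the smoke test: a non-empty count-by-sourcetype table means the index was picked up, and an empty one usually means the time range, not the install.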

Enjoy!

I hope you found this useful! If you did, feel free to use my DO referral code or buy me a coffee https://ko-fi.com/m_haggis.

I’ll work to keep content fresh! Lots of fun stuff inbound.
