Splunk BOTS — Setup

Michael Haag
Mar 14 · 3 min read

A while back, I tweeted how to setup BOTS on DigitalOcean, but I never blogged it for easier access. Let’s get started.

For $10 (or $5) on DigitalOcean, you can setup a simple Ubuntu instance with Splunk and BOTS (Boss of the SOC) v2 dataset OR BOTSv3 dataset.

Head over to DigitalOcean — http://digitalocean.com
Or use my referral link — m.do.co/c/e6e69f709f5f

Create your account, or login.

Now, make your first droplet -

Droplet choices

If you just want to build it and performance is not a big issue, the $5 instance is perfect. If you want to ensure things perform decently, go with the $10 instance. Of course, the more you throw at it, the better.

From there, nothing else is needed. Pick a location near you, setup SSH keys, name it and tag it. Create that Droplet!

If you have never setup SSH keys, DigitalOcean has a good setup guide. In brief:

ssh-keygen

You will be prompted to save and name the key.

Generating public/private rsa key pair. Enter file in which to save the key (/Users/USER/.ssh/id_rsa):

Next you will be asked to create and confirm a passphrase for the key (highly recommended):

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will generate two files, by default called id_rsa and id_rsa.pub. Next, add this public key.

Copy and paste the contents of the .pub file, typically id_rsa.pub, into the SSH key content field on the left.

cat ~/.ssh/id_rsa.pub

Now the Droplet is ready!

You can see here that there are quite a few other options; I’ll leave it to the reader to decide which other items you want.

ssh -i .ssh/id_rsa ubuntu@134.122.30.24

Install Splunk

Now that you have a shell, it’s time to build.

Install Splunk Method 1 — DetectionLab

Original Script here from Detectionlab

I went ahead and modified bootstrap.sh to install Splunk only with the BOTSv2 and v3 Dataset. The modified Splunk Only install script is here:

https://gist.github.com/MHaggis/f1e60c1f1d5c8dbeaa29b27f614e8486

V3:

And that’s it!

Hit the URL and login:

admin/changeme

https://134.122.30.24:8000

Install Splunk Method 2 — Manually

Download Splunk by the usual means: log in or create an account, then download via wget (copy and paste the wget command into the DO Droplet shell).

For the .deb:

dpkg -i /opt/splunk*.deb
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme

For the .tgz:

tar zxvf /opt/splunk*.tgz
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme

Time to download BOTS:
https://github.com/splunk/botsv2
or
https://github.com/splunk/botsv3

wget --progress=bar:force -P /opt/ https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz
tar zxvf /opt/botsv2_data_set_attack_only.tgz -C /opt/splunk/etc/apps/

From here, you can install each app manually via SplunkBase, or download them all at once, upload them to the Droplet and extract them into /opt/splunk/etc/apps.

Apps:

https://github.com/splunk/botsv2#required-software

Restart Splunk

/opt/splunk/bin/splunk restart
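The manual steps above, wrapped into reusable functions as an added example (this is not the author's script). It assumes the Splunk .tgz is already in /opt, that the admin seed password comes from a BOTS_ADMIN_PW variable instead of the well-known changeme, and that the BOTSv3 archive URL is a placeholder you fill in from the botsv3 README (only the botsv2 URL is from the post); the function names are my own.

```shell
#!/usr/bin/env bash
# Added example wrapping "Install Splunk Method 2". Functions are hypothetical
# names chosen for this example, not part of Splunk or the BOTS project.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# URL of the attack-only dataset for a BOTS version (v2 from the post, v3 a placeholder).
bots_url() {
  case "$1" in
    v2) echo "https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz" ;;
    v3) echo "PLACEHOLDER_BOTSV3_URL" ;;   # take the real link from the botsv3 README
    *)  echo "unknown BOTS version: $1" >&2; return 1 ;;
  esac
}

# Build the first-start command. The seed password is a parameter so the
# instance is never left on a public IP with the default admin/changeme.
splunk_start_cmd() {
  printf '%s/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd %q\n' \
    "$SPLUNK_HOME" "$1"
}

# Extract a BOTS archive into the apps directory and print the top-level
# app directory name(s) it contained, so the caller can sanity-check the result.
install_bots_archive() {
  archive="$1"; apps="$2"
  mkdir -p "$apps"
  tar zxf "$archive" -C "$apps"
  tar tzf "$archive" | cut -d/ -f1 | sort -u
}

# End-to-end run (network and root required), e.g.:
#   BOTS_ADMIN_PW='pick-a-strong-one' ./setup.sh v2 --run
main() {
  ver="$1"; pw="$2"
  tar zxvf /opt/splunk*.tgz -C /opt                       # .tgz already downloaded to /opt
  eval "$(splunk_start_cmd "$pw")"
  wget --progress=bar:force -P /opt/ "$(bots_url "$ver")"
  install_bots_archive "/opt/$(basename "$(bots_url "$ver")")" "$SPLUNK_HOME/etc/apps"
  "$SPLUNK_HOME/bin/splunk" restart
}

if [ "${2:-}" = "--run" ]; then
  main "$1" "${BOTS_ADMIN_PW:?set BOTS_ADMIN_PW to the admin seed password}"
fi
```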

And that’s it!

Hit the URL and login:

admin/changeme

https://134.122.30.24:8000

Where’s BOTS?

Start here:

index="botsv2"

Set the time range picker to All time.

The rest of the sourcetypes are listed here:
https://github.com/splunk/botsv2#data-sourcetypes-included

Enjoy!

I hope you found this useful! If you did, feel free to use my DO referral code or buy me a coffee https://ko-fi.com/m_haggis.

I’ll work to keep content fresh! Lots of fun stuff inbound.
