Moloch FPC

Moloch is an open source project providing full packet capture. It's been around for a while now and has matured to the point where deployment is simple and it pretty much manages itself. Moloch has an amazingly good UI and search is powered by the hugely capable Elasticsearch.
In this post I'm going to run through the installation and configuration on a CentOS 7 VM using the Moloch 0.18.2 RPM available here


Requirements

For a small lab environment such as I have a VM based solution will work just fine. Moloch will scale; more information can be found on the Readme and in the FAQ. I use a SPAN port on a Cisco switch that sends traffic into a virtual switch on VMware allowing any VM Guest with an interface on that vswitch to sniff traffic. I created a VM Guest with the following specification:
  • CentOS 7 minimal install
  • 8 Cores
  • 400GB Disk 1
  • 100GB Disk 2
  • 12GB Ram
  • 2 NICs

Build

First I installed CentOS on a 50GB logical volume and then created a second logical volume of 350GB mounted on /data. Next, I created another logical volume from the second drive and mounted that on /var/lib/elasticsearch ready to store all the indexes related to the packet captures.

Disk layout

Once the disks are sorted, the next task is to install Java. The easiest way is to download the latest the Server JRE from Oracle. The one I used for this build was server-jre-8u131-linux-x64.tar.gz. To install and configure follow these few simple steps.
  1. Download the file and copy over to the target machine
  2. Create a directory to store the Server JRE
    • mkdir /usr/java
  3. Untar and uncompress in the directory created above
    • tar zxvf server-jre-8u131-linux-x64.tar.gz
  4. Add the following lines to the /etc/environment file
    • export JAVA_HOME=/usr/java/jdk1.8.0_131
    • export JRE_HOME=/usr/java/jdk1.8.0_131/jre
  5. Add a java.sh file to the /etc/profile.d directory with following in it
    • export PATH=$PATH:/usr/java/jdk1.8.0_131/bin:/usr/java/jdk1.8.0_131/jre/bin

Once Java is installed it's time to install the Elasticsearch RPM. The recommended one for Moloch 0.18.2 release is Elasticsearch 5.2.2. Follow these steps to install Elasticsearch
  1. Edit the /etc/security/limits.conf file and add the following lines 
  2. Reboot the server for the changes to take effect.
  3. Install the Elasticsearch rpm using yum
    • yum install elasticsearch-5.2.2.rpm
Once the Elasticsearch RPM is installed a few settings need to be tweaked before starting the service. At a minimum edit the /etc/elasticsearch/elasticsearch.yml and set a node name and a cluster name. There are potentially other settings that might need changing, check out the installation instructions. For this install I decided I didn't need any other changes except to configure the /etc/elasticsearch/jvm.options file.
  1. Adjust the amount of RAM allocated to JAVA.
  2. Add the -XX:+UseCompressedOops to the jvm.options file.
Edit the JAVA_HOME in the file /etc/sysconfig/elasticsearch

Start the service
  • systemctl start elasticsearch
Next, install 'wget' as this is used by the configure script to download the the latest GeoIP and RIR data files:
  • yum install wget
I used the most recent stable release of Moloch for CentOS 7 (0.18.2 at the time of writing) Download from here
  • yum install moloch-0.18.2-1.x86_64.rpm
Run the Moloch configure utility to setup some initial configuration.
  • /data/moloch/bin/Configure

/data/moloch/bin/Configure
Interface to monitor: eno33557248
Password to encrypt S2S and other things [no-default]: ************

Follow the rest of the steps to to initialise the Elasticsearch and create the first admin user
Initialise Elasticsearch with the following command:
  • /data/moloch/db/db.pl http://localhost:9200 init
Add an initial admin user account (more users can be added later via the web UI):
  • /data/moloch/bin/moloch_add_user.sh admin "Admin User" ********* --admin
Adjust the retention period for the daily cleanup of Elasticsearch:
  • vi /data/moloch/db/daily.sh

Schedule the daily.sh script to run during quiet hours using cron.
  • crontab -e

If you want to change the percentage of disk space that should be available before PCAP files are deleted edit the /data/moloch/etc/config.ini file and set the value you want. The default is 5% and seems to work well for me.
Add a firewall rule to allow remote access to Moloch on 8005 port.
  • firewall-cmd --zone=public --add-port=8005/tcp
  • firewall-cmd --zone=public --permanent --add-port=8005/tcp
Start the Moloch capture and the viewer
  • systemctl start molochcapture.service
  • systemctl start molochviewer.service
Hopefully you can point your browser to the hostname used for installation, which in my case is http://moloch:8005. If everything started OK login to Moloch and start exploring the user interface.

Comments

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Hom...
Read more

Squid Proxy with SOF-ELK Part 2 Analysis

Image
Firstly, I’m happy to report that I received a SANS SEC530 Red Challenge Coin for submitting a blog post that builds upon the SEC530 course subject matter for Squid Proxy with SOF-ELK Part 1 . Thank you very much  Justin Henderson and Ismael Valenzuela for the coin. Analysis In this post I wanted to go a little deeper into how to analyse Squid logs collected in SOF-ELK and develop some potential security use cases.  In Part 1 we configured Squid to use OpenDNS Home edition to block access to sites that were undesirable such as Gambling site and sites known to serve Malware. We also configured Kibana to show meaningful block codes rather than just the IP address that OpenDNS redirected them to when a user visited a blocked site. From the users perspective they will see a blocked message from OpenDNS like this: On SOF-ELK we can see the details of the block browsing as shown here: We can use the block type to create a visualisation to examine which type of block is prevalent ...
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv...
Read more