moloch
네트워크에 트래픽을 모아서 정확한 내용을 볼수 있는 프로그램으로 molo.ch라는 오픈소스가 있다.
설치해서 확인해보자. centos 7을 사용햇다.
moloch이 자동으로 interface의 내용을 캡쳐를해서 저장한다.
router에서 port mirroring을 해서 서버로 보낸다.
conf term
monitor session 1 source interface GigabitEthernet 3/2 rx
monitor session 1 destination interface GigabitEthernet 1/48
show monitor
이제 이 라우터에 1/48번 포트와 서버의 nic에 (em2) 케이블을 연결한다. 주로 업링크에서 오는 포트를 미러링한다.
server에서는 받을 준비를 한다.
vim /etc/sysconfig/network-scripts/ifcfg-em2
PROMISC=yes
네트워크 재시작 하면된다.
이걸 안하면 다음 에러가 /var/log/messages에서 반복된다.
Aug 28 23:42:15 nms03 kernel: device em2 entered promiscuous mode
Aug 28 23:42:16 nms03 kernel: device em2 left promiscuous mode
elastic search
moloch는 elastic search를 사용한다. 설치해보자.
java install
yum update -y
yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
cat <<EOF | sudo tee /etc/profile.d/java8.sh
export JAVA_HOME=/usr/lib/jvm/jre-openjdk
export PATH=\$PATH:\$JAVA_HOME/bin
export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
EOF
source /etc/profile.d/java8.sh
cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
yum clean all
yum makecache
install elastic search
yum -y install elasticsearch-oss
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
systemctl status elasticsearch.service
확인해보자.
curl http://127.0.0.1:9200
molo.ch
dependency 설치
yum install perl-JSON -y
yum install libyaml-devel -y
yum install perl-LWP-Protocol-https -y
moloch 설치
wget https://s3.amazonaws.com/files.molo.ch/builds/centos-7/moloch-2.4.0-1.x86_64.rpm
rpm -i moloch-2.4.0-1.x86_64.rpm
moloch configure
/data/moloch/bin/Configure
- 캡쳐를 원하는 Interface를 선택하고
- elastic search는 설치가 되었으므로 no를 선택하고 나머지는 디폴트로 설치한다.
Found interfaces: docker0;em1;em2;lo;virbr0
Semicolon ';' seperated list of interfaces to monitor [eth1] em1
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things [no-default] S2S
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes]
Moloch - Downloading GEO files
2020-08-26 17:09:22 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23322/23322] -> "ipv4-address-space.csv" [1]
2020-08-26 17:09:23 URL:https://raw.githubusercontent.com/wireshark/wireshark/master/manuf [1741550/1741550] -> "oui.txt" [1]
Received an unexpected HTTP status code of 401 from https://updates.maxmind.com/app/update_secure?db_md5=00000000000000000000000000000000&challenge_md5=44dcefaeb678437c3b0d0cb4f0d44c20&user_id=0&edition_id=GeoLite2-Country:
Invalid account ID
Moloch - Configured - Now continue with step 4 in /data/moloch/README.txt
/sbin/start elasticsearch # for upstart/Centos 6/Ubuntu 14.04
systemctl start elasticsearch.service # for systemd/Centos 7/Ubuntu 16.04
5) Initialize/Upgrade Elasticsearch Moloch configuration
a) If this is the first install, or want to delete all data
/data/moloch/db/db.pl http://ESHOST:9200 init
b) If this is an update to moloch package
/data/moloch/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
/data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):
/sbin/start molochcapture
/sbin/start molochviewer
b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04)
systemctl start molochcapture.service
systemctl start molochviewer.service
8) Look at log files for errors
/data/moloch/logs/viewer.log
/data/moloch/logs/capture.log
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
user: admin
password: THEPASSWORD from step #6
If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://molo.ch/faq#maxmind
Any configuration changes can be made to /data/moloch/etc/config.ini
See https://molo.ch/faq#moloch-is-not-working for issues
Additional information can be found at:
* https://molo.ch/faq
* https://molo.ch/settings
설치가 되고 나면 초기화를 하자.
/data/moloch/db/db.pl http://localhost:9200 init
웹사이트 비번을 설치하자.
/data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
service start
systemctl restart molochcapture.service
systemctl restart molochviewer.service
cd /data/moloch/logs/
ls
결과 확인
http://localhost:8005 으로 확인하면 비번을 넣고 보면 패킷이 분석되는것을 볼수가 있다.
자꾸 캡쳐가 죽는 경우가 있다.
/usr/sbin/ethtool -K em2 tx-tcp6-segmentation off
/usr/sbin/ethtool -K em2 tx-tcp-segmentation off
/usr/sbin/ethtool -K em2 tx-tcp-ecn-segmentation off
/usr/sbin/ethtool -K em2 tx-scatter-gather off
/usr/sbin/ethtool -K em2 scatter-gather off
/usr/sbin/ethtool -K em2 generic-segmentation-ffload off
/usr/sbin/ethtool -K em2 generic-segmentation-offload off
/usr/sbin/ethtool -K em2 tx-checksum-ipv6 off
/usr/sbin/ethtool -K em2 tx-checksum-ipv4 off
/usr/sbin/ethtool -K em2 tx-checksumming off
이커맨드를 실행하면 필요없는 내용들은 전부 캡쳐를 안해서 크래스 날 확율이 줄어든다.
em2는 본인에게 맞는걸로 변경
재부팅시 적용이 안되므로
vi /etc/rc.d/rc.local
/usr/sbin/ethtool -K em2 tx-tcp6-segmentation off
/usr/sbin/ethtool -K em2 tx-tcp-segmentation off
/usr/sbin/ethtool -K em2 tx-tcp-ecn-segmentation off
/usr/sbin/ethtool -K em2 tx-scatter-gather off
/usr/sbin/ethtool -K em2 scatter-gather off
/usr/sbin/ethtool -K em2 generic-segmentation-ffload off
/usr/sbin/ethtool -K em2 generic-segmentation-offload off
/usr/sbin/ethtool -K em2 tx-checksum-ipv6 off
/usr/sbin/ethtool -K em2 tx-checksum-ipv4 off
/usr/sbin/ethtool -K em2 tx-checksumming off
에 추가하면 재부팅시에도 사용할수 있다.