@nockstarr
Created March 22, 2020 16:33
Install moloch

Install and setup Moloch (Ubuntu 18)

Make sure the system time is correct; if not, reconfigure the timezone:
sudo dpkg-reconfigure tzdata

1. Install elasticsearch 7.x

https://computingforgeeks.com/install-elasticsearch-on-ubuntu/

sudo apt update
sudo apt -y upgrade
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt -y install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt -y install elasticsearch

# Enable and start ES
sudo systemctl enable elasticsearch.service && sudo systemctl restart elasticsearch.service

2. Download and install Moloch

https://www.pwnthebox.net/moloch/2019/05/22/installing-moloch.html

wget https://files.molo.ch/builds/ubuntu-18.04/moloch_2.2.3-1_amd64.deb
sudo dpkg -i moloch_2.2.3-1_amd64.deb
sudo apt -f install

3. Configuration

Make sure the monitor interface is up

ip a
ip link set dev <iface> up

Run the Moloch Configure script (it asks for the capture interface, Elasticsearch URL and passwords, and writes /data/moloch/etc/config.ini)

cd /data/moloch/bin
sudo ./Configure

Add admin user
/data/moloch/bin/moloch_add_user.sh admin "Admin User" qwerty1234 --admin

# Init ES
sudo /data/moloch/db/db.pl http://localhost:9200 init

# start molochviewer
sudo service molochviewer start
sudo service molochviewer status


# Exclude traffic from capture (optional)
# Edit config.ini
sudo nano /data/moloch/etc/config.ini
# Uncomment bpf and write your filter
bpf=not host 192.168.1.5 and not host 192.168.1.4 and not host 192.168.1.18 and not host 192.168.1.16
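
The bpf line above is typed by hand, so a typo (a stray character, a half-written address) silently ends up in the capture filter. The following is an added example, not part of the gist or of Moloch itself: it builds the exclude filter from a list of addresses or networks, rejecting anything that is not a valid IP, and rewrites the bpf= line in a config.ini-style text. The SAMPLE_CONFIG below is a constructed stand-in for the real /data/moloch/etc/config.ini, which contains many more keys.

```python
import ipaddress
import re

# Constructed sample of the relevant lines of /data/moloch/etc/config.ini.
# The real file written by ./Configure has many more keys; only the bpf
# line matters here.
SAMPLE_CONFIG = """[default]
elasticsearch=http://localhost:9200
interface=ens19
# bpf=not port 9200
pcapDir=/data/moloch/raw
"""


def build_exclude_filter(hosts):
    """Return a BPF expression that excludes every entry in `hosts`,
    e.g. 'not host 192.168.1.5 and not host 192.168.1.4'.

    Each entry must parse as an IPv4/IPv6 address or CIDR network;
    anything else raises ValueError instead of being written into the
    capture filter. Networks become 'not net a.b.c.d/len'.
    """
    clauses = []
    for h in hosts:
        net = ipaddress.ip_network(h, strict=False)  # raises ValueError on junk
        if net.num_addresses == 1:
            clauses.append(f"not host {net.network_address}")
        else:
            clauses.append(f"not net {net.with_prefixlen}")
    if not clauses:
        raise ValueError("no hosts given; an empty bpf would capture everything")
    return " and ".join(clauses)


def set_bpf(config_text, bpf_expr):
    """Replace (or uncomment) the bpf= line and return the new config text.

    Matches both 'bpf=...' and a commented '# bpf=...' line, exactly the
    'uncomment bpf and write your filter' step. If no bpf line exists at
    all, one is added right after the [default] header.
    """
    pattern = re.compile(r"^\s*#?\s*bpf\s*=.*$", re.MULTILINE)
    new_line = f"bpf={bpf_expr}"
    if pattern.search(config_text):
        # lambda avoids backslash processing of the replacement string
        return pattern.sub(lambda _m: new_line, config_text, count=1)
    return config_text.replace("[default]\n", f"[default]\n{new_line}\n", 1)


def get_bpf(config_text):
    """Return the active (uncommented) bpf filter, or None if there is none."""
    m = re.search(r"^\s*bpf\s*=\s*(.*)$", config_text, re.MULTILINE)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    excluded = ["192.168.1.5", "192.168.1.4", "192.168.1.18", "192.168.1.16"]
    updated = set_bpf(SAMPLE_CONFIG, build_exclude_filter(excluded))
    print(updated)
```

Run it against the real file by reading /data/moloch/etc/config.ini into a string, passing it to set_bpf, and writing the result back (as root, since the file is owned by the Moloch user). The capture process has to be restarted afterwards for the new filter to take effect.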

# Check that capture runs without errors (it will exit)
sudo ./moloch-capture -c ../etc/config.ini

Start molochcapture
sudo service molochcapture start
sudo service molochcapture status

Open Moloch in browser
http://<moloch_ip>:8005/

Nice to know

Moloch logs are written to /data/moloch/logs

I had some problem getting the monitor interface to "see" all traffic, as I was only getting broadcast traffic.
Had problems verifying my inet config in netplan, so I installed ifupdown (sudo apt install ifupdown)
so I could configure ifaces the "old way" in /etc/network/interfaces.

Monitor iface config:

# Monitor port used for capture
auto ens19
iface ens19 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

# Source https://hydrasky.com/network-security/how-to-install-moloch/
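
The "only broadcast traffic" symptom above is what an interface that is up but not in promiscuous mode looks like: the NIC drops frames not addressed to its own MAC before the capture ever sees them. The following is an added check, not part of the gist or of Moloch: it reads the interface flag word Linux exposes in /sys/class/net/<iface>/flags and reports whether UP and PROMISC are both set, so the config above can be verified after post-up has run. The flag bit values come from linux/if.h; the interface name ens19 is the one used in the gist.

```python
import sys

# net_device flag bits as exposed (in hex) by /sys/class/net/<iface>/flags,
# from linux/if.h. Only the ones relevant to a capture interface are listed.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000


def flags_report(flags):
    """Decode a flag word into the two properties a capture port needs."""
    return {
        "up": bool(flags & IFF_UP),
        "promisc": bool(flags & IFF_PROMISC),
    }


def capture_ready(flags):
    """True only when the interface is UP and PROMISC.

    UP without PROMISC is the 'only broadcast traffic' case: unicast frames
    for other hosts are discarded by the NIC. PROMISC without UP captures
    nothing at all.
    """
    r = flags_report(flags)
    return r["up"] and r["promisc"]


def read_iface_flags(iface):
    """Read the live flag word for `iface` from sysfs (Linux only)."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        return int(f.read().strip(), 16)


def check_iface(iface):
    """Return the decoded flags for `iface`, or None if it does not exist."""
    try:
        flags = read_iface_flags(iface)
    except FileNotFoundError:
        return None
    return flags_report(flags)


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "ens19"  # gist's monitor port
    report = check_iface(iface)
    if report is None:
        print(f"{iface}: no such interface")
        sys.exit(2)
    print(f"{iface}: up={report['up']} promisc={report['promisc']}")
    if not (report["up"] and report["promisc"]):
        print("fix: ip link set dev", iface, "promisc on up")
        sys.exit(1)
```

A typical value for a correctly configured port is 0x1103 (UP, BROADCAST, PROMISC, MULTICAST); 0x1003 means the port is up but promiscuous mode was not applied, which is exactly the case where the `up ip link set $IFACE promisc on ...` line above did not run.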

Proxmox Interface config

# Physical interface (mirror traffic in)
auto enp7s0f1
iface enp7s0f1 inet manual
    up ip link set $IFACE up
    up ip link set $IFACE promisc on
#Monitor should be


# Bridge interface used by moloch for monitoring mirror traffic from switch  
auto vmbr4
iface vmbr4 inet manual
        bridge-ports enp7s0f1
        bridge-stp off
        bridge-fd 0
        bridge-ageing 0
        up ip link set $IFACE up
        up ip link set $IFACE promisc on
#IDSmonitor