Arkime (formerly Moloch) is a large-scale, open source, indexed packet capture and search system. It is available at https://arkime.com.
Installing Arkime on FreeBSD is not officially supported according to the Arkime page. It can be done, but requires a bit of massaging.
It's fairly straightforward to get it running on FreeBSD. The key elements are to get the configure parameters right, and a few other small modifications. One of the dependencies fails to build on FreeBSD (not an Arkime issue), but that can be worked around very easily.
pkg install wget curl pcre flex bison gettext e2fsprogs-libuuid glib gmake autotools git yara libmaxminddb libyaml node npm pkgconf
From the Git repository:
git clone https://github.com/arkime/arkime
cd arkime
autoreconf --verbose --install --force
The Node dependency node-iptrie is broken on FreeBSD. The original Git repo for this has a pending pull request, but the repo has not been updated in quite some time.
I'm not super familiar with Node so there is likely a better way to do this. For now I've just edited package.json to pull a build from a fixed repository (this repository is identical to the original, but with the FreeBSD fix applied) and run npm install to update the package-lock.json file.
The steps are:
- Edit package.json
- Find the line for https://github.com/awick/node-iptrie
- Replace with https://github.com/tribalchicken/node-iptrie
You can also do that with sed:
cd wiseService
sed -i '' 's/\/github.com\/awick\/node-iptrie/\/github.com\/tribalchicken\/node-iptrie/g' package.json
Once package.json has been modified, run:
npm install
Then move back to the original directory:
cd ..
The easybutton-build.sh script usually builds Yara for you. I tried building Arkime with the latest Yara included in the FreeBSD packages (4.0.5), but the linker complained. It's possible that it could be made to work, but I suspect there is also a reason that the Arkime devs specifically call for Yara 4.0.2.
Steps adapted from the original build script:
mkdir -p thirdparty/yara
wget https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz -O thirdparty/yara/yara-4.0.2.tar.gz
cd thirdparty/yara ; tar zxf yara-4.0.2.tar.gz
cd yara-4.0.2; ./bootstrap.sh ; ./configure --enable-static; make
cd ../../../
./configure CFLAGS="-I/usr/local/include -I/usr/local/include/glib-2.0 -I/usr/local/include/glib-2.0/include -I/usr/local/lib/glib-2.0/include" LDFLAGS="-L/usr/local/lib" --with-yara=thirdparty/yara/yara-4.0.2 GLIB2_CFLAGS="-I/usr/local/include -I/usr/local/include/glib-2.0 -I/usr/local/lib/glib-2.0/include" GLIB2_LIBS="-L/usr/local/lib"
Some small modifications to the Makefile are needed to make this work. BSD install doesn't support the -D flag, so we simply remove it.
sed -i '' 's/install -c -D/install -c/g' Makefile
Make sure you use gmake:
gmake
If that builds successfully, run gmake install:
mkdir -p /opt/arkime
gmake install
All going well you should now be able to configure Arkime as per usual, and point it to your Elasticsearch instance. Follow the install instructions and run /opt/arkime/bin/Configure.
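As an added helper (not part of Arkime or of the original post), the POSIX sh script below wraps the two file edits from the procedure above, the package.json dependency swap and the Makefile install -D removal, in functions that verify each edit actually took, and goes one step further by pinning the fork to a commit (the commit value is a placeholder you supply after reviewing the fork) so npm fetches a fixed revision rather than whatever the fork's branch head is on build day. It writes through a temp file instead of using sed -i '', which only BSD sed accepts, so it runs unchanged on FreeBSD and Linux.

```shell
#!/bin/sh
# Added helper for the FreeBSD build described above; not Arkime's own code.
# Uses "sed > tmp && mv" rather than "sed -i ''" so BSD and GNU sed both work.
set -e

ORIG_IPTRIE='github.com/awick/node-iptrie'
FIXED_IPTRIE='github.com/tribalchicken/node-iptrie'

# point_iptrie_at_fork PACKAGE_JSON
# Rewrite the node-iptrie URL to the patched fork and verify the old one is gone.
point_iptrie_at_fork() {
  pkg=$1
  grep -q "$ORIG_IPTRIE" "$pkg" || { echo "no $ORIG_IPTRIE entry in $pkg" >&2; return 1; }
  sed "s|$ORIG_IPTRIE|$FIXED_IPTRIE|g" "$pkg" > "$pkg.tmp" || return 1
  mv "$pkg.tmp" "$pkg"
  ! grep -q "$ORIG_IPTRIE" "$pkg" && [ "$(grep -c "$FIXED_IPTRIE" "$pkg")" -eq 1 ]
}

# pin_iptrie PACKAGE_JSON COMMIT   (COMMIT is a hex SHA you choose; placeholder here)
# Append "#COMMIT" to the fork URL, replacing any existing fragment, so npm
# resolves that exact revision instead of the fork's current branch head.
pin_iptrie() {
  pkg=$1; commit=$2
  sed "s|\($FIXED_IPTRIE[^\"#]*\)\(#[^\"]*\)\{0,1\}\"|\1#$commit\"|g" "$pkg" > "$pkg.tmp" || return 1
  mv "$pkg.tmp" "$pkg"
  grep -q "$FIXED_IPTRIE[^\"]*#$commit\"" "$pkg"
}

# lock_points_at_fork PACKAGE_LOCK_JSON
# After "npm install", confirm the lockfile resolved the fork and nothing in it
# still references the unpatched upstream repository.
lock_points_at_fork() {
  grep -q "$FIXED_IPTRIE" "$1" && ! grep -q "$ORIG_IPTRIE" "$1"
}

# strip_install_D MAKEFILE
# BSD install has no -D flag; drop it from the generated Makefile and verify.
strip_install_D() {
  mk=$1
  sed 's/install -c -D/install -c/g' "$mk" > "$mk.tmp" || return 1
  mv "$mk.tmp" "$mk"
  ! grep -q 'install -c -D' "$mk"
}

# Typical use from the Arkime checkout (Makefile exists only after ./configure):
#   point_iptrie_at_fork wiseService/package.json && pin_iptrie wiseService/package.json <commit-sha>
#   (cd wiseService && npm install) && lock_points_at_fork wiseService/package-lock.json
#   strip_install_D Makefile
```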
I use these init scripts to control arkimecapture and arkimeviewer on startup: https://github.com/tribalchicken/arkime-init-scripts