Moloch Network Retrospective Analysis System

2018-10-13  猪蹄胖

Moloch is an open-source system from AOL for large-scale IPv4 packet capture (PCAP), indexing and storage. It consists of three parts:

  • capture: a C application that runs on the capture host and binds to the monitored network interface(s); it writes PCAP files to disk and sends per-session metadata to Elasticsearch
  • viewer: a node.js web application that runs on the capture host and serves the search UI
  • elasticsearch: the search and storage backend for Moloch's session metadata

The README on the Moloch git project page has fairly detailed installation instructions. What follows is my own installation log, made by following the official instructions. The aim of this article is only to get Moloch up quickly, so everything is installed from RPM packages.


System requirements and environment setup


Install Elasticsearch

yum install -y wget curl perl-JSON perl-libwww-perl libyaml-devel  ##dependencies
wget http://iso.epoint.com.cn/JDK/jdk-8u65-linux-x64.rpm  ##download the JDK (see the note below)
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.6.rpm  ##download Elasticsearch
rpm -ivh jdk-8u65-linux-x64.rpm  ##install the JDK
rpm -ivh elasticsearch-5.6.6.rpm  ##install Elasticsearch
systemctl daemon-reload  ##make systemd pick up the unit file the RPM installed
systemctl enable elasticsearch.service  ##start Elasticsearch at boot
systemctl start elasticsearch.service  ##start Elasticsearch now

Two notes before copying this verbatim. The JDK above is fetched over plain HTTP from a third-party mirror, and 8u65 is a 2015 release; Elasticsearch 5.6 needs Java 8, so take a current Java 8 build from Oracle or an OpenJDK distribution, download it over HTTPS from the vendor, and compare the published checksum before running rpm -ivh. Elasticsearch 5.6 ships without authentication and binds to localhost by default; leave it that way (or firewall port 9200), because capture and viewer run on the same host here and nothing else needs to reach it.

Install Moloch

First download the package from the project's Downloads page. I took the Nightly build to get the newest features. (Nightlies are unreleased snapshots; for anything beyond a lab box, pick a numbered release instead.)

Download address:
wget https://files.molo.ch/builds/centos-7/moloch-nightly.x86_64.rpm  ##download Moloch
rpm -ivh moloch-nightly.x86_64.rpm  ##install Moloch (the nightly package installs under /data/moloch-nightly)
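The install steps above fetch the JDK over plain HTTP from a third-party mirror and run rpm -ivh on whatever arrived. The following shell functions are an added example of the check that belongs in between; they are not code from this page or from the Elastic or Moloch projects. They download over TLS only, compare the file against a digest taken from the vendor's site (Elastic publishes .sha512 files next to each RPM), refuse to install on a mismatch, and then let rpm verify the package signature once the vendor's GPG key has been imported. The function names, and the placeholder digest in the usage comment, are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or from the Elastic/Moloch projects): only
# install an RPM whose digest matches a value published by the vendor.

# digest_of BITS FILE: hex SHA-256 (BITS=256) or SHA-512 (BITS=512) of FILE.
# Uses coreutils shaNNNsum where present and falls back to shasum otherwise.
digest_of() {
  if command -v "sha${1}sum" >/dev/null 2>&1; then
    "sha${1}sum" "$2" | awk '{ print $1 }'
  else
    shasum -a "$1" "$2" | awk '{ print $1 }'
  fi
}

# verify_digest BITS FILE EXPECTED_HEX: 0 on match, 1 otherwise. An empty
# expected value fails too, so a missing checksum can never pass as a match.
verify_digest() {
  want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  got=$(digest_of "$1" "$2")
  [ -n "$want" ] && [ "$got" = "$want" ]
}

# fetch_verified URL BITS EXPECTED_HEX DEST: download over HTTPS only, verify,
# and delete the file on mismatch so a later "rpm -ivh *.rpm" cannot pick it up.
fetch_verified() {
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       -o "$4" "$1" || return 1
  if verify_digest "$2" "$4" "$3"; then
    return 0
  fi
  echo "digest mismatch for $1: expected $3, got $(digest_of "$2" "$4")" >&2
  rm -f "$4"
  return 1
}

# install_verified_rpm URL BITS EXPECTED_HEX: fetch, verify, then have rpm check
# the package's own digests and GPG signature before installing. --checksig fails
# when the signing key is unknown, so import it first (for Elasticsearch:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch).
install_verified_rpm() {
  pkg=$(basename "$1")
  fetch_verified "$1" "$2" "$3" "$pkg" || return 1
  rpm --checksig "$pkg" || { echo "rpm signature check failed for $pkg" >&2; return 1; }
  rpm -ivh "$pkg"
}

# Usage, with a placeholder digest to be replaced by the one from the vendor's page:
#   install_verified_rpm https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.6.rpm 512 <sha512 from elastic.co>
```

The same wrapper serves the Moloch RPM below once a digest for it is at hand; if the project offers none for a nightly build, that is itself a reason to prefer a numbered release for anything that matters.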

Configure Moloch

/data/moloch-nightly/bin/Configure  ##basic Moloch configuration (interactive)
Found interfaces: lo;ens160
Semicolon ';' seperated list of interfaces to monitor [eth1] ens160  ##interface(s) to capture on; separate several with ;
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no  ##no: use the Elasticsearch installed above
Elasticsearch server URL [http://localhost:9200] http://localhost:9200  ##URL of the local Elasticsearch
Password to encrypt S2S and other things [no-default] moloch  ##becomes passwordSecret in config.ini: it protects viewer-to-viewer (S2S) traffic and the passwords stored in Elasticsearch, so use a long random string here, not "moloch"
Moloch - Creating configuration files
Not overwriting /data/moloch-nightly/etc/config.ini, delete and run again if update required (usually not), or edit by hand
Installing systemd start files, use systemctl
Moloch - Downloading GEO files
2018-02-07 19:29:06 URL:http://www.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz [2513493/2513493] -> "GeoIPASNum.dat.gz" [1]
2018-02-07 19:29:16 URL:http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz [2896577/2896577] -> "GeoIPASNumv6.dat.gz" [1]
2018-02-07 19:29:22 URL:http://www.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz [700469/700469] -> "GeoIP.dat.gz" [1]
2018-02-07 19:29:28 URL:http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz [1110013/1110013] -> "GeoIPv6.dat.gz" [1]

These legacy GeoIP .dat databases were retired by MaxMind at the beginning of 2019, so on a current install this download step fails; newer Moloch releases use the GeoLite2 (.mmdb) databases, which require a free MaxMind account and license key.

Initialize or upgrade the Moloch database in Elasticsearch

/data/moloch-nightly/db/db.pl http://localhost:9200 init  ##first install only: creates the Moloch indices; it also DELETES all existing Moloch data, so never run it on a host whose data you want to keep
/data/moloch-nightly/db/db.pl http://localhost:9200 upgrade  ##after updating the Moloch package: migrates the index mappings and keeps existing session data

Add an admin account

/data/moloch-nightly/bin/moloch_add_user.sh admin "Admin User" moloch --admin  ##create the admin user (user id admin, display name "Admin User") with password moloch; pick a real password on anything but a throwaway lab box

Start all the services

systemctl enable molochcapture.service  ##start capture at boot
systemctl start molochcapture.service  ##start capture now
systemctl enable molochviewer.service  ##start viewer at boot
systemctl start molochviewer.service  ##start viewer now

Viewing logs

tail -f /data/moloch-nightly/log/capture.log
tail -f /data/moloch-nightly/log/viewer.log

Data cleanup

Elasticsearch grows in proportion to captured traffic, and without periodic cleanup the disk will eventually fill up, so the session indices have to be expired on a schedule. Moloch ships db/daily.sh for this; set the Elasticsearch address and the number of days of session indices to keep, then run it from cron:

cd /data/moloch-nightly/db
vim daily.sh
#Elasticsearch host and port
ESHOSTPORT=127.0.0.1:9200
#keep seven days of session indices
RETAINNUMDAYS=7
crontab -e
0 1 * * *  sh /data/moloch-nightly/db/daily.sh >> /var/log/moloch/daily.log 2>&1

Note that this only trims the metadata in Elasticsearch. The PCAP files themselves are deleted by capture, oldest first, once free space on pcapDir drops below freeSpaceG in config.ini, so the effective PCAP retention is set by disk size, not by RETAINNUMDAYS. Create /var/log/moloch before the first cron run, otherwise the redirection above fails and the job never executes.
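As an added dry-run helper (example code, not anything shipped with Moloch), the following script shows the retention arithmetic behind that cron job and the check a practitioner would run before trusting it. It assumes daily.sh calls `db.pl expire daily $RETAINNUMDAYS`, that expire keeps the newest N daily session indices, that those indices are named `sessions2-YYMMDD`, and that config.ini carries `rotateIndex` (default daily), `freeSpaceG` and `pcapDir` under [default]. The config, index list and df output it works on are constructed samples, so it runs with no cluster at hand; the function names are this example's own.

```shell
#!/bin/sh
# Added dry-run helper for Moloch retention; it is not part of the Moloch project.
# Assumptions not taken from the page: daily session indices are named
# sessions2-YYMMDD, "db.pl expire daily N" keeps the newest N of them, and
# config.ini carries rotateIndex / freeSpaceG / pcapDir under [default].

# ini_get FILE KEY: value of the first "KEY = value" line (config.ini style).
ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# expire_candidates N: stdin is one index name per line; prints the daily session
# indices that "expire daily N" would delete, i.e. all but the newest N. The
# YYMMDD suffix sorts chronologically, so a reverse sort puts the newest first.
expire_candidates() {
  grep '^sessions2-[0-9][0-9][0-9][0-9][0-9][0-9]$' | sort -r | tail -n +"$(( $1 + 1 ))"
}

# free_pct_from_df / free_gib_from_df: stdin is `df -P DIR` output; df -P reports
# 1K blocks in column 4 and "Use%" in column 5.
free_pct_from_df() { awk 'NR == 2 { sub(/%/, "", $5); print 100 - $5 }'; }
free_gib_from_df() { awk 'NR == 2 { print int($4 / 1048576) }'; }

# free_space_ok FREESPACEG: 0 if the volume is still above capture's threshold
# ("5%" style percentage or a plain number of GiB), 1 if capture would already be
# deleting pcap to make room. stdin is `df -P DIR` output. ${1%?} drops the '%'.
free_space_ok() {
  case "$1" in
    *%) [ "$(free_pct_from_df)" -gt "${1%?}" ] ;;
    *)  [ "$(free_gib_from_df)" -gt "$1" ] ;;
  esac
}

# plan_retention CONFIG_INI RETAINNUMDAYS INDEX_LIST_FILE: print what daily.sh
# would remove. Returns 1 if rotateIndex is not daily, because "expire daily"
# would then not match the indices capture is actually writing.
plan_retention() {
  rot=$(ini_get "$1" rotateIndex)
  rot=${rot:-daily}
  if [ "$rot" != daily ]; then
    echo "rotateIndex=$rot in $1: change daily.sh to 'expire $rot', not 'expire daily'" >&2
    return 1
  fi
  n=$(expire_candidates "$2" < "$3" | wc -l | tr -d ' ')
  echo "would delete $n daily session index(es), keeping the newest $2:"
  expire_candidates "$2" < "$3"
}

# Constructed sample inputs so the helper can be exercised without a live cluster.
sample_config() {  # sample_config DEST_FILE [ROTATE]
  printf '[default]\nrotateIndex=%s\nfreeSpaceG=5%%\npcapDir=/data/moloch/raw\n' "${2:-daily}" > "$1"
}
sample_indices() {  # ten daily indices plus a few non-session index names as noise
  printf 'files_v5\nsequence_v2\nusers_v5\nfields_v2\n'
  for d in 01 02 03 04 05 06 07 08 09 10; do printf 'sessions2-1802%s\n' "$d"; done
}
sample_df() {  # a ~1 TB pcap volume at 95 percent use, in df -P layout
  printf 'Filesystem 1024-blocks Used Available Capacity Mounted on\n'
  printf '/dev/sdb1 1000000000 950000000 50000000 95%% /data/moloch/raw\n'
}

# On a real host:
#   curl -s 'http://localhost:9200/_cat/indices?h=index' > /tmp/indices
#   plan_retention /data/moloch-nightly/etc/config.ini 7 /tmp/indices
#   df -P "$(ini_get config.ini pcapDir)" | free_space_ok "$(ini_get config.ini freeSpaceG)"
```

Run plan_retention against the real config.ini and the index list from `_cat/indices` to see what the next cron run would remove; the rotateIndex check matters because `expire daily` only reasons about daily indices, and the df check tells you whether capture has already started overwriting PCAP before the Elasticsearch metadata for it is expired.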

Log in to Moloch

Browse to http://molochhost:8005 (8005 is the viewer's default port)
user : admin
password : moloch

Out of the box the viewer answers over plain HTTP, so every session and packet it shows crosses the network in clear text. Before exposing it beyond localhost, set keyFile and certFile in config.ini so the viewer serves HTTPS, and replace the "moloch" passwords used above.
