网络流量抓包分析工具moloch

1. 安装

操作系统：Centos7.2

配置：4C8G

下载RPM包：wget https://s3.amazonaws.com/files.molo.ch/builds/centos-7/moloch-2.2.3-1.x86_64.rpm

安装依赖包:

yum -y install perl-libwww-perl perl-JSON libyaml-devel perl-LWP-Protocol-https

安装Elasticsearch:

docker pull elasticsearch:7.6.2

docker run -d --name es -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.6.2

运行Configure:

rpm -ivh moloch-2.2.3-1.x86_64.rpm

./Configure

image.png

这边的错误的意思是我们需要申请一个MaxMind的账号：

1. 申请MaxMind Account(https://www.maxmind.com/en/geolite2/signup)
2. 安装geoipupdate工具，yum install geoipupdate
3. 创建一个license key(https://www.maxmind.com/en/accounts/239368/license-key)
4. 下载config文件, 代替 /etc/GeoIP.conf
5. Run genipupdate as root
6. 再次运行./Configure
7. 添加moloch用户

/data/moloch/bin/moloch_add_user.sh admin "Admin User" qwerty1234 --admin

1. 启动molochviewer, molochcapture.service

# systemctl start molochcapture.service
# systemctl status molochviewer.service
molochviewer.service - Moloch Viewer
   Loaded: loaded (/etc/systemd/system/molochviewer.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-05-22 03:15:27 PDT; 4h 45min ago
 Main PID: 7979 (sh)
    Tasks: 11 (limit: 4915)
   CGroup: /system.slice/molochviewer.service
           ??7979 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini  >> /data/moloch/logs/viewer.log 2>&1
           ??7985 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini

1. 编辑config.ini

/data/moloch/etc/config.ini

2. 抓取本地网卡上的流量

./moloch-capture -c ../etc/config.ini

3. 读取PCAP文件

tag号可以自己随意设置

/data/moloch/bin/moloch-capture -c ../etc/config.ini -r /root/dump.pcap --tag test

查找的时候设置好tags == test， 时间选择All就ok了。

4. 参考资料

https://www.pwnthebox.net/moloch/2019/05/22/installing-moloch.html

https://molo.ch/faq#maxmind

https://github.com/aol/moloch