Make sure the time is correct; if not, reconfigure it:
sudo dpkg-reconfigure tzdata
https://computingforgeeks.com/install-elasticsearch-on-ubuntu/
sudo apt update
sudo apt -y upgrade
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt -y install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt -y install elasticsearch
# Enable and start ES
sudo systemctl enable elasticsearch.service && sudo systemctl restart elasticsearch.service
https://www.pwnthebox.net/moloch/2019/05/22/installing-moloch.html
wget https://files.molo.ch/builds/ubuntu-18.04/moloch_2.2.3-1_amd64.deb
sudo dpkg -i moloch_2.2.3-1_amd64.deb
sudo apt -f install
Make sure the monitor interface is up
ip a
ip link set dev <iface> up
Configure Moloch stuff
cd /data/moloch/bin
sudo ./Configure
Add admin user
/data/moloch/bin/moloch_add_user.sh admin "Admin User" qwerty1234 --admin
# Init ES
sudo /data/moloch/db/db.pl http://localhost:9200 init
# start molochviewer
service molochviewer start
service molochviewer status
# Exclude traffic from capture (optional)
# go to config.ini
sudo nano /data/moloch/etc/config.ini
# Uncomment bpf and write your filter
bpf=not host 192.168.1.5 and not host 192.168.1.4 and not host 192.168.1.18 and not host 192.168.1.16
# Check that capture runs without errors (it will exit)
./moloch-capture -c ../etc/config.ini
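Editing the bpf line by hand works, but it is easy to leave the commented "#bpf=" line in place or to mistype an address that moloch-capture then rejects at startup. The script below is an added example, not code from these notes or from the Moloch project: it builds the exclusion filter from a list of hosts or networks (validated with the ipaddress module) and rewrites config.ini so exactly one active bpf line remains. The config path is the one used above; the "[default]" section name and the fallback of inserting after it are assumptions.

```python
import ipaddress
import re
from pathlib import Path

# Added helper, not part of Moloch: build the "bpf=" exclusion filter from a
# list of hosts/networks and write it into config.ini without leaving a second
# (commented or duplicate) bpf line behind. Path is the one used in the notes.
CONFIG_PATH = Path("/data/moloch/etc/config.ini")

# Matches an active or commented-out bpf setting, e.g. "bpf=..." or "#bpf=..."
BPF_LINE = re.compile(r"^\s*#?\s*bpf\s*=")


def build_exclusion_filter(entries):
    """Turn ["192.168.1.5", "10.0.0.0/8"] into
    "not host 192.168.1.5 and not net 10.0.0.0/8".
    Every entry goes through ipaddress so a typo raises ValueError here
    instead of making moloch-capture fail to compile the filter later."""
    terms = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            terms.append(f"not host {net.network_address}")
        else:
            terms.append(f"not net {net.with_prefixlen}")
    if not terms:
        raise ValueError("at least one host or network is required")
    return " and ".join(terms)


def set_bpf(config_text, bpf):
    """Return config_text with exactly one active "bpf=" line.
    The first bpf line (commented or not) is replaced in place, any further
    bpf lines are dropped; if there is none, the setting is inserted right
    after the [default] section header (assumed section name)."""
    out, done = [], False
    for line in config_text.splitlines():
        if BPF_LINE.match(line):
            if not done:
                out.append(f"bpf={bpf}")
                done = True
            continue
        out.append(line)
    if not done:
        try:
            idx = out.index("[default]") + 1
        except ValueError:
            idx = len(out)
        out.insert(idx, f"bpf={bpf}")
    return "\n".join(out) + "\n"


def apply_exclusions(entries, path=CONFIG_PATH):
    """Rewrite config.ini on disk; returns the filter that was written."""
    bpf = build_exclusion_filter(entries)
    path.write_text(set_bpf(path.read_text(), bpf))
    return bpf


if __name__ == "__main__":
    # The four hosts from the notes above; run as root, then re-run the
    # "./moloch-capture -c ../etc/config.ini" check before starting the service.
    print(apply_exclusions(["192.168.1.5", "192.168.1.4",
                            "192.168.1.18", "192.168.1.16"]))
```

Networks are emitted as "not net a.b.c.d/len", so the same script can exclude a whole management subnet, which goes beyond the single-host filter in the notes.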
Start molochcapture
sudo service molochcapture start
sudo service molochcapture status
Open Moloch in browser
http://<moloch_ip>:8005/
Moloch logs are written to /data/moloch/logs
I had some problem getting the monitor interface to "see" all traffic, as I was only getting broadcast traffic.
Had problems verifying my inet config in netplan, so I installed ifupdown (sudo apt install ifupdown)
so I could configure ifaces the "old way" in /etc/network/interfaces.
Monitor iface config:
# Monitor port used for capture
auto ens19
iface ens19 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
# Source https://hydrasky.com/network-security/how-to-install-moloch/
# Physical interface (mirror traffic in)
auto enp7s0f1
iface enp7s0f1 inet manual
up ip link set $IFACE up
up ip link set $IFACE promisc on
#Monitor should be
# Bridge interface used by moloch for monitoring mirror traffic from switch
auto vmbr4
iface vmbr4 inet manual
bridge-ports enp7s0f1
bridge-stp off
bridge-fd 0
bridge-ageing 0
up ip link set $IFACE up
up ip link set $IFACE promisc on
#IDSmonitor
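The "only broadcast traffic" symptom above has two usual causes: the capture interface is not actually in promiscuous mode, or the switch mirror/bridge is not delivering unicast frames to it. The script below is an added diagnostic, not part of these notes or of Moloch, that checks both: it reads the kernel flags and the disable_ipv6 knob for the interface, and counts unicast versus broadcast/multicast destination MACs in a short tcpdump sample taken from that interface. The interface name "ens19" is taken from the config above; the sample file path and the 5% unicast warning threshold are assumptions, and build_pcap only constructs in-memory test data.

```python
import struct
import sys
from pathlib import Path

# Added diagnostic, not part of Moloch. Answers the question behind the
# "only getting broadcast traffic" problem above: is the capture interface
# really UP and PROMISC, is IPv6 off on it, and does a short tcpdump sample
# from it contain unicast frames at all?  Interface "ens19" comes from the
# notes; the capture file path and warning threshold are assumptions.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def parse_flags(raw):
    """Parse the hex string from /sys/class/net/<iface>/flags
    (e.g. "0x1103") into (is_up, is_promisc)."""
    flags = int(raw.strip(), 16)
    return bool(flags & IFF_UP), bool(flags & IFF_PROMISC)


def interface_flags(iface, sysfs_root="/sys/class/net"):
    return parse_flags(Path(sysfs_root, iface, "flags").read_text())


def ipv6_disabled(iface, procfs_root="/proc/sys/net/ipv6/conf"):
    return Path(procfs_root, iface, "disable_ipv6").read_text().strip() == "1"


def classify_pcap(data):
    """Count unicast/broadcast/multicast destination MACs in classic
    libpcap bytes with Ethernet link type (what "tcpdump -w" produces)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    counts = {"unicast": 0, "broadcast": 0, "multicast": 0}
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 6:
            continue
        dst = frame[:6]
        if dst == b"\xff" * 6:
            counts["broadcast"] += 1
        elif dst[0] & 0x01:          # I/G bit set: group address
            counts["multicast"] += 1
        else:
            counts["unicast"] += 1
    return counts


def unicast_share(counts):
    total = sum(counts.values())
    return counts["unicast"] / total if total else 0.0


def build_pcap(dst_macs, endian="<"):
    """Construct a minimal pcap in memory (test data, not a real capture):
    one 14-byte Ethernet header per destination MAC, no payload."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for mac in dst_macs:
        frame = mac + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
        body += struct.pack(endian + "IIII", 0, 0, len(frame), len(frame)) + frame
    return header + body


if __name__ == "__main__":
    # Usage: tcpdump -i ens19 -c 500 -w /tmp/monitor-sample.pcap
    #        python3 check_monitor.py ens19 /tmp/monitor-sample.pcap
    iface = sys.argv[1] if len(sys.argv) > 1 else "ens19"
    pcap = Path(sys.argv[2] if len(sys.argv) > 2 else "/tmp/monitor-sample.pcap")
    up, promisc = interface_flags(iface)
    print(f"{iface}: up={up} promisc={promisc} ipv6_disabled={ipv6_disabled(iface)}")
    counts = classify_pcap(pcap.read_bytes())
    share = unicast_share(counts)
    print(f"frames: {counts}  unicast share: {share:.0%}")
    if not promisc or share < 0.05:
        print("WARNING: mirror/promisc setup is not delivering unicast traffic")
```

If the flags show promisc=True but the unicast share is near zero, the problem is upstream of the host (mirror session or bridge), which is exactly the situation the ifupdown config above was written to rule out on the host side.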