- Install
  Step 1: yum install -y perl-JSON perl-libwww-perl libyaml-devel perl-LWP-Protocol-https
  Step 2: rpm -ivh moloch-1.6.1-1.x86_64.rpm
  Step 3: /data/moloch/bin/Configure
  Reference: https://raw.githubusercontent.com/aol/moloch/master/release/README.txt
  Password to encrypt S2S and other things [no-default] zzh
  Moloch - Configured - Now continue with step 4 in /data/moloch/README.txt
  /sbin/start elasticsearch                  # for upstart/Centos 6/Ubuntu 14.04
  systemctl start elasticsearch.service      # for systemd/Centos 7/Ubuntu 16.04
  #ln -s /app/jdk/jdk1.8.0_201/bin/java /usr/local/bin
- Initialize/Upgrade Elasticsearch Moloch configuration
  a) If this is the first install, or want to delete all data
     /data/moloch/db/db.pl http://ESHOST:9200 init
  b) If this is an update to moloch package
     /data/moloch/db/db.pl http://ESHOST:9200 upgrade
- Add an admin user if a new install or after an init
  /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
  /data/moloch/bin/moloch_add_user.sh admin "zzh" zzh --admin
- Start everything
  a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):
     /sbin/start molochcapture
     /sbin/start molochviewer
  b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04)
     systemctl start molochcapture.service
     systemctl start molochviewer.service
- Look at log files for errors
  /data/moloch/logs/viewer.log
  /data/moloch/logs/capture.log
- Visit http://MOLOCHHOST:8005 with your favorite browser.
  user: admin
  password: THEPASSWORD from step #6
- Notes:
  - When opening Moloch on port 8005, the browser (e.g. Chrome) needs to be a fairly recent version.
- Suricata docker version
  Remote pull:
  docker run --rm -it --net=host --cap-add=net_admin --cap-add=sys_nice jasonish/suricata:latest -i eth0
  Locally built (local image: e242ba0cd124):
  docker run --rm -it --net=host --cap-add=net_admin --cap-add=sys_nice e242ba0cd124 -i eth0
  docker run -it --net=host --cap-add=net_admin --cap-add=sys_nice -v $(pwd)/logs:/var/log/suricata -d e242ba0cd124 -i eth0
- crontab  # periodically delete log files
  0 */12 * * * find /data/suricata -mtime +10 -type f | xargs rm -rf
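Two small helpers for the procedure above, added here as an example (not code from the Moloch or Suricata projects): wait until Elasticsearch reports a usable cluster status before running db.pl and moloch_add_user.sh, and prune old Suricata logs with find -delete instead of piping into xargs rm -rf. ESHOST is the same placeholder as in the notes; the log directory /data/suricata is taken from the cron entry.

```shell
#!/bin/sh
# Added helper functions; ESHOST is a placeholder host name from the notes.
ES_URL="${ES_URL:-http://ESHOST:9200}"

# Pull the "status" field out of a _cluster/health JSON document.
# Prints green/yellow/red, or nothing if the input is not a health document.
es_status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Poll $1/_cluster/health until the status is green or yellow.
# Gives up after $2 attempts (default 30, two seconds apart) and returns 1.
wait_for_es() {
    url="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        status=$(es_status_from_json "$(curl -s "$url/_cluster/health" 2>/dev/null)")
        case "$status" in green|yellow) return 0 ;; esac
        tries=$((tries - 1))
        sleep 2
    done
    return 1
}

# Remove regular files under $1 whose mtime is older than $2 days.
# -delete acts on each path directly, so names with spaces are safe and
# no rm -rf is involved. Prints the number of files that were removed.
prune_logs() {
    dir="$1"; days="$2"
    count=$(find "$dir" -type f -mtime +"$days" | wc -l)
    find "$dir" -type f -mtime +"$days" -delete
    echo "$count"
}

# Typical use (mirrors the init and admin-user steps in the notes):
#   wait_for_es "$ES_URL" && /data/moloch/db/db.pl "$ES_URL" init \
#     && /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
#   prune_logs /data/suricata 10      # same policy as the cron entry
```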