Analysing your traffic with Arkime

Wireshark, but with a web interface

Author: Vince NADUS
Publication date: Dec. 10, 2021
networks reverse-proxy elasticsearch arkime sniff nginx

As always, starting from a fresh install of Debian 11 64-bit


Installing Arkime

apt-get install curl wget gnupg2
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.2.0-1_amd64.deb
apt install ./arkime_3.2.0-1_amd64.deb

Installing Elasticsearch

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elastic.gpg
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
apt update
apt install elasticsearch -y

Start the Elasticsearch service

systemctl enable --now elasticsearch

Test Elasticsearch

curl http://localhost:9200

Configuring Arkime

/opt/arkime/bin/Configure

Select the interface to sniff

Found interfaces: lo;enp0s3;enp0s8
Semicolon ';' seperated list of interfaces to monitor [eth1] enp0s8

Select the Elasticsearch instance (here it runs on the same server) and continue the configuration procedure

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no [or SIMPLY PRESS ENTER]
Elasticsearch server URL [http://localhost:9200] ENTER
Password to encrypt S2S and other things [no-default] votre_mdp
...
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
Moloch - Downloading GEO files
...
Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt

4) The Configure script can install elasticsearch for you or you can install yourself
    systemctl start elasticsearch.service
5) Initialize/Upgrade Elasticsearch Arkime configuration
    a) If this is the first install, or want to delete all data
        /opt/arkime/db/db.pl http://ESHOST:9200 init
    b) If this is an update to a moloch/arkime package
        /opt/arkime/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init

Initialise Elasticsearch with the Arkime prerequisites

/opt/arkime/db/db.pl http://ESHOST:9200 init

Create the Arkime/Moloch administrator user

/opt/arkime/bin/arkime_add_user.sh admin "Arkime SuperAdmin" votre_mdp --admin

Start the Arkime/Moloch services

Adjust the Arkime/Moloch systemd units so that they only start once the Elasticsearch service is available (e.g. after a reboot of the machine)

sed -i 's/network.target/network.target elasticsearch.service/' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
sed -i '/After=/a Requires=network.target elasticsearch.service' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
systemctl daemon-reload

For network capture

systemctl enable --now arkimecapture
systemctl start arkimecapture

For the web interface

systemctl enable --now arkimeviewer
systemctl start arkimeviewer

Going further

The log files are available here

/opt/arkime/logs/viewer.log
/opt/arkime/logs/capture.log
/var/log/elasticsearch/*

The Arkime/Moloch configuration is here

/opt/arkime/etc/config.ini

Accessing the interface

http://ARKIMEHOST:8005

I personally use an Nginx reverse proxy in order to reach it over HTTPS via a domain name.

Nginx reverse-proxy configuration

server {
    if ($host = arkime.nadus.fr) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name arkime.nadus.fr;
    return 404;
}
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name arkime.nadus.fr;
    access_log /var/log/nginx/arkime.nadus.fr/access.log;
    error_log /var/log/nginx/arkime.nadus.fr/error.log;
    location / {
        proxy_pass http://X.X.X.X:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ssl_certificate /etc/letsencrypt/live/arkime.nadus.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arkime.nadus.fr/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

Problem encountered and fix

On the physical host (Proxmox), on the physical interface to which we send the traffic, disable the NIC offload features with ethtool

apt-get install ethtool
ethtool -K INTERFACE tx off sg off gro off gso off lro off tso off

Elasticsearch

Delete all data

curl -X DELETE 'http://localhost:9200/_all'

Fix the "excessive data" problem (the read-only block Elasticsearch places on indices once the disk flood-stage watermark is exceeded)

curl -X PUT http://localhost:9200/_settings -H 'Content-Type: application/json' -d '{"index": {"blocks": {"read_only_allow_delete": "false"}}}'

Sources

https://kifarunix.com/install-arkime-moloch-full-packet-capture-tool-on-debian/

https://arkime.com/

Going even further

https://www.netresec.com/?page=Blog&month=2020-12&post=Capturing-Decrypted-TLS-Traffic-with-Arkime