# Latest settings documentation: https://github.com/aol/moloch/wiki/Settings
#
# Moloch uses a tiered system for configuration variables. This allows Moloch
# to share one config file for many machines. The ordering of sections in this
# file doesn't matter.
#
# Order of config variables:
# 1st) [optional] The section titled with the node name is used first.
# Moloch will always tag sessions with node:<node name>
# 2nd) [optional] If a node has a nodeClass variable, the section titled with
# the nodeClass name is used next. Sessions will be tagged with
# node:<node class name> which is useful if watching different
# network classes.
# 3rd) The section titled "default" is used last.
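[default]
# Comma separated list of elasticsearch host:port combinations. If not using an
# elasticsearch VIP, a different elasticsearch node in the cluster can be specified
# for each Moloch node to help spread load on high volume clusters.
# CHANGEME_ESHOSTNAME is a placeholder and must be replaced before deployment.
elasticsearch=CHANGEME_ESHOSTNAME:9200
# How often to create a new elasticsearch index. hourly,daily,weekly,monthly
# Changing the value will cause previous sessions to be unreachable
rotateIndex=daily
# Cert file to use, comment out to use http instead
certFile=moloch.cert
# File with trusted roots/certs. WARNING! this replaces default roots
# Useful with self signed certs and can be set per node.
# caTrustFile=roots.cert
# Private key file to use, comment out to use http instead.
# The key file should be readable only by the user Moloch runs as.
keyFile=moloch.key
# S2S and Password Hash secret - Must be in default section. Since elasticsearch
# is wide open by default, we encrypt the stored password hashes with this
# so a malicious person can't insert a working new account. It is also used
# for secure S2S communication. Comment out for no user authentication.
# Changing the value will make all previously stored passwords no longer work.
# CHANGEME is a placeholder: set a long random value before deployment, and
# restrict this file's permissions so only the Moloch user can read it - anyone
# who can read the secret can create working accounts or forge S2S requests.
passwordSecret = CHANGEME
# HTTP Digest Realm - Must be in default section. Changing the value
# will make all previously stored passwords no longer work
httpRealm = Moloch
# The base path for Moloch web access. Must end with a / or bad things will happen
# Default: "/"
# webBasePath = /moloch/
# The interface to listen on for traffic
interface=eth1
# The bpf filter
#bpf=not port 9200
# The yara file name
#yara=
## Start wiseService configuration
# Host to connect to for wiseService
#wiseHost=127.0.0.1
# Number of seconds to cache results before asking wiseService again
#wiseCacheSecs=600
# Max number of items to store in the wise cache that is local to each moloch-capture node
#wiseMaxCache=100000
# Number of connections to wiseService, this is also the number of concurrent wise queries.
#wiseMaxConns=10
# Number of outstanding requests to the wiseService
#wiseMaxRequests=100
## End wiseService configuration
# Uncomment to log access requests to a different log file
#accessLogFile = /moloch/logs/access.log
# The directory to save raw pcap files to
pcapDir = /moloch/pcap
# The max raw pcap file size in gigabytes, with a max value of 36G.
# The disk should have room for at least 10*maxFileSizeG
maxFileSizeG = 12
# The max time in minutes between rotating pcap files. Default is 0, which means
# only rotate based on current file size and the maxFileSizeG variable
#maxFileTimeM = 60
# TCP timeout value. Moloch writes a session record after this many seconds
# of inactivity.
tcpTimeout = 600
# Moloch writes a session record after this many seconds, no matter if
# active or inactive
tcpSaveTimeout = 720
# UDP timeout value. Moloch assumes the UDP session is ended after this
# many seconds of inactivity.
udpTimeout = 30
# ICMP timeout value. Moloch assumes the ICMP session is ended after this
# many seconds of inactivity.
icmpTimeout = 10
# An approximate maximum number of active sessions Moloch/libnids will try
# and monitor
maxStreams = 1000000
# Moloch writes a session record after this many packets
maxPackets = 10000
# Delete pcap files when free space is lower than this in gigabytes OR it can be
# expressed as a percentage (ex: 5%). This does NOT delete the session records in
# the database. It is recommended this value is between 5% and 10% of the disk.
# Database deletes are done by the db.pl expire script
freeSpaceG = 5%
# The port to listen on, by default 8005
viewPort = 8005
# The host/ip to listen on, by default 0.0.0.0 which is ALL interfaces.
# Set this to a management address if the viewer should not be reachable
# on every interface of the node.
#viewHost = localhost
# By default the viewer process is https://hostname:<viewPort> for each node.
#viewUrl = https://HOSTNAME:8005
# Path of the maxmind geoip country file. Download free version from:
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
geoipFile = GeoIP.dat
# Path of the maxmind geoip ASN file. Download free version from:
# http://www.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
geoipASNFile = GeoIPASNum.dat
# Path of the rir assignments file
# https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
rirFile = ipv4-address-space.csv
# User to drop privileges to. The pcapDir must be writable by this user or group below
dropUser=nobody
# Group to drop privileges to. The pcapDir must be writable by this group or user above
dropGroup=nobody
# Semicolon ';' separated list of tags. Once capture sets one of these tags on a
# session, the remaining pcap for that session is not saved. It is likely that the
# initial packets WILL be saved for the session since tags usually aren't set until
# after several packets.
# Each tag can optionally be followed by a :<num> which specifies how many total packets to save
#dontSaveTags=
# Header to use for determining the username to check in the database for instead of
# using http digest. Use this if apache or something else is doing the auth.
# Only enable this when the proxy in front of the viewer sets the header itself;
# otherwise a client can supply the header directly.
# Might need something like this in the httpd.conf
# RewriteRule .* - [E=ENV_RU:%{REMOTE_USER}]
# RequestHeader set MOLOCH_USER %{ENV_RU}e
#userNameHeader=moloch_user
# Should we parse extra smtp traffic info
parseSMTP=true
# Should we parse extra smb traffic info
parseSMB=true
# Should we parse HTTP QS Values
parseQSValue=false
# Semicolon ';' separated list of SMTP Headers that have ips, need to have the terminating colon ':'
smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:
# Semicolon ';' separated list of directories to load parsers from
parsersDir=parsers
# Semicolon ';' separated list of directories to load plugins from
pluginsDir=plugins
# Semicolon ';' separated list of plugins to load and the order to load in
# plugins=tagger.so; netflow.so
# Semicolon ';' separated list of viewer plugins to load and the order to load in
# viewerPlugins=wise.js
# NetFlowPlugin
# Input device id, 0 by default
#netflowSNMPInput=1
# Output device id, 0 by default
#netflowSNMPOutput=2
# Netflow version 1,5,7 supported, 7 by default
#netflowVersion=1
# Semicolon ';' separated list of netflow destinations
#netflowDestinations=localhost:9993
# Specify the max number of indices we calculate spidata for.
# ES will blow up if we allow the spiData to search too many indices.
spiDataMaxIndices=3
# Uncomment the following to allow direct uploads. This is experimental
#uploadCommand=/data/moloch/bin/moloch-capture --copy -n {NODE} -r {TMPFILE} -c {CONFIG} {TAGS}
# Title Template
# _cluster_ = ES cluster name
# _userId_ = logged in User Id
# _userName_ = logged in User Name
# _page_ = internal page name
# _expression_ = current search expression if set, otherwise blank
# _-expression_ = " - " + current search expression if set, otherwise blank, prior spaces removed
# _view_ = current view if set, otherwise blank
# _-view_ = " - " + current view if set, otherwise blank, prior spaces removed
#titleTemplate=_cluster_ - _page_ _-view_ _-expression_
# ADVANCED - Semicolon ';' separated list of files to load for config. Files are loaded
# in order and can replace values set in this file or previous files.
#includes=
# ADVANCED - How is pcap written to disk
# normal = just normal open/writes uses the linux page cache heavily (default)
# probably want to tune vm.dirty_ratio and vm.dirty_background_ratio
# direct = use O_DIRECT with open/write - writes directly to drives, no page cache, increase
# pcapWriteSize (>= 256k, must be multiple of 4096) and packetsPerPoll (>= 100k)
# thread = like normal, but use a thread for all the writes
# thread-direct = like direct, but use a thread for all the writes
pcapWriteMethod=thread-direct
# ADVANCED - Buffer size in bytes when writing pcap files. Should be a multiple of
# the raid 5 or xfs stripe size. Defaults to 256k (262144 bytes).
# With the direct / thread-direct methods above this MUST be a multiple of 4096;
# 262143 (the previous value) was not.
pcapWriteSize = 262144
# ADVANCED - value for pcap_set_buffer_size, may not be used depending on kernel etc
pcapBufferSize = 30000000
# ADVANCED - Number of bytes to bulk index at a time
dbBulkSize = 300000
# ADVANCED - Number of seconds before we force a flush to ES
dbFlushTimeout = 5
# ADVANCED - Compress requests to ES, reduces ES bandwidth by ~80% at the cost
# of increased CPU. MUST have "http.compression: true" in elasticsearch.yml file
compressES = false
# ADVANCED - Max number of connections to elastic search
maxESConns = 30
# ADVANCED - Max number of es requests outstanding in q
maxESRequests = 500
# ADVANCED - Number of packets to ask libnids/libpcap to read per poll/spin
# Increasing may hurt stats and ES performance
# Decreasing may cause more dropped packets
packetsPerPoll = 50000
# ADVANCED - Moloch will try to compensate for SYN packet drops by swapping
# the source and destination addresses when a SYN-ACK packet was captured first.
# Probably useful to set it false, when running Moloch in the wild due to SYN floods.
antiSynDrop = true
# DEBUG - Write to stdout info every X packets.
# Set to -1 to never log status
logEveryXPackets = 100000
# DEBUG - Write to stdout unknown protocols
logUnknownProtocols = false
# DEBUG - Write to stdout elastic search requests.
# Verbose; normally left false outside of debugging sessions.
logESRequests = true
# DEBUG - Write to stdout file creation information
logFileCreation = true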
##############################################################################
# Classes of nodes
# Can override most default values, and create a tag called node:<classname>
# A node selects its class with nodeClass=<classname> in its own section.
[class1]
# Overrides the [default] freeSpaceG (5%) for every node in this class.
# No '%' suffix, so this is an absolute value in gigabytes.
freeSpaceG = 1200
##############################################################################
# Nodes
# Usually just use the hostname before the first dot as the node name
# Can override most default values
[node1]
# Values not set here are looked up in [class1], then in [default]
# (see the ordering described in the file header).
nodeClass = class1
# Might use a different elasticsearch node
# NOTE(review): no :port is given here, unlike the host:port form in [default];
# confirm the intended port is applied when it is omitted.
elasticsearch=elasticsearchhost1
# Uncomment if this node should process the cron queries, only ONE node should process cron queries
# cronQueries = true
[node2]
# NOTE(review): this file defines no [class2] section, so the class lookup step
# contributes nothing for this node and settings fall straight through to [default].
# Either add a [class2] section next to [class1] or point this at an existing class.
nodeClass = class2
# Might use a different elasticsearch node
# NOTE(review): no :port is given here, unlike the host:port form in [default];
# confirm the intended port is applied when it is omitted.
elasticsearch=elasticsearchhost2
# Uses a different interface
interface = eth4
##############################################################################
# override-ips is a special section that overrides the MaxMind databases for
# the fields set, but fields not set will still use MaxMind (example if you set
# tags but not country it will use MaxMind for the country)
# Spaces and capitalization are very important.
# IP Can be a single IP or a CIDR
# Up to 10 tags can be added
#
# ip=tag:TAGNAME1;tag:TAGNAME2;country:3LetterUpperCaseCountry;asn:ASN STRING
#[override-ips]
#10.1.0.0/16=tag:ny-office;country:USA;asn:AS0000 This is an ASN
##############################################################################
# It is now possible to define in the config file extra http/email headers
# to index. They are accessed using the expression http.<fieldname> and
# email.<fieldname> with optional .cnt expressions
#
# Possible config attributes for all headers
# type:<string> (string|integer|ip) = data type (default string)
# count:<boolean> = index count of items (default false)
# unique:<boolean> = only record unique items (default true)
# headers-http-request is used to configure request headers to index
#[headers-http-request]
#referer=type:string;count:true;unique:true
# headers-http-response is used to configure http response headers to index
#[headers-http-response]
#location=type:string;count:true
# headers-email is used to configure email headers to index
#[headers-email]
#x-priority=type:integer
##############################################################################
# If you have multiple clusters and you want the ability to send sessions
# from one cluster to another either manually or with the cron feature fill out
# this section
#[moloch-clusters]
#forensics=url:https://viewer1.host.domain:8005;passwordSecret:password4moloch;name:Forensics Cluster
#shortname2=url:http://viewer2.host.domain:8123;passwordSecret:password4moloch;name:Testing Cluster