Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search system.
Arkime augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Arkime exposes APIs which allow PCAP data and JSON-formatted session data to be downloaded and consumed directly. Arkime stores and exports all packets in standard PCAP format, so you can also use your favorite PCAP-ingesting tools, such as Wireshark, during your analysis workflow.
Arkime is built to be deployed across many systems and can scale to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Metadata retention is based on the Elasticsearch cluster scale. Both can be increased at any time and are under your complete control.
Arkime was created to replace commercial full packet systems at AOL in 2012. By having complete control of hardware and costs, we found we could deploy full packet capture across all our networks for the same cost as just one network using a commercial tool.
The Arkime system consists of three components:
- capture: runs on the sensors, writing PCAP to local disk and sending session metadata to Elasticsearch
- viewer: serves the web interface and the API
- Elasticsearch: the search database that stores the session metadata
Once installed, a user can look at the data Arkime has captured using a simple web interface. Arkime provides multiple views of the data. The primary view is the Sessions page that contains a list of sessions. Each session can be opened to view the metadata and PCAP data.
Another way to view the data is the SPI View page, which allows the user to see all the unique values for each field that Arkime understands.
Most users should use the prebuilt binaries available at our Downloads page and follow the simple install instructions on that page.
For advanced users, you can build Arkime yourself:
git clone https://github.com/arkime/arkime
./easybutton-build.sh --install
- downloads all the prerequisites, builds, and installs
make config
- performs an initial Arkime configuration
Most of the system configuration takes place in the /data/arkime/etc/config.ini file. The variables are documented in our Settings Wiki page.
Once Arkime is running, point your browser to http://localhost:8005 to access the web interface. Click on the Owl to reach the Arkime help page.
Access to Arkime is protected by using HTTPS with digest passwords or by using an authenticating web server proxy. All PCAPs are stored on the sensors and are only accessed using the Arkime interface or API. Arkime is not meant to replace an IDS but instead to work alongside one, storing and indexing all the network traffic in standard PCAP format and providing fast access to it.
Elasticsearch provides NO security by default, so iptables MUST be used to allow only Arkime machines to talk to the Elasticsearch machines (ports 9200-920x) and for them to mesh connect (ports 9300-930x). An example with 3 ES machines, 2 nodes each, and a viewer-only machine:
for ip in arkimees1 arkimees2 arkimees3 arkimevieweronly1; do
iptables -A INPUT -i eth0 -p tcp --dport 9300 -s $ip -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 9200 -s $ip -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 9301 -s $ip -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 9201 -s $ip -j ACCEPT
done
iptables -A INPUT -i eth0 -p tcp --dport 9300 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 9200 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 9301 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 9201 -j DROP
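Because iptables evaluates a chain top to bottom and `-A` appends, a rule set like the one above can silently stop protecting Elasticsearch: re-running the loop after the DROP rules exist puts the new ACCEPT rules behind the DROP, a stray ACCEPT without `-s` opens the port to everyone, and a port with no DROP at all inherits the chain policy. The following is an added example, not Arkime project code, that audits the text printed by `iptables -S INPUT` on an Elasticsearch machine and reports per port whether anything other than the listed Arkime hosts can still reach it. The addresses, the `SAMPLE_DUMP` and the function names are this example's own constructions; the dump is not captured from a real host.

```python
"""Audit an iptables INPUT chain for the Elasticsearch lockdown described above.

Added example, not Arkime project code. Function names and sample addresses
are constructed for illustration.
"""
import shlex

# The four ports the page's example rules cover (2 ES nodes per machine).
ES_PORTS = (9200, 9201, 9300, 9301)

# Constructed stand-ins for arkimees1, arkimees2 and arkimevieweronly1 after DNS
# resolution. iptables -S prints hosts with a /32 suffix, so the allowlist does too.
ALLOWED_SOURCES = {"10.0.0.11/32", "10.0.0.12/32", "10.0.0.20/32"}

# Constructed dump, not captured from a real host. 9200/9300 are locked down
# correctly; 9201 accepts an address that is not an Arkime machine; 9301 has its
# DROP before its ACCEPT (what the loop above produces when re-run after the DROP
# rules already exist, because -A appends to the end of the chain).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -s 10.0.0.11/32 -i eth0 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 10.0.0.11/32 -i eth0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A INPUT -s 10.0.0.12/32 -i eth0 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 10.0.0.12/32 -i eth0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A INPUT -s 10.0.0.20/32 -i eth0 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 10.0.0.20/32 -i eth0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9300 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9200 -j DROP
-A INPUT -s 10.0.0.11/32 -i eth0 -p tcp -m tcp --dport 9201 -j ACCEPT
-A INPUT -s 10.0.0.99/32 -i eth0 -p tcp -m tcp --dport 9201 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9201 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9301 -j DROP
-A INPUT -s 10.0.0.11/32 -i eth0 -p tcp -m tcp --dport 9301 -j ACCEPT
"""


def parse_rule(line):
    """Reduce one `-A INPUT ...` line to source, destination port and target.

    Policy lines (-P), other chains and blank lines return None.
    """
    tokens = shlex.split(line)
    if tokens[:2] != ["-A", "INPUT"]:
        return None
    rule = {"source": None, "dport": None, "target": None}
    it = iter(tokens[2:])
    for tok in it:
        if tok == "-s":
            rule["source"] = next(it, None)
        elif tok == "--dport":
            rule["dport"] = int(next(it, "0"))
        elif tok == "-j":
            rule["target"] = next(it, None)
    return rule


def audit_es_rules(dump, allowed_sources, ports=ES_PORTS):
    """Return {port: [finding, ...]}; an empty list means the port is locked down.

    Findings follow the order in which iptables evaluates the chain: an ACCEPT
    without -s, an ACCEPT from a non-Arkime source, ACCEPT rules shadowed by an
    earlier DROP, and a missing DROP while the chain policy is ACCEPT.
    """
    lines = dump.splitlines()
    policy_accept = any(l.strip() == "-P INPUT ACCEPT" for l in lines)
    rules = [r for r in map(parse_rule, lines) if r is not None]
    findings = {}
    for port in ports:
        chain = [r for r in rules if r["dport"] == port]
        drop_at = next(
            (i for i, r in enumerate(chain) if r["target"] in ("DROP", "REJECT")), None
        )
        problems, shadowed = [], []
        for i, r in enumerate(chain):
            if r["target"] != "ACCEPT":
                continue
            if r["source"] is None:
                problems.append("ACCEPT with no -s match: port open to every source")
            elif r["source"] not in allowed_sources:
                problems.append(f"ACCEPT from unlisted source {r['source']}")
            elif drop_at is not None and i > drop_at:
                shadowed.append(r["source"])  # DROP is hit first, ACCEPT is dead
        if shadowed:
            problems.append(
                "ACCEPT for " + ", ".join(shadowed) + " comes after the DROP and never matches"
            )
        if drop_at is None and policy_accept:
            problems.append("no DROP rule and chain policy is ACCEPT: reachable from anywhere")
        findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_es_rules(SAMPLE_DUMP, ALLOWED_SOURCES).items():
        print(port, "OK" if not problems else "; ".join(problems))
```

On a real machine, feed it `iptables -S INPUT` output and the resolved addresses of your Arkime hosts; the audit deliberately treats `REJECT` like `DROP` so either terminal rule satisfies the check.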
Arkime machines should be locked down, however they need to talk to each other (port 8005), to the elasticsearch machines (ports 9200-920x), and the web interface needs to be open (port 8005).
Arkime viewer should be configured to use SSL.
It is possible to set up an Arkime viewer on a machine that doesn't capture any data and that gateways all requests.
A shared password stored in the Arkime configuration file is used to encrypt password hashes AND for inter-Arkime communication.
End users should not be given access to Elasticsearch directly in case it hasn't been secured.
You can learn more about the Arkime API on our API Wiki page.
Please refer to the CONTRIBUTING.md file for information about how to get involved. We welcome issues, feature requests, pull requests, and documentation updates in GitHub. For questions about using and troubleshooting Arkime please use the Slack channels.
The best way to reach us is on Slack. Please request an invitation to join the Arkime Slack workspace here.
This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.