├── README.md
├── indexer
│   ├── docker-compose.yml
│   └── fpc-moloch
│       ├── Dockerfile
│       ├── etc
│       │   ├── config.ini
│       │   └── supervisor.conf
│       └── scripts
│           ├── buildmoloch.sh
│           ├── startmoloch.sh
│           └── startsocat.sh
└── sensor
    ├── Dockerfile
    ├── docker-compose.yml
    └── entrypoint.sh

/README.md:
--------------------------------------------------------------------------------
# Full Packet Capture for the Masses
This is a simple framework to implement Full Packet Capture in a distributed way. The idea is to have as small a footprint as possible on the sensors.

The framework is based on two Docker containers:
- a Moloch server
- a sensor

The sensor collects traffic using tcpdump and uploads collected PCAP files to the central Moloch server via SCP.

SANSFire Edition:
Containers have been updated to use Socat and transfer PCAP data in realtime.

--------------------------------------------------------------------------------
/indexer/docker-compose.yml:
--------------------------------------------------------------------------------
version: "2"

services:
  elasticsearch:
    image: elasticsearch:5.2.2-alpine
    restart: always
    hostname: fpc-elasticsearch
    container_name: fpc-elasticsearch
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/moloch/elasticsearch:/usr/share/elasticsearch/data
    network_mode: bridge

  capture:
    build: ./fpc-moloch
    image: xme/fpc-moloch:latest
    restart: always
    hostname: fpc-moloch
    container_name: fpc-moloch
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:fpc-elasticsearch
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/moloch/core/etc:/data/moloch/etc:rw
      - /data/moloch/core/raw:/data/moloch/raw:rw
      - /data/pcap:/data/pcap:rw
    ports:
      - '8443:8443'
      - '8005:8005'
    network_mode: bridge

--------------------------------------------------------------------------------
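/indexer/fpc-moloch/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
MAINTAINER Xavier Mertens

# Install prerequisites for moloch.
# "update" and "install" are chained into one layer so a cached update layer
# can never be reused with a later, different package list.
RUN apt-get -qq update && apt-get install -yq curl

# NOTE(review): this pipes a remote script straight into a root shell at build
# time; nothing here pins or checksums it, so the image content depends on
# whatever nodesource serves when the build runs. Pin the node packages or
# vendor the setup script if reproducible builds matter.
RUN curl -sL https://deb.nodesource.com/setup_6.x | bash -
RUN apt-get -qq update && apt-get -qq upgrade && \
    apt-get install -yq wget curl git sudo libyaml-dev xz-utils gcc pkg-config g++ flex bison \
    zlib1g-dev libffi-dev gettext libpcre3-dev uuid-dev libmagic-dev \
    libgeoip-dev make libjson-perl libbz2-dev libwww-perl libpng-dev yara \
    libpcap-dev nodejs phantomjs vim net-tools python supervisor socat openssl \
    tcpdump

ADD /scripts /data
RUN chmod 755 /data/*.sh

# Start building Moloch (clone + easybutton build, see buildmoloch.sh), then drop apt/tmp caches
RUN /data/buildmoloch.sh /data/moloch-git && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN ln -s /usr/bin/nodejs /data/moloch/bin/node
RUN ln -s /data/moloch/bin/moloch-capture /usr/bin/moloch-capture
RUN ln -s /data/moloch/bin/moloch-capture /usr/bin/capture

# Marker consumed (and removed) by startmoloch.sh on the first container start
RUN touch /.firstboot

# Config files are staged in /tmp; startmoloch.sh moves them into /data/moloch/etc on first boot
ADD /etc /tmp

VOLUME ["/data/moloch/etc","/data/moloch/logs","/data/moloch/data","/data/moloch/raw","/data/pcap"]

# Set expose port for moloch viewer (8005) & the socat PCAP receiver (8443)
EXPOSE 8005
EXPOSE 8443

WORKDIR /data/moloch

# No USER instruction: supervisord and everything it starts run as root
ENTRYPOINT ["/data/startmoloch.sh"]

--------------------------------------------------------------------------------
/indexer/fpc-moloch/etc/config.ini:
--------------------------------------------------------------------------------
# Latest settings documentation: https://github.com/aol/moloch/wiki/Settings
#
# Moloch uses a tiered system for configuration variables. This allows Moloch
# to share one config file for many machines. The ordering of sections in this
# file doesn't matter.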
6 | # 7 | # Order of config variables: 8 | # 1st) [optional] The section titled with the node name is used first. 9 | # Moloch will always tag sessions with node: 10 | # 2nd) [optional] If a node has a nodeClass variable, the section titled with 11 | # the nodeClass name is used next. Sessions will be tagged with 12 | # node: which is useful if watching different 13 | # network classes. 14 | # 3rd) The section titled "default" is used last. 15 | 16 | [default] 17 | # Comma seperated list of elasticsearch host:port combinations. If not using a 18 | # elasticsearch VIP, a different elasticsearch node in the cluster can be specified 19 | # for each Moloch node to help spread load on high volume clusters 20 | elasticsearch=elasticsearch:9200 21 | 22 | # How often to create a new elasticsearch index. hourly,daily,weekly,monthly 23 | # Changing the value will cause previous sessions to be unreachable 24 | rotateIndex=daily 25 | 26 | # Cert file to use, comment out to use http instead 27 | # certFile=/data/moloch/etc/moloch.cert 28 | 29 | # File with trusted roots/certs. WARNING! this replaces default roots 30 | # Useful with self signed certs and can be set per node. 31 | # caTrustFile=/data/moloch/etc/roots.cert 32 | 33 | # Private key file to use, comment out to use http instead 34 | # keyFile=/data/moloch/etc/moloch.key 35 | 36 | # S2S and Password Hash secret - Must be in default section. Since elasticsearch 37 | # is wide open by default, we encrypt the stored password hashes with this 38 | # so a malicous person can't insert a working new account. It is also used 39 | # for secure S2S communication. Comment out for no user authentication. 40 | # Changing the value will make all previously stored passwords no longer work. 41 | passwordSecret = MOLOCH_PASSWORD 42 | 43 | # HTTP Digest Realm - Must be in default section. 
Changing the value 44 | # will make all previously stored passwords no longer work 45 | httpRealm = Moloch 46 | 47 | # The base path for Moloch web access. Must end with a / or bad things will happen 48 | # Default: "/" 49 | # webBasePath = /moloch/ 50 | 51 | # Semicolon ';' seperated list of interfaces to listen on for traffic 52 | interface=eth0 53 | 54 | # The bpf filter 55 | #bpf=not port 9200 56 | 57 | # The yara file name 58 | #yara= 59 | 60 | ## Start wiseService configuration 61 | # Host to connect to for wiseService 62 | #wiseHost=127.0.0.1 63 | 64 | # Number of seconds to cache results before asking wiseService again 65 | #wiseCacheSecs=600 66 | 67 | # Max number of items to store in the wise cache that is local to each moloch-capture node 68 | #wiseMaxCache=100000 69 | 70 | # Number of connections to wiseService, this is also the number of concurrent wise queries. 71 | #wiseMaxConns=10 72 | 73 | # Number of oustanding requests to the wiseService 74 | #wiseMaxRequests=100 75 | ## End wiseService configuration 76 | 77 | # Uncomment to log access requests to a different log file 78 | #accessLogFile = /data/moloch/logs/access.log 79 | 80 | # The directory to save raw pcap files to 81 | pcapDir = /data/moloch/raw 82 | 83 | # The max raw pcap file size in gigabytes, with a max value of 36G. 84 | # The disk should have room for at least 10*maxFileSizeG 85 | maxFileSizeG = 12 86 | 87 | # The max time in minutes between rotating pcap files. Default is 0, which means 88 | # only rotate based on current file size and the maxFileSizeG variable 89 | #maxFileTimeM = 60 90 | 91 | # TCP timeout value. Moloch writes a session record after this many seconds 92 | # of inactivity. 93 | tcpTimeout = 600 94 | 95 | # Moloch writes a session record after this many seconds, no matter if 96 | # active or inactive 97 | tcpSaveTimeout = 720 98 | 99 | # UDP timeout value. Moloch assumes the UDP session is ended after this 100 | # many seconds of inactivity. 
101 | udpTimeout = 30 102 | 103 | # ICMP timeout value. Moloch assumes the ICMP session is ended after this 104 | # many seconds of inactivity. 105 | icmpTimeout = 10 106 | 107 | # An aproximiate maximum number of active sessions Moloch/libnids will try 108 | # and monitor 109 | maxStreams = 1000000 110 | 111 | # Moloch writes a session record after this many packets 112 | maxPackets = 10000 113 | 114 | # Delete pcap files when free space is lower then this in gigabytes OR it can be 115 | # expressed as a percentage (ex: 5%). This does NOT delete the session records in 116 | # the database. It is recommended this value is between 5% and 10% of the disk. 117 | # Database deletes are done by the db.pl expire script 118 | freeSpaceG = 5% 119 | 120 | # The port to listen on, by default 8005 121 | viewPort = 8005 122 | 123 | # The host/ip to listen on, by default 0.0.0.0 which is ALL 124 | #viewHost = localhost 125 | 126 | # By default the viewer process is https://hostname: for each node. 127 | #viewUrl = https://HOSTNAME:8005 128 | 129 | # Path of the maxmind geoip country file. Download free version from: 130 | # http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz 131 | geoipFile = /data/moloch/etc/GeoIP.dat 132 | 133 | # Path of the maxmind geoip ASN file. Download free version from: 134 | # http://www.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz 135 | geoipASNFile = /data/moloch/etc/GeoIPASNum.dat 136 | 137 | # Path of the rir assignments file 138 | # https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv 139 | rirFile = /data/moloch/etc/ipv4-address-space.csv 140 | 141 | # User to drop privileges to. The pcapDir must be writable by this user or group below 142 | dropUser=nobody 143 | 144 | # Group to drop privileges to. 
The pcapDir must be writable by this group or user above 145 | dropGroup=daemon 146 | 147 | # Semicolon ';' seperated list of tags which once capture sets for a session causes the 148 | # remaining pcap from being saved for the session. It is likely that the initial packets 149 | # WILL be saved for the session since tags usually aren't set until after several packets 150 | # Each tag can optionally be followed by a : which specifies how many total packets to save 151 | #dontSaveTags= 152 | 153 | # Header to use for determining the username to check in the database for instead of 154 | # using http digest. Use this if apache or something else is doing the auth. 155 | # Set viewHost to localhost or use iptables 156 | # Might need something like this in the httpd.conf 157 | # RewriteRule .* - [E=ENV_RU:%{REMOTE_USER}] 158 | # RequestHeader set MOLOCH_USER %{ENV_RU}e 159 | #userNameHeader=moloch_user 160 | 161 | # Should we parse extra smtp traffic info 162 | parseSMTP=true 163 | 164 | # Should we parse extra smb traffic info 165 | parseSMB=true 166 | 167 | # Should we parse HTTP QS Values 168 | parseQSValue=false 169 | 170 | # Semicolon ';' seperated list of SMTP Headers that have ips, need to have the terminating colon ':' 171 | smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: 172 | 173 | # Semicolon ';' seperated list of directories to load parsers from 174 | parsersDir=/data/moloch/parsers 175 | 176 | # Semicolon ';' seperated list of directories to load plugins from 177 | pluginsDir=/data/moloch/plugins 178 | 179 | # Semicolon ';' seperated list of plugins to load and the order to load in 180 | # plugins=tagger.so; netflow.so 181 | 182 | # Plugins to load as root, usually just readers 183 | #rootPlugins=reader-pfring; reader-daq.so 184 | 185 | # Semicolon ';' seperated list of viewer plugins to load and the order to load in 186 | # viewerPlugins=wise.js 187 | 188 | # NetFlowPlugin 189 | # Input device id, 0 by default 190 | #netflowSNMPInput=1 191 
| # Outout device id, 0 by default 192 | #netflowSNMPOutput=2 193 | # Netflow version 1,5,7 supported, 7 by default 194 | #netflowVersion=1 195 | # Semicolon ';' seperated list of netflow destinations 196 | #netflowDestinations=localhost:9993 197 | 198 | # Specify the max number of indices we calculate spidata for. 199 | # ES will blow up if we allow the spiData to search too many indices. 200 | spiDataMaxIndices=3 201 | 202 | # Uncomment the following to allow direct uploads. This is experimental 203 | #uploadCommand=/data/moloch/bin/moloch-capture --copy -n {NODE} -r {TMPFILE} -c {CONFIG} {TAGS} 204 | 205 | # Title Template 206 | # _cluster_ = ES cluster name 207 | # _userId_ = logged in User Id 208 | # _userName_ = logged in User Name 209 | # _page_ = internal page name 210 | # _expression_ = current search expression if set, otherwise blank 211 | # _-expression_ = " - " + current search expression if set, otherwise blank, prior spaces removed 212 | # _view_ = current view if set, otherwise blank 213 | # _-view_ = " - " + current view if set, otherwise blank, prior spaces removed 214 | #titleTemplate=_cluster_ - _page_ _-view_ _-expression_ 215 | 216 | # Number of threads processing packets 217 | packetThreads=2 218 | 219 | # ADVANCED - Semicolon ';' seperated list of files to load for config. Files are loaded 220 | # in order and can replace values set in this file or previous files. 221 | #includes= 222 | 223 | # ADVANCED - How is pcap written to disk 224 | # simple = use O_DIRECT if available, writes in pcapWriteSize chunks, 225 | # a file per packet thread. 226 | pcapWriteMethod=simple 227 | 228 | # ADVANCED - Buffer size when writing pcap files. Should be a multiple of the raid 5 or xfs 229 | # stripe size. 
Defaults to 256k 230 | pcapWriteSize = 262143 231 | 232 | # ADVANCED - value for pcap_set_buffer_size, may not be used depending on kernel etc 233 | pcapBufferSize = 30000000 234 | 235 | # ADVANCED - Number of bytes to bulk index at a time 236 | dbBulkSize = 300000 237 | 238 | # ADVANCED - Number of seconds before we force a flush to ES 239 | dbFlushTimeout = 5 240 | 241 | # ADVANCED - Compress requests to ES, reduces ES bandwidth by ~80% at the cost 242 | # of increased CPU. MUST have "http.compression: true" in elasticsearch.yml file 243 | compressES = false 244 | 245 | # ADVANCED - Max number of connections to elastic search 246 | maxESConns = 30 247 | 248 | # ADVANCED - Max number of es requests outstanding in q 249 | maxESRequests = 500 250 | 251 | # ADVANCED - Number of packets to ask libnids/libpcap to read per poll/spin 252 | # Increasing may hurt stats and ES performance 253 | # Decreasing may cause more dropped packets 254 | packetsPerPoll = 50000 255 | 256 | # ADVANCED - Moloch will try to compensate for SYN packet drops by swapping 257 | # the source and destination addresses when a SYN-acK packet was captured first. 258 | # Probably useful to set it false, when running Moloch in wild due to SYN floods. 259 | antiSynDrop = true 260 | 261 | # DEBUG - Write to stdout info every X packets. 
262 | # Set to -1 to never log status 263 | logEveryXPackets = 100000 264 | 265 | # DEBUG - Write to stdout unknown protocols 266 | logUnknownProtocols = false 267 | 268 | # DEBUG - Write to stdout elastic search requests 269 | logESRequests = true 270 | 271 | # DEBUG - Write to stdout file creation information 272 | logFileCreation = true 273 | 274 | 275 | ############################################################################## 276 | # Classes of nodes 277 | # Can override most default values, and create a tag call node: 278 | [class1] 279 | freeSpaceG = 10% 280 | 281 | ############################################################################## 282 | # Nodes 283 | # Usually just use the hostname before the first dot as the node name 284 | # Can override most default values 285 | 286 | [node1] 287 | nodeClass = class1 288 | # Might use a different elasticsearch node 289 | elasticsearch=elasticsearchhost1 290 | 291 | # Uncomment if this node should process the cron queries, only ONE node should process cron queries 292 | # cronQueries = true 293 | 294 | [node2] 295 | nodeClass = class2 296 | # Might use a different elasticsearch node 297 | elasticsearch=elasticsearchhost2 298 | # Uses a different interface 299 | interface = eth4 300 | 301 | ############################################################################## 302 | # override-ips is a special section that overrides the MaxMind databases for 303 | # the fields set, but fields not set will still use MaxMind (example if you set 304 | # tags but not country it will use MaxMind for the country) 305 | # Spaces and capitalization is very important. 
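# IP Can be a single IP or a CIDR
# Up to 10 tags can be added
#
# ip=tag:TAGNAME1;tag:TAGNAME2;country:3LetterUpperCaseCountry;asn:ASN STRING
#[override-ips]
#10.1.0.0/16=tag:ny-office;country:USA;asn:AS0000 This is an ASN

##############################################################################
# It is now possible to define in the config file extra http/email headers
# to index. They are accessed using the expression http. and
# email. with optional .cnt expressions
#
# Possible config attributes for all headers
# type: (string|integer|ip) = data type (default string)
# count: = index count of items (default false)
# unique: = only record unique items (default true)

# headers-http-request is used to configure request headers to index
#[headers-http-request]
#referer=type:string;count:true;unique:true

# headers-http-response is used to configure http response headers to index
#[headers-http-response]
#location=type:string;count:true

# headers-email is used to configure email headers to index
#[headers-email]
#x-priority=type:integer


##############################################################################
# If you have multiple clusters and you want the ability to send sessions
# from one cluster to another either manually or with the cron feature fill out
# this section

#[moloch-clusters]
#forensics=url:https://viewer1.host.domain:8005;passwordSecret:password4moloch;name:Forensics Cluster
#shortname2=url:http://viewer2.host.domain:8123;passwordSecret:password4moloch;name:Testing Cluster

--------------------------------------------------------------------------------
/indexer/fpc-moloch/etc/supervisor.conf:
--------------------------------------------------------------------------------
[supervisord]
nodaemon=true
logfile=/var/log/supervisor.log

[group:moloch]
programs=moloch_viewer,moloch_capture,moloch_socat

# Receives PCAP streams from sensors on 8443 (see startsocat.sh). No "user=" is
# set, so socat and the tcpdump it spawns run as supervisord's user (root, since
# the Dockerfile sets no USER).
[program:moloch_socat]
command=/data/startsocat.sh
stdout_logfile=/data/moloch/logs/socat-stdout.log
stderr_logfile=/data/moloch/logs/socat-stderr.log
logfile_maxbytes = 1000000
logfile_backups = 10
directory=/data/pcap
autorestart=true

[program:moloch_viewer]
command=node viewer.js
directory=/data/moloch/viewer
autorestart=true

# Picks up the PCAP files that socat/tcpdump drop under /data/pcap; --copy/--delete
# appear to copy them into pcapDir and remove the originals afterwards.
[program:moloch_capture]
command=/data/moloch/bin/moloch-capture -m -R /data/pcap --copy --delete --flush
stdout_logfile=/data/moloch/logs/capture-stdout.log
stderr_logfile=/data/moloch/logs/capture-stderr.log
logfile_maxbytes = 1000000
logfile_backups = 10
autorestart=true
user=root

--------------------------------------------------------------------------------
/indexer/fpc-moloch/scripts/buildmoloch.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Clone and build Moloch (pinned to v0.18.2) at image build time.
#
# $1:       build directory (default /data/moloch-git)
# PASSWORD: Moloch password secret handed to easybutton-build.sh; defaults to the
#           value this image has always used, so pass your own at build time
#           rather than shipping the default in the image.
#
# Abort on the first failing step so a half-built image is not silently produced.
set -e

mkdir -p /data/pcap

# Quoted test: with an empty $1 the unquoted form expanded to "[ -z ]", which
# only happened to behave correctly.
if [ -z "$1" ]; then
    BUILDDIR=/data/moloch-git
else
    BUILDDIR="$1"
fi

# Keep the historical default so existing builds are unchanged.
: "${PASSWORD:=0mgMolochDockerRules5}"

echo "git clone"
git clone --branch v0.18.2 --recursive https://github.com/aol/moloch.git "$BUILDDIR"
echo "cd to dir and build"
cd "$BUILDDIR"
USEPFRING=no ESMEM="512M" DONOTSTART=yes MOLOCHUSER=daemon GROUPNAME=daemon PASSWORD="$PASSWORD" INTERFACE=eth0 BATCHRUN=yes ./easybutton-build.sh
make
make install
cd /data/moloch/viewer
npm install

--------------------------------------------------------------------------------
/indexer/fpc-moloch/scripts/startmoloch.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Container entrypoint: one-time initialisation on the first boot, then supervisord.
#
# MOLOCH_ADMIN_PASSWORD: password of the "admin" viewer account created on first
#                        boot; defaults to the placeholder this script always used.
#                        Set it in the indexer's compose "environment:" block.

MOLOCHDIR=/data/moloch

# set PATH
echo "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/data/moloch/bin\"" > /etc/environment

#source /etc/profile

# /.firstboot is created by the Dockerfile and removed below, so this block runs once
if [ -r /.firstboot ]; then
    # Install the original config files (staged in /tmp by the Dockerfile)
    mv /tmp/config.ini /data/moloch/etc
    mv /tmp/supervisor.conf /data/moloch/etc

    # set write permissions for moloch: capture drops to dropUser/dropGroup from
    # config.ini, which must be able to write pcapDir
    chmod a+rwx /data/moloch/raw /data/moloch/logs /data/moloch/data

    # wait for Elasticsearch
    echo "Giving ES time to start..."
    sleep 5
    until curl -sS 'http://elasticsearch:9200/_cluster/health?wait_for_status=yellow&timeout=5s'
    do
        echo "Waiting for ES to start"
        sleep 1
    done
    echo

    # initialize moloch
    echo INIT | /data/moloch/db/db.pl http://elasticsearch:9200 init
    # The admin account keeps its historical default password unless one is supplied.
    /data/moloch/bin/moloch_add_user.sh admin "Admin User" "${MOLOCH_ADMIN_PASSWORD:-THEPASSWORD}" --admin
    /data/moloch/bin/moloch_update_geo.sh

    rm /.firstboot
fi

# config.ini ships with certFile/keyFile commented out, so the viewer answers plain
# HTTP unless they are set; say so instead of promising https.
echo "Starting viewer on port 8005 of the container (https only if certFile/keyFile are set in config.ini)."
/usr/bin/supervisord -c /data/moloch/etc/supervisor.conf

--------------------------------------------------------------------------------
/indexer/fpc-moloch/scripts/startsocat.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Accept TLS connections from sensors on 8443 and hand each stream to tcpdump,
# which writes rotating PCAP files under /data/pcap (-G rotates every 50 s,
# -W caps the file count at 100); moloch-capture ingests them (supervisor.conf).
#
# NOTE(review): verify=0 means client certificates are not checked, so any host
# that can reach 8443 can inject data into the index. Restrict 8443 at the
# network level, or use verify=1 with a cafile holding the sensor certificates.
# NOTE(review): /etc/socat.pem is not generated anywhere in this repository as
# shown; the service cannot start unless it is provisioned into the image/volume.
/usr/bin/socat OPENSSL-LISTEN:8443,reuseaddr,pf=ip4,fork,cert=/etc/socat.pem,verify=0 \
    SYSTEM:"tcpdump -n -r - -s 0 -G 50 -W 100 -w /data/pcap/dump-%Y%m%d%H%M%S.pcap not port 8443"

--------------------------------------------------------------------------------
/sensor/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
MAINTAINER xavier@rootshell.be

# One layer for update+install so a stale package index is never reused, and the
# index is removed in the same layer instead of surviving in an earlier one
RUN apt-get update && apt-get -y -q install tcpdump openssl socat && rm -rf /var/lib/apt/lists/*

COPY entrypoint.sh /
RUN chmod a+x /entrypoint.sh

# Runs as root (no USER); entrypoint.sh drops tcpdump to "nobody" with -Z
ENTRYPOINT [ "/entrypoint.sh" ]

--------------------------------------------------------------------------------
/sensor/docker-compose.yml:
--------------------------------------------------------------------------------
version: "2"

services:
  fpc-sensor:
    build: .
    image: xme/fpc-sensor:latest
    restart: always
    hostname: fpc-sensor
    container_name: fpc-sensor
    # host networking so tcpdump inside the container sees the host's interfaces
    network_mode: host
    environment:
      # host:port of the indexer's socat listener (startsocat.sh) - change before deploying
      - INDEXER=moloch.company.com:8443
      - PCAP_INTERFACE=eth0
      - PCAP_SNAPLEN=0
      # 8443 is the upload channel itself, presumably excluded so the sensor does not capture its own stream
      - PCAP_BPF_FILTER=not port 65522 and not port 1194 and not port 8443

--------------------------------------------------------------------------------
/sensor/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Start the FPC sensor (tcpdump + socat)
#
# Environment:
#   INDEXER          host:port of the indexer's socat listener (required)
#   PCAP_INTERFACE   interface to sniff (default: any)
#   PCAP_SNAPLEN     tcpdump snaplen (default: 0 = whole packets)
#   PCAP_BPF_FILTER  optional BPF filter appended to the tcpdump command line
#
# Without INDEXER the socat address is malformed and the loop below would just
# spin; fail fast with a clear message instead.
if [ -z "$INDEXER" ]; then
    echo "INDEXER (host:port of the Moloch socat listener) is not set" >&2
    exit 1
fi

: "${PCAP_INTERFACE:=any}"
: "${PCAP_SNAPLEN:=0}"
: "${PCAP_BPF_FILTER:=}"
export PCAP_INTERFACE PCAP_SNAPLEN PCAP_BPF_FILTER

# Generate a self-signed certificate for Socat. A restrictive umask keeps the
# key and the combined PEM from ever being world-readable, even before chmod.
# 2048-bit RSA: the 1024-bit size used before is below the accepted minimum.
umask 077
openssl genrsa -out /sensor.key 2048
openssl req -new \
    -key /sensor.key \
    -x509 \
    -days 365 \
    -subj "/C=BE/ST=Brussels/L=Brussels/O=SOC/CN=fpc-sensor" \
    -out /sensor.crt
cat /sensor.key /sensor.crt >/sensor.pem
chmod 600 /sensor.key /sensor.pem

# NOTE(review): verify=0 means the sensor does not authenticate the indexer, so the
# capture stream would also be delivered to anything answering as INDEXER. Pin the
# indexer certificate with cafile= and verify=1 once one is provisioned.
while true
do
    echo "Sniffing packets on $PCAP_INTERFACE..."
    # $PCAP_BPF_FILTER is deliberately unquoted: it is a sequence of tcpdump arguments
    /usr/sbin/tcpdump -n -Z nobody -i "$PCAP_INTERFACE" -s "$PCAP_SNAPLEN" -w - $PCAP_BPF_FILTER \
        | /usr/bin/socat - OPENSSL:"$INDEXER",cert=/sensor.pem,verify=0,forever,retry=10,interval=5
    echo "Restarting..."
done

--------------------------------------------------------------------------------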