docker-moloch
docker-moloch copied to clipboard
piesecurity
A Docker container for Moloch based on ubuntu
Docker Moloch container
Image is based on the ubuntu base image
Designed to get up and running quickly. Loads the viewer by default allowing you to parse large PCAPS within minutes.
Built on the excellent work of these 3 projects
https://github.com/MathieM/docker-moloch
https://github.com/MathieM/docker-compose-moloch
https://github.com/danielguerra69
Quick Start - Linux
Step 0 Prerequisites. Install Docker // Docker Compose // Configure Kernel
#Install Docker
curl -fsSL get.docker.com -o get-docker.sh
sudo sh get-docker.sh
#Install Docker Compose
sudo curl -L https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
#Increase Max Map Count for Elastic Search
sysctl -w vm.max_map_count=262144
- Clone the repository
git clone https://github.com/piesecurity/docker-moloch.git
cd ./docker-moloch
- Change this line in docker-compose.yml
MOLOCH_PASSWORD=PASSWORDCHANGEME
- Bring up the Moloch Viewer
sudo docker-compose up
- Visit http://127.0.0.1:8005 with your favorite web browser
username: admin
password: Defined in Step #2
Importing PCAPs
- Place all PCAPs in the folder ./tcpdump
- Run the following command with the container running
docker exec docker-moloch_moloch_1 moloch-parse-pcap-folder.sh
Running
Keep ElasticSearch Persistant
Change this line in docker-compose.yml from 'true' to 'false'
INITALIZEDB=
Wipe your ElasticSearch DB but keep all your users and configs
Run the following command with the container running
docker exec docker-moloch_moloch_1 wipemoloch.sh
Configure ElasticSearch to wipe each startup but keep your users and configs
Change this line in docker-compose.yml from 'true' to 'false'
INITALIZEDB=
Change this line in docker-compose.yml from 'true' to 'false'
WIPEDB=
piesecurity