socat issue
Thanks for the build!!
Wondering if you could help?
I have an indexer running per your build and the logs show these errors for moloch_socat.
7/19/2018 8:20:22 PM 2018-07-19 16:20:22,491 INFO spawned: 'moloch_viewer' with pid 77
7/19/2018 8:20:22 PM 2018-07-19 16:20:22,495 INFO spawned: 'moloch_capture' with pid 78
7/19/2018 8:20:22 PM 2018-07-19 16:20:22,498 INFO spawned: 'moloch_socat' with pid 79
7/19/2018 8:20:22 PM 2018-07-19 16:20:22,631 INFO exited: moloch_socat (exit status 1; not expected)
Should I just ignore it? I can't find the call to moloch_socat in the Dockerfile... (?)
I tried running the startsocat script in the container shell and met with this:
root@fpc-moloch:/data# ./startsocat.sh
2018/07/19 17:16:16 socat[181] E SSL_CTX_use_certificate_file(): error:02001002:system library:fopen:No such file or directory
Also, on the Sensor last bit of logs...
7/19/2018 8:48:35 PM Generating RSA private key, 1024 bit long modulus
7/19/2018 8:48:35 PM .................++++++
7/19/2018 8:48:35 PM ........................++++++
7/19/2018 8:48:35 PM e is 65537 (0x10001)
7/19/2018 8:48:35 PM Sniffing packets on eth1...
7/19/2018 8:48:35 PM dropped privs to nobody
7/19/2018 8:48:35 PM tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
There are no pcaps being sent to the indexer; the indexer sits idle.
Any ideas? Something I missed?
Thank you!
The ES image I am using is elasticsearch:5.6.7-alpine
Figured it out... Though I can't post my code, I can post my edits to your fork that fill in "the gaps":
##################start of Readme edit:
Build a Sensor first - as it creates an SSL cert that needs to be copied over to the indexer.
- Create both host instances and be ready to initiate an SSH session to both.
- After creating the sensor via the provision script, open a PuTTY session to both hosts.
On the Sensor:
cat /data/moloch/cert/sensor.pem
- Now, copy the contents of the file that is displayed.
On the indexer:
sudo mkdir -p /data/moloch/cert
sudo vi /data/moloch/cert/socat.pem
- Now, paste the contents of the copied sensor.pem file into the terminal.
- hit Esc, then s, then :wq, then Enter
Then,
- sudo chmod 600 /data/moloch/cert/socat.pem
At this point you should build the indexer..
########################end of Readme edit
IMPORTANT file preparations:
In both docker-compose files, add the following:
volumes:
  - /data/moloch/cert:/etc/cert:Z
In the INDEXER startsocat.sh, change to:
#!/bin/bash
# Accept the sensor's TLS stream on 8443 and hand it to tcpdump, which reads the
# pcap stream from stdin (-r -) and rotates the output file every 50 seconds (-G 50).
/usr/bin/socat OPENSSL-LISTEN:8443,reuseaddr,pf=ip4,fork,cert=/etc/cert/socat.pem,verify=0 \
  SYSTEM:"tcpdump -n -r - -s 0 -G 50 -W 100 -w /data/pcap/dump-%Y%m%d%H%M%S.pcap not port 8443"
In the SENSOR entrypoint.sh while loop, change to:
while true
do
  echo "Sniffing packets on $PCAP_INTERFACE..."
  # Write the capture to stdout and stream it over TLS to the indexer's socat
  # listener; socat keeps reconnecting (forever,retry,interval) if the indexer
  # is down. $PCAP_BPF_FILTER is left unquoted on purpose so it word-splits.
  /usr/sbin/tcpdump -n -Z nobody -i "$PCAP_INTERFACE" -s "$PCAP_SNAPLEN" -w - $PCAP_BPF_FILTER \
    | /usr/bin/socat - OPENSSL:$INDEXER,cert=/etc/cert/sensor.pem,verify=0,forever,retry=10,interval=5
  echo "Restarting..."
done
... I had to pay back the good work on the initial build. Thank you!!!!
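A caveat on the configuration above, with an added example that is not from the issue or the project's own scripts: both socat commands use verify=0, so neither end checks the other's certificate. Any host that can reach port 8443 on the indexer can push arbitrary pcaps into /data/pcap, and any host that can intercept the sensor's connection receives the sensor's captured traffic; the sensor log also shows a 1024-bit RSA key being generated. The script below generates a 2048-bit self-signed certificate per side with openssl, pins each peer's certificate with socat's cafile= option, and turns verification back on (verify=1 plus commonname= so the CN is checked; these are standard socat OPENSSL options, available since socat 1.7.3). The CN values "sensor" and "indexer", the hostname indexer.internal and the /etc/cert paths are assumptions matching the compose mount above; socat itself is not run here, only the certificate steps.

```shell
#!/bin/sh
# Added example (not the original issue's or the project's code): replace
# verify=0 with pinned, mutually verified self-signed certificates.
# Assumes openssl is installed and socat 1.7.3+ on both hosts.
set -eu

# make_cert NAME DIR
# Creates DIR/NAME.key (private key), DIR/NAME.crt (self-signed cert) and
# DIR/NAME.pem (key + cert concatenated, the layout socat's cert= option reads).
make_cert() {
  name=$1; dir=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
  chmod 600 "$dir/$name.key" "$dir/$name.pem"
}

# verify_pinned CAFILE CERT
# The check socat performs with cafile=CAFILE,verify=1: CERT must chain to the
# pinned cert in CAFILE (with self-signed certs: be that very cert). Returns 0/1.
verify_pinned() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# indexer_cmd CERTDIR
# Hardened replacement for startsocat.sh on the indexer: only a client that
# presents the pinned sensor cert (CN=sensor) may deliver pcaps.
indexer_cmd() {
  d=$1
  printf '%s\n' \
    "/usr/bin/socat OPENSSL-LISTEN:8443,reuseaddr,pf=ip4,fork,cert=$d/indexer.pem,cafile=$d/sensor.crt,verify=1,commonname=sensor \\" \
    "  SYSTEM:\"tcpdump -n -r - -s 0 -G 50 -W 100 -w /data/pcap/dump-%Y%m%d%H%M%S.pcap not port 8443\""
}

# sensor_cmd CERTDIR INDEXER_HOST
# Hardened replacement for the socat half of the sensor loop: captured traffic
# is only sent to a server that presents the pinned indexer cert (CN=indexer).
sensor_cmd() {
  d=$1; host=$2
  printf '%s\n' \
    "/usr/bin/socat - OPENSSL:$host:8443,cert=$d/sensor.pem,cafile=$d/indexer.crt,verify=1,commonname=indexer,forever,retry=10,interval=5"
}

# Stand-alone demo: build both certs in a scratch directory, show that the
# sensor cert pins against itself but not against the indexer cert, and print
# the two hardened command lines. Only sensor.crt goes to the indexer and only
# indexer.crt goes to the sensor; no private key ever leaves its host (the
# original steps copied the sensor's whole .pem, key included, to the indexer).
demo() {
  tmp=$(mktemp -d)
  make_cert sensor  "$tmp"
  make_cert indexer "$tmp"
  verify_pinned "$tmp/sensor.crt" "$tmp/sensor.crt"  && echo "sensor.crt pinned: OK"
  verify_pinned "$tmp/indexer.crt" "$tmp/sensor.crt" || echo "sensor.crt vs indexer.crt: rejected (expected)"
  indexer_cmd /etc/cert
  sensor_cmd  /etc/cert indexer.internal   # hypothetical indexer hostname
  rm -rf "$tmp"
}
demo
```

Because cafile holds only the one peer certificate, a TLS client or server with any other certificate, self-signed or CA-issued, fails the handshake before a single byte of pcap is exchanged, which is the property verify=0 gave up.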