# Moloch uses a tiered system for configuration variables. This allows Moloch
# to share one config file for many machines. The ordering of sections in this
# file doesn't matter.
#
# Order of config variables:
# 1st) [optional] The section titled with the node name is used first.
# Moloch will always tag sessions with node:<node name>
# 2nd) [optional] If a node has a nodeClass variable, the section titled with
# the nodeClass name is used next. Sessions will be tagged with
# node:<node class name> which is useful if watching different
# network classes.
# 3rd) The section titled "default" is used last.
[default]
# The elasticsearch host:port. If not using an elasticsearch VIP, a different
# elasticsearch node in the cluster can be specified for each Moloch node to
# help spread load on high volume clusters.
# Security: as the passwordSecret comment below says, elasticsearch is wide
# open by default and nothing in this file authenticates Moloch to it, so
# restrict network access to this host:port (firewall / private network) to
# the Moloch nodes only.
elasticsearch=CHANGEME_ESHOSTNAME:9200
# How often to create a new elasticsearch index. daily,weekly,monthly
# Changing the value will cause previous sessions to be unreachable
rotateIndex=daily
# Cert file to use, comment out to use http instead
# Security: commenting out certFile/keyFile makes the viewer serve plain HTTP,
# so the HTTP Digest exchange below and every session returned to the browser
# travel unencrypted. Keep TLS enabled anywhere but an isolated lab.
certFile=moloch.cert
# Private key file to use, comment out to use http instead
# Restrict file permissions on the key (e.g. mode 0600); it is as sensitive as
# passwordSecret.
keyFile=moloch.key
# S2S and Password Hash secret - Must be in default section. Since elasticsearch
# is wide open by default, we encrypt the stored password hashes with this
# so a malicious person can't insert a working new account. It is also used
# for secure S2S communication. Comment out for no user authentication.
# Changing the value will make all previously stored passwords no longer work.
# Security: CHANGEME is a placeholder. Replace it with a long random string
# before the first user is created, keep this file readable only by the
# account that runs Moloch, and never commit the real value to version control.
# Commenting it out disables user authentication entirely - do not do that on
# a viewer reachable from anything other than localhost.
passwordSecret = CHANGEME
# HTTP Digest Realm - Must be in default section. Changing the value
# will make all previously stored passwords no longer work
httpRealm = Moloch
# The base path for Moloch web access. Must end with a / or bad things will happen
# Default: "/"
# webBasePath = /moloch/
# The interface to listen on for traffic
interface=eth1
# The bpf filter
# Example: exclude this node's own traffic to elasticsearch (port 9200 above)
# so Moloch does not capture its own database writes.
#bpf=not port 9200
# The yara file name
#yara=
# The directory to save raw pcap files to
pcapDir = /moloch/pcap
# The max raw pcap file size in gigabytes, with a max value of 36G.
# The disk should have room for at least 10*maxFileSizeG
maxFileSizeG = 12
# TCP timeout value. Moloch writes a session record after this many seconds
# of inactivity.
tcpTimeout = 600
# Moloch writes a session record after this many seconds, no matter if
# active or inactive
tcpSaveTimeout = 720
# UDP timeout value. Moloch assumes the UDP session is ended after this
# many seconds of inactivity.
udpTimeout = 30
# ICMP timeout value. Moloch assumes the ICMP session is ended after this
# many seconds of inactivity.
icmpTimeout = 10
# An approximate maximum number of active sessions Moloch/libnids will try
# and monitor
maxStreams = 1000000
# Moloch writes a session record after this many packets
maxPackets = 10000
# Delete pcap files when free space is lower than this. This does NOT
# delete the session records in the database. It is recommended this value is
# between 5% and 10% of the disk. Database deletes are done by the
# daily.sh script
freeSpaceG = 600
# The port to listen on, by default 8005
viewPort = 8005
# By default the viewer process is https://hostname:<viewPort> for each node.
#viewUrl = https://HOSTNAME:8005
# Path of the maxmind geoip country file. Download free version from:
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
# Plain-http download URL: fetch over https where available so the database
# cannot be swapped in transit.
geoipFile = GeoIP.dat
# Path of the maxmind geoip ASN file. Download free version from:
# http://www.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
geoipASNFile = GeoIPASNum.dat
# User to drop privileges to. The pcapDir must be writable by this user or group below
# A dedicated account is preferable to nobody, which other daemons on the host
# may share; anything that user can write is then writable by them too.
dropUser=nobody
# Group to drop privileges to. The pcapDir must be writable by this group or user above
dropGroup=nobody
# Semicolon ';' separated list of tags which, once capture sets one for a session,
# prevent the remaining pcap from being saved for the session. It is likely that the
# initial packets WILL be saved for the session since tags usually aren't set until
# after several packets
#dontSaveTags=
# Header to use for determining the username to check in the database for instead of
# using http digest. Use this if apache or something else is doing the auth.
# Might need something like this in the httpd.conf
# RewriteRule .* - [E=ENV_RU:%{REMOTE_USER}]
# RequestHeader set MOLOCH_USER %{ENV_RU}e
# Security: with this set the viewer takes the username from the header instead of
# authenticating the client itself, so any client that can reach viewPort directly
# could present whatever username it likes. Only enable it when the viewer is
# reachable exclusively through the proxy that sets this header (and that proxy
# strips any copy of the header supplied by the client).
#userNameHeader=moloch_user
# Should we parse extra smtp traffic info
parseSMTP=true
# Semicolon ';' separated list of SMTP Headers that have ips, need to have the terminating colon ':'
# These values come from the captured mail itself and can be forged by the sender;
# treat the IPs they yield as hints, not as ground truth.
smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:
# Plugin directory to load plugins from
# Plugins are native shared objects (.so) loaded into the capture process, so this
# directory must be writable only by the administrator, never by dropUser.
# A relative path is ambiguous; an absolute path is safer.
pluginsDir=plugins
# Semicolon ';' separated list of plugins to load and the order to load in
# plugins=tagger.so; netflow.so
# NetFlowPlugin
# Input device id, 0 by default
#netflowSNMPInput=1
# Output device id, 0 by default
#netflowSNMPOutput=2
# Netflow version 1,5,7 supported, 7 by default
#netflowVersion=1
# Semicolon ';' separated list of netflow destinations
# Session metadata is exported to these hosts; list only trusted collectors.
#netflowDestinations=localhost:9993
# Specify the max number of indices we calculate spidata for.
# ES will blow up if we allow the spiData to search too many indices.
spiDataMaxIndices=3
# Uncomment the following to allow direct uploads. This is experimental
# Security: this value is run as a command with the upload substituted into the
# {NODE}/{TMPFILE}/{CONFIG}/{TAGS} placeholders. Only enable it if every account
# that can upload is trusted, and keep the binary path absolute as shown.
#uploadCommand=/data/moloch/bin/moloch-capture --copy -n {NODE} -r {TMPFILE} -c {CONFIG} {TAGS}
# ADVANCED - Buffer size when writing pcap files. Should be a multiple of the raid 5 or xfs
# stripe size. Defaults to 256k
# NOTE(review): 262143 is 256 KiB minus one byte, which is not a multiple of any
# stripe or page size; 262144 (256k) is probably what was intended - confirm.
pcapWriteSize = 262143
# ADVANCED - value for pcap_set_buffer_size, may not be used depending on kernel etc
pcapBufferSize = 30000000
# ADVANCED - Number of bytes to bulk index at a time
dbBulkSize = 300000
# ADVANCED - Number of seconds before we force a flush to ES
dbFlushTimeout = 5
# ADVANCED - Compress requests to ES, reduces ES bandwidth by ~80% at the cost
# of increased CPU. MUST have "http.compression: true" in elasticsearch.yml file
compressES = false
# ADVANCED - Max number of connections to elastic search
maxESConns = 30
# ADVANCED - Max number of es requests outstanding in q
maxESRequests = 500
# ADVANCED - Number of packets to ask libnids/libpcap to read per poll/spin
# Increasing may hurt stats and ES performance
# Decreasing may cause more dropped packets
packetsPerPoll = 50000
# DEBUG - Write to stdout info every X packets.
# Set to -1 to never log status
logEveryXPackets = 100000
# DEBUG - Write to stdout unknown protocols
logUnknownProtocols = false
# DEBUG - Write to stdout elastic search requests
# Left enabled here. The requests presumably carry the session records being
# indexed, so in production set this to false to keep session data out of
# stdout/log files (and to save I/O).
logESRequests = true
# DEBUG - Write to stdout file creation information
logFileCreation = true
##############################################################################
# Classes of nodes
# Can override most default values, and create a tag called node:<classname>
# A node joins a class through the nodeClass key in its own [node] section;
# class values sit between the node section and [default] in lookup order.
[class1]
# Larger pcap free-space threshold for this class than the [default] 600G
freeSpaceG = 1200
##############################################################################
# Nodes
# Usually just use the hostname before the first dot as the node name
# Can override most default values
[node1]
nodeClass = class1
# Might use a different elasticsearch node
# NOTE(review): no port is given here, unlike the host:9200 form in [default];
# presumably a default port applies - confirm for the version in use.
elasticsearch=elasticsearchhost1
[node2]
# NOTE(review): no [class2] section exists in this file, so by the lookup order
# described in the header node2 presumably falls straight through to [default]
# for anything not set here. Add a [class2] section or reference class1.
nodeClass = class2
# Might use a different elasticsearch node
elasticsearch=elasticsearchhost2
# Uses a different interface
interface = eth4
##############################################################################
# override-ips is a special section that overrides the MaxMind databases for
# the fields set, but fields not set will still use MaxMind (example if you set
# tags but not country it will use MaxMind for the country)
# Spaces and capitalization are significant in these entries.
# IP Can be a single IP or a CIDR
# Up to 10 tags can be added
#
# ip=tag:TAGNAME1;tag:TAGNAME2;country:3LetterUpperCaseCountry;asn:ASN STRING
#[override-ips]
#10.1.0.0/16=tag:ny-office;country:USA;asn:AS0000 This is an ASN
##############################################################################
# It is now possible to define in the config file extra http/email headers
# to index. They are accessed using the expression http.<fieldname> and
# email.<fieldname> with optional .cnt expressions
#
# Possible config attributes for all headers
# type:<string> (string|integer) = data type (default string)
# count:<boolean> = index count of items (default false)
# unique:<boolean> = only record unique items (default true)
# headers-http-request is used to configure request headers to index
#[headers-http-request]
#referer=type:string;count:true;unique:true
# headers-http-response is used to configure http response headers to index
#[headers-http-response]
#location=type:string;count:true
# headers-email is used to configure email headers to index
#[headers-email]
#x-priority=type:integer