A powerful, easily deployable network traffic analysis tool suite
A dedicated network sensor appliance is the recommended method for capturing and analyzing live network traffic when performance and throughput are of utmost importance. Hedgehog Linux is a custom Debian-based operating system built to:
Please see the Hedgehog Linux README for more information.
The options for monitoring traffic on local network interfaces can be configured by running `./scripts/configure`.
Malcolm's `pcap-capture`, `suricata-live` and `zeek-live` containers can monitor one or more local network interfaces, specified by the `PCAP_IFACE` environment variable in `pcap-capture.env`. These containers are started with additional privileges to allow opening network interfaces in promiscuous mode for capture.
The instances of Zeek and Suricata (in the `suricata-live` and `zeek-live` containers when the `SURICATA_LIVE_CAPTURE` and `ZEEK_LIVE_CAPTURE` environment variables are set to `true`, respectively) analyze traffic on-the-fly and generate log files containing network session metadata. These log files are in turn scanned by Filebeat and forwarded to Logstash for enrichment and indexing into the OpenSearch document store.
In contrast, the `pcap-capture` container buffers traffic to PCAP files and periodically rotates these files for processing (by Arkime's `capture` utility in the `arkime` container) according to the thresholds defined by the `PCAP_ROTATE_MEGABYTES` and `PCAP_ROTATE_MINUTES` environment variables in `pcap-capture.env`. If for some reason (e.g., a low-resource environment) you also want Zeek and Suricata to process these intermediate PCAP files rather than monitoring the network interfaces directly, you can set `SURICATA_ROTATED_PCAP`/`ZEEK_ROTATED_PCAP` to `true` and `SURICATA_LIVE_CAPTURE`/`ZEEK_LIVE_CAPTURE` to `false`. The only exception to this behavior (i.e., the creation of intermediate PCAP files by `netsniff-ng` or `tcpdump` in the `pcap-capture` container, which are periodically rolled over for processing by Arkime) is when running the "Hedgehog" run profile or when using a remote OpenSearch or Elasticsearch instance. In either of these configurations, users may choose to have Arkime's `capture` tool monitor live traffic on the network interface without using the intermediate PCAP file.
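The variables above combine in only a few sensible ways: each engine should either watch the interface (`*_LIVE_CAPTURE=true`) or read the rotated files (`*_ROTATED_PCAP=true`), never both, and reading rotated files only works if `pcap-capture` actually rotates them. The following shell function is an added consistency check written for this page; it is not part of Malcolm or its `./scripts/configure`. It assumes the relevant `KEY=VALUE` lines have been gathered into one file (Malcolm keeps the `PCAP_*` settings in `pcap-capture.env` and the Suricata and Zeek switches in their own env files, so concatenate them before running it).

```shell
#!/usr/bin/env bash
# Added consistency check for Malcolm's capture-related environment
# variables (example code, not part of Malcolm). Input: one KEY=VALUE file.

# envval FILE NAME: print the value of NAME from FILE, lower-cased and with
# double quotes removed (last definition wins; empty string if unset).
envval() {
  local file=$1 name=$2
  grep -E "^${name}=" "$file" | tail -n 1 | cut -d= -f2- \
    | tr -d '"' | tr '[:upper:]' '[:lower:]'
}

# is_positive_int VALUE: succeed when VALUE is an unsigned integer > 0.
is_positive_int() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# check_capture_env FILE: print one line per problem found; return 0 only
# when the combination of settings is consistent.
check_capture_env() {
  local file=$1 problems=0 engine live rot iface var
  iface=$(envval "$file" PCAP_IFACE)

  # Every capture mode needs at least one interface name to open.
  if [ -z "$iface" ]; then
    echo "PCAP_IFACE is empty: no interface to capture from"
    problems=1
  fi

  for engine in ZEEK SURICATA; do
    live=$(envval "$file" "${engine}_LIVE_CAPTURE")
    rot=$(envval "$file" "${engine}_ROTATED_PCAP")

    # An engine reads either the interface or the rotated PCAP files; both
    # at once would analyze (and log) every session twice.
    if [ "$live" = true ] && [ "$rot" = true ]; then
      echo "${engine}_LIVE_CAPTURE and ${engine}_ROTATED_PCAP are both true"
      problems=1
    fi

    # Reading rotated files depends on pcap-capture rolling them over, which
    # needs sane PCAP_ROTATE_* thresholds.
    if [ "$rot" = true ]; then
      for var in PCAP_ROTATE_MEGABYTES PCAP_ROTATE_MINUTES; do
        if ! is_positive_int "$(envval "$file" "$var")"; then
          echo "${engine}_ROTATED_PCAP=true but $var is not a positive integer"
          problems=1
        fi
      done
    fi
  done
  return $problems
}
```

Run it as `cat pcap-capture.env suricata-live.env zeek-live.env > /tmp/capture.env && check_capture_env /tmp/capture.env` (file names other than `pcap-capture.env` are assumed); a non-zero exit with the printed findings is the signal to revisit `./scripts/configure`.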
Note that Microsoft Windows and Apple macOS platforms currently run Docker inside of a virtualized environment. Live traffic capture and analysis on those platforms would require additional configuration of virtual interfaces and port forwarding in Docker, which is outside of the scope of this document.
Another configuration for monitoring local network interfaces is to use the `hedgehog` run profile. During Malcolm configuration users are prompted "Run with Malcolm (all containers) or Hedgehog (capture only) profile?" Docker Compose can use profiles to selectively start services. While the `malcolm` run profile runs all of Malcolm's containers (OpenSearch, Dashboards, Logstash, etc.), the `hedgehog` profile runs only the containers necessary for traffic capture.
When configuring the `hedgehog` profile, users must provide connection details for another Malcolm instance to which to forward its network traffic logs.
Malcolm's Logstash instance can also be configured to accept logs from a remote forwarder by running `./scripts/configure` and answering "yes" to "Expose Logstash port to external hosts?" Enabling encrypted transport of these log files is discussed in Configure authentication and the description of the `BEATS_SSL` environment variable in `beats-common.env`.
Configuring Filebeat to forward Zeek logs to Malcolm might look something like this example `filebeat.yml`:
```yaml
filebeat.inputs:
- type: log
  paths:
    - /var/zeek/*.log
  fields_under_root: true
  compression_level: 0
  # Zeek log files start with "#"-prefixed header lines; skip them.
  exclude_lines: ['^\s*#']
  scan_frequency: 10s
  clean_inactive: 180m
  ignore_older: 120m
  close_inactive: 90m
  close_renamed: true
  close_removed: true
  close_eof: false
  clean_renamed: true
  clean_removed: true

output.logstash:
  # Malcolm's exposed Logstash Beats port (192.0.2.123 is a placeholder address).
  hosts: ["192.0.2.123:5044"]
  ssl.enabled: true
  ssl.certificate_authorities: ["/foo/bar/ca.crt"]
  ssl.certificate: "/foo/bar/client.crt"
  ssl.key: "/foo/bar/client.key"
  ssl.supported_protocols: "TLSv1.2"
  # "none" skips checking the Logstash server certificate against the CA
  # above; the connection is still encrypted and the client certificate is
  # still presented.
  ssl.verification_mode: "none"
```
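Before deploying a forwarder configuration like the one above, it is worth checking the handful of settings that decide whether the Zeek logs cross the network encrypted and to the intended Logstash. The shell function below is an added example written for this page (not part of Malcolm or Filebeat); it assumes the flat `ssl.<name>: value` key style used in the example `filebeat.yml` and flags the settings a reviewer would question: TLS disabled, `ssl.verification_mode: "none"` (which skips validating the Logstash certificate against `ssl.certificate_authorities`), and protocol versions older than TLS 1.2.

```shell
#!/usr/bin/env bash
# Added lint for the Filebeat -> Logstash TLS settings (example code, not part
# of Malcolm or Filebeat). Expects the flat dotted-key layout shown above.

# fb_get FILE KEY: print the value of KEY from a flat filebeat.yml with
# quotes, brackets and surrounding whitespace removed (empty if absent).
fb_get() {
  local file=$1 key=$2
  grep -E "^[[:space:]]*${key}:" "$file" | head -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[]["]//g; s/[[:space:]]*$//'
}

# check_filebeat_tls FILE: print one line per finding; return 0 only when
# TLS is on, the Logstash certificate is verified and only TLS 1.2+ is offered.
check_filebeat_tls() {
  local file=$1 problems=0 enabled mode protos proto
  enabled=$(fb_get "$file" ssl.enabled)
  mode=$(fb_get "$file" ssl.verification_mode)
  protos=$(fb_get "$file" ssl.supported_protocols)

  # Without ssl.enabled the Beats protocol runs in cleartext.
  if [ "$enabled" != true ]; then
    echo "ssl.enabled is not true: logs would reach Logstash unencrypted"
    problems=1
  fi

  # Filebeat's default ("full") verifies the server certificate and host name;
  # "none" accepts any certificate, so the CA file above is never consulted.
  if [ "$mode" = none ]; then
    echo "ssl.verification_mode is none: Logstash certificate is not verified"
    problems=1
  fi

  # Accept only TLS 1.2 and 1.3 in ssl.supported_protocols (comma-separated list).
  for proto in $(printf '%s\n' "$protos" | tr ',' ' '); do
    case $proto in
      TLSv1.2|TLSv1.3) ;;
      *) echo "ssl.supported_protocols allows $proto"; problems=1 ;;
    esac
  done
  return $problems
}
```

Run against the example above it reports the `verification_mode` finding; once the forwarder trusts the CA that issued Malcolm's Logstash certificate, switching that setting to `"full"` makes the check pass.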