Building a cybersecurity home lab — Part II

Alex H.
7 min read · Feb 5, 2024


As promised, I am back with the second part of the series, and we will look at ways to enhance visibility at the host and network levels. In summary, this part will look at the following:

  • Add a capability that will allow us to capture live network traffic.

First, let’s revisit the existing network configuration in VMware and pfSense and add two new adapters: one for the SOC infrastructure (Arkime, Velociraptor) and another that will carry a copy of the traffic from the networks we want to monitor.

Note that no DHCP is configured at the VMware level; we will do that in pfSense if necessary. We can go ahead and add those two networks to the pfSense VM and make them available in the management portal.

Once available, we can configure the SOC interface with a static IPv4 address of 10.10.30.254/24, just like in part I, and create the necessary firewall rules to allow the traffic.

We can enable the interface without any IP address configuration for the Bridge Output. :)

After these changes, the network diagram from part I changed a bit, and now it looks like this.

If you are wondering how that unconfigured Bridge Output interface will help us capture live packets, the answer lies in a small concept named port mirroring. Port mirroring or SPAN (Switch Port Analyzer) allows us to take specific traffic (in this case, the Workstations and Servers networks) and mirror it onto the Bridge Output interface at the data link layer, so no IP addressing is needed on that interface.

To support a SPAN port, pfSense has a concept of Bridges in which we can specify member interfaces (the ones we want to monitor) and the SPAN interface (where to mirror the traffic).
The configuration is straightforward: create a bridge interface with the monitored networks as members and the Bridge Output as the SPAN port.
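A quick way to confirm the bridge mirrors what you expect is to run tcpdump on the Bridge Output interface and check the addresses that show up. The script below is an added example, not from the original post; it assumes the bridge members are 10.10.10.0/24 (Workstations) and 10.10.20.0/24 (Servers), which are placeholders, while 10.10.30.0/24 is the SOC network from the post.

```python
"""Check a SPAN feed on the Bridge Output interface from tcpdump -n output.

Added example, not from the original post. It assumes the bridge members are
10.10.10.0/24 (Workstations) and 10.10.20.0/24 (Servers); only the SOC
network 10.10.30.0/24 appears in the post, the other two are placeholders.
"""
import ipaddress
import re

MEMBER_NETS = [ipaddress.ip_network("10.10.10.0/24"),   # assumed Workstations
               ipaddress.ip_network("10.10.20.0/24")]   # assumed Servers
SOC_NET = ipaddress.ip_network("10.10.30.0/24")         # SOC, not a bridge member

# "IP a.b.c.d.port > a.b.c.d.port:" prefix tcpdump -n prints for IPv4 TCP/UDP;
# lines without ports (ICMP, ARP) do not match and are skipped on purpose.
LINE_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")


def endpoints(lines):
    """Yield (src, dst) address pairs parsed from tcpdump -n output lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def span_report(lines):
    """Report which member networks the mirror delivers and any SOC leakage."""
    # A correct SPAN carries every bridge member and nothing from the SOC
    # segment, which is not a member and must never show up on ens34.
    seen = {str(net): False for net in MEMBER_NETS}
    soc_packets = 0
    for src, dst in endpoints(lines):
        for net in MEMBER_NETS:
            if src in net or dst in net:
                seen[str(net)] = True
        if src in SOC_NET or dst in SOC_NET:
            soc_packets += 1
    return {"members_seen": seen, "soc_packets": soc_packets,
            "ok": all(seen.values()) and soc_packets == 0}


# Constructed sample of `tcpdump -ni ens34` output, not a real capture.
SAMPLE = """\
12:00:01.000001 IP 10.10.10.5.49152 > 10.10.20.10.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000412 IP 10.10.20.10.445 > 10.10.10.5.49152: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:02.100000 IP 10.10.10.5.51000 > 1.1.1.1.53: 12345+ A? example.com. (29)
""".splitlines()

if __name__ == "__main__":
    print(span_report(SAMPLE))
```

Feed it real output with `sudo tcpdump -ni ens34 -c 500 | python3 span_check.py` after swapping SAMPLE for sys.stdin; a member network that never appears means that interface is missing from the bridge.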

Arkime

According to the project’s website, Arkime (formerly Moloch) is a large-scale, open-source, indexed packet capture and search tool. It can be installed on Arch, CentOS, Ubuntu, etc.; for this lab, we will be using the latest server release of Ubuntu.

Get Ubuntu Server | Download | Ubuntu

We’ll create a VM with decent specs to support performance and storage for our traffic captures. Note that the VM includes the SOC interface for management and the Bridge Output for capturing the mirrored traffic.

Once we get to the network portion, we need to manually configure the IP address of the management interface, ens33. Here, I’m pointing to our DNS configured on DC01 and Cloudflare for redundancy.

Add the username and password for management.

Install the OpenSSH server to connect via SSH on the box.

Add a NAT rule to allow management from the host computer.

You should be able to connect via SSH on WAN port 2222. Once that is successful, update Ubuntu, shut down, remove the CD-ROM as it’s no longer needed, and take a snapshot of the VM.

sudo apt-get update && sudo apt-get dist-upgrade -y

With our Ubuntu box installed and updated, we can proceed with the installation of Arkime. Before we do that, it’s important to remember that this software requires either OpenSearch or Elasticsearch to index and store session metadata.
According to their instructions, which you can find below, you can either let Arkime install Elasticsearch for you or do it yourself. We’re taking the second route for the simple reason that we could potentially use that ES instance for other purposes, and it’s nice to learn how to deploy it.

raw.githubusercontent.com/arkime/arkime/main/release/README.txt

We will begin by installing ES, and then we can install Arkime. We will use the Debian instructions from their website.

Install Elasticsearch with Debian Package | Elasticsearch Guide [8.12] | Elastic

Get the PGP key, install the apt-transport-https package and add the repository.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

sudo apt-get install apt-transport-https

echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Update repositories and install Elasticsearch & Kibana.

sudo apt-get update && sudo apt-get install elasticsearch kibana

Copy the console output after the Elasticsearch install containing the elastic superuser password.

Change the listening IP address in the elasticsearch.yml config.

Start the service and generate an enrollment token for Kibana.

Set up Kibana with the above token and adjust the config with the public IP address.

Start the Kibana service and add a new NAT entry to connect from the host computer.

Log in with the elastic user and the password from the initial configuration. We now have a working ES instance ready for Arkime and other purposes.

Since we are here, we can also create an API key that Arkime will use to connect to the instance.

We can now download and install the Arkime package.

Resolve any missing dependencies with sudo apt -f install.

Configure the monitoring interface on ens34 and add the Elasticsearch server (I used localhost in my example but changed it afterwards to the actual public IP of 10.10.30.10).

Initialise the Arkime indices in ES using the API key; the insecure flag skips certificate validation.

sudo /opt/arkime/db/db.pl --esapikey <base64 apikey> --insecure https://10.10.30.10:9200 init

A few configuration changes are needed before continuing. Copy the ES CA (found in /etc/elasticsearch/certs) and loosen the permissions to make the file readable; I used chmod 777. Include the elasticsearchAPIKey (the one used before) and uncomment the caTrustFile.

/opt/arkime/etc/config.ini

Create the admin user and run arkime_update_geo.sh (for some reason, if you don’t run it, one of the services starts with an error code).

/opt/arkime/bin/arkime_add_user.sh Alex "Administrator" P@ssw0rd --admin
/opt/arkime/bin/arkime_update_geo.sh
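Before starting the services, it is worth checking the handful of config.ini keys that decide how Arkime talks to ES and what it sniffs. The script below is an added example, not from the post or the Arkime project; it assumes the keys live in the [default] section, takes the copied CA path as a placeholder, and flags the chmod 777 case because a writable CA file lets any local user replace the certificate Arkime trusts (644 is sufficient for the services to read it).

```python
"""Lint the security-relevant keys in Arkime's config.ini before starting it.

Added example, not from the post or the Arkime project. It assumes the keys
live in the [default] section and that caTrustFile is the copied ES CA.
"""
import configparser
import os
import stat
from urllib.parse import urlparse


def _file_mode(path):
    """Permission bits of path, or None when it does not exist."""
    return stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else None


def lint_config(text, management_iface="ens33", mode_of=_file_mode):
    """Return a list of findings for a config.ini given as text (empty = clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    d = cp["default"] if cp.has_section("default") else {}
    findings = []
    if urlparse(d.get("elasticsearch", "")).scheme != "https":
        findings.append("elasticsearch URL is not https: the API key would travel in clear text")
    if not d.get("elasticsearchAPIKey"):
        findings.append("elasticsearchAPIKey is unset: capture/viewer cannot authenticate to ES")
    ca = d.get("caTrustFile")
    if not ca:
        findings.append("caTrustFile is unset: the ES certificate is never verified")
    elif (mode := mode_of(ca)) is None:
        findings.append(f"caTrustFile {ca} does not exist")
    elif mode & (stat.S_IWGRP | stat.S_IWOTH):
        # chmod 777 lets any local user replace the CA Arkime trusts; 644 is enough.
        findings.append(f"caTrustFile {ca} is group/world writable (mode {mode:o})")
    # 'interface' takes NICs separated by ';' and must be the mirrored Bridge Output, never the management NIC.
    ifaces = [i.strip() for i in d.get("interface", "").split(";") if i.strip()]
    if not ifaces:
        findings.append("interface is unset: arkimecapture has nothing to sniff")
    elif management_iface in ifaces:
        findings.append(f"interface includes the management NIC {management_iface}")
    return findings


# Constructed sample mirroring the post's settings; API key and CA path are placeholders.
SAMPLE = """[default]
elasticsearch=https://10.10.30.10:9200
elasticsearchAPIKey=<base64 apikey>
caTrustFile=/opt/arkime/etc/http_ca.crt
interface=ens34
"""
```

Run lint_config over the contents of /opt/arkime/etc/config.ini and hold off on starting arkimecapture while it returns findings.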

We can now start the Arkime services, arkimecapture.service and arkimeviewer.service, and add another NAT entry for the web interface.

Arkime should now be accessible from the host computer on port 8005.

After we validate that everything works as intended, it’s time to enable all services to start at server boot, shut down the VM and take another snapshot.

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl enable arkimecapture.service
sudo /bin/systemctl enable arkimeviewer.service

Written by Alex H.

All things incident response. Interested in digital forensics, red teaming, security engineering, and various IT topics.
