Docket is a web UI that makes it easy for analysts to filter mountains of PCAP down to specific chunks in order to find the baddies.
PCAP is great, but doesn't scale well. There's so much detail that it can be overwhelming to sort through. A great alternative to "following the TCP stream" through an ocean of packets is to use a tool like Docket that allows for easy filtering on key points such as:
- more ...
The NSM community has needed a solution like Docket for a while, and we're excited to see how it empowers the analysis process.
To access Docket, point your browser to
https://<sensorip>/app/docket/. Please note the trailing slash. (The trailing slash matters because Kibana is served from the same proxy and is greedy with the URL path.)
Once in the UI, add your search criteria and click "Submit".
Once the job is processed, click "Get PCAP" to download the result to your local box.
Docket requires the following services to function:
- lighttpd: TLS connection
- stenographer: tool to write / query pcap
- stenographer@<int>: process for each monitor interface
Current status can be checked with the following commands:
sudo systemctl status lighttpd
sudo rockctl status
Changing Lighttpd Credentials
For the diligent (paranoid), the credentials that were initially generated at installation can be changed with the following steps:
- create a new shell variable, example:
- append the new user to lighttpd config file:
sudo sh -c "echo -n '$USER_NAME:' >> /etc/lighttpd/rock-htpasswd.user"
- generate new password for new user:
sudo sh -c "openssl passwd -apr1 >> /etc/lighttpd/rock-htpasswd.user"
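A check to run after the steps above, as an added example (not part of the ROCK documentation): both commands append to the file, so an aborted `openssl` prompt, a file without a trailing newline, or a reused user name each leave a recognizable trace. It assumes the file holds one `user:hash` entry per line; the function name `audit_htpasswd` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an htpasswd-style file after appending a user.
# Assumption: one "user:hash" entry per line, hashes from `openssl passwd -apr1`.

audit_htpasswd() {
    # $1 = path to the file. Prints one finding per line; returns 1 if any.
    awk -F: '
        /^[ \t]*$/ { next }                     # ignore blank lines
        NF < 2 || $2 == "" {                    # "user:" written, hash never followed
            printf "line %d: user \"%s\" has no hash (openssl step aborted?)\n", NR, $1
            bad = 1; next
        }
        NF > 2 {                                # two entries ended up on one line
            printf "line %d: extra \":\" found, entries may be fused (no trailing newline before append)\n", NR
            bad = 1; next
        }
        $2 !~ /^\$apr1\$/ {                     # not the format the steps above produce
            printf "line %d: user \"%s\" hash is not in $apr1$ format\n", NR, $1
            bad = 1
        }
        seen[$1]++ {                            # same user name listed more than once
            printf "line %d: duplicate entry for user \"%s\"\n", NR, $1
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: placeholder hashes, not real credentials.
sample=$(mktemp)
printf '%s\n' \
    'admin:$apr1$CONSTRUCT$placeholderhash0000000' \
    'operator:' \
    'admin:$apr1$CONSTRUCT$placeholderhash1111111' > "$sample"
audit_htpasswd "$sample" || echo "findings above: fix the file before relying on it"
rm -f "$sample"
```

On the real sensor, run it against a copy of `/etc/lighttpd/rock-htpasswd.user`. Appending a new user does not remove the entry generated at installation, so a clean audit still lists every account that can log in.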
Here are some important filesystem paths that will be useful for any necessary troubleshooting efforts:
User-requested PCAP jobs are saved in:
In a multi-user environment this directory can fill up, depending on how much space has been allocated to the /var partition. Keep this path clean to prevent issues.