# Basic Usage

## Key Interfaces

### Kibana - https://localhost
:warning: We are aware of an issue with macOS Catalina and the current version of the Chrome browser that prevents Chrome from accepting self-signed TLS certificates. We are looking for a fix and will update this page when we find one. This does not affect Safari, Firefox, or other operating systems.

As a workaround, you can manually add the RockNSM TLS certificate to your macOS keychain via Keychain Access, set it to Always Trust, and restart Chrome.
The generated credentials are in the home directory of the user created at install:

```
~/KIBANA_CREDS.README
```
### Docket - https://localhost/app/docket/

- Docket is the web interface for pulling PCAP from the sensor (it must be enabled in the config)
- `localhost` in the URL is the sensor itself; from another host, use the IP of the box's management interface instead
## Function Checks

### Cluster Health

Check that the Elasticsearch cluster reports a green status:

```
curl -s localhost:9200/_cluster/health?pretty
```

### Document Check

See how many documents are in the indexes. The count should be non-zero:

```
curl -s localhost:9200/_all/_count?pretty
```
### Testing with PCAP

You can fire some traffic across the sensor at this point to see whether it is collecting. This requires uploading your own test PCAP to the box. PCAPs are typically huge, so if you don't have one lying around, here is a quick test:

- Download a small test file from the folks who brought us tcpreplay:

  ```
  curl -LO https://s3.amazonaws.com/tcpreplay-pcap-files/smallFlows.pcap
  ```

- Replay the PCAP file across your monitor interface (the file name must match the one you downloaded, `smallFlows.pcap`):

  ```
  sudo tcpreplay -i [your-monitor-interface] /path/to/smallFlows.pcap
  ```

- After a few moments, the document count should go up. This can again be validated with:

  ```
  curl -s localhost:9200/_all/_count?pretty
  ```

- You should also have plain-text Bro logs showing up in `/data/bro/logs/current/`:

  ```
  ls -ltr /data/bro/logs/current/
  ```
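The cluster-health, document-count and replay checks above, scripted as an added example that is not part of the RockNSM docs. It assumes Elasticsearch answers on `localhost:9200` (override with `ES_URL`) and parses the JSON with `sed`, so it needs nothing beyond `curl`; `sensor_ok`, `count_increased` and `live_check` are names chosen here.

```shell
#!/bin/sh
# Added example (not RockNSM's own code). Assumptions: Elasticsearch on
# ES_URL, and "green status plus a rising document count" is the sign
# that the sensor is collecting, as the Function Checks above describe.
ES_URL="${ES_URL:-http://localhost:9200}"

# Pull the "status" field out of a _cluster/health response body.
health_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p' | head -n 1
}

# Pull the "count" field out of an _all/_count response body.
doc_count() {
    printf '%s\n' "$1" | sed -n 's/.*"count" *: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Verdict for one pair of responses (health JSON, count JSON):
# 0 = cluster green and at least one document indexed, 1 = not.
sensor_ok() {
    status=$(health_status "$1")
    count=$(doc_count "$2")
    [ "$status" = "green" ] && [ "${count:-0}" -gt 0 ]
}

# 0 when the second count is strictly greater than the first, i.e.
# documents arrived between two _count calls (before/after tcpreplay).
count_increased() {
    [ "$2" -gt "$1" ]
}

# Live run: print status and count. Pass the count from an earlier run
# as $1 to verify that documents arrived since (e.g. after a replay).
live_check() {
    health=$(curl -s "$ES_URL/_cluster/health?pretty")
    docs=$(curl -s "$ES_URL/_all/_count?pretty")
    sensor_ok "$health" "$docs" || { echo "cluster not green or zero documents" >&2; return 1; }
    now=$(doc_count "$docs")
    echo "status=$(health_status "$health") documents=$now"
    [ -z "$1" ] || count_increased "$1" "$now" || { echo "count did not rise since $1" >&2; return 1; }
}

# Usage: ./check.sh --run            (note the count it prints)
#        sudo tcpreplay -i <iface> smallFlows.pcap
#        ./check.sh --run <count>    (fails unless the count rose)
if [ "${1:-}" = "--run" ]; then live_check "${2:-}"; fi
```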
## Rockctl

The basic service management functions are accomplished with:

- `sudo rockctl status` - get the status of ROCK services
- `sudo rockctl start` - start ROCK services
- `sudo rockctl stop` - stop ROCK services
- `sudo rockctl reset-failed` - clear the failed states of services