Skip to content

Basic Usage

Key Interfaces

Kibana - https://localhost

:warning: We are aware of an issue with macOS Catalina and the most current version of Chrome browser that prevents Chrome from allowing self-signed TLS certificates. We are looking for an answer and will update when we find that. This does not affect Safari or Firefox or other operating systems.

As a workaround, you can manually add and Always Trust the RockNSM TLS certificate to your macOS keychain via Keychain Access and restart Chrome.

The generated credentials are in the home directory of the user created at install:


Docket - https://localhost/app/docket/

Docket - web interface for pulling PCAP from the sensor (must be enabled in config)

localhost or IP of the management interface of the box

Functions Checks

Cluster Health

Check to see that the ES cluster says it's green:

curl -s localhost:9200/_cluster/health?pretty  

Document Check

See how many documents are in the indexes. The count should be non-zero:

curl -s localhost:9200/_all/_count?pretty  

Testing with PCAP

You can fire some traffic across the sensor at this point to see if it's collecting. This requires that you upload your own test PCAP to the box. PCAP is typically huge, so if you don't have any just lying around, here's a quick test:

  • Download a small test file from the folks who brought us tcpreplay here:
curl -LO
  • Replay the PCAP file across your monitor interface:
sudo tcpreplay -i [your-monitor-interface] /path/to/smallflow.pcap  
  • After a few moments, the document count should go up. This can again be validated with:
curl -s localhost:9200/_all/_count?pretty
  • You should have plain text bro logs showing up in /data/bro/logs/current/:
ls -ltr /data/bro/logs/current/  


The basic service management functions are accomplished with:

sudo rockctl status - get the status of ROCK services

sudo rockctl start - start ROCK services

sudo rockctl stop - stop ROCK services

sudo rockctl reset-failed - clear the failed states of services