
Introducing PcapMonkey

PcapMonkey is a project that provides an easy way to analyze pcaps using the latest versions of Suricata and Zeek.

It can also save Suricata and Zeek logs in Elasticsearch using either the new Elasticsearch Common Schema or the original field names. PcapMonkey uses official Docker images (when available) for most containers and aims to be easy and straightforward to use.

Features

  • PcapMonkey lets you run one or multiple pcaps and imports all logs into Elasticsearch.
  • PcapMonkey keeps the "official" Zeek and Suricata field names, so you can look them up in the official documentation.
  • It lets you edit the Suricata and Zeek configuration and scripts directly, so you can quickly test new features.
  • PcapMonkey comes with some very useful Zeek scripts, such as JA3 and the file extractor.
  • Logging in ECS can be enabled to leverage all Elasticsearch SIEM features.
  • It also lets you import Windows event files (BETA).

Installation and Basic Usage

Install Docker-CE and docker-compose.

To start Elasticsearch, Logstash and Kibana, run the following command:

sudo docker-compose up -d elasticsearch logstash kibana

Use the following command to check if everything is working properly:

sudo docker-compose ps

The output should be the following:

Name                       Command                       State                    Ports         
---------------------------------------------------------------------------------------------------------
pcapmonkey_elasticsearch   /usr/local/bin/docker-entr ...   Up (health: starting)   9200/tcp, 9300/tcp     
pcapmonkey_logstash        /usr/local/bin/docker-entr ...   Up                                             
pcapmonkey_kibana          /usr/local/bin/dumb-init - ...   Up (health: starting)   127.0.0.1:5601->5601/tcp

Kibana and Elasticsearch can take a couple of minutes to start. You can monitor the progress by running "docker-compose ps" and waiting for "starting" to go away.

Put one pcap file inside the pcap folder.

Start the Zeek and Suricata containers:

sudo docker-compose up zeek suricata

The containers print their output to the console and exit when they finish processing the pcap. You can see the results in Kibana: http://localhost:5601
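The "wait for starting to go away" step above can be scripted. The following is an added example, not part of PcapMonkey: it parses "docker-compose ps" output for the three service names shown on this page and returns success only when all of them are Up with no health check still "starting", so it can gate the "docker-compose up zeek suricata" step in an automation script. The service names and the 300-second default timeout are assumptions taken from the output above.

```shell
#!/usr/bin/env bash
# Added example (not PcapMonkey's own code): readiness check for the
# Elasticsearch/Logstash/Kibana containers before running zeek/suricata.

# Constructed sample of `docker-compose ps` output, copied from the page
# (Elasticsearch and Kibana are still in "health: starting").
SAMPLE_STARTING='Name                       Command                       State                    Ports
---------------------------------------------------------------------------------------------------------
pcapmonkey_elasticsearch   /usr/local/bin/docker-entr ...   Up (health: starting)   9200/tcp, 9300/tcp
pcapmonkey_logstash        /usr/local/bin/docker-entr ...   Up
pcapmonkey_kibana          /usr/local/bin/dumb-init - ...   Up (health: starting)   127.0.0.1:5601->5601/tcp'

# stack_ready: read `docker-compose ps` output on stdin; return 0 only when
# every expected service is listed, is "Up", and no health check is still
# "starting". Prints one line per service that is not ready yet.
stack_ready() {
    local ps_output svc line not_ready=0
    ps_output=$(cat)
    for svc in pcapmonkey_elasticsearch pcapmonkey_logstash pcapmonkey_kibana; do
        line=$(printf '%s\n' "$ps_output" | grep "^$svc[[:space:]]" || true)
        if [ -z "$line" ]; then
            echo "$svc: not running"; not_ready=1
        elif printf '%s' "$line" | grep -q 'health: starting'; then
            echo "$svc: still starting"; not_ready=1
        elif ! printf '%s' "$line" | grep -q '[[:space:]]Up'; then
            echo "$svc: not Up"; not_ready=1
        fi
    done
    return $not_ready
}

# wait_for_stack: poll docker-compose until stack_ready succeeds or the
# timeout (seconds, assumed default 300) expires. Run it before
# `sudo docker-compose up zeek suricata`.
wait_for_stack() {
    local timeout=${1:-300} waited=0
    until sudo docker-compose ps | stack_ready >/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "stack not ready after ${timeout}s" >&2; return 1
        fi
        sleep 10; waited=$((waited + 10))
    done
}
```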

Full documentation

You can read the full documentation on the official GitHub page: https://github.com/certego/PcapMonkey

Video Tutorial

Remember to turn on English subtitles.

About the author

Federico Foschini (Twitter)