
Hariom Chaturvedi edited this page Jul 11, 2021 · 4 revisions

About PcapMonkey

PcapMonkey is a Linux-based security tool that makes it easier to analyze packet captures and Windows Event Logs.

It uses Elastic SIEM together with Suricata, Zeek (formerly Bro) and Filebeat. Filebeat forwards the logs generated by Suricata and Zeek to Elasticsearch in Elastic Common Schema (ECS) format. Running everything in Docker containers removes the work of configuring the ELK stack yourself and makes PcapMonkey much more user-friendly.

Setting up Locally

Docker and Docker Compose are required to set up PcapMonkey and start analyzing logs. Refer to the official documentation for installing Docker (Ubuntu) and Docker Compose.

Next, clone the repository and run prepare.sh. The script fixes the permissions of the Suricata and Zeek module configuration files: Filebeat refuses to load a configuration file that is writable by group or others, so this step is required for it to function properly.

git clone https://github.com/certego/PcapMonkey.git
cd PcapMonkey/
./prepare.sh

Now, pull all the containers required by PcapMonkey, and you are ready to go.

sudo docker-compose pull
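If Filebeat later fails to start, the usual cause is that the permission fix from prepare.sh was lost (for example after editing a module file or checking it out again on a different host). The following script is an added example, not part of PcapMonkey or the Filebeat project, that checks a file or a whole directory tree for the condition Filebeat enforces: configuration files must not be writable by group or others, and optionally must belong to the user Filebeat runs as. The ./filebeat directory used in the usage line is an assumed path, not one taken from the repository layout.

```shell
#!/bin/sh
# Added example (not PcapMonkey's own code): check Filebeat module config
# permissions the way Filebeat's strict permission check does. Filebeat rejects
# a config file whose mode has any of the group/other write bits (0022) set.

# check_filebeat_perms FILE [EXPECTED_OWNER]
# Returns 0 if FILE is not group- or world-writable (and, when an owner is
# given, is owned by that user); 1 if it would be rejected; 2 if it is missing.
check_filebeat_perms() {
    f=$1
    want_owner=${2:-}
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }

    # First 10 characters of ls -ld are the type and mode, e.g. -rw-r--r--
    # position 6 is the group write bit, position 9 the others write bit.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ?????w*|????????w?)
            echo "too permissive ($mode): $f" >&2
            return 1 ;;
    esac

    if [ -n "$want_owner" ]; then
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$want_owner" ]; then
            echo "owned by $owner, expected $want_owner: $f" >&2
            return 1
        fi
    fi
    return 0
}

# check_tree DIR...
# Checks every *.yml under the given directories; returns 0 only if all pass.
check_tree() {
    bad=$(find "$@" -type f -name '*.yml' 2>/dev/null |
        while IFS= read -r f; do
            check_filebeat_perms "$f" || echo "$f"
        done | wc -l)
    [ "$((bad + 0))" -eq 0 ]
}

# Stand-alone usage: ./check_perms.sh ./filebeat  (directory is an assumption)
if [ $# -gt 0 ]; then
    if check_tree "$@"; then
        echo "all Filebeat config files have acceptable permissions"
    else
        echo "fix with: chmod go-w <file>  (and chown root if Filebeat runs as root)" >&2
        exit 1
    fi
fi
```

Run it against the directories that hold the Suricata and Zeek module files after any edit; a non-zero exit means Filebeat would refuse the file, and `chmod go-w` on the reported path is the same fix prepare.sh applies.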

[Screenshot: output of docker-compose pull]

Uninstalling

To remove PcapMonkey, stop and remove all of its containers. The -v flag also deletes the named volumes, so any data already indexed in Elasticsearch is lost; export anything you still need first.

sudo docker-compose down -v

Then delete the images. List them with sudo docker images -a and replace [image-ID] in the following command with the ID of each image you want to remove.

sudo docker rmi [image-ID]

Lastly, delete the repository.
