william20111 · June 27, 2021 19:45
diff --git a/gistfile1.txt b/gistfile1.txt
 # Latest settings documentation: https://github.com/aol/moloch/wiki/Settings
 #
 # Moloch uses a tiered system for configuration variables.  This config file has
 # removed any unused elements. refer to docs for more information


 [default]
 # Comma seperated list of elasticsearch host:port combinations.  If not using a
 # Elasticsearch load balancer, a different elasticsearch node in the cluster can be specified
 # for each Moloch node to help spread load on high volume clusters.  For user/password
 # use http://user:pass@host:port
 # This will be added at the bottom of the config.ini by install script.
 #elasticsearch=http://localhost:9200

 # How often to create a new elasticsearch index. hourly,hourly6,daily,weekly,monthly
 # Changing the value will cause previous sessions to be unreachable
 rotateIndex=daily

 # Password Hash and S2S secret - Must be in default section. Since elasticsearch
 # is wide open by default, we encrypt the stored password hashes with this
 # so a malicous person can't insert a working new account.  It is also used
 # for secure S2S communication. Comment out for no user authentication.
 # Changing the value will make all previously stored passwords no longer work.
 # Make this RANDOM, you never need to type in
 passwordSecret = ksjdjasdkjhchpiwherciweirchweiybuqwyy2iyipqwdciwipucniun

 # HTTP Digest Realm - Must be in default section.  Changing the value
 # will make all previously stored passwords no longer work
 httpRealm = Moloch

 # Semicolon ';' seperated list of interfaces to listen on for traffic
 interface=ens5

 # The directory to save raw pcap files to
 pcapDir = /data/moloch/raw

 # The max raw pcap file size in gigabytes, with a max value of 36G.
 # The disk should have room for at least 10*maxFileSizeG
 maxFileSizeG = 5

 # The max time in minutes between rotating pcap files.  Default is 0, which means
 # only rotate based on current file size and the maxFileSizeG variable
 #maxFileTimeM = 60

 # TCP timeout value.  Moloch writes a session record after this many seconds
 # of inactivity.
 tcpTimeout = 20

 # Moloch writes a session record after this many seconds, no matter if
 # active or inactive
 tcpSaveTimeout = 25

 # UDP timeout value.  Moloch assumes the UDP session is ended after this
 # many seconds of inactivity.
 udpTimeout = 10

 # ICMP timeout value.  Moloch assumes the ICMP session is ended after this
 # many seconds of inactivity.
 icmpTimeout = 10

 # An aproximiate maximum number of active sessions Moloch/libnids will try
 # and monitor
 maxStreams = 1000000

 # https://molo.ch/faq#moloch_requires_full_packet_captures_error
 # Fixes error when cloud sends packets >9k
 snapLen=65536

 # Moloch writes a session record after this many packets
 maxPackets = 10000

 # Delete pcap files when free space is lower then this in gigabytes OR it can be
 # expressed as a percentage (ex: 5%).  This does NOT delete the session records in
 # the database. It is recommended this value is between 5% and 10% of the disk.
 # Database deletes are done by the db.pl expire script
 freeSpaceG = 10%

 # The port to listen on, by default 8005
 viewPort = 8005

 # Path of the maxmind geoip country file.  Download free version from:
 #  https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country
 geoLite2Country = /data/moloch/etc/GeoLite2-Country.mmdb

 # Path of the maxmind geoip ASN file.  Download free version from:
 #  https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN
 geoLite2ASN = /data/moloch/etc/GeoLite2-ASN.mmdb

 # Path of the rir assignments file
 #  https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
 rirFile = /data/moloch/etc/ipv4-address-space.csv

 # Path of the OUI file from whareshark
 #  https://raw.githubusercontent.com/wireshark/wireshark/master/manuf
 ouiFile = /data/moloch/etc/oui.txt

 # Should we parse extra smtp traffic info
 parseSMTP=true

 # Should we parse extra smb traffic info
 parseSMB=true

 # Should we parse HTTP QS Values
 parseQSValue=false

 # Should we calculate sha256 for bodies
 supportSha256=false

 # Only index HTTP request bodies less than this number of bytes */
 maxReqBody=64

 # Only store request bodies that Utf-8?
 config.reqBodyOnlyUtf8 = true

 # Semicolon ';' seperated list of SMTP Headers that have ips, need to have the terminating colon ':'
 smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:

 # Semicolon ';' seperated list of directories to load parsers from
 parsersDir=/data/moloch/parsers

 # Semicolon ';' seperated list of directories to load plugins from
 pluginsDir=/data/moloch/plugins

 # Specify the max number of indices we calculate spidata for.
 # ES will blow up if we allow the spiData to search too many indices.
 spiDataMaxIndices=4

 # Number of threads processing packets
 packetThreads=2

 # ADVANCED - How is pcap written to disk
 #  simple          = use O_DIRECT if available, writes in pcapWriteSize chunks,
 #                    a file per packet thread.
 #  simple-nodirect = don't use O_DIRECT.  Required for zfs and others
 pcapWriteMethod=simple

 # ADVANCED - Buffer size when writing pcap files.  Should be a multiple of the raid 5 or xfs
 # stripe size.  Defaults to 256k
 pcapWriteSize = 262143

 # ADVANCED - Number of bytes to bulk index at a time
 dbBulkSize = 300000

 # ADVANCED - Compress requests to ES, reduces ES bandwidth by ~80% at the cost
 # of increased CPU. MUST have "http.compression: true" in elasticsearch.yml file
 compressES = false

 # ADVANCED - Max number of connections to elastic search
 maxESConns = 30

 # ADVANCED - Max number of es requests outstanding in q
 maxESRequests = 500

 # ADVANCED - Number of packets to ask libnids/libpcap to read per poll/spin
 # Increasing may hurt stats and ES performance
 # Decreasing may cause more dropped packets
 packetsPerPoll = 50000

 # ADVANCED - Moloch will try to compensate for SYN packet drops by swapping
 # the source and destination addresses when a SYN-acK packet was captured first.
 # Probably useful to set it false, when running Moloch in wild due to SYN floods.
 antiSynDrop = true

 # DEBUG - Write to stdout info every X packets.
 # Set to -1 to never log status
 logEveryXPackets = 100000

 # DEBUG - Write to stdout unknown protocols
 logUnknownProtocols = false

 # DEBUG - Write to stdout elastic search requests
 logESRequests = true

 # DEBUG - Write to stdout file creation information
 logFileCreation = true
	# Latest settings documentation: https://github.com/aol/moloch/wiki/Settings
	#
	# Moloch uses a tiered system for configuration variables. This config file has
	# removed any unused elements. refer to docs for more information


	[default]
	# Comma seperated list of elasticsearch host:port combinations. If not using a
	# Elasticsearch load balancer, a different elasticsearch node in the cluster can be specified
	# for each Moloch node to help spread load on high volume clusters. For user/password
	# use http://user:pass@host:port
	# This will be added at the bottom of the config.ini by install script.
	#elasticsearch=http://localhost:9200

	# How often to create a new elasticsearch index. hourly,hourly6,daily,weekly,monthly
	# Changing the value will cause previous sessions to be unreachable
	rotateIndex=daily

	# Password Hash and S2S secret - Must be in default section. Since elasticsearch
	# is wide open by default, we encrypt the stored password hashes with this
	# so a malicous person can't insert a working new account. It is also used
	# for secure S2S communication. Comment out for no user authentication.
	# Changing the value will make all previously stored passwords no longer work.
	# Make this RANDOM, you never need to type in
	passwordSecret = ksjdjasdkjhchpiwherciweirchweiybuqwyy2iyipqwdciwipucniun

	# HTTP Digest Realm - Must be in default section. Changing the value
	# will make all previously stored passwords no longer work
	httpRealm = Moloch

	# Semicolon ';' seperated list of interfaces to listen on for traffic
	interface=ens5

	# The directory to save raw pcap files to
	pcapDir = /data/moloch/raw

	# The max raw pcap file size in gigabytes, with a max value of 36G.
	# The disk should have room for at least 10*maxFileSizeG
	maxFileSizeG = 5

	# The max time in minutes between rotating pcap files. Default is 0, which means
	# only rotate based on current file size and the maxFileSizeG variable
	#maxFileTimeM = 60

	# TCP timeout value. Moloch writes a session record after this many seconds
	# of inactivity.
	tcpTimeout = 20

	# Moloch writes a session record after this many seconds, no matter if
	# active or inactive
	tcpSaveTimeout = 25

	# UDP timeout value. Moloch assumes the UDP session is ended after this
	# many seconds of inactivity.
	udpTimeout = 10

	# ICMP timeout value. Moloch assumes the ICMP session is ended after this
	# many seconds of inactivity.
	icmpTimeout = 10

	# An aproximiate maximum number of active sessions Moloch/libnids will try
	# and monitor
	maxStreams = 1000000

	# https://molo.ch/faq#moloch_requires_full_packet_captures_error
	# Fixes error when cloud sends packets >9k
	snapLen=65536

	# Moloch writes a session record after this many packets
	maxPackets = 10000

	# Delete pcap files when free space is lower then this in gigabytes OR it can be
	# expressed as a percentage (ex: 5%). This does NOT delete the session records in
	# the database. It is recommended this value is between 5% and 10% of the disk.
	# Database deletes are done by the db.pl expire script
	freeSpaceG = 10%

	# The port to listen on, by default 8005
	viewPort = 8005

	# Path of the maxmind geoip country file. Download free version from:
	# https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country
	geoLite2Country = /data/moloch/etc/GeoLite2-Country.mmdb

	# Path of the maxmind geoip ASN file. Download free version from:
	# https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN
	geoLite2ASN = /data/moloch/etc/GeoLite2-ASN.mmdb

	# Path of the rir assignments file
	# https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
	rirFile = /data/moloch/etc/ipv4-address-space.csv

	# Path of the OUI file from whareshark
	# https://raw.githubusercontent.com/wireshark/wireshark/master/manuf
	ouiFile = /data/moloch/etc/oui.txt

	# Should we parse extra smtp traffic info
	parseSMTP=true

	# Should we parse extra smb traffic info
	parseSMB=true

	# Should we parse HTTP QS Values
	parseQSValue=false

	# Should we calculate sha256 for bodies
	supportSha256=false

	# Only index HTTP request bodies less than this number of bytes */
	maxReqBody=64

	# Only store request bodies that Utf-8?
	config.reqBodyOnlyUtf8 = true

	# Semicolon ';' seperated list of SMTP Headers that have ips, need to have the terminating colon ':'
	smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:

	# Semicolon ';' seperated list of directories to load parsers from
	parsersDir=/data/moloch/parsers

	# Semicolon ';' seperated list of directories to load plugins from
	pluginsDir=/data/moloch/plugins

	# Specify the max number of indices we calculate spidata for.
	# ES will blow up if we allow the spiData to search too many indices.
	spiDataMaxIndices=4

	# Number of threads processing packets
	packetThreads=2

	# ADVANCED - How is pcap written to disk
	# simple = use O_DIRECT if available, writes in pcapWriteSize chunks,
	# a file per packet thread.
	# simple-nodirect = don't use O_DIRECT. Required for zfs and others
	pcapWriteMethod=simple

	# ADVANCED - Buffer size when writing pcap files. Should be a multiple of the raid 5 or xfs
	# stripe size. Defaults to 256k
	pcapWriteSize = 262143

	# ADVANCED - Number of bytes to bulk index at a time
	dbBulkSize = 300000

	# ADVANCED - Compress requests to ES, reduces ES bandwidth by ~80% at the cost
	# of increased CPU. MUST have "http.compression: true" in elasticsearch.yml file
	compressES = false

	# ADVANCED - Max number of connections to elastic search
	maxESConns = 30

	# ADVANCED - Max number of es requests outstanding in q
	maxESRequests = 500

	# ADVANCED - Number of packets to ask libnids/libpcap to read per poll/spin
	# Increasing may hurt stats and ES performance
	# Decreasing may cause more dropped packets
	packetsPerPoll = 50000

	# ADVANCED - Moloch will try to compensate for SYN packet drops by swapping
	# the source and destination addresses when a SYN-acK packet was captured first.
	# Probably useful to set it false, when running Moloch in wild due to SYN floods.
	antiSynDrop = true

	# DEBUG - Write to stdout info every X packets.
	# Set to -1 to never log status
	logEveryXPackets = 100000

	# DEBUG - Write to stdout unknown protocols
	logUnknownProtocols = false

	# DEBUG - Write to stdout elastic search requests
	logESRequests = true

	# DEBUG - Write to stdout file creation information
	logFileCreation = true