From 35015390010dd92528bb79278028d8fa6fc1dac9 Mon Sep 17 00:00:00 2001
From: SG
Date: Fri, 18 Nov 2022 10:08:50 -0700
Subject: [PATCH] implement idaholab/Malcolm#128, have install.py prompt for Arkime to manage PCAP or not
---
 docs/ubuntu-install-example.md | 2 ++
 scripts/install.py | 11 +++++++++++
 2 files changed, 13 insertions(+)
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index 635190d40..fa35730b8 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -192,6 +192,8 @@ Capture packets using netsniff-ng? (Y/n): y
 Capture packets using tcpdump? (y/N): n
+Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y
+
 Should Malcolm analyze live network traffic with Suricata? (y/N): y
 Should Malcolm analyze live network traffic with Zeek? (y/N): y
diff --git a/scripts/install.py b/scripts/install.py
index 50ff7c608..0f6c7c7d4 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -696,12 +696,17 @@ def tweak_malcolm_runtime(
 pcapIface = 'lo'
 tweakIface = False
 pcapFilter = ''
+ arkimeManagePCAP = False
 if InstallerYesOrNo(
 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False
 ):
 pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True)
 pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=(not pcapNetSniff))
+ arkimeManagePCAP = InstallerYesOrNo(
+ 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?',
+ default=False,
+ )
 liveSuricata = InstallerYesOrNo('Should Malcolm analyze live network traffic with Suricata?', default=False)
 liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False)
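Review bot: The new `arkimeManagePCAP` prompt is only reachable inside the live-capture branch, so an installer who answers no to "Should Malcolm capture live network traffic" is never asked and MANAGE_PCAP_FILES is always written as false for them, yet the comment added on the MANAGE_PCAP_FILES line in the second hunk says the setting governs "uploaded/captured PCAP". If that reading of the setting is right, the prompt belongs after the `if` block at the indentation of `liveSuricata = InstallerYesOrNo(...)` so it is asked regardless of capture mode; the unconditional `arkimeManagePCAP = False` initialisation then becomes redundant but harmless, and leaving deletion off by default remains the conservative choice for a tool whose PCAP is evidence. The docs example in the first hunk shows the question directly after the tcpdump prompt, so it would need to move with it. `tweak_malcolm_runtime` starts and ends outside the hunk.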
@@ -880,6 +885,12 @@ def tweak_malcolm_runtime(
 r'(PCAP_ENABLE_TCPDUMP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(pcapTcpDump)}", line
 )
+ elif 'MANAGE_PCAP_FILES' in line:
+ # Whether or not Arkime is allowed to delete uploaded/captured PCAP
+ line = re.sub(
+ r'(MANAGE_PCAP_FILES\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(arkimeManagePCAP)}", line
+ )
+
 elif 'ZEEK_LIVE_CAPTURE' in line:
 # live traffic analysis with Zeek
 line = re.sub(