MOLOCH Usage
Packet Forensics and Analytics

Moloch Usage

Project Name: Moloch Usage
Description: Moloch Usage covers understanding packets with respect to system-level components, the GUI views of MOLOCH Packet Analytics, and MOLOCH use cases.

Author: Rohit D Sadgune

Summary of Content

  • System Level Concepts of MOLOCH
  • Important Files & Folders
  • Working with MOLOCH
  • USE cases of MOLOCH

System Level Concepts of MOLOCH

  1. Default Folder of Moloch :- The default folder of MOLOCH is

# cd moloch-master

Moloch Usage-1
  2. The db folder contains the elasticsearch.yml file. This file is very crucial from a clustering and node perspective. Here you can see that there are 2 script files, db.pl and daily.sh. The db.pl script interacts with Elasticsearch for node and indexing operations.
Moloch Usage - DB

The majority of network changes need to be made in this file. As you make the respective changes, they will be reflected on the dashboard.

Moloch Usage- Main View

  3. Moloch has many dependencies and requires third-party plugins to process input data.

# cd thirdparty

This folder contains the following plugins and dependencies.

  • GeoIP :- This package is used for tagging all src & dst addresses with their geographic location.
  • Glib :- Contains low-level libraries useful for data structure handling.
  • Nodejs :- JavaScript runtime.
  • Yara :- This package is used for filtering all results.
  • Curl :- A command-line data transfer tool. Curl is used to transfer data from or to a server using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.
  • Elasticsearch :- Packet analytics engine & database.
Moloch Usage-2
  4. Moloch is an open-source packet analytics technology, and it ships with plenty of tests that Moloch performs on packets.

# cd tests

# cd pcap

This is the location where you will find all the test cases for PCAP analytics.

  5. Moloch works on predefined parsers so as to interpret data on the dashboard.

# cd /capture

# cd parser

# ls

Here you will find all the parsers of MOLOCH.

Moloch Usage -Parser

  6. As we discussed earlier, MOLOCH has 3 main components, 2 of which are located in

# cd /moloch-master/single-host/bin

Here you can see the run_capture.sh & run-viewer.sh files. The capture script captures network traffic in real time, and the viewer is the graphical component for traffic analysis.

Moloch Usage Viewer

Other Important Files & Folders for Moloch Packet Analytics

  • status :- This file is used to configure the status of the MOLOCH instance. After successful installation and configuration, the status changes.
  • GEO-IP :- This folder contains the scripts used to locate source and destination IP addresses in real time.
Moloch Usage GeoIP
  • YARA :- This is the folder where all its scripts reside. YARA works on binaries and the content of files so as to classify malware.
Moloch Usage Yara
  • Viewer :- This directory is present in /data/moloch/viewer. It provides the GUI.


WORKING WITH MOLOCH

URL :- https://IP:8005

Moloch Usage- Main View

Elasticsearch Head :- Elasticsearch-head is a web front end for browsing and interacting with an Elasticsearch cluster.

There are 5 main views of MOLOCH.

  • Session :- Landing dashboard where you can see all the traffic of the network infrastructure.
  • SPI View :- This analytical view is a deep dive, i.e. here you get all the traffic segregated by category.
Moloch Usage- SPI VIEW
  • SPI Graph :- A very interesting view for analysis, where you have more than 50 options to select from to get an appropriate graph, e.g. in the SPI Graph option I can select dns for domain traffic.
Moloch Usage- SPI GRAPH
  • Connection :- It shows real-time connections with internal or external IPs along with ports. Here you can drill down your analysis to a specific IP by writing a MOLOCH query.

e.g. ip.src == 192.168.1.25 && ip.dst == 22.22.14.25

Moloch Usage- Connection View
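The Connections view drill-down query above (ip.src and ip.dst terms joined with &&), evaluated by a small added example; this is illustration code, not Moloch's own query engine. The session records, the small set of known field names and the helper names are constructed for the example. It validates field names, so a mistyped field such as dst.src is rejected instead of silently matching no sessions.

```python
import re

# Added example, not Moloch's own code: a toy evaluator for session queries
# in the style of the Connections view, e.g.
#   ip.src == 192.168.1.25 && ip.dst == 22.22.14.25
# The field names below are a constructed subset of Moloch's session fields.
KNOWN_FIELDS = {"ip.src", "ip.dst", "port.src", "port.dst", "protocols"}

# Constructed session records standing in for what the viewer would return.
SESSIONS = [
    {"ip.src": "192.168.1.25", "ip.dst": "22.22.14.25",
     "port.src": 51000, "port.dst": 22, "protocols": "ssh"},
    {"ip.src": "192.168.1.25", "ip.dst": "10.0.0.5",
     "port.src": 51001, "port.dst": 53, "protocols": "dns"},
    {"ip.src": "192.168.1.30", "ip.dst": "22.22.14.25",
     "port.src": 51002, "port.dst": 22, "protocols": "ssh"},
]

# One query term: field name, comparison operator, literal value.
TERM = re.compile(r"^\s*([a-z.]+)\s*(==|!=)\s*(\S+)\s*$")


def parse_query(query):
    """Split a query on '&&' into (field, op, value) terms.

    Unknown field names raise ValueError, which is how a typo such as
    'dst.src' is caught instead of matching nothing."""
    terms = []
    for part in query.split("&&"):
        m = TERM.match(part)
        if not m:
            raise ValueError(f"cannot parse term: {part.strip()!r}")
        field, op, value = m.groups()
        if field not in KNOWN_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        terms.append((field, op, value))
    return terms


def matches(session, terms):
    """True when every term holds for the session (terms are AND-ed)."""
    for field, op, value in terms:
        equal = str(session.get(field, "")) == value
        if equal != (op == "=="):
            return False
    return True


def run_query(query, sessions=SESSIONS):
    """Return the sessions the query drills down to."""
    return [s for s in sessions if matches(s, parse_query(query))]
```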
  • Stats :- The Stats view gives you a statistical view of the MOLOCH and Elasticsearch system.

Moloch Usage - Stat

MOLOCH USE CASES / Network Behavior Anomaly Detection Use Cases

Moloch Use Cases