Project Name: Moloch Usage
Description: Moloch Usage includes understanding packet with respect to system level components, GUI views of MOLOCH Packet Analytics and MOLOCH Use Case.
Author: Rohit D Sadgune
Summary of Content
- System Level Concepts of MOLOCH
- Important Files & Folders
- Working with MOLOCH
- USE cases of MOLOCH
System Level Concepts of MOLOCH
- Default Folder of Moloch :- The default folder of MOLOCH is
# cd moloch-master
- The db folder contains elasticsearch.yml file. This file is very crucial from clustering & node perspective. Here you can see that there are 2 script file one is db.pl & dails.sh. The db.pl interacts with elasticsearch for node & indexing.
All majority of network changes need to be done in this file. As you will perform respective changes it will get populated on dashboard.
- Moloch is having so many dependencies & it requires 3rd party plugins to process input data.
This folder contains following plugins & dependencies.
- GeoIP :- This package is used for tracking all src & dst data with Geological location.
- Glib :- contains a low-level libraries useful for providing data structure handling.
- Nodejs :- Java script.
- Yara :- This package is used for filtering all results.
- Curl :- It is commanded injector. Curl is used as a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.
- Elasticsearch :- Packet analytical engine & db.
- Moloch is a packet analytics open source technology but it has plenty of test which moloch perform on packets.
# cd tests
This is the location where you will find all test-cases for PCAP analytics.
- Moloch works on predefined parser so as to interpret data on dashboard
Here you will find all the parser’s of MOLOCH
6.As we have discussed earlier MOLOCH has 3 main component out of which 2 are located in
# cd /moloch-master/single-host/bin
Here you can see that run_capture.sh & run-viewer.sh files. Capture file actually captures the traffic of network in real time & viewer is graphical component for traffic analysis.
Other Important Files & Folders for Moloch Packet Analytics
- ststus :- It is file which is used to configure that status of MOLOCH instance. After successful installation configuration status changes
- GEO-IP :- This folder contains the scripts which are associated for locating source & destination IP location in real time.
- YARA: – This folder where all his script are rested. YARA works on binaries & context of files so as to classify malware.
- Viewer :- This directory is present in /data/moloch/viewer. This gives GUI format
WORKING WITH MOLOCH
URL :- https://IP:8005
Elasticsearch Head :- Elasticsearch-head is a web front end for browsing and interacting with an Elastic Search cluster.
There are 5 main views of MOLOCH .
- Session – Landing Dashboard where you can see all the traffic of network infrastructure.
- SPI View: – This analytical view is very deep diving i.e. here you will get all the traffic segregated by category.
- SPI Graph: – :- Is a very interesting view for analysis, where you have more than 50 options to select and get a appropriate graph. e.g in SPI Graph option I can select dns for domain traffic.
- Connection: – It shows a real time connection with internal or external IPs along with Port. Here you can further drill down your analysis to specific IP by writing MOLOCH query.
e.g ip.src == 192.168.1.25 && dst.src==18.104.22.168
- Stats :- Stat view will give you a statistical view about MOLOCH and elasticsearch system.
MOLOCH USE CASES / Network Behavior Anomaly Detection Use Cases