2015 moloch recipes

Post on 13-Apr-2017


Moloch Recipes: investigate incidents at top speed

Workshop

About me

Geoffrey CRESPIN - Security Consultant

CEO of IntelSec Consulting SPRL

Incident Handler for a big EU Institution

Agenda

What is Moloch?

How to use it?

Quick and easy filters

Conclusion

What is Moloch?

Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly.

What is Moloch?

Several tools already exist... what’s new?

Indexing pcaps with Elasticsearch!!!! Yeahh

Real-time searches: no need to import/analyse

Analyzing dozens of GB of capture: try that with Wireshark...

Fantastic and user friendly search engine

How to use it?

IDS, IPS sensors already deployed?

Starting from scratch?

Stand alone? Distributed?

How to use it?

Our requirements:

Full Packet Capture &&

Search for Network Forensic cases &&

Export malicious files/content detected && ...

How to use it?

Full Packet Capture:

Option 1: re-use the sensors already in place!

IDS --(scp pcaps)--> Moloch

How to use it?

Full Packet Capture:

Option 2: sniff the traffic directly from Moloch

Switch --(port mirroring or TAP)--> Moloch

How to use it?

Full Packet Capture:

Option 3: sniff the traffic directly from Moloch (distributed): multinode with cluster

Switch --(port mirroring or TAP)--> Moloch node

Switch --(port mirroring or TAP)--> Moloch node

Moloch nodes --> Central Moloch

Quick and easy filters

Search for User Agent

Command: http.user-agent == "*wget*"

Quick and easy filters

Search for Clear Text Password

Command: (port.dst == 80 || port.dst == 8080) && http.uri.key == "password"

The parentheses matter: && binds tighter than ||, so without them the filter reads "port 80, or port 8080 with a password key" and returns every port-80 session.

Quick and easy filters

Search for connection from specific countries

Command: (country == rus || country == chn) && port == 80 && host == *com

Quick and easy filters

Search for DNS sessions with many packets

Command: port == 53 && packets > 200

packets counts the packets of a whole session, so this surfaces long or chatty DNS conversations (a common sign of tunnelling or exfiltration), not individual oversized datagrams.

Suspicious pattern

Quick and easy filters

Search for .ZIP attachments sent by email from or to a specific domain name.

Command: email.fn == "*.ZIP*" && (email.src == "*mydomain.be" || email.dst == "*mydomain.be")

email.src alone matches only mail sent from the domain; email.dst is needed to also catch mail received by it.

File download for forensic analysis

Full mail communication

Quick and easy filters

Display ssh connections on the “Connections Map”.

Command: port.dst == 22 && databytes > 0

Only established connections that exchanged data, not mere connection attempts (databytes > 0 drops SYN-only sessions).
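The filter recipes above, turned into Python predicates and run over a handful of constructed session records. This is an added example, not code from the slide deck or from the Moloch project: the field names (port.dst, http.uri.key, email.fn, email.src, email.dst, databytes) follow the slides, but the record layout is an assumption, not Moloch's JSON schema. It shows two things a practitioner should check before trusting a recipe: that `port.dst == 80 || port.dst == 8080 && http.uri.key == "password"` is not the same filter as `(port.dst == 80 || port.dst == 8080) && http.uri.key == "password"` (&& binds tighter than ||, as in Moloch's expression grammar and in C-family languages), and that matching on email.src alone misses mail received by the domain.

```python
"""Moloch filter recipes as Python predicates over constructed session records.

Added example, not code from the slides or the Moloch project. Field names
follow the slides; the record layout is an assumption, and the sessions are
constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed sessions; list-valued fields hold every value seen in the session.
SESSIONS = [
    {"id": "s1", "port.dst": 80,   "http.uri.key": ["user", "password"], "databytes": 1200},
    {"id": "s2", "port.dst": 80,   "http.uri.key": ["q"],                "databytes": 900},
    {"id": "s3", "port.dst": 8080, "http.uri.key": ["password"],         "databytes": 800},
    {"id": "s4", "port.dst": 443,  "http.uri.key": ["password"],         "databytes": 3000},
    {"id": "s5", "port.dst": 25,   "email.fn": ["invoice.ZIP"],
     "email.src": ["alice@mydomain.be"],   "email.dst": ["bob@example.com"],   "databytes": 52000},
    {"id": "s6", "port.dst": 25,   "email.fn": ["report.ZIP"],
     "email.src": ["mallory@example.com"], "email.dst": ["alice@mydomain.be"], "databytes": 48000},
    {"id": "s7", "port.dst": 22,   "databytes": 0},      # SYN-only attempt, no payload
    {"id": "s8", "port.dst": 22,   "databytes": 4096},   # established SSH session
]


def field_matches(session, field, pattern):
    """Moloch-style string test: '*' wildcard against any value of a multi-valued field."""
    return any(fnmatchcase(value, pattern) for value in session.get(field, []))


def cleartext_password_unparenthesized(s):
    # port.dst == 80 || port.dst == 8080 && http.uri.key == "password"
    # && binds tighter than ||, so this reads: port 80, OR (port 8080 AND a password key).
    return s["port.dst"] == 80 or (
        s["port.dst"] == 8080 and field_matches(s, "http.uri.key", "password")
    )


def cleartext_password_parenthesized(s):
    # (port.dst == 80 || port.dst == 8080) && http.uri.key == "password"
    return s["port.dst"] in (80, 8080) and field_matches(s, "http.uri.key", "password")


def zip_from_domain(s):
    # email.fn == "*.ZIP*" && email.src == "*mydomain.be"   (sender side only)
    return field_matches(s, "email.fn", "*.ZIP*") and field_matches(s, "email.src", "*mydomain.be")


def zip_from_or_to_domain(s):
    # email.fn == "*.ZIP*" && (email.src == "*mydomain.be" || email.dst == "*mydomain.be")
    return field_matches(s, "email.fn", "*.ZIP*") and (
        field_matches(s, "email.src", "*mydomain.be")
        or field_matches(s, "email.dst", "*mydomain.be")
    )


def ssh_established(s):
    # port.dst == 22 && databytes > 0   (drops SYN-only attempts)
    return s["port.dst"] == 22 and s["databytes"] > 0


def matching_ids(predicate, sessions=SESSIONS):
    """Session ids selected by a recipe, in capture order."""
    return [s["id"] for s in sessions if predicate(s)]


if __name__ == "__main__":
    for recipe in (cleartext_password_unparenthesized, cleartext_password_parenthesized,
                   zip_from_domain, zip_from_or_to_domain, ssh_established):
        print(f"{recipe.__name__:36s} -> {matching_ids(recipe)}")
```

Running it shows the unparenthesized password filter pulling in s2, a port-80 session with no password key at all, while the parenthesized form keeps only s1 and s3; the email recipe with email.dst added picks up s6, the inbound ZIP that the sender-only form misses.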

Conclusion

It's not an IDS: no detection.

It’s free.

It’s fast!

Easy to use if you know what you're looking for.

Combine data from several sensors (internet access + mail + web server, etc.)

Online and/or Offline.