{"id":3807,"date":"2018-11-09T15:41:05","date_gmt":"2018-11-09T14:41:05","guid":{"rendered":"http:\/\/nil2.kis.fri.uniza.sk\/?p=3807"},"modified":"2019-05-17T14:23:43","modified_gmt":"2019-05-17T12:23:43","slug":"moloch-usage-possibilities","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/moloch-usage-possibilities\/","title":{"rendered":"Moloch &#8211; Usage possibilities of Moloch"},"content":{"rendered":"<h1><a id=\"Usage_possibilities_of_Moloch_0\"><\/a>Usage possibilities of Moloch<\/h1>\n<ul>\n<li><strong>Author<\/strong> : Tom\u00e1\u0161 Moko\u0161<\/li>\n<\/ul>\n<p>Moloch offers many distinct usage possibilities, which are not limited to those listed below and can be expanded by individual users, provided they find other applications for this service:<\/p>\n<ul>\n<li><strong>DoS attacks<\/strong> \u2013 Analysis of connections suspected of originating DoS attacks.<\/li>\n<li><strong>Geolocation<\/strong> \u2013 Identification of a connection\u2019s country of origin.<\/li>\n<li><strong>Access Intelligence<\/strong> \u2013 Helps with the analysis of authorized\/unauthorized access to system resources, applications, servers, system operations and other functions. You can also perform an in-depth analysis (with the use of tagging) of a particular system, application or service running in the network.<\/li>\n<li><strong>Port connection usage<\/strong> \u2013 Number of connections on a particular port.<\/li>\n<li><strong>URL connection usage<\/strong> \u2013 Number of connections whose requests reference a particular URL.<\/li>\n<li><strong>Data volumes<\/strong><\/li>\n<\/ul>\n<p>As an example, we show the use of Moloch for analysis of the CICIDS 2017 dataset, where we analyze a DDoS Hulk attack. First, we filter the traffic. 
Using the search expression tags == CICIDS2017_WEDNESDAY &amp;&amp; ip.dst == 192.168.10.50, we extract the traffic from the day of the attack with the web server&#8217;s IP as the destination address.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/lw4ESup.png\" alt=\"Moloch1\" \/><\/p>\n<p>Afterwards, in the SPI Graph tab, we can look up the source IP addresses that communicated with this web server by setting SPI Graph to ip.src.<\/p>\n<p>As we can see, the IP address 172.16.0.1 generated 84315 of the 85268 sessions, making it likely to be the address of the attacker.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/YyRLjvv.png\" alt=\"Moloch2\" \/><\/p>\n<p>In the SPI View tab, we can see that the network communication did not originate from just one port but from several thousand, and almost all of these connections were bound for port 80. Furthermore, we can see that most of the communication was bound for miscellaneous URIs, which is characteristic of a Hulk attack. By generating random URIs, a Hulk attack causes resource depletion on the web server, making the server inaccessible.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/G8WhKc5.png\" alt=\"Moloch3\" \/><br \/>\n<img decoding=\"async\" src=\"https:\/\/i.imgur.com\/K187YQQ.png\" alt=\"Moloch4\" \/><\/p>\n<h3><a id=\"Sources_40\"><\/a>Sources<\/h3>\n<ul>\n<li><a href=\"http:\/\/opac.crzp.sk\/?fn=detailBiblioFormChild3&amp;sid=B7A4F0D5DE0EE4D8F05E77CD7EE5\">CRZP<\/a> Komplexn\u00fd syst\u00e9m pre detekciu \u00fatokov a archiv\u00e1ciu d\u00e1t (Comprehensive system for attack detection and data archiving) &#8211; Moloch<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Usage possibilities of Moloch Author : Tom\u00e1\u0161 Moko\u0161 Moloch offers many distinct usage possibilities, which are not limited to those listed below and can be expanded by individual users, provided they find other applications for this service: DoS attacks \u2013 Analysis of connections suspected of originating DoS attacks. 
Geolocation&#8230;<\/p>","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[872],"tags":[874,920],"class_list":["post-3807","post","type-post","status-publish","format-standard","hentry","category-network-security-moloch-en","tag-moloch","tag-usage"],"taxonomy_info":{"category":[{"value":872,"label":"Moloch"}],"post_tag":[{"value":874,"label":"Moloch"},{"value":920,"label":"usage"}]},"featured_image_src_large":false,"author_info":{"display_name":"Tom\u00e1\u0161 
Moko\u0161","author_link":"https:\/\/nil.uniza.sk\/en\/author\/tomas-mokos\/"},"comment_info":1,"category_info":[{"term_id":872,"name":"Moloch","slug":"network-security-moloch-en","term_group":0,"term_taxonomy_id":870,"taxonomy":"category","description":"","parent":707,"count":14,"filter":"raw","cat_ID":872,"category_count":14,"category_description":"","cat_name":"Moloch","category_nicename":"network-security-moloch-en","category_parent":707}],"tag_info":[{"term_id":874,"name":"Moloch","slug":"moloch","term_group":0,"term_taxonomy_id":872,"taxonomy":"post_tag","description":"","parent":0,"count":10,"filter":"raw"},{"term_id":920,"name":"usage","slug":"usage","term_group":0,"term_taxonomy_id":918,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/3807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=3807"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/3807\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=3807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=3807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=3807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}