Menu Close
  • NIL - Network Information Library

Moloch – Usage possibilities of Moloch

Tomáš Mokoš 0 Comments

Usage possibilities of Moloch

  • Author : Tomáš Mokoš

Moloch offers many distinct usage possibilities, the set of which is not limited to the ones mentioned down below and can be expanded by individual users, provided they can find other applications of this service:

    • DOS attacks – Analysis of connections suspected of originating DOS attacks.
    • Geolocation – Identification of connection’s country of origin.
    • Access Intelligence – Helps with the analysis of authorized/non-authorized access to system resources, applications, servers, system operation and different functions. You can also perform depth analysis (with the use of tagging) of a particular system, application or service running in the network
    • Port connection usage – amount of connections on a particular port.
    • URL connection usage – amount of connections tied to a particular URL by requests.
    • Data volumes

    As an example, we will show you the use of Moloch for analysis of the CICIDS 2017 dataset, where we analyze a DDoS Hulk attack. First, we filter the traffic. Using the command tags == CICIDS2017_WEDNESDAY && ip.dst == 192.168.10.50 we extract the traffic from the day of the attack with the webserver’s IP as the destination address.

Read more →

Moloch – Network interface configuration

Tomáš Mokoš 0 Comments

Considering the possibility of packet loss at high traffic flows, it is recommended for the packet capture interface to NOT be the same as the interface connected to the internet, in this case, the interface assigned with static IP address. On the server in our lab there are two interfaces, one for packet capture and one for “outside” communication. To prevent packet loss, it is recommended to increase the Moloch-side interface’s buffer to maximum and turn off most of the NIC’s services by using the following commands:

ethtool –G enp0s9 rx 4096 tx 4096 
ethtool –K enp0s9 rx off tx off gs off tso off gso off

You can find out the maximum buffer size using the ethool -g command, to check NIC’s services use the ethtool -k command. Disable most of NIC’s services, since you want to capture network traffic instead of what the OS can see, they are not going to be used anyway.

Read more →

Moloch – Load Testing

Tomáš Mokoš 0 Comments
  • Author : Tomáš Mokoš, Marek Brodec

In our topology, the server running Moloch was connected to a 100Mbps switch, therefore, even though the generated network traffic reached 140Mbps, the flow was subsequently limited on switch.

Single source to single destination test

At first, while generating packets with a generated IP address from cloud to a lab PC, we have had a problem with the cloud’s security policies. These policies prevented the sending of packets with source IP address different from the one assigned to the hosting cloud instance, therefore we have only generated traffic from a single source IP address to a single destination IP address.

Read more →

Moloch – CPU, RAM and HDD usage

Tomáš Mokoš 0 Comments
  • Author : Tomáš Mokoš, Marek Brodec

Considering the fact that the formulas that we used to calculate for how many days can Moloch archive network traffic and what hardware should we use were only approximate, we have decided to measure some statistics to help us clear up these values.

From the Elasticsearch node quantity calculation formula: ¼ * [average network traffic in Gbit/s] * [number of days to be archived], we get that at 2 Mbit/s, one node should suffice.

Read more →

Forensic analytic tools

Tomáš Mokoš 0 Comments

Forensic analytic tools

  • Author : Tomáš Mokoš

NetworkMiner

NetworkMiner is a Network forensic analysis tool (NFAT) for Windows operating systems. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. NetworkMiner’s primary purpose is collection of data regarding network hosts, rather than data regarding network traffic. In addition to direct file capture, NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. This function can be used for extraction and archiving of media files transferred through the network. Supported file extraction protocols are FTP, SMB and HTTP. Extracted user credentials (username and password) for supported protocols can be found in the Credentials tab. Other useful features include keyword search in the captured/archived data and Nmap MAC vendor lookup.

Xplico

Xplico is an open-source NFAT. The goal of Xplico is the extraction of application data contained in a capture sample of Internet traffic. For example, Xplico can export all e-mails (POP, IMAP and SMTP), HTTP contents, VoIP calls, FTP and TFTP files, etc.

Read more →

Tclsh script examples: how to generate router loop interfaces with IPv4 addresses

palo73 0 Comments

This example shows how to generate 254 loop interfaces with assigned ipv4 addresses 172.16.0.1/24 up to 172.16.255.1/24. The code is:

enable
tclsh
for {set i 0} {$i < 256} {incr i} {
ios_config "int loop $i" "ip address 172.16.$i.1 255.255.255.0"
}
ios_config "end"
tclquit

and you may just simply copy and paste it into a Cisco router CLI. Therefore first run tclsh within of privileged EXEC mode

Read more →

Moloch – Installation

Tomáš Mokoš 0 Comments

  • Authors : Tomáš Mokoš, Marek Brodec
  • Tested version : 0.20.0
  • Operating system : Ubuntu 14.04.5

Note: this guide is obsolete, for a more up-to-date version visit Moloch v1.7.0 – Installation

Installation of Moloch is no trivial matter, that is why we have prepared this guide on how to set up the system in cloud environment. The server obtains an IP address dynamically through DHCP, therefore no editing of the interface configuration file is required.

First add Java repositories and install the Java package.

add-apt-repository ppa:webupd8team/java 
apt-get install oracle-java8-installer

Install additional necessary packages.

apt-get install wget curl libpcre3-dev uuid-dev libmagic-dev pkg-config g++ flex bison zlib1g-dev libffi-dev gettext libgeoip-dev make libjson-perl libbz2-dev libwww-perl libpng-dev xz-utils libffi-dev

Download Node.js, version 6.x is recommended, since version 8.x is not currently supported.

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash – 
sudo apt-get install -y nodejs

Download and install Elasticsearch.

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.3.deb
sudo dpkg -i elasticsearch-5.5.3.deb

Copy Moloch to your server.

git clone https://github.com/aol/moloch.git

Install using the available script.

./easybutton-build.sh

Previous versions required editing of firewall rules.

iptables -A INPUT -m tcp -p tcp --dport 8005 -j ACCEPT 
iptables -A INPUT -m udp -p udp --dport 8005 -j ACCEPT 
iptables -A OUTPUT -m tcp -p tcp --sport 8005 -j ACCEPT 
iptables -A OUTPUT -m udp -p udp --sport 8005 -j ACCEPT 
iptables -A INPUT -m tcp -p tcp --dport 9200 -j ACCEPT 
iptables -A INPUT -m udp -p udp --dport 9200 -j ACCEPT 
sudo su -c 'iptables-save > /etc/iptables/rules.v4'

The following commands will install other necessary files for capture host and configure the listening interface of the system. When asked whether to install Elasticsearch choose no, since you have already installed Elasticsearch earlier and this script offers only the demo version.

make install 
make config

Go to the Viewer directory, update Node.js and run account creation script.

cd /data/moloch/viewer 
npm update 
/data/moloch/bin/moloch_add_user.sh admin "Admin User" PASSWORD --admin

Create symlink in Viewer directory.

ln -sf /usr/bin/nodejs node

Start the individual components.

service elasticsearch start 
service molochcapture start
service molochviewer start

Provided you have done everything right so far, you should be able to access the web interface at http://IPADDRESSOFINTERFACE:8005

Sources:

  • Github Information about Moloch

Read more →