- Author : Tomáš Mokoš
Moloch has many distinct uses. The list below is not exhaustive and individual users can extend it with other applications of the service they find:
- DoS attacks – analysis of connections suspected of being the source of a DoS attack.
- Geolocation – identification of a connection's country of origin.
- Access intelligence – helps analyse authorized and unauthorized access to system resources, applications, servers, system operations and other functions. Using tagging, a particular system, application or service running in the network can also be analysed in depth.
- Port connection usage – number of connections on a particular port.
- URL connection usage – number of connections tied to a particular URL, counted by request.
- Data volumes
The following example shows the use of Moloch in analysing the CICIDS 2017 dataset, where we step through a DDoS Hulk attack.
First we filter the traffic: the filter tags == CICIDS2017_WEDNESDAY && ip.dst == 192.168.10.50 returns the flows whose destination is the web server on the day of the attack.