Tektip ep24 - Moloch
Before getting into Moloch, I wanted to take a moment to say thank you to everyone who has been putting the word out there on Automater lately. Automater has gotten a lot of recognition (thanks, Reddit), which has been very motivating.
In this episode of Tektip, we take a closer look at one of the most exciting projects shown at Shmoocon 2013, Moloch.
A description of Moloch from their Github page:
"Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using apache in front. Moloch is not meant to replace IDS engines but instead work alongside them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic."
A bit about the creators from the Shmoocon Speakers page:
"Andy Wick and Eoin Miller are members of AOL’s Computer Emergency Response Team. Andy Wick has more than 15 years of development experience at AOL. He has recently come into the CERT group and has begun developing tools for defense and forensics. Eoin Miller specializes in using IDS and full packet capture systems to identify drive by exploit kits and the traffic that feeds them (malvertising in particular). He regularly contributes the developed signatures to EmergingThreats/OISF and other groups."
Now I have put a lot of time into MASTIFF lately and haven't had a chance to get Moloch installed and configured properly quite yet. Luckily, the securabit.com team has given me access to their lab, where they have Moloch built out, along with many other products. A huge thank you to them, especially Mike Bailey (@mpbailey1911) who took the time to get Moloch installed and configured, with a decent amount of traffic pumping through it.
The version of Moloch I am using for this video is 0.7.3. Moloch gives the user an efficient method of browsing, querying, exporting, and visualizing packet data. Some commercial products I would say are similar in function are NetScout, NetWitness, and Cascade.
The power of Moloch, at least for what I will be using it for, is the ability to have immediate access to traffic data and pcaps that match custom filters based on fields that are not normally available as queryable fields, such as HTTP header information. As Moloch uses a filter syntax very similar to Wireshark's, network analysts will quickly adapt to the product. On the visualization side, there is a Maltego-like feel: it shows how IP addresses and ports relate to each other based on the data you have filtered on.
As Moloch is still early in development, I expect the product will evolve to incorporate even more features. My current Moloch wish list is:
- Groups: Have the ability to create groups of IPs, services, and tags, and then query on those groups. An example is creating a group for all of your DNS servers and then writing a filter to the effect of "IP Source of Not 'DNS Servers' to External on UDP/53".
- Save filters: It would be nice to be able to save filters for future use.
- Share saved filters: Share filters with other users.
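To make the "Groups" wish-list item concrete, here is an added example (my own code, not Moloch's) of what that DNS filter does once named groups exist: it evaluates "source not in the DNS-servers group, destination not in the internal group, UDP/53" over a handful of constructed session records. The group membership, the session field names (`src`, `dst`, `sport`, `dport`, `proto`) and the addresses are all assumptions for the example, not Moloch's schema or anything from the post.

```python
"""Constructed illustration of querying on named IP groups.

Not Moloch code. Session field names and group contents are assumptions
made for this example; a real deployment would pull sessions from the
capture system's JSON session export and define its own groups.
"""
from ipaddress import ip_address, ip_network

# Named groups, each a list of networks (a single host is just a /32).
# Values are assumed for the example.
GROUPS = {
    "dns_servers": [ip_network("10.0.0.53/32"), ip_network("10.0.1.53/32")],
    "internal": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}

# Constructed session records (hypothetical field names, not Moloch's).
SESSIONS = [
    # sanctioned resolver forwarding upstream: allowed
    {"src": "10.0.0.53", "sport": 41234, "dst": "8.8.8.8", "dport": 53, "proto": "udp"},
    # workstation bypassing the internal resolvers: should match
    {"src": "10.0.5.17", "sport": 50012, "dst": "8.8.8.8", "dport": 53, "proto": "udp"},
    # workstation asking an internal DNS server: allowed
    {"src": "10.0.5.18", "sport": 50013, "dst": "10.0.0.53", "dport": 53, "proto": "udp"},
    # TCP/53 to the outside: not covered by this particular filter
    {"src": "10.0.5.19", "sport": 50014, "dst": "1.1.1.1", "dport": 53, "proto": "tcp"},
    # another host on a second internal range bypassing resolvers: should match
    {"src": "192.168.3.4", "sport": 50015, "dst": "185.199.108.1", "dport": 53, "proto": "udp"},
]


def in_group(ip, group, groups=GROUPS):
    """True if `ip` falls inside any network of the named group."""
    addr = ip_address(ip)
    return any(addr in net for net in groups[group])


def rogue_udp_dns(sessions, groups=GROUPS):
    """The wish-list filter: src not in 'dns_servers', dst not in 'internal', UDP/53.

    Returns the matching session records in their original order.
    """
    hits = []
    for s in sessions:
        if s["proto"] != "udp" or s["dport"] != 53:
            continue                      # only UDP/53
        if in_group(s["src"], "dns_servers", groups):
            continue                      # sanctioned resolvers may talk outbound
        if in_group(s["dst"], "internal", groups):
            continue                      # internal-to-internal DNS is expected
        hits.append(s)
    return hits


if __name__ == "__main__":
    for s in rogue_udp_dns(SESSIONS):
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} {s['proto']}")
```

Because the groups are data rather than hard-coded addresses, the same filter keeps working when a resolver is added or an internal range changes; that is the whole value of the "Groups" item, and a saved, shareable filter would be this function with a name attached.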
Enjoy the screenshots, and check out the video for a more in-depth look.