Moloch is an open source, large scale IPv4 (IPv6 soon) full packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching and exporting, and APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly, so session data can be consumed by other tools while the exported pcap can be opened in Wireshark. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic. In the words of its own website, molo.ch: "Augment your current security infrastructure to store and index network traffic in standard PCAP format." Moloch is not meant to replace an Intrusion Detection System (IDS); it provides more visibility, and because the packets are indexed, searching them is fast, which saves time in a security operations center or during a forensic investigation.

Its query language isn't as complete as Wireshark's filtering system, but it saves tons of work when filtering and visualizing large captures, and it offers some features Wireshark lacks, like filtering by country or AS. I'm sure I'm not the only one who would have loved to rely on Moloch when analyzing dozens of GB with tshark and Wireshark, particularly each time you apply a filter to show some kind of data. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the tool a test-drive.

For deploying a Moloch machine in an "all-in-one" setup (capture, viewer and elasticsearch on the same box) I created a virtual machine with Ubuntu Server 12.10 64 bits and assigned about 100 GB of HDD, 16 GB of RAM and 4 CPU cores. Moloch is a resource-hungry platform; for more detail see the hardware requirements in its documentation.

The first step is updating the box, installing Java and cloning the GitHub repository:

# apt-get update && apt-get upgrade -y && apt-get install git openjdk-7-jdk openjdk-7-jre -y
# git clone https://github.com/aol/moloch.git

Once the repo is cloned we must install at least one of its components: capture, viewer or elasticsearch. In the all-in-one setup all three end up under /data/moloch.

By default the capturer indexes everything it sees on the interface, including traffic generated by the Moloch box itself (elasticsearch on port 9200 and the viewer on port 8005). If we don't want to index any traffic related to the Moloch box, we have to specify a capture filter in Berkeley Packet Filter (bpf) format in /data/moloch/etc/config.ini. If you want to use the virtual interface and launch the nmap scan from the Moloch box itself, you may need to change the filter to:

bpf=not port (9200 or 8005)

This is, by far, not the correct way (it only hides the two service ports, not the rest of the box's own traffic, and capturing on a dedicated interface is the clean solution), but it is enough for a quick test. The rest of the Moloch configuration lives in the same /data/moloch/etc/config.ini.

To change the elasticsearch configuration and allow access from IP addresses other than the Moloch host itself, edit the network parameters (network.host) in /data/moloch/etc/elasticsearch.yml. The comments in that file explain that network.host sets both 'bind_host' and 'publish_host', that the publish address is automatically derived if not set, and that it must point to an actual IP address. Opening elasticsearch to other hosts could pose a security risk; using SSH tunneling would be a better approach. For the change to take effect we need to shut the elasticsearch node down and start it again:

# curl -XPOST 'http://localhost:9200/_shutdown'

Then start it again with the scripts in /data/moloch/bin. We can also start the viewer and the capturer from the same directory with /data/moloch/bin/run_viewer.sh and /data/moloch/bin/run_capture.sh respectively. Now we have access to the elasticsearch-head plugin at "https://MOLOCH_IP_ADDRESS:9200/_plugin/head/" to see the cluster health and manage it (this is exactly the interface the previous paragraph warns about exposing).

To have some data indexed by Moloch in a few minutes we are going to run some light random nmap scans, keeping in mind the interface assigned to the virtual machine. A quick scan to index some HTTP headers:

# ./nmap -sS -Pn -n -v -p80 -iR 10000 --script=http-headers

(-iR 10000 picks 10,000 random Internet targets, so run it only from a network where that is acceptable.)

If we take a look at the Moloch web interface now we will see some pretty information. We can see more about any session by clicking on the "green plus" icon: a new dropdown appears with some interesting options like downloading the pcap (for example, to make a deeper manual analysis with Wireshark), downloading the data in RAW format, and a set of links to filter on the session's fields.

Moloch also gives us the chance to visualize the indexed traffic from a graph theory point of view in the "Connections" tab, using hosts as nodes and connections (with or without port) as edges. This is really useful to get an idea at a glance of what event is being analyzed; in this case we can easily spot a few targets and thousands of hosts targeting them.

Moloch can also index existing pcap files. The relevant moloch-capture options are:

-c, --config     Config file name
-R, --pcapdir    Offline pcap directory, all *.pcap files will be processed
--recursive      When in offline pcap directory mode, recurse sub directories
-t, --tag        Extra tag to add to all packets, can be used multiple times
--copy           When in offline mode copy the pcap files into the pcapDir from the config file
--dryrun         Dry run, nothing written to database

So importing a directory of DDoS captures, tagging them and copying the files into Moloch's pcap directory is:

# ./moloch-capture -R /tmp/ddos_pcaps/ --tag ddos --copy

The post closes with a small script that reads the HTTP response from the elasticsearch node, transforms it to JSON and prints some statistics. Only these fragments of it survive on this page:

# Read html response and transform to JSON
'[*] Some statistics about elasticsearch at node "
' [+] This elasticsearch node has served up
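The following is an added example, not the post's own script: it fills in the idea behind the surviving fragments above (read the HTTP response from elasticsearch, transform it to JSON, print some statistics). The field names follow the elasticsearch 0.90-era _nodes/stats layout and the sample response is constructed, not captured from a real node; the URL and the heap threshold are assumptions.

```python
"""Summarise an elasticsearch node from its _nodes/stats response.

Added example, not the original post's script. Field names follow the
elasticsearch 0.90-era _nodes/stats layout (assumed); SAMPLE_RESPONSE is a
constructed response, not data from a real node.
"""
import json
import sys
import urllib.request

# Constructed sample of what GET http://localhost:9200/_nodes/stats returns,
# trimmed to the fields used below. Values are made up.
SAMPLE_RESPONSE = json.dumps({
    "cluster_name": "Moloch",
    "nodes": {
        "abc123": {
            "name": "moloch-01",
            "indices": {
                "docs": {"count": 1234567},
                "store": {"size_in_bytes": 5368709120},
                "search": {"query_total": 8421},
            },
            "jvm": {"mem": {"heap_used_in_bytes": 3221225472,
                            "heap_max_in_bytes": 8589934592}},
            "http": {"total_opened": 9001},
        }
    },
})

HEAP_WARN_PCT = 85.0  # assumed threshold for the heap pressure warning


def load_sample():
    """Parse the constructed sample as if it had come from the node."""
    return json.loads(SAMPLE_RESPONSE)


def fetch_node_stats(base_url="http://localhost:9200", timeout=5):
    """Read the raw HTTP response from elasticsearch and transform it to JSON."""
    with urllib.request.urlopen(base_url + "/_nodes/stats", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarise_nodes(payload):
    """Return one summary dict per node with derived, human readable figures."""
    out = []
    for node_id, node in payload["nodes"].items():
        heap = node["jvm"]["mem"]
        out.append({
            "id": node_id,
            "name": node["name"],
            "docs": node["indices"]["docs"]["count"],
            "store_gb": round(node["indices"]["store"]["size_in_bytes"] / 2 ** 30, 2),
            "queries": node["indices"]["search"]["query_total"],
            "http_connections": node["http"]["total_opened"],
            "heap_pct": round(100.0 * heap["heap_used_in_bytes"] / heap["heap_max_in_bytes"], 1),
        })
    return out


def format_report(payload):
    """Render the statistics in the style of the post's print lines."""
    lines = []
    for n in summarise_nodes(payload):
        lines.append('[*] Some statistics about elasticsearch at node "%s" (%s)'
                     % (n["name"], n["id"]))
        lines.append(" [+] This elasticsearch node has served up %d queries over %d HTTP connections"
                     % (n["queries"], n["http_connections"]))
        lines.append(" [+] %d indexed documents, %.2f GB on disk, JVM heap %.1f%% used"
                     % (n["docs"], n["store_gb"], n["heap_pct"]))
        if n["heap_pct"] >= HEAP_WARN_PCT:
            lines.append(" [!] heap pressure: this box needs more RAM or fewer shards")
    return "\n".join(lines)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200"
    try:
        stats = fetch_node_stats(url)
    except Exception as exc:  # node unreachable: fall back to the constructed sample
        print("[-] could not reach elasticsearch at %s (%s); using the constructed sample" % (url, exc))
        stats = load_sample()
    print(format_report(stats))
```

Run it with the node's base URL as the only argument; without a reachable node it reports on the constructed sample so the output format can be checked offline. Pointing it at a node reachable from another host is the same exposure the elasticsearch.yml paragraph warns about, which is one more reason to query through an SSH tunnel.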
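As an added example (not Moloch's own code), this script does offline what the "Connections" tab does in the browser: it turns session records into a graph with hosts as nodes and connections, with or without port, as edges, and then ranks destinations by the number of distinct sources, which is what makes the "few targets, thousands of attackers" shape of a DDoS stand out. The session records are constructed; the field names (a1/p1 source, a2/p2 destination, pa packets) are assumed to mirror Moloch's session JSON and may need adapting to what your viewer's API actually returns.

```python
"""Offline "Connections" view from Moloch-style session records.

Added example, not Moloch's code. Sessions are constructed below; the field
names a1/p1 (source), a2/p2 (destination) and pa (packets) are assumed to
mirror Moloch's session JSON.
"""
from collections import defaultdict
import ipaddress
import random


def make_sample_sessions(seed=7):
    """Constructed traffic: two targets flooded by many sources plus normal chatter."""
    rnd = random.Random(seed)
    sessions = []
    targets = ["203.0.113.10", "203.0.113.20"]  # made-up victims (TEST-NET-3)
    for i in range(600):  # flood: 600 distinct sources spread over the two targets
        src = str(ipaddress.IPv4Address("198.18.0.0") + i)
        sessions.append({"a1": src, "p1": rnd.randint(1024, 65535),
                         "a2": targets[i % 2], "p2": 80, "pa": 3})
    for i in range(30):  # background: one client talking to five servers
        sessions.append({"a1": "192.0.2.5", "p1": 40000 + i,
                         "a2": "192.0.2.%d" % (100 + i % 5),
                         "p2": rnd.choice([22, 443]), "pa": 40})
    return sessions


def build_graph(sessions, with_port=False):
    """Return (adjacency, edges): adjacency is {node: set(neighbours)},
    edges is {(src, dst): packets}. with_port=True makes the destination
    node host:port, separating services on the same host."""
    edges = defaultdict(int)
    for s in sessions:
        dst = "%s:%d" % (s["a2"], s["p2"]) if with_port else s["a2"]
        edges[(s["a1"], dst)] += s.get("pa", 0)
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj, dict(edges)


def rank_targets(sessions, min_sources=50):
    """Destinations contacted by at least min_sources distinct sources, most first.

    A handful of hosts with hundreds of distinct sources each, while every
    other node has a few neighbours, is the DDoS picture the Connections tab
    shows at a glance."""
    sources = defaultdict(set)
    for s in sessions:
        sources[s["a2"]].add(s["a1"])
    ranked = sorted(((len(v), k) for k, v in sources.items() if len(v) >= min_sources),
                    reverse=True)
    return [(dst, n) for n, dst in ranked]


if __name__ == "__main__":
    sess = make_sample_sessions()
    adj, edges = build_graph(sess)
    print("%d nodes, %d edges (host level)" % (len(adj), len(edges)))
    adj_p, edges_p = build_graph(sess, with_port=True)
    print("%d nodes, %d edges (host:port level)" % (len(adj_p), len(edges_p)))
    for dst, n in rank_targets(sess):
        print("%-16s hit by %d distinct sources" % (dst, n))
```

On the constructed data the host level graph has 608 nodes and 605 edges, and only the two victims pass the distinct-source threshold. To use it on real data, feed it the session list from Moloch's JSON export instead of make_sample_sessions() and lower or raise min_sources to the size of your network.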