Introduction:
Moloch is not meant to replace an intrusion detection system. Moloch is intended to provide fast indexing of pcap files, and it gives analysts a more direct interface for quickly investigating security events.
Search bar:
Most Moloch versions have a search bar at the top of the page. The drop-down next to the time range lets you choose precisely which packet timestamp the range is measured against: every session has a first packet, a last packet and a session-level timestamp, so Moloch offers different options for different situations.
First Packet: the timestamp of the first packet received in the session falls within the time window
Last Packet: the timestamp of the last packet received in the session falls within the time window
Bounded: the timestamps of both the first and the last packet of the session fall within the time window
Session Overlaps: the session's first packet timestamp is before the end of the time window and its last packet timestamp is after the start of the time window
Database: bounded by the session's own start and end
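The four modes with precise definitions above can be expressed as simple comparisons on a session's first-packet and last-packet timestamps. The following is an added example, not code from Moloch; the sessions and the search window are constructed sample data, and the Database mode is left out because the text gives no rule for it.

```python
"""Added example (not Moloch's own code): how the search bar's time-range modes
decide whether a session falls inside the window [start, stop], following the
definitions given in the text. 'Database' is not modelled because the text gives
no precise rule for it. SESSIONS and WINDOW are constructed sample data."""
from datetime import datetime, timedelta

MODES = ("First Packet", "Last Packet", "Bounded", "Session Overlaps")

def session_matches(first, last, start, stop, mode):
    """Apply one drop-down mode to a session's first/last packet timestamps."""
    if mode == "First Packet":       # first packet lies inside the window
        return start <= first <= stop
    if mode == "Last Packet":        # last packet lies inside the window
        return start <= last <= stop
    if mode == "Bounded":            # both first and last packet lie inside the window
        return start <= first and last <= stop
    if mode == "Session Overlaps":   # started before the window ends, ended after it starts
        return first <= stop and last >= start
    raise ValueError(f"unknown mode {mode!r}")

def select_sessions(sessions, start, stop, mode):
    """Return the ids of the sessions the given mode would display."""
    return [sid for sid, first, last in sessions
            if session_matches(first, last, start, stop, mode)]

# Constructed sample data: minute offsets relative to an arbitrary base time.
T0 = datetime(2004, 7, 31, 5, 0, 0)

def at(minutes):
    return T0 + timedelta(minutes=minutes)

SESSIONS = [
    # (session id, first packet, last packet)
    ("inside",        at(10),  at(20)),   # entirely within the window
    ("starts_before", at(-10), at(5)),    # began before the window, ended inside it
    ("ends_after",    at(50),  at(70)),   # began inside the window, ended after it
    ("spans",         at(-10), at(70)),   # long-lived session covering the whole window
    ("outside",       at(90),  at(100)),  # entirely after the window
]
WINDOW = (at(0), at(60))   # one-hour search window

def report(sessions=SESSIONS, window=WINDOW):
    """Which sessions each mode would show for the same window."""
    return {mode: select_sessions(sessions, *window, mode) for mode in MODES}

if __name__ == "__main__":
    for mode, ids in report().items():
        print(f"{mode:17s} -> {ids}")
```

The long-lived "spans" session is returned only by Session Overlaps: when you search a window for a connection that began earlier (a long-running tunnel, for instance), First Packet and Bounded silently leave it out, so pick the mode before trusting an empty result.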
Search:
Wildcards: `*`, e.g. `http.uri=="www.f*k.com"` matches www.fork.com or www.frack.com
Regular expressions
Lists, e.g. `protocols == [http,ssh]`
IP addresses, e.g. `ip == 1.2.3/24:80` or `ip == [1.2.3.4,1.3/16]`
Numbers, e.g. `bytes <= 10000` or `port == [80,443,23]`
Dates, e.g. `starttime == "2004/07/31 05:33:41"` or `stoptime == ["2004/07/31 05:33:41","2004/07/31 06:33:41"]`; `+` or `-` can be used to express an offset
Testing whether a field exists: the positive form is `field == EXISTS!`, the negative form is `field != EXISTS!`. For example, `cert.issuer.cn != EXISTS! && cert.issuer.on == EXISTS!` checks for certificates that have no issuer name but do have an issuing organization
`(country == RU || country == CN) && port == 80 && host == *com` filters all sessions on port 80 involving China or Russia whose host name or domain name contains ".com"
`tags == "http:content:text/plain" && country == CA && packets < 20`
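The expressions above combine comparisons with `&&`, `||` and parentheses, and each comparison is only valid if the operator is one the field's data type permits (see the Operators and Data Type columns of the field table further down). The following added example, which is not Moloch's own code, parses an expression and checks each comparison against a small excerpt of that table; the rows marked "assumed" are for fields used in the examples above whose table rows are not reproduced in the excerpt, and the message texts are the example's own.

```python
"""Added example (not Moloch's own code): validate a Moloch search expression
against the Operators and Data Type columns of the field table before running
it. FIELDS is a small excerpt of that table; the rows marked 'assumed' cover
fields used in the text's examples whose table rows are not reproduced here."""
import re

EQ_OPS = {"==", "!="}
ALL_OPS = {"<", "<=", "==", ">=", ">", "!="}

# field expression -> (data type, operators the table allows)
FIELDS = {
    "ip": ("ip", EQ_OPS),
    "port": ("integer", ALL_OPS),
    "bytes": ("integer", ALL_OPS),
    "country": ("upper case string", EQ_OPS),
    "host": ("lower case string", EQ_OPS),
    "cert.alt.cnt": ("integer", ALL_OPS),
    "tls.cipher": ("upper case string", EQ_OPS),
    # assumed: used in the text's examples, table rows not shown in the excerpt
    "packets": ("integer", ALL_OPS),
    "protocols": ("lower case string", EQ_OPS),
    "tags": ("mixed case string", EQ_OPS),
    "http.uri": ("lower case string", EQ_OPS),
    "cert.issuer.cn": ("mixed case string", EQ_OPS),
    "cert.issuer.on": ("mixed case string", EQ_OPS),
    "starttime": ("date", ALL_OPS),
    "stoptime": ("date", ALL_OPS),
}

TOKEN = re.compile(
    r'\s*(?:'
    r'(\(|\)|&&|\|\||<=|>=|==|!=|<|>)'   # parentheses, logical and comparison operators
    r'|("[^"]*")'                        # quoted value, may contain spaces (dates)
    r'|(\[[^\]]*\])'                     # list value such as [80,443,23]
    r'|((?:[^\s()<>=!\[\]"]|!(?!=))+)'   # bare field or value: EXISTS!, *com, 1.2.3/24:80
    r')'
)

def tokenize(text):
    """Split an expression into tokens; raise ValueError on unreadable input."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens

class Parser:
    """Recursive-descent parser: expr := term ('||' term)*, term := factor ('&&' factor)*."""
    def __init__(self, tokens):
        self.toks, self.i, self.problems = tokens, 0, []

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if field is None or op not in ALL_OPS or value is None:
            raise ValueError(f"expected 'field op value' near {field!r} {op!r} {value!r}")
        self.check(field, op, value)
        return ("cmp", field, op, value)

    def check(self, field, op, value):
        """Compare one comparison against the field table."""
        if field not in FIELDS:
            self.problems.append(f"unknown field {field!r}")
            return
        dtype, ops = FIELDS[field]
        if op not in ops:
            self.problems.append(f"{field}: operator {op} not allowed for {dtype} "
                                 f"(allowed: {', '.join(sorted(ops))})")
        values = value[1:-1].split(",") if value.startswith("[") else [value]
        for v in (x.strip().strip('"') for x in values):
            if v == "EXISTS!":
                if op not in EQ_OPS:
                    self.problems.append(f"{field}: EXISTS! only works with == or !=")
            elif dtype == "integer" and not v.lstrip("-").isdigit():
                self.problems.append(f"{field}: {v!r} is not an integer")

def validate(expression):
    """Return a list of problems; an empty list means the expression passes."""
    try:
        p = Parser(tokenize(expression))
        p.expr()
        if p.peek() is not None:
            p.problems.append(f"unexpected token {p.peek()!r}")
    except ValueError as e:
        return [str(e)]
    return p.problems

if __name__ == "__main__":
    for e in ['(country == RU || country == CN) && port == 80 && host == *com',
              'host < 5', 'bytes <= abc', '(country == RU']:
        print(e, "->", validate(e) or "ok")
```

Running the checker over saved hunting queries catches the common slip of using a range operator on a string field, or a non-numeric value on a count field, before the query is sent to the viewer and returns nothing.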
Sessions
The Sessions section is mainly used for analysing traffic.
SPI View
SPI (Session Profile Information) is used for detailed analysis of a single session.
Below are the fields available for searching:
Name | Exp | Operators | Data Type | What? |
---|---|---|---|---|
ASN | asn.dns | ==, != | mixed case string | GeoIP ASN string calculated from the IP from DNS result |
ASN | asn.dns.mailserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for mailservers |
ASN | asn.dns.nameserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for nameservers |
ASN | asn.email | ==, != | mixed case string | GeoIP ASN string calculated from the Email IP address |
ASN | asn.socks | ==, != | mixed case string | GeoIP ASN string calculated from the SOCKS destination IP |
GEO | country.dns | ==, != | upper case string | GeoIP country string calculated from the IP from DNS result |
GEO | country.dns.mailserver | ==, != | upper case string | GeoIP country string calculated from the IPs for mailservers |
GEO | country.dns.nameserver | ==, != | upper case string | GeoIP country string calculated from the IPs for nameservers |
GEO | country.email | ==, != | upper case string | GeoIP country string calculated from the Email IP address |
GEO | country.socks | ==, != | upper case string | GeoIP country string calculated from the SOCKS destination IP |
RIR | rir.dns | ==, != | upper case string | Regional Internet Registry string calculated from IP from DNS result |
RIR | rir.dns.mailserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for mailservers |
RIR | rir.dns.nameserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for nameservers |
RIR | rir.email | ==, != | upper case string | Regional Internet Registry string calculated from Email IP address |
RIR | rir.socks | ==, != | upper case string | Regional Internet Registry string calculated from SOCKS destination IP |
All ASN fields | asn | ==, != | mixed case string | Search all ASN fields |
All country fields | country | ==, != | upper case string | Search all country fields |
All Host | host.dns.all | ==, != | lower case string | Shorthand for host.dns or host.dns.nameserver |
All Host fields | host | ==, != | lower case string | Search all Host fields |
All IP fields | ip | ==, != | ip | Search all ip fields |
All port fields | port | <, <=, ==, >=, >, != | integer | Search all port fields |
All rir fields | rir | ==, != | upper case string | Search all rir fields |
Alt Name | cert.alt | ==, != | lower case string | Certificate alternative names |
Alt Name Cnt | cert.alt.cnt | <, <=, ==, >=, >, != | integer | Unique number of Certificate alternative names |
Application | postgresql.app | ==, != | mixed case string | Postgresql application |
Asset | asset | ==, != | lower case string | Asset name |
Asset Cnt | asset.cnt | <, <=, ==, >=, >, != | integer | Unique number of Asset name |
Attach Content-Type | email.file-content-type | ==, != | mixed case string | Email attachment content types |
Attach Content-Type Cnt | email.file-content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment content types |
Attach MD5s | email.md5 | ==, != | mixed case string | Email attachment MD5s |
Attach MD5s Cnt | email.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment MD5s |
Auth Type | http.authtype | ==, != | lower case string | HTTP Auth Type |
Auth Type | ldap.authtype | ==, != | mixed case string | The auth type of ldap bind |
Auth Type Cnt | http.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth Type |
Auth Type Cnt | ldap.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of the auth type of ldap bind |
Bind Name | ldap.bindname | ==, != | mixed case string | The bind name of ldap bind |
Bind Name Cnt | ldap.bindname.cnt | <, <=, ==, >=, >, != | integer | Unique number of the bind name of ldap bind |
Body Magic | email.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
Body Magic | http.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
Body Magic Cnt | email.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of the content type of body determined by libfile/magic |
Body Magic Cnt | http.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of the content type of body determined by libfile/magic |
Body MD5 | http.md5 | ==, != | lower case string | MD5 of http body response |
Body MD5 Cnt | http.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of MD5 of http body response |
Bytes | bytes | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent AND received in a session |
Cert Cnt | cert.cnt | <, <=, ==, >=, >, != | integer | Count of certificates |
Channel | irc.channel | ==, != | mixed case string | Channels joined |
Channel Cnt | irc.channel.cnt | <, <=, ==, >=, >, != | integer | Unique number of Channels joined |
Cipher | tls.cipher | ==, != | upper case string | SSL/TLS cipher field |
Cipher Cnt | tls.cipher.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS cipher field |