Moloch Study Notes

Moloch is a security analysis tool designed to provide fast indexing of pcap files, with a user interface built for quick analysis of security incidents. It has powerful search capabilities that support filtering on many conditions, such as a session's start time, packet timestamps, IPs, ports and protocols, and it supports regular-expression and wildcard searches. Moloch also provides Sessions analysis, and in particular the SPI view, for studying the details of a session in depth.

Overview:
    Moloch is not meant to replace an intrusion detection system. Its purpose is to provide fast indexing of pcap files, and it builds a more direct interface for quickly analysing security incidents.

Search bar:
    Most Moloch versions have a search bar at the top of the page. A drop-down selects exactly which packet timestamp the time window applies to: every session has a first packet, a last packet and the timestamps of the data across the whole session, so Moloch offers a different choice for each situation.
    First Packet: the timestamp of the first packet received in a session
    Last Packet: the timestamp of the last packet received in a session
    Bounded: both the first and the last packet of the session fall within the time window
    Session Overlaps: the session's first packet is before the end of the time window and its last packet is after the start of the time window
    Database: the session's own recorded start and end are used as the bounds

Search:
    Wildcard *, for example http.uri=="www.f*k.com" matches www.fork.com or www.frack.com
    Regular expressions
    Lists, for example protocols == [http,ssh]
    IPs, for example ip == 1.2.3/24:80 or ip == [1.2.3.4,1.3/16]
    Numbers, for example bytes <= 10000 or port == [80,443,23]
    Dates, for example starttime == "2004/07/31 05:33:41" or stoptime == ["2004/07/31 05:33:41","2004/07/31 06:33:41"]; + or - can be used to indicate an offset
    Testing whether a field exists: the positive form is field == EXISTS!, the negative form is field != EXISTS!. For example cert.issuer.cn != EXISTS! && cert.issuer.on == EXISTS! checks for certificates that have no issuer CN but do have an issuer organization
    (country == RU || country == CN) && port == 80 && host == *com filters all sessions on port 80 whose hostname or domain contains ".com" and that involve China or Russia
    tags == "http:content:text/plain" && country == CA && packets < 20
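To show how these expression forms combine, here is an added example (not Moloch's own query parser): a small Python matcher that evaluates the wildcard, list, IP/CIDR-with-port, numeric, EXISTS! and && / || forms above against one session record, with && binding tighter than ||. It assumes sessions are flat dicts keyed by Moloch field expressions (ip.src, port.dst, host.http, ...), reads a bare 1.2.3 as 1.2.3.0/24 and a :port suffix as applying to the same endpoint as the IP (both inferred from the examples above), and leaves the date forms out.

```python
# Added example (not Moloch's own parser) for the search syntax above: * wildcard, [a,b] lists, IP/CIDR
# with :port, numeric compares, EXISTS!, && / || and parentheses, over a flat session dict (assumed layout).
import fnmatch, ipaddress, operator, re
TOKEN_RE = r'\s*(?:(\(|\)|&&|\|\|)|([\w.\-]+)\s*(==|!=|<=|>=|<|>)\s*(\[[^\]]*\]|"[^"]*"|[^\s()]+))'
NUM_OPS = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, ">": operator.gt}
SAMPLE = {"ip.src": "1.2.3.9", "port.src": 51234, "ip.dst": "1.3.7.7", "port.dst": 80,  # constructed session
          "bytes": 4200, "packets": 12, "protocols": ["tcp", "http"], "host.http": "www.fork.com",
          "country.dst": "CN", "cert.issuer.on": "Example Org"}

def _ip_hit(spec, session):
    # Page shorthand: '1.2.3/24:80' = 1.2.3.0/24 with port 80 on the same endpoint; bare '1.2.3' = /24 (inferred)
    addr, _, port = spec.partition(":")
    addr, _, plen = addr.partition("/")
    o = addr.split(".")
    net = ipaddress.ip_network(f"{'.'.join(o + ['0'] * (4 - len(o)))}/{plen or 8 * len(o)}", strict=False)
    return any(ipaddress.ip_address(session[f"ip.{s}"]) in net
               and (not port or session[f"port.{s}"] == int(port)) for s in ("src", "dst"))

def match_term(session, field, op, raw):
    specs = [v.strip().strip('"') for v in (raw[1:-1].split(",") if raw.startswith("[") else [raw])]
    actual = [x for k, v in session.items() if (k + ".").startswith(field + ".")
              for x in (v if isinstance(v, list) else [v])]  # "ip", "host", ... cover every "ip.*" field
    if specs == ["EXISTS!"]:
        hit = bool(actual)
    elif field == "ip":
        hit = any(_ip_hit(s, session) for s in specs)
    elif op in ("==", "!="):  # string compare; fnmatch supplies the * wildcard (and also ? and [...])
        hit = any(fnmatch.fnmatchcase(str(a), s) for a in actual for s in specs)
    else:
        hit = any(NUM_OPS[op](int(a), int(specs[0])) for a in actual)
    return hit if op != "!=" else not hit

def _expr(tok, i, s, level=0):  # level 0: a || b, level 1: a && b, level 2: term or ( ... )
    if level == 2:
        val, i = (match_term(s, *tok[i]), i) if tok[i] != "(" else _expr(tok, i + 1, s)
        return val, i + 1  # skips the term itself, or the closing ")" of the sub-expression
    val, i = _expr(tok, i, s, level + 1)
    while i < len(tok) and tok[i] == ("||", "&&")[level]:
        rhs, i = _expr(tok, i + 1, s, level + 1)
        val = (val or rhs) if level == 0 else (val and rhs)
    return val, i

def match(expr, session=SAMPLE):
    if not re.fullmatch(f"(?:{TOKEN_RE})+\\s*", expr):
        raise ValueError("cannot parse expression")
    tok = [t[0] or t[1:] for t in re.findall(TOKEN_RE, expr)]
    val, i = _expr(tok, 0, session)
    if i != len(tok):
        raise ValueError("unbalanced parentheses or trailing tokens")
    return val
```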
Sessions:
    The Sessions section is mainly used to analyse traffic
SPI View:
    SPI (Session Profile Information) is used to analyse a single session in detail

The search fields and their options are listed below:

| Name | Exp | Operators | Data Type | What? |
|---|---|---|---|---|
| ASN | asn.dns | ==, != | mixed case string | GeoIP ASN string calculated from the IP from DNS result |
| ASN | asn.dns.mailserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for mailservers |
| ASN | asn.dns.nameserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for nameservers |
| ASN | asn.email | ==, != | mixed case string | GeoIP ASN string calculated from the Email IP address |
| ASN | asn.socks | ==, != | mixed case string | GeoIP ASN string calculated from the SOCKS destination IP |
| GEO | country.dns | ==, != | upper case string | GeoIP country string calculated from the IP from DNS result |
| GEO | country.dns.mailserver | ==, != | upper case string | GeoIP country string calculated from the IPs for mailservers |
| GEO | country.dns.nameserver | ==, != | upper case string | GeoIP country string calculated from the IPs for nameservers |
| GEO | country.email | ==, != | upper case string | GeoIP country string calculated from the Email IP address |
| GEO | country.socks | ==, != | upper case string | GeoIP country string calculated from the SOCKS destination IP |
| RIR | rir.dns | ==, != | upper case string | Regional Internet Registry string calculated from IP from DNS result |
| RIR | rir.dns.mailserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for mailservers |
| RIR | rir.dns.nameserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for nameservers |
| RIR | rir.email | ==, != | upper case string | Regional Internet Registry string calculated from Email IP address |
| RIR | rir.socks | ==, != | upper case string | Regional Internet Registry string calculated from SOCKS destination IP |
| All ASN fields | asn | ==, != | mixed case string | Search all ASN fields |
| All country fields | country | ==, != | upper case string | Search all country fields |
| All Host | host.dns.all | ==, != | lower case string | Shorthand for host.dns or host.dns.nameserver |
| All Host fields | host | ==, != | lower case string | Search all Host fields |
| All IP fields | ip | ==, != | ip | Search all ip fields |
| All port fields | port | <, <=, ==, >=, >, != | integer | Search all port fields |
| All rir fields | rir | ==, != | upper case string | Search all rir fields |
| Alt Name | cert.alt | ==, != | lower case string | Certificate alternative names |
| Alt Name Cnt | cert.alt.cnt | <, <=, ==, >=, >, != | integer | Unique number of Certificate alternative names |
| Application | postgresql.app | ==, != | mixed case string | Postgresql application |
| Asset | asset | ==, != | lower case string | Asset name |
| Asset Cnt | asset.cnt | <, <=, ==, >=, >, != | integer | Unique number of Asset name |
| Attach Content-Type | email.file-content-type | ==, != | mixed case string | Email attachment content types |
| Attach Content-Type Cnt | email.file-content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment content types |
| Attach MD5s | email.md5 | ==, != | mixed case string | Email attachment MD5s |
| Attach MD5s Cnt | email.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment MD5s |
| Auth Type | http.authtype | ==, != | lower case string | HTTP Auth Type |
| Auth Type | ldap.authtype | ==, != | mixed case string | The auth type of ldap bind |
| Auth Type Cnt | http.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth Type |
| Auth Type Cnt | ldap.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of The auth type of ldap bind |
| Bind Name | ldap.bindname | ==, != | mixed case string | The bind name of ldap bind |
| Bind Name Cnt | ldap.bindname.cnt | <, <=, ==, >=, >, != | integer | Unique number of The bind name of ldap bind |
| Body Magic | email.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
| Body Magic | http.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
| Body Magic Cnt | email.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of The content type of body determined by libfile/magic |
| Body Magic Cnt | http.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of The content type of body determined by libfile/magic |
| Body MD5 | http.md5 | ==, != | lower case string | MD5 of http body response |
| Body MD5 Cnt | http.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of MD5 of http body response |
| Bytes | bytes | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent AND received in a session |
| Cert Cnt | cert.cnt | <, <=, ==, >=, >, != | integer | Count of certificates |
| Channel | irc.channel | ==, != | mixed case string | Channels joined |
| Channel Cnt | irc.channel.cnt | <, <=, ==, >=, >, != | integer | Unique number of Channels joined |
| Cipher | tls.cipher | ==, != | upper case string | SSL/TLS cipher field |
| Cipher Cnt | tls.cipher.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS cipher field |