BigSnarf blog

Infosec FTW

AOL Moloch is PCAP Elasticsearch full packet search

moloch-stats

https://github.com/bigsnarfdude/moloch

Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using apache in front. Moloch is not meant to replace IDS engines but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.

Installation is pretty simple for a POC

  1. Spin up an Ubuntu box
  2. Update all the packages
  3. git clone https://github.com/bigsnarfdude/moloch
  4. follow tutorial if you must http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime
  5. cd moloch
  6. ./easybutton-singlehost.sh
  7. follow prompts
  8. load sample PCAPs from http://digitalcorpora.org/corp/nps/scenarios/2009-m57-patents/net
  9. Have fun with Moloch

One response to “AOL Moloch is PCAP Elasticsearch full packet search

  1. Pingback: Solutions for Big Data ingest of network traffic – Analyzing PCAP traffic with Hadoop | BigSnarf blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: