Moloch is an open source, large scale, full packet capturing, indexing, and database system. Moloch augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Moloch exposes APIs which allow PCAP data and JSON formatted session data to be downloaded and consumed directly. Moloch stores and exports all packets in standard PCAP format, allowing you to also use your favourite PCAP ingesting tools, such as Wireshark, during your analysis workflow.
Access to Moloch is protected by using HTTPS with digest passwords or by using a web server proxy that provides authentication. All PCAPs are stored on the sensors and are only accessed using the Moloch interface or API. Moloch is not meant to replace an IDS but instead to work alongside it, storing and indexing all the network traffic in standard PCAP format and providing fast access. Moloch is built to be deployed across many systems and can scale to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Metadata retention is based on the Elasticsearch cluster scale. Both can be increased at any time and are under your complete control.
SPI View Tab
Here are some sample deployments of Moloch for different network architectures. Most folks will probably run a hybrid of the following since no one solution fits all. Capture can be scaled horizontally by adding more capture machines, vertically by adding more CPUs/disk, or both. We usually recommend scaling horizontally, unless physical space is constrained, and using a network packet broker in front of multiple machines. However, it is possible to use big machines, with lots of CPU/disk, and run moloch-capture with more threads.
- A box represents a physical machine.
- It is possible to run multiple capture processes per machine or have a single capture process listen on multiple interfaces – (FAQ Answer)
- Recommend “Big Data” style boxes for capture – (FAQ Answer)
- Run multiple Elasticsearch processes per machine since each ES node should be configured at most to 30G – (FAQ Answer)
- Except for single host deployments, it is recommended/useful that all operator access flows through a single Apache/viewer combination that can provide better authentication, logging, and a single choke point – (FAQ Answer)
- All ES instances should have iptables rules for ports 9200-920N and 9300-930N, where N is the number of ES instances per machine, that only allow the other Elasticsearch, capture and viewer machines to connect
- All viewer hosts, except the Apache/viewer box, should have iptables rules for port 8005 that only allow other viewer machines to connect. The viewer must listen on an OS interface if using multiple machines
- The shared viewer instances can listen on localhost since only Apache talks to them
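The iptables lockdown described in the list above, as an added example that is not from the Moloch project: a POSIX shell script that prints the rules for review rather than applying them. The function names `es_rules` and `viewer_rules` and all host addresses are assumptions made for illustration, and it assumes IPv4 peers and rules appended to the INPUT chain.

```shell
#!/bin/sh
# Added example: prints iptables rules for review; it does not apply them.
# Function names and all addresses are illustrative, not part of Moloch.

# Accept only IPv4 addresses/CIDRs so nothing unexpected lands in a rule.
check_hosts() {
    [ $# -ge 1 ] || { echo "need at least one allowed host" >&2; return 1; }
    for h in "$@"; do
        case "$h" in
            ''|*[!0-9./]*) echo "not an IPv4 address/CIDR: $h" >&2; return 1 ;;
        esac
    done
}

# es_rules N HOST...: ES ports 9200-920N and 9300-930N (the range given in
# the text) reachable only from the other Elasticsearch, capture and viewer
# hosts. Include this machine's own address if its nodes use it to peer.
es_rules() {
    case "${1:-}" in
        [1-9]) n=$1; shift ;;
        *) echo "N must be a single digit 1-9" >&2; return 1 ;;
    esac
    check_hosts "$@" || return 1
    ports="9200:920${n},9300:930${n}"
    for h in "$@"; do
        echo "iptables -A INPUT -p tcp -s $h -m multiport --dports $ports -j ACCEPT"
    done
    # Appended last, so every source not listed above is dropped.
    echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j DROP"
}

# viewer_rules HOST...: viewer port 8005 reachable only from other viewers
# (for every viewer host except the Apache/viewer box).
viewer_rules() {
    check_hosts "$@" || return 1
    for h in "$@"; do
        echo "iptables -A INPUT -p tcp -s $h --dport 8005 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 8005 -j DROP"
}

# Constructed sample: 2 ES instances per machine, three peer hosts.
es_rules 2 10.0.0.11 10.0.0.12 10.0.0.21
viewer_rules 10.0.0.21 10.0.0.22
```

Because the ACCEPT lines are emitted before the DROP, the output can be reviewed and then applied in order; a malformed host or instance count is rejected before any rule is printed.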
Multiple Hosts Monitoring Multiple Network Segments
Multiple Hosts Monitoring High Traffic Networks
- Using a Network Packet Broker (NPB) allows traffic to be load balanced and recombined. This is especially useful in HA or asymmetric routing cases
- By using an NPB, other security devices can see the same traffic Moloch sees
- When running multiple moloch-capture processes on the same host, make sure the IO doesn’t overwhelm the disk and other subsystems.
- Use a TAP with high traffic networks since many mirror ports drop traffic under heavy load
- Operators use an Apache-fronted viewer and don’t hit the other viewers directly. Apache provides authentication.
- Lock down ES and the Moloch viewer with iptables
- It is possible to use a single ES cluster using the prefix= ini configuration
- Operators use Apache-fronted viewers and don’t hit the other viewers directly. Apache provides authentication. Virtual paths can be used to route to different clusters.
- NPBs are recommended for high traffic networks
– NOTICE: db.pl upgrade is required
– viewer – upgrade to d3 v5 for connections page
– viewer – typeahead history for spigraph/connections
– viewer – stats tasks page has a num item selector now
– viewer – welcome message for new users
– viewer – save the last time a user used moloch
– viewer – two --debug will display why proxying traffic
– viewer – connections now uses ipv6.port and ipv4:port
– viewer – fix date/time picker timezone and input bugs
– wise – support json paths
– wise – improve alienvault loading
– capture – more tcpflags fields can be matched with rules
– capture – print more stats at exit with --debug
– capture – fix small bpf memory leak
– capture – rules can support most .cnt fields
– capture – fix OBR if cert has no serial
– capture – libfuzzer support and initial fixes
– parliament – add no alert cluster type
– parliament – remove selected acknowledged issues
– parliament – add help page
Copyright 2012-2017 AOL Inc