Thursday, April 9, 2015

Extending Search Granularity with Moloch Filters

In the course of investigating over 5,000 alerts one evening, from one IP, I needed to use Moloch to eliminate the alerts that bounced off the wall and concentrate on anything that might have succeeded.
If we disregard the possibility of servers leaking too much information via their stock error page, we can use Moloch to look at packets from the attackers IP and a status code of 200.

ip == x.x.x.x && http.statuscode == 200

That’s a great start, but in this case, that still left a LOT of sessions to investigate (65). Could I use Moloch to further pare down the number of sessions? Turns out I could. After sorting by bytes to seethe sessions with data flow, I found out the attacker had hit a site that had no default landing page.

The first sessions I found had a data content size of 1,856 bytes. Now I can use the databytes filter in Moloch to specify any sessions with over 1,856 bytes.

ip == x.x.x.x && http.statuscode == 200 && databytes > 1856

I also found the same error message, from the same server, with byte sizes of 1,905, 1,915 and 1,944. The differing sizes are due to the size of content in the client header. Now I can specify a data size greater than 1,944 and eliminate all of the “no default landing page error” sessions.

ip == x.x.x.x && http.statuscode == 200 && databytes > 1944

I've now narrowed my investigation from 65 sessions down to 7.

1 comment:

Dan Popp said...

Nice little write-up, very cool stuff. I am a big fan of Maloc, wish it could do IPv6 though... Anyway I found you on , you were the only person following my current employer (Pwnie Express). Not sure if you've taken a look at us lately, but we're doing some cool things in the IoT space.

Blog Archive