In the course of investigating over 5,000 alerts one evening, from one IP, I needed to use Moloch to eliminate the alerts that bounced off the wall and concentrate on anything that might have succeeded.
If we disregard the possibility of servers leaking too much information via their stock error page, we can use Moloch to look at packets from the attackers IP and a status code of 200.
ip == x.x.x.x && http.statuscode == 200
That’s a great start, but in this case, that still left a LOT of sessions to investigate (65). Could I use Moloch to further pare down the number of sessions? Turns out I could. After sorting by bytes to seethe sessions with data flow, I found out the attacker had hit a site that had no default landing page.
The first sessions I found had a data content size of 1,856 bytes. Now I can use the databytes filter in Moloch to specify any sessions with over 1,856 bytes.
ip == x.x.x.x && http.statuscode == 200 && databytes > 1856
I also found the same error message, from the same server, with byte sizes of 1,905, 1,915 and 1,944. The differing sizes are due to the size of content in the client header. Now I can specify a data size greater than 1,944 and eliminate all of the “no default landing page error” sessions.
ip == x.x.x.x && http.statuscode == 200 && databytes > 1944
I've now narrowed my investigation from 65 sessions down to 7.
