New to Moloch


Jay Hawk

Feb 17, 2018, 6:03:50 PM
to Moloch Full Packet Capture
Hey guys, 
I just heard about Moloch after someone on my team recently stood up an instance to analyze some PCAP data we had sitting around, but I haven't gotten to play with it yet. 

Could someone give me a quick breakdown on it? I've got a lot of knowledge on SecurityOnion - Why would someone use Moloch over say the new SecurityOnion-Elastic? What does Moloch do better/different or offer that SecurityOnion doesn't?


Thanks!
-Jay

Andy

Feb 18, 2018, 1:09:23 PM
to Moloch Full Packet Capture
https://molo.ch/ you might get more responses on the slack channel.  Haven't heard of SecurityOnion-Elastic.

Thanks,
Andy

Jay Hawk

Feb 18, 2018, 3:24:18 PM
to Moloch Full Packet Capture
SecurityOnion is a popular NSM that uses pfring/netsniff-ng to capture packets, Bro to generate logs, Snort/Suricata/OSSEC to do signature-based intrusion detection and much more. In fact it seems to do many things Moloch does and then some... it is being updated to use elasticsearch and kibana (currently open beta).

http://blog.securityonion.net/2018/01/security-onion-elastic-stack-release.html?m=1

Thanks for the heads up. The slack didn't seem very active. But I'll check it out. Thanks for the reply.

Andy

Feb 18, 2018, 4:24:44 PM
to Moloch Full Packet Capture
Yep, I know what security onion is, just hadn't heard of securityonion-elastic and couldn't find much info from Google.  That link doesn't really explain either.  If you are happy with the FPC inside security onion then Moloch might not be for you, if you want a tool that is built from the ground up around FPC then check out Moloch.

Thanks,
Andy

Jay Hawk

Feb 18, 2018, 8:31:04 PM
to Moloch Full Packet Capture
Ah, yeah, that wasn't the best link, this one might be better: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic
The elastic update is still currently in testing, but they've really come a long way with it already and their current RC has been solid. If you scroll through some of the blog posts it lays out the system pretty well. Here's how they've built out their architecture if you're curious: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture... and you could definitely argue it's built around PCAP also - they ingest and store PCAP for analysis but also process it with Bro in order to make analysis easier.

But yeah I was curious about Moloch, is the entire packet indexed into elastic-search?

Andy

Feb 19, 2018, 6:30:50 AM
to Moloch Full Packet Capture

Note, I've never used SO in production and in general I don't like doing comparisons with other tools, especially ones I haven't used.

On Sunday, February 18, 2018 at 8:31:04 PM UTC-5, Jay Hawk wrote:
Ah, yeah, that wasn't the best link, this one might be better: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic

Still doesn't summarize what the SOElastic project is.  What I think it is from googling:
* SO now ships with ElasticStack using docker
* SO now sends everything to ElasticStack (or the tools do)
* SO now provides a bunch of Kibana dashboards and fronts all the UI with a reverse proxy that allows SSO
* this makes pivoting/searching/... better.

Sounds great
 
The elastic update is still currently in testing, but they've really come a long way with it already and their current RC has been solid. If you scroll through some of the blog posts it lays out the system pretty well. Here's how they've built out their architecture if you're curious: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture... and you could definitely argue it's built around PCAP also - they ingest and store PCAP for analysis but also process it with Bro in order to make analysis easier.

That's great they have improved their PCAP handling, and when I say PCAP I mean PCAP files, not network sniffing.  Previously I know you had to use tcpreplay to ingest PCAP, which lost timestamps.


But yeah I was curious about Moloch, is the entire packet indexed into elastic-search?


No, only the metadata, some portion of the raw data, and a portion of post data.

Moloch is a FPC system.  It isn't an IDS or log generator.  So comparing SO and Moloch is a Fruit vs Apple discussion.  Most folks still run suricata and/or bro with Moloch.  In a SO world it doesn't always make sense to run Moloch, since SO is a collection of tools integrated for you, unless you need a FPC system also.  I know some folks have done work to integrate Moloch and SO, they might be good folks to talk to.

Thanks,
Andy
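To illustrate the split Andy describes above (raw packets stay on disk in the pcap file, only per-session metadata plus the offsets needed to pull packets back later go into the index), here is a toy pure-stdlib model. This is an added example, not Moloch's own code or storage format; the pcap bytes, addresses (RFC 5737 range) and timestamps are constructed for the demo.

```python
"""Toy FPC index: raw frames stay in the pcap, the index holds only metadata."""
import struct

def ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, link_type=1):
    """Serialize (timestamp, frame) pairs as a little-endian pcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type))
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def index_sessions(pcap):
    """Return SPI-style session records keyed by a direction-independent 5-tuple.
    Only metadata and record offsets are stored; packet bytes are never copied."""
    sessions, off = {}, 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        if frame[12:14] == b"\x08\x00" and frame[23] == 6:   # IPv4 carrying TCP
            ihl = (frame[14] & 0x0F) * 4
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            key = tuple(sorted([(src, sport), (dst, dport)]))
            s = sessions.setdefault(key, {"packets": 0, "bytes": 0, "first": ts,
                                          "last": ts, "offsets": []})
            s["packets"] += 1; s["bytes"] += caplen; s["last"] = ts
            s["offsets"].append(off)
        off += 16 + caplen
    return sessions

def fetch_packets(pcap, session):
    """Pull the raw frames of one indexed session back out of the pcap by offset."""
    return [pcap[o + 16:o + 16 + struct.unpack_from("<IIII", pcap, o)[2]]
            for o in session["offsets"]]

# Constructed sample capture: one two-way TCP session and one unrelated packet.
FRAMES = [
    (1518911000, ipv4_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, b"hello")),
    (1518911001, ipv4_tcp_frame("192.0.2.10", "10.0.0.5", 443, 51000, b"world!")),
    (1518911002, ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 22, b"x")),
]
PCAP = build_pcap(FRAMES)
```

Searching the index is cheap because it holds counts, endpoints and timestamps, not payloads; the payload is only read when a session is fetched.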
