NA-1024 Network Traffic Analysis with Moloch

Presented at Texas Cyber Summit 2019, Oct. 11, 2019, 11 a.m. (60 minutes).

Moloch is an open-source tool for full network traffic capture and analysis. https://molo.ch/ Trying to get a handle on what's happening on your network? Network defenders need a thorough understanding of traffic on their networks, and Moloch is an excellent way to get insight into what's happening on the wire. Moloch is a free and open-source platform for full packet capture and analysis. It's scalable from small to very large applications and packages a whole bundle of handy tools, from connection maps to a built-in CyberChef instance for decoding and analysis. Moloch makes an excellent threat hunting application. Analysts can pivot seamlessly from traffic metadata to raw capture analysis. Want to try another tool, or look at an old capture? Moloch ingests and exports standard PCAP files. I'll walk you through the basics first. We'll talk about the Sessions, SPI, and Connections views. We'll talk about Moloch's customization options, where to find documentation, and how you can structure your workflow to chase down important artifacts quickly. Once we're comfortable with the bread and butter, we'll look at some of Moloch's advanced features. Hunts, recurring cron queries, and Moloch's powerful API will be the focus. To cap things off, we'll take some time to walk through some publicly-available PCAP to apply our newfound skills. You should leave this talk with a solid understanding of how to leverage Moloch for your own investigations - sure to come in handy if you plan to compete in certain CTFs...

Presenters:

  • Robert Wilson - Government
    Robert is an elementary school teacher-turned-information security analyst. He holds certifications in network and host forensics and has been working with Moloch for almost two years.

Links:

Similar Presentations: