Moloch Study Notes
Introduction:
Moloch is not meant to replace an intrusion detection system. It is designed to provide fast indexing of pcap data, and so gives a more direct interface for analysing security events quickly.
Search bar:
Most Moloch versions have a search bar at the top of the page. The dropdown next to it selects which session timestamp the time window is applied to: every session has a first-packet timestamp, a last-packet timestamp and a database timestamp, so Moloch offers a choice for each situation.
First Packet: the timestamp of the session's first packet falls within the time window
Last Packet: the timestamp of the session's last packet falls within the time window
Bounded: both the first and the last packet of the session fall within the time window
Session Overlaps: the session's first packet is before the end of the window and its last packet is after the start of the window, i.e. any overlap with the window matches
Database: the timestamp at which the session was written to the database falls within the time window
Search expressions:
Wildcard *: e.g. http.uri == "www.f*k.com" matches www.fork.com or www.frack.com
Regular expressions
Lists: e.g. protocols == [http,ssh]
IP: e.g. ip == 1.2.3/24:80 or ip == [1.2.3.4,1.3/16] (abbreviated CIDR notation and an optional :port suffix are accepted)
Numbers: e.g. bytes <= 10000 or port == [80,443,23]
Dates: starttime == "2004/07/31 05:33:41" or stoptime == ["2004/07/31 05:33:41","2004/07/31 06:33:41"]; + or - can be used to express an offset
Testing whether a field exists: field == EXISTS! (the field is present), field != EXISTS! (the field is absent). Example: cert.issuer.cn != EXISTS! && cert.issuer.on == EXISTS! matches certificates that have no issuer common name but do have an issuer organization name.
(country == RU || country == CN) && port == 80 && host == *com filters all sessions on port 80 whose hostname ends in "com" and that involve China or Russia (note that *com is a suffix match, not a substring match)
tags == "http:content:text/plain" && country == CA && packets < 20 filters sessions tagged as plain-text HTTP content, involving Canada, with fewer than 20 packets
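The time-bounding options and the expression syntax above, assembled programmatically rather than typed by hand. This is an added example, not code from the original notes or from the Moloch project. It assumes the viewer's /sessions.json endpoint with the query parameters expression, startTime, stopTime (epoch seconds) and bounding, where bounding takes the values first, last, both, either and database for the dropdown options First Packet, Last Packet, Bounded, Session Overlaps and Database; HTTP digest authentication; the matching sessions under the "data" key of the response; and that the expression parser accepts backslash-escaped double quotes inside a quoted operand. Verify each of these against your Moloch version. The viewer URL and credentials are placeholders.

```python
# Added example: build Moloch search expressions and /sessions.json parameters.
# Endpoint, parameter names, bounding values and digest auth are assumptions.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Dropdown label -> value of the viewer's "bounding" parameter (assumed names).
BOUNDING = {
    "First Packet": "first",
    "Last Packet": "last",
    "Bounded": "both",
    "Session Overlaps": "either",
    "Database": "database",
}
OPERATORS = {"==", "!=", "<", "<=", ">", ">="}

def quote(value: str) -> str:
    """Quote a string operand, escaping backslashes and double quotes so a
    value copied from evidence (a URI, a User-Agent) cannot close the operand
    and splice in its own && / || clauses. The '*' wildcard passes through."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render(value, raw: bool) -> str:
    """Render one operand: integers bare, strings quoted unless raw=True."""
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    return str(value) if raw else quote(str(value))

def term(field: str, op: str, value, raw: bool = False) -> str:
    """One comparison in Moloch syntax. Lists become [a,b,c]; the special
    operand EXISTS! is emitted verbatim; raw=True leaves strings unquoted
    (IPs/CIDRs such as 1.2.3/24:80, bare tokens such as RU or *com)."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    if isinstance(value, str) and value == "EXISTS!":
        if op not in ("==", "!="):
            raise ValueError("EXISTS! only combines with == or !=")
        operand = "EXISTS!"
    elif isinstance(value, (list, tuple)):
        operand = "[" + ",".join(render(v, raw) for v in value) + "]"
    else:
        operand = render(value, raw)
    return f"{field} {op} {operand}"

def any_of(*terms: str) -> str:
    """OR terms, parenthesised so the group binds before a surrounding &&."""
    return "(" + " || ".join(terms) + ")"

def all_of(*terms: str) -> str:
    """AND terms."""
    return " && ".join(terms)

def utc(*ymdhms: int) -> datetime:
    """Timezone-aware UTC datetime from (year, month, day, hour, min, sec)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def session_query(expression: str, start: datetime, stop: datetime,
                  bounding: str = "Last Packet", length: int = 50) -> dict:
    """Parameters for /sessions.json; the window is applied to the session
    timestamp chosen by `bounding`. Naive datetimes are rejected because an
    implicit local timezone silently shifts the window."""
    if start.tzinfo is None or stop.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if bounding not in BOUNDING:
        raise ValueError(f"unknown bounding option {bounding!r}")
    return {"expression": expression, "startTime": int(start.timestamp()),
            "stopTime": int(stop.timestamp()), "bounding": BOUNDING[bounding],
            "length": length}

def fetch_sessions(viewer_url: str, user: str, password: str, params: dict) -> list:
    """Run the query against a live viewer over digest auth (needs network;
    viewer_url and the credentials are placeholders)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, viewer_url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    url = viewer_url.rstrip("/") + "/sessions.json?" + urllib.parse.urlencode(params)
    with opener.open(url, timeout=30) as resp:
        return json.load(resp)["data"]

if __name__ == "__main__":
    # The two hunts from the notes above, assembled from parts.
    geo_http = all_of(any_of(term("country", "==", "RU", raw=True),
                             term("country", "==", "CN", raw=True)),
                      term("port", "==", 80), term("host", "==", "*com", raw=True))
    odd_certs = all_of(term("cert.issuer.cn", "!=", "EXISTS!"),
                       term("cert.issuer.on", "==", "EXISTS!"))
    window = (utc(2004, 7, 31, 5, 33, 41), utc(2004, 7, 31, 6, 33, 41))
    print(session_query(geo_http, *window, bounding="Bounded"))
    print(session_query(odd_certs, *window, bounding="Session Overlaps"))
    # fetch_sessions("https://moloch.example:8005", "analyst", "secret", params)
```

The point of quote() is the one that matters when this is automated: an indicator pulled from an alert or a ticket goes into the expression as data, not as syntax, so a crafted URI containing a double quote cannot turn a narrow hunt into `|| ip == EXISTS!` and dump everything. The raw=True escape hatch exists only for tokens you typed yourself.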
Sessions
The Sessions tab is the main place for analysing traffic.
SPI View
SPI (Session Profile Information) View lists the SPI fields and the values seen in the sessions matching the current search, which is how you drill into session details.
The fields available for searching are listed below:
Name | Exp | Operators | Data Type | What? |
---|---|---|---|---|
ASN | asn.dns | ==, != | mixed case string | GeoIP ASN string calculated from the IP from DNS result |
ASN | asn.dns.mailserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for mailservers |
ASN | asn.dns.nameserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for nameservers |
ASN | asn.email | ==, != | mixed case string | GeoIP ASN string calculated from the Email IP address |
ASN | asn.socks | ==, != | mixed case string | GeoIP ASN string calculated from the SOCKS destination IP |
GEO | country.dns | ==, != | upper case string | GeoIP country string calculated from the IP from DNS result |
GEO | country.dns.mailserver | ==, != | upper case string | GeoIP country string calculated from the IPs for mailservers |
GEO | country.dns.nameserver | ==, != | upper case string | GeoIP country string calculated from the IPs for nameservers |
GEO | country.email | ==, != | upper case string | GeoIP country string calculated from the Email IP address |
GEO | country.socks | ==, != | upper case string | GeoIP country string calculated from the SOCKS destination IP |
RIR | rir.dns | ==, != | upper case string | Regional Internet Registry string calculated from IP from DNS result |
RIR | rir.dns.mailserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for mailservers |
RIR | rir.dns.nameserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for nameservers |
RIR | rir.email | ==, != | upper case string | Regional Internet Registry string calculated from Email IP address |
RIR | rir.socks | ==, != | upper case string | Regional Internet Registry string calculated from SOCKS destination IP |
All ASN fields | asn | ==, != | mixed case string | Search all ASN fields |
All country fields | country | ==, != | upper case string | Search all country fields |
All Host | host.dns.all | ==, != | lower case string | Shorthand for host.dns or host.dns.nameserver |
All Host fields | host | ==, != | lower case string | Search all Host fields |
All IP fields | ip | ==, != | ip | Search all ip fields |
All port fields | port | <, <=, ==, >=, >, != | integer | Search all port fields |
All rir fields | rir | ==, != | upper case string | Search all rir fields |
Alt Name | cert.alt | ==, != | lower case string | Certificate alternative names |
Alt Name Cnt | cert.alt.cnt | <, <=, ==, >=, >, != | integer | Unique number of Certificate alternative names |
Application | postgresql.app | ==, != | mixed case string | Postgresql application |
Asset | asset | ==, != | lower case string | Asset name |
Asset Cnt | asset.cnt | <, <=, ==, >=, >, != | integer | Unique number of Asset name |
Attach Content-Type | email.file-content-type | ==, != | mixed case string | Email attachment content types |
Attach Content-Type Cnt | email.file-content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment content types |
Attach MD5s | email.md5 | ==, != | mixed case string | Email attachment MD5s |
Attach MD5s Cnt | email.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment MD5s |
Auth Type | http.authtype | ==, != | lower case string | HTTP Auth Type |
Auth Type | ldap.authtype | ==, != | mixed case string | The auth type of ldap bind |
Auth Type Cnt | http.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth Type |
Auth Type Cnt | ldap.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of The auth type of ldap bind |
Bind Name | ldap.bindname | ==, != | mixed case string | The bind name of ldap bind |
Bind Name Cnt | ldap.bindname.cnt | <, <=, ==, >=, >, != | integer | Unique number of The bind name of ldap bind |
Body Magic | email.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
Body Magic | http.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic |
Body Magic Cnt | email.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of The content type of body determined by libfile/magic |
Body Magic Cnt | http.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of The content type of body determined by libfile/magic |
Body MD5 | http.md5 | ==, != | lower case string | MD5 of http body response |
Body MD5 Cnt | http.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of MD5 of http body response |
Bytes | bytes | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent AND received in a session |
Cert Cnt | cert.cnt | <, <=, ==, >=, >, != | integer | Count of certificates |
Channel | irc.channel | ==, != | mixed case string | Channels joined |
Channel Cnt | irc.channel.cnt | <, <=, ==, >=, >, != | integer | Unique number of Channels joined |
Cipher | tls.cipher | ==, != | upper case string | SSL/TLS cipher field |
Cipher Cnt | tls.cipher.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS cipher field |
Client MAC | dhcp.mac | ==, != | lower case string | Client ethernet MAC |
Client MAC Cnt | dhcp.mac.cnt | <, <=, ==, >=, >, != | integer | Unique number of Client ethernet MAC |
Client OUI | dhcp.oui | ==, != | mixed case string | Client ethernet OUI |
Client OUI Cnt | dhcp.oui.cnt | <, <=, ==, >=, >, != | integer | Unique number of Client ethernet OUI |
cname | krb5.cname | ==, != | mixed case string | Kerberos 5 cname |
cname Cnt | krb5.cname.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 cname |
Content-Type | email.content-type | ==, != | mixed case string | Email content-type header |
Content-Type Cnt | email.content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email content-type header |
Cookie Keys | http.cookie.key | ==, != | mixed case string | The keys to cookies sent up in requests |
Cookie Keys Cnt | http.cookie.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of The keys to cookies sent up in requests |
Cookie Values | http.cookie.value | ==, != | mixed case string | The values to cookies sent up in requests |
Cookie Values Cnt | http.cookie.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of The values to cookies sent up in requests |
Data bytes | databytes | <, <=, ==, >=, >, != | integer | Total number of data bytes sent AND received in a session |
Database | postgresql.db | ==, != | mixed case string | Postgresql database |
Days Valid For | cert.validfor | <, <=, ==, >=, >, != | integer | Certificate is valid for this many days |
Domain | smb.domain | ==, != | mixed case string | SMB domain |
Domain Cnt | smb.domain.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB domain |
Dst ASN | asn.dst | ==, != | mixed case string | GeoIP ASN string calculated from the destination IP |
Dst Bytes | bytes.dst | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent by destination in a session |
Dst Country | country.dst | ==, != | upper case string | Destination Country |
Dst data bytes | databytes.dst | <, <=, ==, >=, >, != | integer | Total number of data bytes sent by destination in a session |
Dst IP | ip.dst | ==, != | ip | Destination IP |
Dst MAC | mac.dst | ==, != | lower case string | Destination ethernet mac addresses set for session |
Dst MAC Cnt | mac.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Destination ethernet mac addresses set for session |
Dst OUI | oui.dst | ==, != | mixed case string | Destination ethernet oui set for session |
Dst OUI Cnt | oui.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Destination ethernet oui set for session |
Dst Packets | packets.dst | <, <=, ==, >=, >, != | integer | Total number of packets sent by destination in a session |
Dst Port | port.dst | <, <=, ==, >=, >, != | integer | Destination Port |
Dst RIR | rir.dst | ==, != | upper case string | Destination RIR |
Dst Session Id | tls.sessionid.dst | ==, != | lower case string | SSL/TLS Dst Session Id |
Dst Version | http.version.dst | ==, != | mixed case string | Response HTTP version number |
Dst Version Cnt | http.version.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response HTTP version number |
Endpoint IP | radius.endpoint-ip | ==, != | ip | Radius endpoint ip addresses for session |
Endpoint IP ASN | radius.endpoint-ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the Radius endpoint ip addresses for session |
Endpoint IP Cnt | radius.endpoint-ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius endpoint ip addresses for session |
Endpoint IP GEO | radius.endpoint-ip.country | ==, != | upper case string | GeoIP country string calculated from the Radius endpoint ip addresses for session |
Endpoint IP RIR | radius.endpoint-ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from Radius endpoint ip addresses for session |
Filename | file | | | Moloch offline pcap filename |
Filename | smb.fn | ==, != | mixed case string | SMB files opened, created, deleted |
Filename Cnt | smb.fn.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB files opened, created, deleted |
Filenames | email.fn | ==, != | mixed case string | Email attachment filenames |
Filenames Cnt | email.fn.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment filenames |
Framed IP | radius.framed-ip | ==, != | ip | Radius framed ip addresses for session |
Framed IP ASN | radius.framed-ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the Radius framed ip addresses for session |
Framed IP Cnt | radius.framed-ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius framed ip addresses for session |
Framed IP GEO | radius.framed-ip.country | ==, != | upper case string | GeoIP country string calculated from the Radius framed ip addresses for session |
Framed IP RIR | radius.framed-ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from Radius framed ip addresses for session |
GRE IP | gre.ip | ==, != | ip | GRE ip addresses for session |
GRE IP ASN | gre.ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the GRE ip addresses for session |
GRE IP Cnt | gre.ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of GRE ip addresses for session |
GRE IP GEO | gre.ip.country | ==, != | upper case string | GeoIP country string calculated from the GRE ip addresses for session |
GRE IP RIR | gre.ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from GRE ip addresses for session |
Has Dst Header | http.hasheader.dst | ==, != | lower case string | Response has header present |
Has Dst Header Cnt | http.hasheader.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response has header present |
Has Src Header | http.hasheader.src | ==, != | lower case string | Request has header present |
Has Src Header Cnt | http.hasheader.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Request has header present |
Has Src or Dst Header | http.hasheader | ==, != | lower case string | Shorthand for http.hasheader.src or http.hasheader.dst |
Has Value in Src or Dst Header | http.hasheader.value | ==, != | lower case string | Shorthand for http.hasheader.src.value or http.hasheader.dst.value |
Hash | cert.hash | ==, != | lower case string | SHA1 hash of entire certificate |
HASSH | ssh.hassh | ==, != | lower case string | SSH HASSH field |
HASSH Cnt | ssh.hassh.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH HASSH field |
HASSH Server | ssh.hasshServer | ==, != | lower case string | SSH HASSH Server field |
HASSH Server Cnt | ssh.hasshServer.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH HASSH Server field |
Header | email.has-header | ==, != | lower case string | Email has the header set |
Header Cnt | email.has-header.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email has the header set |
Header Value | email.has-header.value | ==, != | mixed case string | Email has the header value |
Header Value Cnt | email.has-header.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email has the header value |
Host | dhcp.host | ==, != | lower case string | DHCP Host |
Host | host.dns | ==, != | lower case string | DNS lookup hostname |
Host | host.socks | ==, != | lower case string | SOCKS destination host |
Host | oracle.host | ==, != | lower case string | Oracle Host |
Host Cnt | dhcp.host.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Host |
Host Cnt | host.dns.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup hostname |
Hostname | host.email | ==, != | lower case string | Email hostnames |
Hostname | host.http | ==, != | lower case string | HTTP host header field |
Hostname | host.quic | ==, != | lower case string | QUIC host header field |
Hostname | host.smb | ==, != | mixed case string | SMB Host name |
Hostname Cnt | host.email.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email hostnames |
Hostname Cnt | host.http.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP host header field |
Hostname Cnt | host.quic.cnt | <, <=, ==, >=, >, != | integer | Unique number of QUIC host header field |
Hostname Cnt | host.smb.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB Host name |
Hunt ID | huntId | ==, != | mixed case string | The ID of the packet search job that matched this session |
Hunt Name | huntName | ==, != | mixed case string | The name of the packet search job that matched this session |
ICMP Code | icmp.code | <, <=, ==, >=, >, != | integer | ICMP code field values |
ICMP Type | icmp.type | <, <=, ==, >=, >, != | integer | ICMP type field values |
Id | email.message-id | ==, != | mixed case string | Email Message-Id header |
Id Cnt | email.message-id.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email Message-Id header |
IP | ip.dns | ==, != | ip | IP from DNS result |
IP | ip.dns.all | ==, != | ip | Shorthand for ip.dns or ip.dns.nameserver |
IP | ip.dns.mailserver | ==, != | ip | IPs for mailservers |
IP | ip.dns.nameserver | ==, != | ip | IPs for nameservers |
IP | ip.email | ==, != | ip | Email IP address |
IP | ip.socks | ==, != | ip | SOCKS destination IP |
IP Cnt | ip.dns.cnt | <, <=, ==, >=, >, != | integer | Unique number of IP from DNS result |
IP Cnt | ip.dns.mailserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of IPs for mailservers |
IP Cnt | ip.dns.nameserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of IPs for nameservers |
IP Cnt | ip.email.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email IP address |
IP Protocol | ip.protocol | ==, != | lower case string | IP protocol number or friendly name |
Issuer CN | cert.issuer.cn | ==, != | lower case string | Issuer's common name |
Issuer ON | cert.issuer.on | ==, != | mixed case string | Issuer's organization name |
JA3 | tls.ja3 | ==, != | lower case string | SSL/TLS JA3 field |
JA3 Cnt | tls.ja3.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS JA3 field |
JA3S | tls.ja3s | ==, != | lower case string | SSL/TLS JA3S field |
JA3S Cnt | tls.ja3s.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS JA3S field |
Key | ssh.key | ==, != | mixed case string | SSH Key |
Key Cnt | ssh.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH Key |
MAC | radius.mac | ==, != | lower case string | Radius Mac |
MAC Cnt | radius.mac.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius Mac |
Mime-Version | email.mime-version | ==, != | mixed case string | Email Mime-Version header |
Mime-Version Cnt | email.mime-version.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email Mime-Version header |
Moloch ID | id | ==, != | mixed case string | Moloch ID for the session |
Moloch Node | node | ==, != | mixed case string | Moloch node name the session was recorded on |
Moloch Root ID | rootId | ==, != | mixed case string | Moloch ID of the first session in a multi session stream |
MX Host | host.dns.mailserver | ==, != | lower case string | Hostnames for Mail Exchange Server |
MX Host Cnt | host.dns.mailserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of Hostnames for Mail Exchange Server |
Nickname | irc.nick | ==, != | mixed case string | Nicknames set |
Nickname Cnt | irc.nick.cnt | <, <=, ==, >=, >, != | integer | Unique number of Nicknames set |
Not After | cert.notafter | <, <=, ==, >=, >, != | date time | Certificate is not valid after this date |
Not Before | cert.notbefore | <, <=, ==, >=, >, != | date time | Certificate is not valid before this date |
NS Host | host.dns.nameserver | ==, != | lower case string | Hostnames for Name Server |
NS Host Cnt | host.dns.nameserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of Hostnames for Name Server |
Op Code | dns.opcode | ==, != | upper case string | DNS lookup op code |
Op Code Cnt | dns.opcode.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup op code |
OS | smb.os | ==, != | mixed case string | SMB OS information |
OS Cnt | smb.os.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB OS information |
Packets | packets | <, <=, ==, >=, >, != | integer | Total number of packets sent AND received in a session |
Payload Dst Hex | payload8.dst.hex | ==, != | lower case string | First 8 bytes of destination payload in hex |
Payload Dst UTF8 | payload8.dst.utf8 | ==, != | mixed case string | First 8 bytes of destination payload in utf8 |
Payload Hex | payload8.hex | ==, != | lower case string | First 8 bytes of payload in hex |
Payload Src Hex | payload8.src.hex | ==, != | lower case string | First 8 bytes of source payload in hex |
Payload Src UTF8 | payload8.src.utf8 | ==, != | mixed case string | First 8 bytes of source payload in utf8 |
Payload UTF8 | payload8.utf8 | ==, != | mixed case string | First 8 bytes of payload in utf8 |
Port | port.socks | <, <=, ==, >=, >, != | integer | SOCKS destination port |
Protocols | protocols | ==, != | mixed case string | Protocols set for session |
Protocols Cnt | protocols.cnt | <, <=, ==, >=, >, != | integer | Unique number of Protocols set for session |
Puny | dns.puny | ==, != | lower case string | DNS lookup punycode |
Puny Cnt | dns.puny.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup punycode |
QS Keys | http.uri.key | ==, != | mixed case string | Keys from query string of URI |
QS Keys Cnt | http.uri.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of Keys from query string of URI |
QS Values | http.uri.value | ==, != | mixed case string | Values from query string of URI |
QS Values Cnt | http.uri.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Values from query string of URI |
Query Class | dns.query.class | ==, != | upper case string | DNS lookup query class |
Query Class Cnt | dns.query.class.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup query class |
Query Type | dns.query.type | ==, != | upper case string | DNS lookup query type |
Query Type Cnt | dns.query.type.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup query type |
Realm | krb5.realm | ==, != | mixed case string | Kerberos 5 Realm |
Realm Cnt | krb5.realm.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 Realm |
Receiver | email.dst | ==, != | lower case string | Email to address |
Receiver Cnt | email.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email to address |
Request Body | http.reqbody | ==, != | mixed case string | HTTP Request Body |
Request Header Values | http.hasheader.src.value | ==, != | lower case string | Contains request header values |
Request Header Values Cnt | http.hasheader.src.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Contains request header values |
Request Method | http.method | ==, != | mixed case string | HTTP Request Method |
Request Method Cnt | http.method.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Request Method |
Response Header Values | http.hasheader.dst.value | ==, != | lower case string | Contains response header values |
Response Header Values Cnt | http.hasheader.dst.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Contains response header values |
Scrubbed By | scrubbed.by | ==, != | lower case string | SPI data was scrubbed by |
Sender | email.src | ==, != | lower case string | Email from address |
Sender Cnt | email.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email from address |
Serial Number | cert.serial | ==, != | lower case string | Serial Number |
Service | oracle.service | ==, != | lower case string | Oracle Service |
Session Length | session.length | <, <=, ==, >=, >, != | integer | Session Length in milliseconds so far |
Session Segments | session.segments | <, <=, ==, >=, >, != | integer | Number of segments in session so far |
Share | smb.share | ==, != | mixed case string | SMB shares connected to |
Share Cnt | smb.share.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB shares connected to |
sname | krb5.sname | ==, != | mixed case string | Kerberos 5 sname |
sname Cnt | krb5.sname.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 sname |
Src ASN | asn.src | ==, != | mixed case string | GeoIP ASN string calculated from the source IP |
Src Bytes | bytes.src | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent by source in a session |
Src Country | country.src | ==, != | upper case string | Source Country |
Src data bytes | databytes.src | <, <=, ==, >=, >, != | integer | Total number of data bytes sent by source in a session |
Src IP | ip.src | ==, != | ip | Source IP |
Src MAC | mac.src | ==, != | lower case string | Source ethernet mac addresses set for session |
Src MAC Cnt | mac.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Source ethernet mac addresses set for session |
Src or Dst MAC | mac | ==, != | lower case string | Shorthand for mac.src or mac.dst |
Src or Dst Session Id | tls.sessionid | ==, != | lower case string | Shorthand for tls.sessionid.src or tls.sessionid.dst |
Src OUI | oui.src | ==, != | mixed case string | Source ethernet oui set for session |
Src OUI Cnt | oui.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Source ethernet oui set for session |
Src Packets | packets.src | <, <=, ==, >=, >, != | integer | Total number of packets sent by source in a session |
Src Port | port.src | <, <=, ==, >=, >, != | integer | Source Port |
Src RIR | rir.src | ==, != | upper case string | Source RIR |
Src Session Id | tls.sessionid.src | ==, != | lower case string | SSL/TLS Src Session Id |
Src Version | http.version.src | ==, != | mixed case string | Request HTTP version number |
Src Version Cnt | http.version.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Request HTTP version number |
Start Time | starttime | <, <=, ==, >=, >, != | date time | Session Start Time |
Status Code | dns.status | ==, != | upper case string | DNS lookup return code |
Status Code | http.statuscode | <, <=, ==, >=, >, != | integer | Response HTTP numeric status code |
Status Code Cnt | dns.status.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup return code |
Status Code Cnt | http.statuscode.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response HTTP numeric status code |
Stop Time | stoptime | <, <=, ==, >=, >, != | date time | Session Stop Time |
Subject | email.subject | ==, != | mixed case string | Email subject header |
Subject CN | cert.subject.cn | ==, != | lower case string | Subject's common name |
Subject Cnt | email.subject.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email subject header |
Subject ON | cert.subject.on | ==, != | mixed case string | Subject's organization name |
Tags | tags | ==, != | mixed case string | Tags set for session |
Tags Cnt | tags.cnt | <, <=, ==, >=, >, != | integer | Unique number of Tags set for session |
TCP Flag ACK | tcpflags.ack | <, <=, ==, >=, >, != | integer | Count of packets with only the ACK flag set |
TCP Flag FIN | tcpflags.fin | <, <=, ==, >=, >, != | integer | Count of packets with FIN flag set |
TCP Flag PSH | tcpflags.psh | <, <=, ==, >=, >, != | integer | Count of packets with PSH flag set |
TCP Flag RST | tcpflags.rst | <, <=, ==, >=, >, != | integer | Count of packets with RST flag set |
TCP Flag SYN | tcpflags.syn | <, <=, ==, >=, >, != | integer | Count of packets with SYN and no ACK flag set |
TCP Flag SYN-ACK | tcpflags.syn-ack | <, <=, ==, >=, >, != | integer | Count of packets with SYN and ACK flag set |
TCP Flag URG | tcpflags.urg | <, <=, ==, >=, >, != | integer | Count of packets with URG flag set |
Transaction id | dhcp.id | ==, != | lower case string | DHCP Transaction Id |
Transaction id Cnt | dhcp.id.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Transaction Id |
Type | dhcp.type | ==, != | upper case string | DHCP Type |
Type Cnt | dhcp.type.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Type |
URI | http.uri | ==, != | mixed case string | URIs for request |
URI Cnt | http.uri.cnt | <, <=, ==, >=, >, != | integer | Unique number of URIs for request |
URI Path | http.uri.path | ==, != | mixed case string | Path portion of URI |
URI Path Cnt | http.uri.path.cnt | <, <=, ==, >=, >, != | integer | Unique number of Path portion of URI |
User | http.user | ==, != | mixed case string | HTTP Auth User |
User | mysql.user | ==, != | lower case string | Mysql user name |
User | oracle.user | ==, != | lower case string | Oracle User |
User | postgresql.user | ==, != | mixed case string | Postgresql user name |
User | radius.user | ==, != | mixed case string | RADIUS user |
User | smb.user | ==, != | mixed case string | SMB User |
User | socks.user | ==, != | mixed case string | SOCKS authenticated user |
User | user | ==, != | lower case string | External user set for session |
User Cnt | http.user.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth User |
User Cnt | smb.user.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB User |
User Cnt | user.cnt | <, <=, ==, >=, >, != | integer | Unique number of External user set for session |
User-Agent | quic.user-agent | ==, != | mixed case string | User-Agent |
User-Agent Cnt | quic.user-agent.cnt | <, <=, ==, >=, >, != | integer | Unique number of User-Agent |
Useragent | http.user-agent | ==, != | mixed case string | User-Agent Header |
Useragent Cnt | http.user-agent.cnt | <, <=, ==, >=, >, != | integer | Unique number of User-Agent Header |
Version | http.version | ==, != | mixed case string | HTTP version number |
Version | mysql.ver | ==, != | mixed case string | Mysql server version string |
Version | quic.version | ==, != | mixed case string | QUIC Version |
Version | smb.ver | ==, != | mixed case string | SMB Version information |
Version | ssh.ver | ==, != | lower case string | SSH Software Version |
Version | tls.version | ==, != | mixed case string | SSL/TLS version field |
Version Cnt | quic.version.cnt | <, <=, ==, >=, >, != | integer | Unique number of QUIC Version |
Version Cnt | smb.ver.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB Version information |
Version Cnt | ssh.ver.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH Software Version |
Version Cnt | tls.version.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS version field |
View Name | view | | | Moloch view name |
VLan | vlan | <, <=, ==, >=, >, != | integer | vlan value |
VLan Cnt | vlan.cnt | <, <=, ==, >=, >, != | integer | Unique number of vlan value |
X-Mailer Header | email.x-mailer | ==, != | mixed case string | Email X-Mailer header |
X-Mailer Header Cnt | email.x-mailer.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email X-Mailer header |
XFF ASN | asn.xff | ==, != | mixed case string | GeoIP ASN string calculated from the X-Forwarded-For Header |
XFF GEO | country.xff | ==, != | upper case string | GeoIP country string calculated from the X-Forwarded-For Header |
XFF RIR | rir.xff | ==, != | upper case string | Regional Internet Registry string calculated from X-Forwarded-For Header |
XFF IP | ip.xff | ==, != | ip | X-Forwarded-For Header |
XFF IP Cnt | ip.xff.cnt | <, <=, ==, >=, >, != | integer | Unique number of X-Forwarded-For Header |