
Moloch學習筆記

Introduction:
    Moloch is not meant to replace an intrusion detection system. Its purpose is to provide fast, indexed access to pcap data, and it gives analysts a more direct interface for quickly working through security incidents.

Search bar:
    Most Moloch versions have a search bar at the top of the page. A dropdown next to it controls which timestamps the time window is applied to: every session carries a first-packet timestamp, a last-packet timestamp and a database timestamp, and Moloch offers a bounding option for each situation.
    First Packet: the timestamp of the first packet received for the session falls inside the window
    Last Packet: the timestamp of the last packet received for the session falls inside the window
    Bounded: both the first and the last packet of the session fall inside the window
    Session Overlaps: the first packet arrived before the window ends and the last packet after the window starts, i.e. any session that touches the window at all
    Database: the time the session record was written to the database falls inside the window
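To make the five bounding modes concrete, here is an added example (not Moloch's own code) that applies each one to a handful of constructed sessions over a window from t=600 to t=1200. The field names firstPacket, lastPacket and dbTime are illustrative, not Moloch's storage schema. The record to watch is late_write: every packet-based mode finds it, but Database mode misses it because the record was flushed after the window closed, which is exactly the case that catches analysts out when a long-lived flow is indexed late.

```python
"""Which sessions a query window selects under each of Moloch's time-bounding modes.

Added example, not Moloch's own code: the five predicates implement the dropdown
options described above, applied to constructed session records that carry the
first-packet, last-packet and database-write timestamps as epoch seconds.
"""
from typing import Any, Callable, Dict, List

Session = Dict[str, Any]

# Constructed sample sessions; the query window used below runs from t=600 to t=1200.
SESSIONS: List[Session] = [
    {"id": "inside",        "firstPacket": 700,  "lastPacket": 900,  "dbTime": 950},
    {"id": "starts_before", "firstPacket": 500,  "lastPacket": 800,  "dbTime": 850},
    {"id": "ends_after",    "firstPacket": 1000, "lastPacket": 1500, "dbTime": 1550},
    {"id": "spans",         "firstPacket": 100,  "lastPacket": 2000, "dbTime": 2050},
    {"id": "outside",       "firstPacket": 1300, "lastPacket": 1400, "dbTime": 1450},
    # All of this flow's packets are in the window, but its record was only
    # written to the database after the window closed (long session, late flush).
    {"id": "late_write",    "firstPacket": 650,  "lastPacket": 1150, "dbTime": 1300},
]

Predicate = Callable[[Session, int, int], bool]

BOUNDING: Dict[str, Predicate] = {
    # the session's first packet lies in the window
    "First Packet":     lambda s, lo, hi: lo <= s["firstPacket"] <= hi,
    # the session's last packet lies in the window
    "Last Packet":      lambda s, lo, hi: lo <= s["lastPacket"] <= hi,
    # both the first and the last packet lie in the window
    "Bounded":          lambda s, lo, hi: lo <= s["firstPacket"] and s["lastPacket"] <= hi,
    # first packet before the window ends and last packet after it starts:
    # any session that touches the window at all
    "Session Overlaps": lambda s, lo, hi: s["firstPacket"] <= hi and s["lastPacket"] >= lo,
    # the time the record was written to the database lies in the window
    "Database":         lambda s, lo, hi: lo <= s["dbTime"] <= hi,
}


def select(mode: str, lo: int, hi: int, sessions: List[Session] = SESSIONS) -> List[str]:
    """Return the ids of the sessions that the given bounding mode selects."""
    pred = BOUNDING[mode]
    return [str(s["id"]) for s in sessions if pred(s, lo, hi)]


if __name__ == "__main__":
    for mode in BOUNDING:
        print("%-16s %s" % (mode, select(mode, 600, 1200)))
```

Session Overlaps is the widest net (five of the six records), Bounded the narrowest; Database is the only mode whose answer depends on when the capture node wrote the record rather than on the traffic itself.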

Search:
    Wildcard *: e.g. http.uri=="www.f*k.com" matches www.fork.com as well as www.frack.com
    Regular expressions
    Lists: e.g. protocols == [http,ssh]
    IP addresses: e.g. ip == 1.2.3/24:80    ip == [1.2.3.4,1.3/16]
    Numbers: e.g. bytes <= 10000    port == [80,443,23]
    Dates: starttime == "2004/07/31 05:33:41"    stoptime == ["2004/07/31 05:33:41","2004/07/31 06:33:41"]    a + or - prefix expresses a relative offset
    Testing whether a field is present: field == EXISTS! for present, field != EXISTS! for absent. Example: cert.issuer.cn != EXISTS! && cert.issuer.on == EXISTS! finds certificates that carry no issuer common name but do carry an issuer organization name
    (country == RU || country == CN) && port == 80 && host == *com    all sessions on port 80 that involve China or Russia and in which some host name field ends in "com"
    tags == "http:content:text/plain" && country == CA && packets < 20
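The rules above can be checked against a small evaluator. The following is an added example, not Moloch's code: a parser and matcher for the subset of the syntax shown on this page (&&, ||, parentheses, == and != with * wildcards and [lists], numeric comparisons, EXISTS!, ip values with a CIDR prefix and :port, and bare shorthands such as ip, port, host and country), run over three constructed session records. The case-insensitive string matching and the prefix fan-out in fields_for are simplifications of Moloch's per-field behaviour, not its implementation.

```python
"""Evaluate a subset of Moloch's session search syntax over in-memory records.

Added example, not Moloch's own code. Covers &&, ||, parentheses, == / != with *
wildcards and [lists], numeric <, <=, >, >=, EXISTS!, ip values with a CIDR prefix
and optional :port, and bare shorthands (ip, port, host, country) that fan out to
every field with that prefix. Strings match case-insensitively here, a simplification.
"""
import fnmatch
import ipaddress
import re
from typing import Any, Dict, List

Session = Dict[str, Any]
OPS = ("==", "!=", "<", "<=", ">", ">=")
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|<=|>=|<|>|"[^"]*"|\[[^\]]*\]|EXISTS!|[^\s()\[\]"=<>!]+)')


def tokenize(text: str) -> List[str]:
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize at offset %d" % pos)
        out.append(m.group(1)); pos = m.end()
    return out


class Parser:
    """expr := term ('||' term)*   term := factor ('&&' factor)*   factor := '(' expr ')' | field op value"""
    def __init__(self, text: str): self.toks, self.i = tokenize(text), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): tok = self.peek(); self.i += 1; return tok
    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take(); node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take(); node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == "(":
            self.take(); node = self.expr()
            if self.take() != ")": raise ValueError("missing )")
            return node
        field, op, raw = self.take(), self.take(), self.take()
        if op not in OPS or raw is None: raise ValueError("malformed comparison near %r" % field)
        values = raw[1:-1].split(",") if raw.startswith("[") else [raw]   # [a,b] hits if any element hits
        return ("cmp", field, op, [v.strip().strip('"') for v in values])


def ip_spec(value: str):
    """'1.2.3/24:80' -> (IPv4Network 1.2.3.0/24, 80); a short '1.3' is padded to 1.3.0.0/16."""
    addr, _, port = value.partition(":")
    addr, _, bits = addr.partition("/")
    octets = addr.split(".")
    prefix = int(bits) if bits else 8 * len(octets)
    net = ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % prefix, strict=False)
    return net, (int(port) if port else None)


def fields_for(session: Session, name: str) -> List[str]:
    if name in session or "." in name:
        return [name]
    return [k for k in session if k.startswith(name + ".")]   # ip -> ip.src, ip.dst, ip.xff, ...


def match_one(op: str, actual: Any, value: str, session: Session, key: str) -> bool:
    if op in ("<", "<=", ">", ">="):
        n = int(value)
        return {"<": actual < n, "<=": actual <= n, ">": actual > n, ">=": actual >= n}[op]
    if key.startswith("ip."):
        net, port = ip_spec(value)
        side_ports = session.get(key.replace("ip.", "port.", 1), [])   # :port binds to the same side
        return ipaddress.ip_address(actual) in net and (port is None or port in side_ports)
    if isinstance(actual, int):
        return actual == int(value)
    return fnmatch.fnmatchcase(str(actual).lower(), value.lower())   # * and ? wildcards


def evaluate(node, session: Session) -> bool:
    if node[0] in ("or", "and"):
        left, right = evaluate(node[1], session), evaluate(node[2], session)
        return (left or right) if node[0] == "or" else (left and right)
    _, field, op, values = node
    keys = fields_for(session, field)
    if values == ["EXISTS!"]:
        hit = any(session.get(k) for k in keys)
    else:
        hit = any(match_one("==" if op == "!=" else op, a, v, session, k)
                  for k in keys for a in session.get(k, []) for v in values)
    return not hit if op == "!=" else hit   # != means no stored value matches


def search(query: str, sessions: List[Session]) -> List[str]:
    parser = Parser(query); tree = parser.expr()
    if parser.peek() is not None: raise ValueError("unexpected %r" % parser.peek())
    return [s["id"] for s in sessions if evaluate(tree, s)]


# Constructed sample sessions: id is a plain string, every other field is a list of values.
SESSIONS: List[Session] = [
    {"id": "s1", "ip.src": ["10.0.0.5"], "ip.dst": ["1.2.3.4"], "port.src": [51000], "port.dst": [80],
     "country.dst": ["RU"], "host.http": ["update.example.com"], "http.uri": ["www.fork.com"],
     "protocols": ["tcp", "http"], "bytes": [4200], "packets": [12], "cert.issuer.on": ["Example Org"]},
    {"id": "s2", "ip.src": ["10.0.0.9"], "ip.dst": ["1.3.9.9"], "port.src": [52000], "port.dst": [22],
     "country.dst": ["CN"], "protocols": ["tcp", "ssh"], "bytes": [98000], "packets": [300]},
    {"id": "s3", "ip.src": ["10.0.0.7"], "ip.dst": ["8.8.8.8"], "port.src": [53000], "port.dst": [443],
     "country.dst": ["US"], "host.http": ["cdn.example.net"], "protocols": ["tcp", "tls"],
     "bytes": [15000], "packets": [40], "cert.issuer.cn": ["Example CA"], "cert.issuer.on": ["Example Org"]},
]
```

search('cert.issuer.cn != EXISTS! && cert.issuer.on == EXISTS!', SESSIONS) returns ['s1'], the only record with an issuer organization but no issuer CN, and search('ip == 1.2.3/24:80', SESSIONS) also returns ['s1'] because the :80 is checked against the port on the same side as the matching address; changing it to :443 returns nothing even though 1.2.3.4 still matches the prefix.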
Sessions:
    The Sessions tab is the main view for analysing the captured traffic.
SPI View:
    The SPI (Session Profile Information) view lists, for each field, the distinct values seen across the sessions matching the current query and how often each occurs; it is the view used to analyse sessions in detail and to pivot on a value.

The fields available for searching are listed below.

Name | Exp | Operators | Data Type | What?
---- | --- | --------- | --------- | -----
ASN | asn.dns | ==, != | mixed case string | GeoIP ASN string calculated from the IP from DNS result
ASN | asn.dns.mailserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for mailservers
ASN | asn.dns.nameserver | ==, != | mixed case string | GeoIP ASN string calculated from the IPs for nameservers
ASN | asn.email | ==, != | mixed case string | GeoIP ASN string calculated from the Email IP address
ASN | asn.socks | ==, != | mixed case string | GeoIP ASN string calculated from the SOCKS destination IP
GEO | country.dns | ==, != | upper case string | GeoIP country string calculated from the IP from DNS result
GEO | country.dns.mailserver | ==, != | upper case string | GeoIP country string calculated from the IPs for mailservers
GEO | country.dns.nameserver | ==, != | upper case string | GeoIP country string calculated from the IPs for nameservers
GEO | country.email | ==, != | upper case string | GeoIP country string calculated from the Email IP address
GEO | country.socks | ==, != | upper case string | GeoIP country string calculated from the SOCKS destination IP
RIR | rir.dns | ==, != | upper case string | Regional Internet Registry string calculated from IP from DNS result
RIR | rir.dns.mailserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for mailservers
RIR | rir.dns.nameserver | ==, != | upper case string | Regional Internet Registry string calculated from IPs for nameservers
RIR | rir.email | ==, != | upper case string | Regional Internet Registry string calculated from Email IP address
RIR | rir.socks | ==, != | upper case string | Regional Internet Registry string calculated from SOCKS destination IP
All ASN fields | asn | ==, != | mixed case string | Search all ASN fields
All country fields | country | ==, != | upper case string | Search all country fields
All Host | host.dns.all | ==, != | lower case string | Shorthand for host.dns or host.dns.nameserver
All Host fields | host | ==, != | lower case string | Search all Host fields
All IP fields | ip | ==, != | ip | Search all ip fields
All port fields | port | <, <=, ==, >=, >, != | integer | Search all port fields
All rir fields | rir | ==, != | upper case string | Search all rir fields
Alt Name | cert.alt | ==, != | lower case string | Certificate alternative names
Alt Name Cnt | cert.alt.cnt | <, <=, ==, >=, >, != | integer | Unique number of Certificate alternative names
Application | postgresql.app | ==, != | mixed case string | Postgresql application
Asset | asset | ==, != | lower case string | Asset name
Asset Cnt | asset.cnt | <, <=, ==, >=, >, != | integer | Unique number of Asset name
Attach Content-Type | email.file-content-type | ==, != | mixed case string | Email attachment content types
Attach Content-Type Cnt | email.file-content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment content types
Attach MD5s | email.md5 | ==, != | mixed case string | Email attachment MD5s
Attach MD5s Cnt | email.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment MD5s
Auth Type | http.authtype | ==, != | lower case string | HTTP Auth Type
Auth Type | ldap.authtype | ==, != | mixed case string | The auth type of ldap bind
Auth Type Cnt | http.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth Type
Auth Type Cnt | ldap.authtype.cnt | <, <=, ==, >=, >, != | integer | Unique number of the auth type of ldap bind
Bind Name | ldap.bindname | ==, != | mixed case string | The bind name of ldap bind
Bind Name Cnt | ldap.bindname.cnt | <, <=, ==, >=, >, != | integer | Unique number of the bind name of ldap bind
Body Magic | email.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic
Body Magic | http.bodymagic | ==, != | mixed case string | The content type of body determined by libfile/magic
Body Magic Cnt | email.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of the content type of body determined by libfile/magic
Body Magic Cnt | http.bodymagic.cnt | <, <=, ==, >=, >, != | integer | Unique number of the content type of body determined by libfile/magic
Body MD5 | http.md5 | ==, != | lower case string | MD5 of http body response
Body MD5 Cnt | http.md5.cnt | <, <=, ==, >=, >, != | integer | Unique number of MD5 of http body response
Bytes | bytes | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent AND received in a session
Cert Cnt | cert.cnt | <, <=, ==, >=, >, != | integer | Count of certificates
Channel | irc.channel | ==, != | mixed case string | Channels joined
Channel Cnt | irc.channel.cnt | <, <=, ==, >=, >, != | integer | Unique number of Channels joined
Cipher | tls.cipher | ==, != | upper case string | SSL/TLS cipher field
Cipher Cnt | tls.cipher.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS cipher field
Client MAC | dhcp.mac | ==, != | lower case string | Client ethernet MAC
Client MAC Cnt | dhcp.mac.cnt | <, <=, ==, >=, >, != | integer | Unique number of Client ethernet MAC
Client OUI | dhcp.oui | ==, != | mixed case string | Client ethernet OUI
Client OUI Cnt | dhcp.oui.cnt | <, <=, ==, >=, >, != | integer | Unique number of Client ethernet OUI
cname | krb5.cname | ==, != | mixed case string | Kerberos 5 cname
cname Cnt | krb5.cname.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 cname
Content-Type | email.content-type | ==, != | mixed case string | Email content-type header
Content-Type Cnt | email.content-type.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email content-type header
Cookie Keys | http.cookie.key | ==, != | mixed case string | The keys to cookies sent up in requests
Cookie Keys Cnt | http.cookie.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of the keys to cookies sent up in requests
Cookie Values | http.cookie.value | ==, != | mixed case string | The values to cookies sent up in requests
Cookie Values Cnt | http.cookie.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of the values to cookies sent up in requests
Data bytes | databytes | <, <=, ==, >=, >, != | integer | Total number of data bytes sent AND received in a session
Database | postgresql.db | ==, != | mixed case string | Postgresql database
Days Valid For | cert.validfor | <, <=, ==, >=, >, != | integer | Certificate is valid for this many days
Domain | smb.domain | ==, != | mixed case string | SMB domain
Domain Cnt | smb.domain.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB domain
Dst ASN | asn.dst | ==, != | mixed case string | GeoIP ASN string calculated from the destination IP
Dst Bytes | bytes.dst | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent by destination in a session
Dst Country | country.dst | ==, != | upper case string | Destination Country
Dst data bytes | databytes.dst | <, <=, ==, >=, >, != | integer | Total number of data bytes sent by destination in a session
Dst IP | ip.dst | ==, != | ip | Destination IP
Dst MAC | mac.dst | ==, != | lower case string | Destination ethernet mac addresses set for session
Dst MAC Cnt | mac.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Destination ethernet mac addresses set for session
Dst OUI | oui.dst | ==, != | mixed case string | Destination ethernet oui set for session
Dst OUI Cnt | oui.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Destination ethernet oui set for session
Dst Packets | packets.dst | <, <=, ==, >=, >, != | integer | Total number of packets sent by destination in a session
Dst Port | port.dst | <, <=, ==, >=, >, != | integer | Destination Port
Dst RIR | rir.dst | ==, != | upper case string | Destination RIR
Dst Session Id | tls.sessionid.dst | ==, != | lower case string | SSL/TLS Dst Session Id
Dst Version | http.version.dst | ==, != | mixed case string | Response HTTP version number
Dst Version Cnt | http.version.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response HTTP version number
Endpoint IP | radius.endpoint-ip | ==, != | ip | Radius endpoint ip addresses for session
Endpoint IP ASN | radius.endpoint-ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the Radius endpoint ip addresses for session
Endpoint IP Cnt | radius.endpoint-ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius endpoint ip addresses for session
Endpoint IP GEO | radius.endpoint-ip.country | ==, != | upper case string | GeoIP country string calculated from the Radius endpoint ip addresses for session
Endpoint IP RIR | radius.endpoint-ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from Radius endpoint ip addresses for session
Filename | file | | | Moloch offline pcap filename
Filename | smb.fn | ==, != | mixed case string | SMB files opened, created, deleted
Filename Cnt | smb.fn.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB files opened, created, deleted
Filenames | email.fn | ==, != | mixed case string | Email attachment filenames
Filenames Cnt | email.fn.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email attachment filenames
Framed IP | radius.framed-ip | ==, != | ip | Radius framed ip addresses for session
Framed IP ASN | radius.framed-ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the Radius framed ip addresses for session
Framed IP Cnt | radius.framed-ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius framed ip addresses for session
Framed IP GEO | radius.framed-ip.country | ==, != | upper case string | GeoIP country string calculated from the Radius framed ip addresses for session
Framed IP RIR | radius.framed-ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from Radius framed ip addresses for session
GRE IP | gre.ip | ==, != | ip | GRE ip addresses for session
GRE IP ASN | gre.ip.asn | ==, != | mixed case string | GeoIP ASN string calculated from the GRE ip addresses for session
GRE IP Cnt | gre.ip.cnt | <, <=, ==, >=, >, != | integer | Unique number of GRE ip addresses for session
GRE IP GEO | gre.ip.country | ==, != | upper case string | GeoIP country string calculated from the GRE ip addresses for session
GRE IP RIR | gre.ip.rir | ==, != | upper case string | Regional Internet Registry string calculated from GRE ip addresses for session
Has Dst Header | http.hasheader.dst | ==, != | lower case string | Response has header present
Has Dst Header Cnt | http.hasheader.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response has header present
Has Src Header | http.hasheader.src | ==, != | lower case string | Request has header present
Has Src Header Cnt | http.hasheader.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Request has header present
Has Src or Dst Header | http.hasheader | ==, != | lower case string | Shorthand for http.hasheader.src or http.hasheader.dst
Has Value in Src or Dst Header | http.hasheader.value | ==, != | lower case string | Shorthand for http.hasheader.src.value or http.hasheader.dst.value
Hash | cert.hash | ==, != | lower case string | SHA1 hash of entire certificate
HASSH | ssh.hassh | ==, != | lower case string | SSH HASSH field
HASSH Cnt | ssh.hassh.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH HASSH field
HASSH Server | ssh.hasshServer | ==, != | lower case string | SSH HASSH Server field
HASSH Server Cnt | ssh.hasshServer.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH HASSH Server field
Header | email.has-header | ==, != | lower case string | Email has the header set
Header Cnt | email.has-header.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email has the header set
Header Value | email.has-header.value | ==, != | mixed case string | Email has the header value
Header Value Cnt | email.has-header.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email has the header value
Host | dhcp.host | ==, != | lower case string | DHCP Host
Host | host.dns | ==, != | lower case string | DNS lookup hostname
Host | host.socks | ==, != | lower case string | SOCKS destination host
Host | oracle.host | ==, != | lower case string | Oracle Host
Host Cnt | dhcp.host.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Host
Host Cnt | host.dns.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup hostname
Hostname | host.email | ==, != | lower case string | Email hostnames
Hostname | host.http | ==, != | lower case string | HTTP host header field
Hostname | host.quic | ==, != | lower case string | QUIC host header field
Hostname | host.smb | ==, != | mixed case string | SMB Host name
Hostname Cnt | host.email.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email hostnames
Hostname Cnt | host.http.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP host header field
Hostname Cnt | host.quic.cnt | <, <=, ==, >=, >, != | integer | Unique number of QUIC host header field
Hostname Cnt | host.smb.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB Host name
Hunt ID | huntId | ==, != | mixed case string | The ID of the packet search job that matched this session
Hunt Name | huntName | ==, != | mixed case string | The name of the packet search job that matched this session
ICMP Code | icmp.code | <, <=, ==, >=, >, != | integer | ICMP code field values
ICMP Type | icmp.type | <, <=, ==, >=, >, != | integer | ICMP type field values
Id | email.message-id | ==, != | mixed case string | Email Message-Id header
Id Cnt | email.message-id.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email Message-Id header
IP | ip.dns | ==, != | ip | IP from DNS result
IP | ip.dns.all | ==, != | ip | Shorthand for ip.dns or ip.dns.nameserver
IP | ip.dns.mailserver | ==, != | ip | IPs for mailservers
IP | ip.dns.nameserver | ==, != | ip | IPs for nameservers
IP | ip.email | ==, != | ip | Email IP address
IP | ip.socks | ==, != | ip | SOCKS destination IP
IP Cnt | ip.dns.cnt | <, <=, ==, >=, >, != | integer | Unique number of IP from DNS result
IP Cnt | ip.dns.mailserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of IPs for mailservers
IP Cnt | ip.dns.nameserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of IPs for nameservers
IP Cnt | ip.email.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email IP address
IP Protocol | ip.protocol | ==, != | lower case string | IP protocol number or friendly name
Issuer CN | cert.issuer.cn | ==, != | lower case string | Issuer's common name
Issuer ON | cert.issuer.on | ==, != | mixed case string | Issuer's organization name
JA3 | tls.ja3 | ==, != | lower case string | SSL/TLS JA3 field
JA3 Cnt | tls.ja3.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS JA3 field
JA3S | tls.ja3s | ==, != | lower case string | SSL/TLS JA3S field
JA3S Cnt | tls.ja3s.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS JA3S field
Key | ssh.key | ==, != | mixed case string | SSH Key
Key Cnt | ssh.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH Key
MAC | radius.mac | ==, != | lower case string | Radius Mac
MAC Cnt | radius.mac.cnt | <, <=, ==, >=, >, != | integer | Unique number of Radius Mac
Mime-Version | email.mime-version | ==, != | mixed case string | Email Mime-Version header
Mime-Version Cnt | email.mime-version.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email Mime-Version header
Moloch ID | id | ==, != | mixed case string | Moloch ID for the session
Moloch Node | node | ==, != | mixed case string | Moloch node name the session was recorded on
Moloch Root ID | rootId | ==, != | mixed case string | Moloch ID of the first session in a multi session stream
MX Host | host.dns.mailserver | ==, != | lower case string | Hostnames for Mail Exchange Server
MX Host Cnt | host.dns.mailserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of Hostnames for Mail Exchange Server
Nickname | irc.nick | ==, != | mixed case string | Nicknames set
Nickname Cnt | irc.nick.cnt | <, <=, ==, >=, >, != | integer | Unique number of Nicknames set
Not After | cert.notafter | | | Certificate is not valid after this date
Not Before | cert.notbefore | | | Certificate is not valid before this date
NS Host | host.dns.nameserver | ==, != | lower case string | Hostnames for Name Server
NS Host Cnt | host.dns.nameserver.cnt | <, <=, ==, >=, >, != | integer | Unique number of Hostnames for Name Server
Op Code | dns.opcode | ==, != | upper case string | DNS lookup op code
Op Code Cnt | dns.opcode.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup op code
OS | smb.os | ==, != | mixed case string | SMB OS information
OS Cnt | smb.os.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB OS information
Packets | packets | <, <=, ==, >=, >, != | integer | Total number of packets sent AND received in a session
Payload Dst Hex | payload8.dst.hex | ==, != | lower case string | First 8 bytes of destination payload in hex
Payload Dst UTF8 | payload8.dst.utf8 | ==, != | mixed case string | First 8 bytes of destination payload in utf8
Payload Hex | payload8.hex | ==, != | lower case string | First 8 bytes of payload in hex
Payload Src Hex | payload8.src.hex | ==, != | lower case string | First 8 bytes of source payload in hex
Payload Src UTF8 | payload8.src.utf8 | ==, != | mixed case string | First 8 bytes of source payload in utf8
Payload UTF8 | payload8.utf8 | ==, != | lower case string | First 8 bytes of payload in utf8
Port | port.socks | <, <=, ==, >=, >, != | integer | SOCKS destination port
Protocols | protocols | ==, != | mixed case string | Protocols set for session
Protocols Cnt | protocols.cnt | <, <=, ==, >=, >, != | integer | Unique number of Protocols set for session
Puny | dns.puny | ==, != | lower case string | DNS lookup punycode
Puny Cnt | dns.puny.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup punycode
QS Keys | http.uri.key | ==, != | mixed case string | Keys from query string of URI
QS Keys Cnt | http.uri.key.cnt | <, <=, ==, >=, >, != | integer | Unique number of Keys from query string of URI
QS Values | http.uri.value | ==, != | mixed case string | Values from query string of URI
QS Values Cnt | http.uri.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Values from query string of URI
Query Class | dns.query.class | ==, != | upper case string | DNS lookup query class
Query Class Cnt | dns.query.class.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup query class
Query Type | dns.query.type | ==, != | upper case string | DNS lookup query type
Query Type Cnt | dns.query.type.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup query type
Realm | krb5.realm | ==, != | mixed case string | Kerberos 5 Realm
Realm Cnt | krb5.realm.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 Realm
Receiver | email.dst | ==, != | lower case string | Email to address
Receiver Cnt | email.dst.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email to address
Request Body | http.reqbody | ==, != | mixed case string | HTTP Request Body
Request Header Values | http.hasheader.src.value | ==, != | lower case string | Contains request header values
Request Header Values Cnt | http.hasheader.src.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Contains request header values
Request Method | http.method | ==, != | mixed case string | HTTP Request Method
Request Method Cnt | http.method.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Request Method
Response Header Values | http.hasheader.dst.value | ==, != | lower case string | Contains response header values
Response Header Values Cnt | http.hasheader.dst.value.cnt | <, <=, ==, >=, >, != | integer | Unique number of Contains response header values
Scrubbed By | scrubbed.by | ==, != | lower case string | SPI data was scrubbed by
Sender | email.src | ==, != | lower case string | Email from address
Sender Cnt | email.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email from address
Serial Number | cert.serial | ==, != | lower case string | Serial Number
Service | oracle.service | ==, != | lower case string | Oracle Service
Session Length | session.length | <, <=, ==, >=, >, != | integer | Session Length in milliseconds so far
Session Segments | session.segments | <, <=, ==, >=, >, != | integer | Number of segments in session so far
Share | smb.share | ==, != | mixed case string | SMB shares connected to
Share Cnt | smb.share.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB shares connected to
sname | krb5.sname | ==, != | mixed case string | Kerberos 5 sname
sname Cnt | krb5.sname.cnt | <, <=, ==, >=, >, != | integer | Unique number of Kerberos 5 sname
Src ASN | asn.src | ==, != | mixed case string | GeoIP ASN string calculated from the source IP
Src Bytes | bytes.src | <, <=, ==, >=, >, != | integer | Total number of raw bytes sent by source in a session
Src Country | country.src | ==, != | upper case string | Source Country
Src data bytes | databytes.src | <, <=, ==, >=, >, != | integer | Total number of data bytes sent by source in a session
Src IP | ip.src | ==, != | ip | Source IP
Src MAC | mac.src | ==, != | lower case string | Source ethernet mac addresses set for session
Src MAC Cnt | mac.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Source ethernet mac addresses set for session
Src or Dst MAC | mac | ==, != | lower case string | Shorthand for mac.src or mac.dst
Src or Dst Session Id | tls.sessionid | ==, != | lower case string | Shorthand for tls.sessionid.src or tls.sessionid.dst
Src OUI | oui.src | ==, != | mixed case string | Source ethernet oui set for session
Src OUI Cnt | oui.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Source ethernet oui set for session
Src Packets | packets.src | <, <=, ==, >=, >, != | integer | Total number of packets sent by source in a session
Src Port | port.src | <, <=, ==, >=, >, != | integer | Source Port
Src RIR | rir.src | ==, != | upper case string | Source RIR
Src Session Id | tls.sessionid.src | ==, != | lower case string | SSL/TLS Src Session Id
Src Version | http.version.src | ==, != | mixed case string | Request HTTP version number
Src Version Cnt | http.version.src.cnt | <, <=, ==, >=, >, != | integer | Unique number of Request HTTP version number
Start Time | starttime | <, <=, ==, >=, >, != | date time | Session Start Time
Status Code | dns.status | ==, != | upper case string | DNS lookup return code
Status Code | http.statuscode | <, <=, ==, >=, >, != | integer | Response HTTP numeric status code
Status Code Cnt | dns.status.cnt | <, <=, ==, >=, >, != | integer | Unique number of DNS lookup return code
Status Code Cnt | http.statuscode.cnt | <, <=, ==, >=, >, != | integer | Unique number of Response HTTP numeric status code
Stop Time | stoptime | <, <=, ==, >=, >, != | date time | Session Stop Time
Subject | email.subject | ==, != | mixed case string | Email subject header
Subject CN | cert.subject.cn | ==, != | lower case string | Subject's common name
Subject Cnt | email.subject.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email subject header
Subject ON | cert.subject.on | ==, != | mixed case string | Subject's organization name
Tags | tags | ==, != | mixed case string | Tags set for session
Tags Cnt | tags.cnt | <, <=, ==, >=, >, != | integer | Unique number of Tags set for session
TCP Flag ACK | tcpflags.ack | <, <=, ==, >=, >, != | integer | Count of packets with only the ACK flag set
TCP Flag FIN | tcpflags.fin | <, <=, ==, >=, >, != | integer | Count of packets with FIN flag set
TCP Flag PSH | tcpflags.psh | <, <=, ==, >=, >, != | integer | Count of packets with PSH flag set
TCP Flag RST | tcpflags.rst | <, <=, ==, >=, >, != | integer | Count of packets with RST flag set
TCP Flag SYN | tcpflags.syn | <, <=, ==, >=, >, != | integer | Count of packets with SYN and no ACK flag set
TCP Flag SYN-ACK | tcpflags.syn-ack | <, <=, ==, >=, >, != | integer | Count of packets with SYN and ACK flag set
TCP Flag URG | tcpflags.urg | <, <=, ==, >=, >, != | integer | Count of packets with URG flag set
Transaction id | dhcp.id | ==, != | lower case string | DHCP Transaction Id
Transaction id Cnt | dhcp.id.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Transaction Id
Type | dhcp.type | ==, != | upper case string | DHCP Type
Type Cnt | dhcp.type.cnt | <, <=, ==, >=, >, != | integer | Unique number of DHCP Type
URI | http.uri | ==, != | mixed case string | URIs for request
URI Cnt | http.uri.cnt | <, <=, ==, >=, >, != | integer | Unique number of URIs for request
URI Path | http.uri.path | ==, != | mixed case string | Path portion of URI
URI Path Cnt | http.uri.path.cnt | <, <=, ==, >=, >, != | integer | Unique number of Path portion of URI
User | http.user | ==, != | mixed case string | HTTP Auth User
User | mysql.user | ==, != | lower case string | Mysql user name
User | oracle.user | ==, != | lower case string | Oracle User
User | postgresql.user | ==, != | mixed case string | Postgresql user name
User | radius.user | ==, != | mixed case string | RADIUS user
User | smb.user | ==, != | mixed case string | SMB User
User | socks.user | ==, != | mixed case string | SOCKS authenticated user
User | user | ==, != | lower case string | External user set for session
User Cnt | http.user.cnt | <, <=, ==, >=, >, != | integer | Unique number of HTTP Auth User
User Cnt | smb.user.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB User
User Cnt | user.cnt | <, <=, ==, >=, >, != | integer | Unique number of External user set for session
User-Agent | quic.user-agent | ==, != | mixed case string | User-Agent
User-Agent Cnt | quic.user-agent.cnt | <, <=, ==, >=, >, != | integer | Unique number of User-Agent
Useragent | http.user-agent | ==, != | mixed case string | User-Agent Header
Useragent Cnt | http.user-agent.cnt | <, <=, ==, >=, >, != | integer | Unique number of User-Agent Header
Version | http.version | ==, != | mixed case string | HTTP version number
Version | mysql.ver | ==, != | mixed case string | Mysql server version string
Version | quic.version | ==, != | mixed case string | QUIC Version
Version | smb.ver | ==, != | mixed case string | SMB Version information
Version | ssh.ver | ==, != | lower case string | SSH Software Version
Version | tls.version | ==, != | mixed case string | SSL/TLS version field
Version Cnt | quic.version.cnt | <, <=, ==, >=, >, != | integer | Unique number of QUIC Version
Version Cnt | smb.ver.cnt | <, <=, ==, >=, >, != | integer | Unique number of SMB Version information
Version Cnt | ssh.ver.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSH Software Version
Version Cnt | tls.version.cnt | <, <=, ==, >=, >, != | integer | Unique number of SSL/TLS version field
View Name | view | | | Moloch view name
VLan | vlan | <, <=, ==, >=, >, != | integer | vlan value
VLan Cnt | vlan.cnt | <, <=, ==, >=, >, != | integer | Unique number of vlan value
X-Mailer Header | email.x-mailer | ==, != | mixed case string | Email X-Mailer header
X-Mailer Header Cnt | email.x-mailer.cnt | <, <=, ==, >=, >, != | integer | Unique number of Email X-Mailer header
XFF ASN | asn.xff | ==, != | mixed case string | GeoIP ASN string calculated from the X-Forwarded-For Header
XFF GEO | country.xff | ==, != | upper case string | GeoIP country string calculated from the X-Forwarded-For Header
XFF RIR | rir.xff | ==, != | upper case string | Regional Internet Registry string calculated from X-Forwarded-For Header
XFF IP | ip.xff | ==, != | ip | X-Forwarded-For Header
XFF IP Cnt | ip.xff.cnt | <, <=, ==, >=, >, != | integer | Unique number of X-Forwarded-For Header
