Skip to content
/ otta Public

Automated query engine for aol/moloch. Parse statistical data for known good queries, and publish to influxdb.

License

Notifications You must be signed in to change notification settings

ccdcoe/otta

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

otta

Automated query engine for aol/moloch. Parse statistical data for known good queries, and publish to influxdb.

Query engine

Cobbled together in python. Only command line (and therefore crontab) usage is supported.

* *    * * *   root    /srv/otta/python/main.py -t 60 -r 1 -mh 1.2.3.4 -u admin -p admin -if 5.6.7.8

Replay

Tool is written to run queries in a loop, with each loop corresponding to a time period. Backwards. Setting -r flag as 2 and -t as 60 would result in a batch of query for last minute and a another batch for the preceding minute. Aggregate data is written to InfluxDB after results for each batch is collected. Useful if you want to analyze historical PCAP data. For example, -t 60 -r 60 would analyze last hour with the precision of 1 minute.

Elasticsearch

Moloch queries can be stored as Elasticsearch documents, as opposed to a list of python dictionaries. Experimental and barely tested. Got it working once, disabled the feature via global variable and then rewrote most of my code.

Alerting

Current idea is to alert the red team once they get too loud. Using kapacitor tick scripts and sigma function to generate an alert for noisy source IP-s, and to display the data on alerta. WIP.

kapacitor

kapacitor define otta -type batch -tick /srv/otta/tick/sigma.tick -dbrp telegraf.autogen
kapacitor enable otta
kapacitor show otta

About

Automated query engine for aol/moloch. Parse statistical data for known good queries, and publish to influxdb.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published