Elsa To Moloch

Published by Matt Clemons on

Let’s say you’re using Bro, and you have this bad assed app called ELSA to search through the mountains of logs produced.

You find exactly what you’re looking for but you need the payload from the stream.

One option is to integrate ELSA and Moloch.  It’s super easy.

edit /etc/elsa_web.conf and add this somewhere in the file.

“moloch_urls”: {
       “https://YOURIP:8005”: {
        “start”: “10.X.X.0”,
        “end”: “10.X.X.255”
 }
},

Then edit  /usr/local/elsa/web/lib/Controller.pm

and change the pcap_url section to the following.

if ($self->conf->get(‘pcap_url’) or $self->conf->get(‘streamdb_url’) or $self->conf->get(‘streamdb_urls’) or $self->conf->get(‘moloch_urls’)){

Restart apache and you can invoke Moloch from the info link in ELSA.

Then it’ll pull that session with timestamp in Moloch. 
Make sure you have NTP setup.

Categories: Uncategorized

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Uncategorized

Open ports when you can’t open ports

Accessing resources remotely without cumbersome jumpboxes and dealing with restrictive red tape has been a recurring challenge for many. In this blog post, I will introduce a method to seamlessly extend your Wide Area Network Read more…

Uncategorized

Simple Method to push any PCAP through a Router

Introduction: Have you ever wanted to test how a system reacts, displays information, or handles attacks by pushing a bunch of PCAP (Packet Capture) files through a router or an Intrusion Detection and Prevention System Read more…

Uncategorized

ASM Cheat sheet

Back to basics.  Everything needed to learn ASM is available for free online.  Art of ASM book:http://www.plantation-productions.com/Webster/www.artofasm.com/Windows/HTML/AoATOC.html It starts you off with High Level Assembly which is more like a traditional programming language.  Towards the end, you’ll Read more…